From: Network Computing and The SANS Institute (sans+ZZ53136722855344077@sans.org)
Date: Thu Aug 09 2001 - 14:56:07 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 109 (01.32)
Thursday, August 9, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
BuzzCut: Metricom Bites the Dust
Metricom yesterday initiated what it calls an "orderly shutdown,"
closing its doors and effectively killing the Ricochet wireless service.
Don't blame its demise on poor funding or the slouching market, however.
http://www.nwc.com/buzzcut/bc8aug01.html
----------------------------------------------------------------------
OK, just when you thought Code Red was gone, Code Red II rears its ugly
head. Code Red II exploits the same vulnerability as the original Code
Red; however, it has a more effective propagation mechanism (more
effective = more problematic for you) and carries a payload that
installs a backdoor on the infected server. Luckily, the solution is
still the same: apply patches! Those wishing to read up on the specifics
should check out the various posts to the SecurityFocus Incidents list.
http://archives.neohapsis.com/archives/incidents/2001-08/
Of course, Code Red and the newer Code Red II are still crashing
innocent devices in their wakes. Newly reported are 3Com CoreBuilder
3500s, Cisco 67 routers, Xylan Omni Switches, Telocity/Direct TV DSL
gateways and Microsoft Proxy servers. Don't forget: Not only servers
have patches. Always check your dedicated hardware device vendors
periodically for updates, as well.
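A log check for the Code Red family, added here as an example and not part of the newsletter or of any vendor advisory. It relies on the widely published signatures: requests for /default.ida whose query opens with a long run of 'N' (Code Red v1/v2) or 'X' (Code Red II), and requests for the root.exe copy of cmd.exe that Code Red II drops under /scripts and /msadc. The log lines are constructed, abbreviated stand-ins for IIS W3C entries, and the run-length threshold is an assumption chosen to fit them.

```python
"""Added example, not the newsletter's code: scan IIS-style log lines for
Code Red / Code Red II probes and for use of the Code Red II backdoor."""
import re
from collections import Counter

# Constructed sample in W3C extended format with the fields
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The exploit query is shortened: the worm's own request carries a few
# hundred filler bytes followed by %u-encoded shellcode.
SAMPLE_LOG = "\n".join([
    "2001-08-05 03:12:41 192.0.2.10 GET /default.ida " + "N" * 24 + "%u9090%u9090 200",
    "2001-08-05 03:13:02 198.51.100.7 GET /default.ida " + "X" * 24 + "%u9090%u9090 200",
    "2001-08-05 03:15:17 203.0.113.9 GET /scripts/root.exe /c+dir 200",
    "2001-08-05 03:16:00 203.0.113.12 GET /index.htm - 200",
    "2001-08-05 03:16:20 192.0.2.10 GET /default.ida " + "N" * 24 + "%u9090%u9090 404",
    "2001-08-05 03:17:05 198.51.100.8 GET /msadc/root.exe /c+dir 404",
])

# Threshold of 16 is an assumption for the abbreviated sample above; the
# worm's real requests carry a much longer run of filler.
IDA_PROBE = re.compile(r"^(N{16,}|X{16,})")
BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)


def classify(line):
    """Return (tag, source_ip, status) for a Code Red related entry, else None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    src, stem, query, status = parts[2], parts[4], parts[5], parts[6]
    if stem.lower() == "/default.ida":
        m = IDA_PROBE.match(query)
        if m is None:
            return ("ida-request", src, status)   # worth a look, but not the worm's shape
        return ("coderedii" if m.group(1)[0] == "X" else "codered", src, status)
    if BACKDOOR.match(stem):
        return ("backdoor", src, status)
    return None


def scan(log_text):
    """Summarise a log: counts per tag, the attacking sources, and whether the
    backdoor answered. root.exe does not exist on a clean IIS host, so a 200
    for it means this server was already compromised; a 404 is only a probe."""
    counts = Counter()
    sources = set()
    backdoor_answered = False
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        tag, src, status = hit
        counts[tag] += 1
        sources.add(src)
        if tag == "backdoor" and status == "200":
            backdoor_answered = True
    return {
        "counts": dict(counts),
        "sources": sorted(sources),
        "backdoor_answered": backdoor_answered,
    }


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Run it over the real W3C logs of any IIS host that was reachable from the Internet in the last few weeks; a single 200 for root.exe is the finding that matters, independent of whether the patch has since been applied.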
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.32.002} Win - WMP ASF marker overflow
{01.32.008} Win - PCAnywhere aborted connection flood DoS
{01.32.016} Win - Identix BioLogon multimonitor authentication bypass
{01.32.004} Linux - Update {01.27.035}: Tomcat CSS vulnerability
{01.32.005} Linux - Update {01.30.003}: Squid httpd accelerator
unauthorized Web proxy
{01.32.006} Linux - sdbsearch CGI local keylist.txt shell script
execution
{01.32.015} Linux - Multiple vulnerabilities in cda/xmcd
{01.32.021} Linux - Update {01.30.014}: IMP local prefs.lang script
execution
{01.32.001} Cross - Avaya Argent Office multiple vulnerabilities
{01.32.003} Cross - Emacs/rcs2log insecure temp file handling
{01.32.007} Cross - PHP-Nuke database prefix SQL tampering
{01.32.009} Cross - Oracle dbsnmp ORACLE_HOME env variable overflow
{01.32.010} Cross - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.32.011} Cross - Roxen Web server UTF-8 canonicalization arbitrary
file access
{01.32.012} Cross - Sendmail 8.12.0beta signal handling race condition
{01.32.013} Cross - phpBB arbitrary SQL injection/authentication bypass
{01.32.017} Cross - Oracle otrcrep command line parameter overflow
{01.32.018} Cross - Raytheon Silent Runner multiple overflows
{01.32.019} Cross - SHOUTcast server large HTTP header DoS
{01.32.020} Cross - Update {01.31.020}: Entrust getAccess shell script
arbitrary applet execution
{01.32.022} Cross - Oracle log file symlink attack
{01.32.014} Tools - Sendmail 8.11.5 available
- --- Windows News -------------------------------------------------------
*** {01.32.002} Win - WMP ASF marker overflow
The Windows Media Player has been reported to contain a buffer overflow
in the handling of markers embedded in ASF files, resulting in a
malicious Web site or e-mail crashing the user's browser or e-mail
client. It's unknown if arbitrary code execution is possible.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0091.html
*** {01.32.008} Win - PCAnywhere aborted connection flood DoS
A recent advisory indicates that PCAnywhere version 9.2 (and possibly
prior) contains a denial-of-service condition: a remote attacker who
initiates, and then aborts, a large number of connections to the
listening PCAnywhere service can render it unusable.
The vendor has confirmed this vulnerability and made an update
available via LiveUpdate.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0225.html
http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0248.html
*** {01.32.016} Win - Identix BioLogon multimonitor authentication
bypass
This is more of a bug than a vulnerability, and its impact should be
obvious, but we're reporting it for recording/database purposes. Identix's
BioLogon biometric authentication software for Windows does not correctly
handle multimonitor systems: when the biometric-protected screensaver is
activated, it only protects the main monitor/desktop, so a local attacker
can still use the other desktops unhampered.
This vulnerability has not been confirmed.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2001-q3/0032.html
- --- Linux News ---------------------------------------------------------
*** {01.32.004} Linux - Update {01.27.035}: Tomcat CSS vulnerability
Caldera has released updated Tomcat RPMs that fix the vulnerability
discussed in {01.27.035} ("Tomcat CSS vulnerability").
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0009.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0009.html
*** {01.32.005} Linux - Update {01.30.003}: Squid httpd accelerator
unauthorized Web proxy
Caldera has released updated Squid RPMs that fix the vulnerability
discussed in {01.30.003} ("Squid httpd accelerator unauthorized
Web proxy").
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0010.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0010.html
*** {01.32.006} Linux - sdbsearch CGI local keylist.txt shell script
execution
The sdbsearch.cgi CGI application shipped with SuSE (and possibly
others) contains a vulnerability that makes it possible for an
attacker who can place a shell script named 'keylist.txt' on the
target server to have that script executed with the privileges of
the Web server.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0014.html
*** {01.32.015} Linux - Multiple vulnerabilities in cda/xmcd
SuSE has released an advisory indicating that various vulnerabilities
exist in the cda application, which is a setuid helper program for
the xmcd CD player application. It's possible for a local attacker
to overwrite files or gain additional privileges.
SuSE has confirmed this vulnerability. Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0392.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0392.html
*** {01.32.021} Linux - Update {01.30.014}: IMP local prefs.lang script
execution
Caldera has released updated IMP packages that fix the vulnerability
discussed in {01.30.014} ("IMP local prefs.lang script execution").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0008.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0008.html
- --- Cross-Platform News ------------------------------------------------
*** {01.32.001} Cross - Avaya Argent Office multiple vulnerabilities
Avaya's Argent Office suite has been found to contain multiple
vulnerabilities: a UDP packet to port 53 causes the service to restart;
the password is protected only by a weak encoding scheme, leaving it
vulnerable to network sniffing; the required SNMP community strings are
trivial to bypass; and a system on the local network can answer a TFTP
request sent to the broadcast address, supplying a trojaned file.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0088.html
*** {01.32.003} Cross - Emacs/rcs2log insecure temp file handling
A small report indicates that the rcs2log application shipped with
Emacs insecurely handles temporary files, allowing a local attacker
to perform a symlink attack. The exact vulnerable versions were
not specified.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0093.html
*** {01.32.007} Cross - PHP-Nuke database prefix SQL tampering
The PHP-Nuke Web CGI application has been found to contain a
vulnerability in the handling of the database prefix variable,
potentially allowing an attacker to inject arbitrary SQL commands
for execution.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0019.html
*** {01.32.009} Cross - Oracle dbsnmp ORACLE_HOME env variable overflow
An advisory was recently released indicating that the Oracle dbsnmp
application, which is setuid root in some Oracle installations,
contains a buffer overflow in the handling of the ORACLE_HOME
environment variable. This allows a local attacker to execute arbitrary
code with elevated privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0031.html
*** {01.32.010} Cross - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
Multiple vendors have released patches and fixes for the vulnerability
discussed in {01.30.021} ("Multivendor telnetd option-handling
overflow").
IBM has a temporary efix for AIX:
ftp://aix.software.ibm.com/aix/efixes/security/telnetd_efix.tar.Z
MIT has released a patch for MIT Kerberos 5 telnetd version 1.2.2:
http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt
Caldera has released patches for UnixWare 7 and OpenUnix 8:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0007.html
Source: Caldera, IBM, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0776.html
*** {01.32.011} Cross - Roxen Web server UTF-8 canonicalization
arbitrary file access
Roxen Web server versions prior to 2.0.92 and 2.1.264 contain a bug
in the handling of UTF-8 encoded URLs. This could allow a remote attacker
to access arbitrary files outside the Web root, provided the file is
readable with the Web server's privileges.
The vendor has confirmed this vulnerability and released updated
versions, which are available at:
http://download.roxen.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0041.html
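The failure class behind {01.32.011}, shown as an added example that is not Roxen's code: a minimal UTF-8 decoder that accepts overlong forms (so %C0%AE becomes '.' and %C0%AF becomes '/') next to a resolver that decodes strictly, normalises, and only then checks the path. The web root, request paths and the order of checks in the vulnerable variant are illustrative assumptions, not a description of Roxen's internals.

```python
"""Added example, not Roxen's code: overlong UTF-8 versus a traversal check
that runs before decoding, beside the decode-then-check fix."""
import posixpath
from urllib.parse import unquote_to_bytes


def decode_utf8_lenient(data: bytes) -> str:
    """Decoder for 1 to 3 byte sequences that never rejects overlong forms.
    This is the bug class: two bytes are allowed to encode an ASCII code point."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, n = lead, 1
        elif 0xC0 <= lead < 0xE0:
            cp, n = lead & 0x1F, 2
        elif 0xE0 <= lead < 0xF0:
            cp, n = lead & 0x0F, 3
        else:
            raise ValueError("unsupported lead byte 0x%02x" % lead)
        for k in range(1, n):
            if i + k >= len(data) or data[i + k] & 0xC0 != 0x80:
                raise ValueError("truncated sequence")
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def resolve_vulnerable(web_root: str, raw_path: str) -> str:
    """Bug pattern: traversal check on the still-encoded request, lenient
    decode afterwards. '%C0%AE%C0%AE' contains no '..' yet decodes to one."""
    if ".." in raw_path:
        raise PermissionError("traversal rejected")
    decoded = decode_utf8_lenient(unquote_to_bytes(raw_path))
    return posixpath.normpath(web_root + decoded)


def resolve_fixed(web_root: str, raw_path: str) -> str:
    """Decode first and strictly (Python's codec rejects overlong sequences),
    normalise, then verify the result is still inside the root."""
    try:
        decoded = unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError as e:
        raise PermissionError("malformed UTF-8 in request: %s" % e)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in request")
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise PermissionError("resolved outside web root: %s" % full)
    return full


if __name__ == "__main__":
    evil = "/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd"
    print(resolve_vulnerable("/var/www", evil))   # escapes the root
    try:
        resolve_fixed("/var/www", evil)
    except PermissionError as e:
        print("fixed:", e)
```

The general rule the example illustrates: every check on a request path has to run on the fully decoded, normalised form, and the decoder must reject non-shortest-form sequences rather than silently mapping them onto ASCII.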
*** {01.32.012} Cross - Sendmail 8.12.0beta signal handling race
condition
The recent Sendmail 8.12.0beta16 announcement indicates that a 'signal
handling race condition' was recently fixed. Given the recent locally
exploitable race condition bug found in Sendmail's signal handling
({01.22.016} "Sendmail signal handler heap vulnerability"), we believe
this problem could have security potential. Thus, anyone running the
8.12.0 beta versions of Sendmail should consider upgrading.
The source can be downloaded:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta16.tar.gz
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2001-q3/0002.html
*** {01.32.013} Cross - phpBB arbitrary SQL injection/authentication
bypass
phpBB, a PHP-based bulletin board, has been found to not properly
filter submitted user data, which would allow a remote attacker to
inject arbitrary SQL commands for execution. In addition, it's possible
to inject particular SQL commands that would allow a remote attacker
to bypass the administrator authentication process. Another advisory
indicates that it's possible to execute arbitrary PHP code via the
'lang' URL parameter.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0056.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0077.html
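The two injection shapes described in {01.32.007} (an attacker-controlled table prefix) and {01.32.013} (unfiltered form data reaching a query), reproduced as an added example against an in-memory SQLite database beside the corresponding fixes. This is not PHP-Nuke's or phpBB's code; the schema, the sample rows and the 'nuke_' prefix are constructed for illustration.

```python
"""Added example, not PHP-Nuke or phpBB code: string-built SQL versus bound
parameters, and an identifier (table prefix) that cannot be bound and must
therefore be allow-listed instead."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one user table under the 'nuke_' prefix."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nuke_users (name TEXT, pwd TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO nuke_users VALUES (?, ?, ?)",
                    [("admin", "s3cret", 1), ("alice", "hunter2", 0)])
    return con


# --- submitted user data spliced into the query ({01.32.013}) ----------------

def login_vulnerable(con, name: str, pwd: str):
    """Form fields concatenated into SQL: a quote in the name closes the
    literal and a comment marker discards the password check."""
    sql = ("SELECT name, is_admin FROM nuke_users "
           "WHERE name = '%s' AND pwd = '%s'" % (name, pwd))
    return con.execute(sql).fetchone()


def login_fixed(con, name: str, pwd: str):
    """Bound parameters: values travel separately from the statement, so they
    are never parsed as SQL whatever characters they contain."""
    sql = "SELECT name, is_admin FROM nuke_users WHERE name = ? AND pwd = ?"
    return con.execute(sql, (name, pwd)).fetchone()


# --- attacker-controlled table prefix ({01.32.007}) --------------------------

def list_members_vulnerable(con, prefix: str):
    """Prefix taken from the request. Identifiers cannot be bound as
    parameters, so a crafted prefix rewrites the statement itself."""
    sql = "SELECT name FROM %susers WHERE is_admin = 0" % prefix
    return sorted(row[0] for row in con.execute(sql))


PREFIX_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,31}$")


def list_members_fixed(con, prefix: str):
    """The prefix belongs in server-side configuration, never in the request;
    if it must be configurable at all, allow-list its shape before use."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("refusing table prefix %r" % prefix)
    sql = "SELECT name FROM %susers WHERE is_admin = 0" % prefix
    return sorted(row[0] for row in con.execute(sql))


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "admin' -- ", "wrong"))     # admin row, password never checked
    print(login_fixed(con, "admin' -- ", "wrong"))          # None
    print(list_members_vulnerable(con, "nuke_users -- "))   # admin leaks into the member list
```

The point of the second half: parameter binding only protects values. Anything that lands in the identifier position (table, column, prefix) has to be fixed at deploy time or validated against a strict pattern, which is why a request-supplied prefix is a design flaw rather than a missing escape call.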
*** {01.32.017} Cross - Oracle otrcrep command line parameter overflow
An advisory was released indicating that the Oracle otrcrep application
does not correctly handle long command line parameters. This could
result in a buffer overflow, which would allow local attackers to
execute arbitrary code under the 'Oracle' uid, and thereby tamper with
the local Oracle databases.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0032.html
*** {01.32.018} Cross - Raytheon Silent Runner multiple overflows
Raytheon's Silent Runner versions 2.0 and 2.0.1 (and possibly prior)
contain buffer overflows in the handling of various data monitored on
the network (particularly user passwords and long HTTP URLs). This
could allow a remote attacker to crash the Silent Runner collector
or potentially execute arbitrary code on the Silent Runner system.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0085.html
*** {01.32.019} Cross - SHOUTcast server large HTTP header DoS
NullSoft's SHOUTcast server version 1.8.2 (and possibly others)
has been found to incorrectly handle large, incoming HTTP headers
(particularly the Host and User-Agent headers). This enables a remote
attacker to crash the SHOUTcast service, thereby causing a denial
of service.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0048.html
*** {01.32.020} Cross - Update {01.31.020}: Entrust getAccess shell
script arbitrary applet execution
Entrust has confirmed the vulnerability discussed in {01.31.020}
("Entrust getAccess shell script arbitrary applet execution") and
released patches.
Patches can be found at:
https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0662.html
*** {01.32.022} Cross - Oracle log file symlink attack
Another Oracle advisory (the third this week) was released indicating
that the main Oracle application does not properly create log
files. This allows a local attacker to perform a symlink attack and
overwrite any file writable by the 'Oracle' user.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0034.html
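The symlink attack class behind both {01.32.003} (rcs2log temporary files) and {01.32.022} (Oracle log files), played out in a scratch directory as an added example that is neither rcs2log's nor Oracle's code, beside the creation pattern that defeats it. File names are constructed; the open flags are POSIX (O_NOFOLLOW is not available on Windows).

```python
"""Added example, not rcs2log or Oracle code: a predictable path opened
without O_EXCL follows a planted symlink; O_CREAT|O_EXCL and mkstemp do not."""
import os
import tempfile


def write_log_vulnerable(path: str, text: str) -> None:
    """Opens a predictable path with plain open(): if an attacker has already
    planted a symlink there, the write lands on the symlink's target."""
    with open(path, "a") as f:
        f.write(text)


def write_log_fixed(path: str, text: str) -> None:
    """O_CREAT|O_EXCL makes the kernel refuse any pre-existing path, symlink
    included, so the file is either created by us or not written at all."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def make_temp_fixed(directory: str, text: str) -> str:
    """For scratch files (the rcs2log case) use mkstemp: unpredictable name,
    created with O_EXCL and mode 0600. A shell script gets the same from mktemp(1)."""
    fd, path = tempfile.mkstemp(prefix="rcs2log.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def demo(workdir: str) -> dict:
    """Play the attack: plant a symlink at the log path, then try both writers."""
    victim = os.path.join(workdir, "victim.txt")   # any file the daemon's user may write
    with open(victim, "w") as f:
        f.write("original\n")
    log_path = os.path.join(workdir, "app.log")
    os.symlink(victim, log_path)                   # attacker's move, before the daemon runs

    write_log_vulnerable(log_path, "attacker-chosen content\n")
    with open(victim) as f:
        victim_after_vulnerable = f.read()

    try:
        write_log_fixed(log_path, "attacker-chosen content\n")
        fixed_refused = False
    except FileExistsError:
        fixed_refused = True
    with open(victim) as f:
        victim_after_fixed = f.read()

    tmp = make_temp_fixed(workdir, "scratch\n")
    return {
        "victim_after_vulnerable": victim_after_vulnerable,
        "fixed_refused": fixed_refused,
        "victim_after_fixed": victim_after_fixed,
        "temp_mode": oct(os.stat(tmp).st_mode & 0o777),
    }


def run_demo() -> dict:
    """Run demo() in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", repr(value))
```

For a log that legitimately persists across runs, create it once this way in a directory that untrusted users cannot write to; the attack only works when the attacker can place a name in the directory before the privileged process does.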
- --- Tool Announcements News --------------------------------------------
*** {01.32.014} Tools - Sendmail 8.11.5 available
The Sendmail Consortium has released Sendmail version 8.11.5. This
new version fixes various minor bugs found in version 8.11.4. None
of them is believed to affect security.
The source can be downloaded:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.5.tar.gz
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2001-q3/0001.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7cuiA+LUG5KFpTkYRAqulAJ0XhKGZrAM4s0YR1UFWfybaEWO/MQCcC8Qb
EEW2+LV69EP5NBKXZtWLDAM=
=lJfO
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).