From: Network Computing and The SANS Institute (sans+ZZ18251328335884228sans.org)
Date: Thu Jan 24 2002 - 14:32:28 CST

    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 003 (02.03)
                       Thursday, January 24, 2002
                           Created for you by
                 Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ----------------------------------------------------------------------

    Five-Minute Workout: Deploying a Remote Access VPN
    To select the best and most secure remote-access server for the money,
    look no further than our multimedia how-to. Senior Technology Editor
    Mike Fratto and Online Editor in Chief Bradley F. Shimmin talk you
    through the tough questions to ask before you purchase a VPN server and
    offer advice on deploying the one you choose.
    http://www.nwc.com/out/fivemin/fmw14jan02.html

    ----------------------------------------------------------------------

    An analysis of many Windows secure deletion tools was posted to
    VulnWatch this week. Basically, the findings suggest that many secure
    deletion tools do not overwrite alternate data streams. Since Windows
    does stick some data in alternate streams (like thumbnail names of
    pictures and so on), this could expose information users thought was
    securely deleted.
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0025.html

    From the "it's funny unless it happens to you" department, around
    Wednesday, Jan. 16, Trend Microsystems' e-mail virus scanner had
    a bug in one of the definition updates that caused the scanner
    to declare any e-mail with the number "1" in it spam and thus
    quarantine it. Talk about an over-zealous spam catching tactic.
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0034.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.03.021} Win - Avirt proxy HTTP header overflow
    {02.03.022} Win - Avirt telnet proxy allows local access
    {02.03.027} Win - BadBlue multiple vulnerabilities
    {02.03.002} Linux - Update {02.01.002}: stunnel format string
                vulnerability
    {02.03.003} Linux - at invalid time heap overflow
    {02.03.005} Linux - Conectiva MySQL logs to world-readable file
    {02.03.006} Linux - Update {01.52.020}: Exim local pipe forward/command
                execution
    {02.03.007} Linux - enscript insecure temp file handling
    {02.03.010} Linux - chinput HOME environment variable overflow
    {02.03.014} Linux - Update {02.02.015}: Eterm HOME environment variable
                overflow
    {02.03.017} Linux - Maelstrom insecure temp file handling
    {02.03.018} Linux - BOOZT administrative CGI overflow
    {02.03.026} Linux - Linux leaks memory contents on ICMP TTL exceeded
                messages
    {02.03.009} BSD - NetBSD suid/ptrace race
    {02.03.019} HPUX - Update {01.45.019}: Overflow in dtspcd via DCE SPC
                library
    {02.03.020} HPUX - Sendmail sends sensitive info in queue warning
    {02.03.011} Other - Cisco MGC/Solaris updates
    {02.03.001} Cross - Update {02.02.007}: sudo passes unclean environment
                to MTA
    {02.03.008} Cross - PHP-Nuke file parameter command execution
    {02.03.012} Cross - Update {02.02.014}: Pi3Web large CGI URL DoS
    {02.03.013} Cross - COWS CGI multiple vulnerabilities
    {02.03.015} Cross - Timbuktu port connection DoS
    {02.03.016} Cross - dnrd malformed DNS request vulnerability
    {02.03.023} Cross - Hellbent Web server path disclosure
    {02.03.024} Cross - Multiple chuid vulnerabilities
    {02.03.025} Cross - uuxqt --config vulnerability
    {02.03.004} Tools - HFNetChk 3.3 available

    --- Windows News -------------------------------------------------------

    *** {02.03.021} Win - Avirt proxy HTTP header overflow

    The Avirt Gateway and SOHO versions 4.2 have been found vulnerable
    to a buffer overflow in the handling of large HTTP headers passed
    through the HTTP proxy. The overflow allows a remote attacker to
    execute arbitrary code.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0224.html

    *** {02.03.022} Win - Avirt telnet proxy allows local access

    Avirt's telnet proxy, shipped with Avirt Gateway version 4.2, has been
    reported to allow a remote attacker to access the proxy system's file
    system and command shell by entering a few diagnostic commands. This
    can be done without authentication.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0225.html

    *** {02.03.027} Win - BadBlue multiple vulnerabilities

    The BadBlue file serving mechanism used in such products
    as Deerfield.com's D2Gfx has been found to contain multiple
    vulnerabilities, including authentication bypassing, denial of service
    and execution of system commands. Full information is available at
    the reference URL below.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0239.html

    --- Linux News ---------------------------------------------------------

    *** {02.03.002} Linux - Update {02.01.002}: stunnel format string
                    vulnerability

    Mandrake has released updated stunnel packages, which fix the
    vulnerability discussed in {02.01.002} ("stunnel format string
    vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0223.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0223.html

    *** {02.03.003} Linux - at invalid time heap overflow

    The at scheduling service has been found to contain a locally
    exploitable heap overflow in the handling of malformed time command
    parameters. This vulnerability allows local attackers to elevate
    their privileges.

    This vulnerability has been confirmed. An exploit has been published.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0010.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/0301.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0232.html

    Source: Debian, SuSE, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/vendor/2002-q1/0010.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/0301.html
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0232.html

    *** {02.03.005} Linux - Conectiva MySQL logs to world-readable file

    Conectiva has released a security advisory indicating that the MySQL
    package shipped with Conectiva Linux 6.0 will, by default, log all
    queries (including user name/password updates) to a world-readable
    file in /var/log/. This could allow a local attacker to retrieve
    sensitive information.

    Updated RPMs are located at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0008.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0008.html

    *** {02.03.006} Linux - Update {01.52.020}: Exim local pipe
                    forward/command execution

    Conectiva has released updated exim packages, which fix the
    vulnerability discussed in {01.52.020} ("Exim local pipe
    forward/command execution").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0007.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0007.html

    *** {02.03.007} Linux - enscript insecure temp file handling

    The enscript converter has been found to insecurely create and use
    temporary files, allowing a local attacker to perform a symlink attack
    against a user who invokes enscript.

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0034.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0012.html

    Source: RedHat, Debian
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0034.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0012.html

    *** {02.03.010} Linux - chinput HOME environment variable overflow

    The chinput Chinese input server has been found to contain a buffer
    overflow in the handling of the HOME environment variable, which
    could allow a local attacker to execute arbitrary code with elevated
    privileges.

    This vulnerability has not been confirmed. An exploit has been
    published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0214.html

    *** {02.03.014} Linux - Update {02.02.015}: Eterm HOME environment
                    variable overflow

    The vendor has released updated imlib packages, which fix the
    vulnerability discussed in {02.02.015} ("Eterm HOME environment
    variable overflow").

    Download and install imlib version 1.0.5 from:
    http://prdownloads.sourceforge.net/enlightenment/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0246.html

    *** {02.03.017} Linux - Maelstrom insecure temp file handling

    The Maelstrom application version 3.0.1 has been found to insecurely
    handle temporary files. A local attacker can create a symlink to
    /tmp/f, which Maelstrom will happily open and overwrite with the
    permissions of the running user.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0235.html
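    The enscript item ({02.03.007}) and the Maelstrom item above both describe
    the same bug class: a program writes to a predictable path such as /tmp/f,
    and a local attacker who plants a symlink there first gets the victim's
    file overwritten with the victim's privileges. The following Python
    program is an added illustration for this newsletter, not code from
    either project or advisory. It builds the scenario in a private scratch
    directory (a constructed "victim" file and a planted "f" symlink; nothing
    touches the real /tmp), shows the naive open() clobbering the link target,
    then shows the two fixes a maintainer would apply: O_CREAT|O_EXCL for a
    fixed path, and tempfile.mkstemp() for an unpredictable, owner-only name.

```python
import os
import shutil
import stat
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """The vulnerable pattern from the advisories: write to a fixed,
    predictable path (the advisory's /tmp/f). A plain open() follows a
    symlink planted at that path, so the data lands on the link target
    with the caller's privileges."""
    with open(path, "wb") as fh:
        fh.write(data)


def exclusive_write(path: str, data: bytes) -> None:
    """Hardened pattern for a fixed path: O_CREAT|O_EXCL makes open() fail
    if anything, including a symlink, already exists there; O_NOFOLLOW
    (where the platform has it) refuses to traverse a link as well."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def private_temp_write(data: bytes, directory: str) -> str:
    """Preferred fix: let mkstemp() choose an unpredictable name and create
    it atomically with mode 0600; the caller uses the returned path."""
    fd, path = tempfile.mkstemp(prefix="scratch-", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Constructed scenario in a throwaway directory: 'victim' stands in for
    a file the user owns, 'f' is the symlink an attacker planted beforehand."""
    scratch = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        victim = os.path.join(scratch, "victim")
        planted = os.path.join(scratch, "f")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        os.symlink(victim, planted)

        # 1. The naive open follows the planted link and clobbers the victim.
        naive_write(planted, b"clobbered\n")
        with open(victim, "rb") as fh:
            after_naive = fh.read()

        # 2. The exclusive open refuses the pre-existing link (EEXIST or
        #    ELOOP depending on platform); the victim is left as it was.
        try:
            exclusive_write(planted, b"clobbered again\n")
            refused = False
        except OSError:
            refused = True
        with open(victim, "rb") as fh:
            after_exclusive = fh.read()

        # 3. mkstemp: unpredictable name, owner-only permissions.
        tmp = private_temp_write(b"scratch data\n", scratch)
        mode = stat.S_IMODE(os.stat(tmp).st_mode)

        return {
            "after_naive": after_naive,
            "refused": refused,
            "after_exclusive": after_exclusive,
            "temp_mode": mode,
            "temp_unpredictable": os.path.basename(tmp) != "f",
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

    The exclusive-open variant is what to reach for when a fixed name is
    unavoidable; mkstemp() is the better default because it removes the
    attacker's ability to guess the name at all.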

    *** {02.03.018} Linux - BOOZT administrative CGI overflow

    The BOOZT administrative CGI suite has been found to contain a buffer
    overflow in the handling of certain form elements. This could lead
    to a remote attacker executing arbitrary code under the Web server's
    privileges.

    This vulnerability has been confirmed. An update is available at:
    http://www.boozt.com/news.php

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0036.html

    *** {02.03.026} Linux - Linux leaks memory contents on ICMP TTL
                    exceeded messages

    The Linux 2.2.x kernel has been found to not overwrite reused memory
    fragments used in making ICMP TTL exceeded messages. As a result,
    whatever data the memory fragment (when unallocated) contains is sent
    out onto the network. By chance, it's possible that fragments could
    contain sensitive information.

    This vulnerability has been confirmed. A third-party patch is
    available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0265.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0234.html

    --- BSD News -----------------------------------------------------------

    *** {02.03.009} BSD - NetBSD suid/ptrace race

    NetBSD has released an advisory indicating a vulnerability whereby one
    application executes a setuid application. In the small window of time
    before the target application executes, the calling application can
    use ptrace() to modify parameters -- potentially giving local users
    the chance to execute arbitrary code with the elevated privileges.

    This vulnerability has been confirmed. All NetBSD branches prior to
    Jan. 14, 2002, are vulnerable.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q1/0077.html

    --- HP-UX News ---------------------------------------------------------

    *** {02.03.019} HPUX - Update {01.45.019}: Overflow in dtspcd via DCE
                    SPC library

    HP has released updated patches, which fix the vulnerability discussed
    in {01.45.019} ("Overflow in dtspcd via DCE SPC library").

    Full patch information and instructions are available at:
    http://archives.neohapsis.com/archives/hp/2002-q1/0016.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q1/0016.html

    *** {02.03.020} HPUX - Sendmail sends sensitive info in queue warning

    HP has released patches for a vulnerability in sendmail, whereby it
    would send sensitive information within e-mail queue warning messages
    under certain conditions.

    Information on available updates is available at:
    http://archives.neohapsis.com/archives/hp/2002-q1/0016.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q1/0016.html

    --- Other News ---------------------------------------------------------

    *** {02.03.011} Other - Cisco MGC/Solaris updates

    Cisco's Media Gateway Controller ships with an underlying Solaris
    operating system. The version shipped by Cisco contains many actively
    exploited vulnerabilities, so Cisco has released updates to patch
    security problems. The SC2200, VSC3000, PGW 2200, BAMS and VSPT
    products are vulnerable.

    Update information is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0218.html

    Source: Cisco
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0218.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.03.001} Cross - Update {02.02.007}: sudo passes unclean
                    environment to MTA

    Immunix and OpenBSD have released updated sudo packages, which fix
    the vulnerability discussed in {02.02.007} ("sudo passes unclean
    environment to MTA").

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2002-q1/0012.html

    Updated OpenBSD information:
    http://archives.neohapsis.com/archives/openbsd/2002-01/1584.html

    Source: Immunix, OpenBSD
    http://archives.neohapsis.com/archives/linux/immunix/2002-q1/0012.html
    http://archives.neohapsis.com/archives/openbsd/2002-01/1584.html

    *** {02.03.008} Cross - PHP-Nuke file parameter command execution

    The PHP-Nuke CGI portal suite has been found to contain a vulnerability
    whereby a remote attacker specifies a remote PHP file in the 'file'
    parameter passed to PHP-Nuke that will be fetched and executed on the
    target server. This allows remote attackers to run arbitrary PHP code
    on the server under the Web server's privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0210.html
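    The defect above is an include whose target comes straight from the
    request: a URL in the 'file' parameter gets fetched and executed. The
    check below is an added example for this newsletter, written in Python
    rather than PHP and not taken from PHP-Nuke; it assumes a hypothetical
    modules directory, a per-application allowlist of module names, and a few
    constructed sample parameters. It rejects anything with a URL scheme,
    anything that is not a bare identifier, anything off the allowlist, and
    any resolved path that leaves the modules directory (a symlink planted
    inside it included), in that order.

```python
import os
import re
import shutil
import tempfile

# A module name is a bare identifier; slashes, dots and schemes never pass.
_MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")


class UnsafeIncludeError(ValueError):
    """Raised when the request parameter must not become an include."""


def resolve_include(file_param: str, modules_dir: str, allowed: frozenset) -> str:
    """Map an untrusted 'file' parameter to a script path inside modules_dir."""
    # Remote includes (http://, ftp://, php:// ...) and absolute paths are out.
    if "://" in file_param or file_param.startswith(("/", "\\\\")):
        raise UnsafeIncludeError("remote or absolute include rejected")
    name = file_param[:-4] if file_param.endswith(".php") else file_param
    # Kills ../ traversal and anything else that is not a plain identifier.
    if not _MODULE_NAME.fullmatch(name):
        raise UnsafeIncludeError("module name must be an identifier")
    if name not in allowed:
        raise UnsafeIncludeError("module not on allowlist")
    # realpath() follows symlinks, so a link inside modules_dir that points
    # elsewhere is caught by the containment check below.
    base = os.path.realpath(modules_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeIncludeError("resolved path escapes modules directory")
    if not os.path.isfile(candidate):
        raise UnsafeIncludeError("module file missing")
    return candidate


def demo() -> dict:
    """Constructed layout: modules/news.php plus a symlink modules/escape.php
    pointing outside the directory, and sample 'file' values a request
    might carry (the attacker host name is a placeholder)."""
    root = tempfile.mkdtemp(prefix="include-demo-")
    try:
        modules = os.path.join(root, "modules")
        os.mkdir(modules)
        with open(os.path.join(modules, "news.php"), "w") as fh:
            fh.write("<?php echo 'news'; ?>\n")
        outside = os.path.join(root, "outside.php")
        with open(outside, "w") as fh:
            fh.write("<?php echo 'not a module'; ?>\n")
        os.symlink(outside, os.path.join(modules, "escape.php"))

        # 'escape' is deliberately allowlisted to show the realpath check
        # catching what the allowlist alone would let through.
        allowed = frozenset({"news", "escape"})
        samples = [
            "news",
            "news.php",
            "http://attacker.example/shell.php",
            "../../etc/passwd",
            "escape",
            "admin",
        ]
        results = {}
        for param in samples:
            try:
                path = resolve_include(param, modules, allowed)
                results[param] = ("ok", os.path.basename(path))
            except UnsafeIncludeError as exc:
                results[param] = ("rejected", str(exc))
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for param, outcome in demo().items():
        print(f"{param!r:40} -> {outcome}")
```

    The allowlist is the decisive control; the identifier and containment
    checks are there so that a mistake in the allowlist (or a symlink dropped
    into the modules directory) still cannot turn the parameter into a file
    read or execution outside the intended set.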

    *** {02.03.012} Cross - Update {02.02.014}: Pi3Web large CGI URL DoS

    The vendor has released an updated patch, which fixes the vulnerability
    discussed in {02.02.014} ("Pi3Web large CGI URL DoS").

    It is available at:
    http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0242.html

    *** {02.03.013} Cross - COWS CGI multiple vulnerabilities

    The COWS CGI shopping cart suite has been found to contain multiple
    vulnerabilities, including cross-site scripting, exposure of the
    administrative password and potential downloading of credit-card
    order data.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0222.html

    *** {02.03.015} Cross - Timbuktu port connection DoS

    The Timbuktu remote control software version 6.0.1 has been reported
    vulnerable to a remote connection denial of service attack, whereby
    an attacker can cause Timbuktu to stop accepting new incoming
    connections by opening many TCP connections to the listening ports.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0243.html

    *** {02.03.016} Cross - dnrd malformed DNS request vulnerability

    The dnrd DNS daemon version 2.10 has been found to crash when it
    receives a particular malformed DNS request. At this point, the
    vulnerability seems limited to a denial of service attack; however,
    it may be possible to execute arbitrary code.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0250.html

    *** {02.03.023} Cross - Hellbent Web server path disclosure

    Under certain conditions, the hellbent Java HTTP server prior to
    version 0.11 has been found to disclose full path information for
    requested files.

    This vulnerability has been confirmed, and version 0.11 has been
    released to fix the problem. It is available at:
    http://hogs.rit.edu/~joet/code/hellbent_v011.zip

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0228.html

    *** {02.03.024} Cross - Multiple chuid vulnerabilities

    The chuid PHP helper application prior to version 1.3 has been found to
    contain two vulnerabilities: users can change the uid of files outside
    the designated upload directory; and the application allows root-owned
    files to be changed. This could allow the system to be compromised.

    These vulnerabilities have been confirmed. An update is available at:
    http://srparish.net/scripts/chuid-1.3.tar.gz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0272.html

    *** {02.03.025} Cross - uuxqt --config vulnerability

    The uuxqt application from the Taylor uucp package has been found
    to not strip out the --config long option before passing control to
    uux. This allows a local attacker to execute arbitrary commands under
    uucp privileges.

    RedHat has confirmed this vulnerability and released updated RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0030.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0030.html

    --- Tool Announcements News --------------------------------------------

    *** {02.03.004} Tools - HFNetChk 3.3 available

    Microsoft has released HFNetChk version 3.3, which includes many
    new features. For those of you who are unfamiliar with HFNetChk,
    it is a tool to remotely scan your servers for missing hot fixes.

    HFNetChk can be downloaded from:
    http://www.microsoft.com/downloads/release.asp?releaseid=31154

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0032.html

    ************************************************************************

    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensusnwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).