From: Network Computing and The SANS Institute (sans+ZZ70491249049314681@sans.org)
Date: Thu Mar 07 2002 - 14:45:18 CST



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 009 (02.09)
                         Thursday, March 7, 2002
                            Created for you by
                Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    ALERT! Web applications are the new area of attack for hackers! By
    taking advantage of your Web site and using it to exploit your
    applications, a hacker can gain access to your backend data. All
    undetectable by today's methods of Internet security! Download this
    *FREE* white paper from SPI Dynamics that provides a complete guide of
    vulnerabilities and steps for protection!
    http://www.spidynamics.com/mktg/webappsecurity3/

    ----------------------------------------------------------------------

    To get the most value out of SAC, we recommend three things:

    A) Subscribe to the Cross-Platform category. Multi-vendor bugs,
    which most likely apply to you, show up there. Instructions on how
    to change your category subscriptions are at the bottom of the e-mail.

    B) Don't stop with the summary -- make sure you read the appropriate
    reference URLs if you think a bug applies to you. Our goal is to
    summarize the information and not necessarily provide all the exact
    details. The original posts also might contain workaround and/or
    instructions on how to confirm if you're vulnerable.

    C) If you see a reference to a bug that is not in your issue, it's
    because you didn't subscribe to that category. You can view the online
    copy, which has all categories, at:
    http://archives.neohapsis.com/archives/sac/

    Also, if you're at all confused about how to work with this newsletter
    (change your e-mail address, unsubscribe, etc.), simply scroll to
    the bottom of this message and follow the directions there.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.09.006} Win - MS02-012: Malformed SMTP command DoS
    {02.09.013} Win - MS02-011: Users can use SMTP service with null session
    {02.09.016} Win - WorldGroup FTP and HTTP overflows
    {02.09.019} Win - Hotline client stores plain text authentication
                information in bookmarks
    {02.09.023} Win - MS02-013: Java applets can redirect HTTP traffic via
                proxy
    {02.09.024} Win - MS SQL Server xp_dirtree overflow
    {02.09.025} Win - Talentsoft Web+ buffer overflow
    {02.09.029} Win - BPM Studio Pro internal HTTP server vulnerabilities
    {02.09.002} Linux - Update {02.08.035}: mod_ssl session serializing
                overflow
    {02.09.004} Linux - Update {02.08.034}: PHP file upload vulnerabilities
    {02.09.005} Linux - Netfilter IRC DCC tracking vulnerability
    {02.09.021} Linux - Users can kill processes via lcall()
    {02.09.028} BSD - KAME IPSEC IPv4 forwarding SPD bypass
    {02.09.007} NApps - Cisco IOS CEF packet data leak
    {02.09.014} NApps - Cobalt Raq/Cube admin CGI vulnerabilities
    {02.09.001} Cross - Update {02.08.012}: Squid multiple vulnerabilities
    {02.09.003} Cross - Apache-SSL buffer overflow
    {02.09.008} Cross - Multiple vendor RADIUS vulnerabilities
    {02.09.009} Cross - CVS pserver overflow/DoS
    {02.09.010} Cross - Cyrus SASL logging format string vulnerability
    {02.09.011} Cross - cfsd overflows/DoS
    {02.09.012} Cross - Update {02.06.011}: Multiple vendor SNMP problems
    {02.09.015} Cross - Zope proxy roles ownership vulnerability
    {02.09.017} Cross - DCP-Portal reveals file paths
    {02.09.018} Cross - xtelld multiple overflow vulnerabilities
    {02.09.020} Cross - Bad SNMP packet crashes Ethereal
    {02.09.022} Cross - ntop traceEvent() format string vulnerability
    {02.09.026} Cross - xsane insecure temp file handling
    {02.09.027} Cross - Java applets can hijack HTTP proxy connections
    {02.09.030} Cross - Snitz CGI forum img tag CSS vulnerability
    {02.09.031} Cross - AeroMail CGI multiple vulnerabilities

    --- Windows News -------------------------------------------------------

    *** {02.09.006} Win - MS02-012: Malformed SMTP command DoS

    Microsoft released MS02-012 ("Malformed SMTP command DoS"). A remote
    attacker could potentially issue a malformed SMTP command to the
    Windows 2000 SMTP service (also used by Exchange 2000), which causes
    the service to crash.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-012.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0044.html

    *** {02.09.013} Win - MS02-011: Users can use SMTP service with null
                    session

    Microsoft released MS02-011 ("Users can use SMTP service with null
    session"). The SMTP service shipped with Windows 2000, Exchange 2000
    and Exchange 5.5 contains a bug in the authentication of remote users,
    which would allow a remote attacker to authenticate with a null session
    and thus be able to relay e-mail. As such, there is a potential for
    abuse (read: spammers).

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0045.html

    *** {02.09.016} Win - WorldGroup FTP and HTTP overflows

    Galacticomm's WorldGroup suite version 3.x comes with an FTP
    and HTTP server. Both are vulnerable to buffer overflows in long
    requests/commands.

    These vulnerabilities are unconfirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0311.html

    *** {02.09.019} Win - Hotline client stores plain text authentication
                    information in bookmarks

    The Hotline client version 1.8.5 stores a user's authentication
    information in plain text within any bookmarks created by the
    user. This allows anyone with file system access to recover the
    information.

    These vulnerabilities are unconfirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0338.html

    *** {02.09.023} Win - MS02-013: Java applets can redirect HTTP traffic
                    via proxy

    Microsoft released MS02-013 ("Java applets can redirect HTTP traffic
    via proxy"). A bug in the MS JVM lets Java applets 'do something'
    (vague, since we have no details) that would cause users who surf with
    IE through a proxy to have their traffic redirected to a location of
    the Java applet's choice.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-013.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0051.html

    *** {02.09.024} Win - MS SQL Server xp_dirtree overflow

    Microsoft SQL Server version 7 is vulnerable to a buffer overflow
    in the handling of large strings passed to the xp_dirtree stored
    procedure.

    This vulnerability is unconfirmed.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0152.html

    *** {02.09.025} Win - Talentsoft Web+ buffer overflow

    Talentsoft's Web+ version 5.0 is vulnerable to a buffer overflow in
    the handling of long strings, which could allow a remote attacker to
    execute arbitrary code with local system privileges.

    The vendor confirmed this vulnerability and released an update,
    which is available at:
    http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0153.html

    *** {02.09.029} Win - BPM Studio Pro internal HTTP server
                    vulnerabilities

    BPM Studio Pro version 4.2 comes with an internal HTTP server that has
    two vulnerabilities: a denial of service by requesting DOS device
    files in a URL request; and access to arbitrary files by using
    '..' notation in URL requests.

    These vulnerabilities are unconfirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0312.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0320.html
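The two defect classes named in the BPM Studio entry, '..' traversal out of the document root and requests for DOS device names, are both decided before the server ever opens a file. The following check is an added example written for this summary; it is not code from the newsletter or from BPM Studio, and the function names (`safe_resolve`, `is_reserved_device`), the document root `/srv/www` and the sample request paths are assumptions constructed here.

```c
/* Added example (not from the newsletter or from BPM Studio). Normalise a
 * URL path lexically before touching the filesystem: refuse any '..' that
 * would climb above the document root, and refuse reserved Windows device
 * names (CON, AUX, COM1 ... LPT9), which block or fail on open regardless of
 * the directory they are requested in. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reserved DOS/Windows device names; "CON.txt" still resolves to CON. */
static const char *reserved_devices[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
    NULL
};

/* Returns 1 if the base name of one path segment (text before the first '.',
 * compared case-insensitively) is a reserved device name. */
static int is_reserved_device(const char *seg)
{
    char base[16];
    size_t n = 0;
    for (; seg[n] && seg[n] != '.' && n < sizeof base - 1; n++)
        base[n] = (char)toupper((unsigned char)seg[n]);
    base[n] = '\0';
    for (int i = 0; reserved_devices[i]; i++)
        if (strcmp(base, reserved_devices[i]) == 0)
            return 1;
    return 0;
}

/* Resolve an already percent-decoded request path under 'root'.
 * On success writes "root/normalised/path" to 'out' and returns 1.
 * On traversal above root, a device name, or overflow, clears 'out' and
 * returns 0 so the caller can log the request and answer 403/404. */
int safe_resolve(const char *root, const char *url_path, char *out, size_t outsz)
{
    char buf[1024];
    const char *segs[128];
    int depth = 0;

    out[0] = '\0';
    if (strlen(url_path) >= sizeof buf)
        return 0;
    strcpy(buf, url_path);
    for (char *p = buf; *p; p++)            /* backslash is a separator on Windows */
        if (*p == '\\') *p = '/';

    char *save = NULL;
    for (char *seg = strtok_r(buf, "/", &save); seg; seg = strtok_r(NULL, "/", &save)) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0)                 /* would escape the document root */
                return 0;
            depth--;
            continue;
        }
        if (is_reserved_device(seg) || depth == 128)
            return 0;
        segs[depth++] = seg;
    }

    size_t used = (size_t)snprintf(out, outsz, "%s", root);
    for (int i = 0; i < depth && used < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, "/%s", segs[i]);
    if (used >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests, not taken from any advisory. */
    const char *requests[] = { "/music/track.mp3", "/music/../../etc/passwd", "/docs/AUX.txt" };
    char out[2048];
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %s\n", requests[i],
               safe_resolve("/srv/www", requests[i], out, sizeof out) ? out : "REJECTED");
    return 0;
}
```

Rejecting a path that climbs above the root, rather than silently clamping it, keeps the event visible in the server log, which is where such probing is detected.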

    --- Linux News ---------------------------------------------------------

    *** {02.09.002} Linux - Update {02.08.035}: mod_ssl session serializing
                    overflow

    Conectiva released updated mod_ssl packages, which fix the
    vulnerability discussed in {02.08.035} ("mod_ssl session serializing
    overflow").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0018.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0009.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0357.html

    Source: Conectiva, EnGarde, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0018.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0009.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0357.html

    *** {02.09.004} Linux - Update {02.08.034}: PHP file upload
                    vulnerabilities

    Multiple vendors released updated PHP packages, which fix the
    vulnerabilities discussed in {02.08.034} ("PHP file upload
    vulnerabilities").

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0087.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1403.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0010.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0048.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0346.html

    Source: RedHat, SuSE, EnGarde, Debian, Trustix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0087.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1403.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0010.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0048.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0346.html

    *** {02.09.005} Linux - Netfilter IRC DCC tracking vulnerability

    A bug in the IRC DCC netfilter firewalling code could potentially
    reconfigure the local firewall in a manner that could allow unwanted
    inbound access.

    A patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0306.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0085.html

    Source: RedHat, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0085.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0306.html

    *** {02.09.021} Linux - Users can kill processes via lcall()

    A bug in the Linux kernel allows local users to kill arbitrary
    processes, even system processes to which they don't have access.

    This vulnerability is confirmed. A third-party patch is available at:
    http://www.openwall.com/linux/

    Source: Owl Linux
    http://archives.neohapsis.com/archives/linux/owl/2002-q1/0008.html

    --- BSD News -----------------------------------------------------------

    *** {02.09.028} BSD - KAME IPSEC IPv4 forwarding SPD bypass

    A released advisory indicates that a bug in the handling of forwarded
    IPv4 traffic in KAME-derived IPSEC implementations allows invalid
    packets to pass through the security gateway. Both NetBSD and FreeBSD
    appear to be vulnerable.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html

    --- Network Appliances News --------------------------------------------

    *** {02.09.007} NApps - Cisco IOS CEF packet data leak

    Cisco released an advisory indicating that the Cisco Express Forwarding
    feature of IOS can potentially include data from prior packets in
    packets that it forwards. The bug is the result of IOS not clearing
    the memory it uses to pad the packet.

    An update matrix is available at:
    http://archives.neohapsis.com/archives/cisco/2002-q1/0006.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q1/0006.html

    *** {02.09.014} NApps - Cobalt Raq/Cube admin CGI vulnerabilities

    A released advisory indicates various problems in the administrative
    CGIs included with the Cobalt/Sun Raq4 appliances. The problems include
    cross-site scripting, the ability to read server-readable files and a
    denial of service. Another advisory indicates that cross-site scripting
    problems also are present in the Cube.

    These vulnerabilities are unconfirmed. Some third-party workarounds
    are available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0371.html

    Source: SecurityFocus Bugtraq, Vuln-Dev
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0365.html
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0719.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.09.001} Cross - Update {02.08.012}: Squid multiple
                    vulnerabilities

    SuSE and Caldera/SCO released updated squid packages, which
    fix the vulnerability discussed in {02.08.012} ("Squid multiple
    vulnerabilities").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1462.html

    Updated SCO binaries are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0017.html

    Source: SuSE, Caldera/SCO, Conectiva
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1462.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0017.html

    *** {02.09.003} Cross - Apache-SSL buffer overflow

    Apache-SSL also is vulnerable to the mod_ssl buffer overflow discussed
    in {02.08.035}.

    Updated source tarballs are available at:
    http://www.apache-ssl.org/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0000.html

    *** {02.09.008} Cross - Multiple vendor RADIUS vulnerabilities

    CERT released an advisory indicating that many RADIUS implementations
    are vulnerable to remote buffer overflows, which lead to denial of
    service attacks and, potentially, the execution of arbitrary code
    under certain conditions.

    For a list of affected products and vendors, view the CERT advisory at:
    http://archives.neohapsis.com/archives/cc/2002-q1/0006.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0089.html

    Source: CERT, RedHat
    http://archives.neohapsis.com/archives/cc/2002-q1/0006.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0089.html

    *** {02.09.009} Cross - CVS pserver overflow/DoS

    Debian released an advisory indicating that certain CVS components
    have a buffer overflow, which could allow a remote attacker (with
    proper credentials) to crash the CVS service. It is uncertain if
    execution of arbitrary code is possible.

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0052.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0052.html

    *** {02.09.010} Cross - Cyrus SASL logging format string vulnerability

    The Cyrus SASL library contains an exploitable format string
    vulnerability in one of the logging functions, which could potentially
    allow a remote attacker to execute arbitrary code.

    Mandrake released updated RPMs, which are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0334.html

    Source: Mandrake
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0334.html

    *** {02.09.011} Cross - cfsd overflows/DoS

    The cryptographic file system cfsd daemon contains various buffer
    overflows that allow a local user to crash the service, which leads
    to a denial of service attack. It also may be possible to execute
    arbitrary code with elevated privileges.

    Debian released updated DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0049.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0049.html

    *** {02.09.012} Cross - Update {02.06.011}: Multiple vendor SNMP
                    problems

    nCipher released updated patches for the SNMP agent that ships with
    various nForce, nFast and nShield modules, which fix the vulnerability
    discussed in {02.06.011} ("Multiple vendor SNMP problems").

    Updated information is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0353.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0353.html

    *** {02.09.015} Cross - Zope proxy roles ownership vulnerability

    Zope versions 2.2.0 through 2.5.x contain a bug in the enforcement of
    ownership roles in relation to proxy roles. The bug may allow users
    to access objects they otherwise wouldn't be able to access.

    The Zope developers confirmed this vulnerability and released a hotfix,
    which is available at:
    http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0377.html

    *** {02.09.017} Cross - DCP-Portal reveals file paths

    The DCP-Portal CGI suite prior to version 4.5.1 displays full path
    information in a request that has an invalid language file.

    The vendor confirmed this vulnerability and released version 4.5.1
    to fix the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0323.html

    *** {02.09.018} Cross - xtelld multiple overflow vulnerabilities

    xtelld version 2.6.1 contains multiple vulnerabilities: a buffer
    overflow in the handling of large authd return data; a buffer overflow
    in the handling of large DNS names; and a buffer overflow in the
    handling of large amounts of data sent to the service.

    These vulnerabilities are unconfirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0333.html

    *** {02.09.020} Cross - Bad SNMP packet crashes Ethereal

    The Ethereal Web browser crashes when trying to decode a particular
    malformed SNMP packet. This leads to a remotely exploitable denial
    of service situation.

    The advisory indicates confirmation by the vendor, which has checked
    a fix into the current CVS.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0356.html

    *** {02.09.022} Cross - ntop traceEvent() format string vulnerability

    Ntop version 2.0 contains a remotely exploitable format string
    vulnerability in the traceEvent() function, which will let an attacker
    execute arbitrary code.

    This vulnerability is unconfirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
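The Cyrus SASL logging entry and the ntop traceEvent() entry describe the same defect class: a logging routine that hands attacker-influenced text to a printf-family function as the format argument. The block below is an added example for both entries; it is not code from the newsletter, from ntop or from Cyrus SASL. The `trace_event` routine is a hypothetical stand-in for a logging API, and the peer address and hostile string are constructed sample input.

```c
/* Added example (not from the newsletter, ntop or Cyrus SASL): the safe
 * shape of a logging call.  The format string is always a literal written by
 * the programmer; untrusted text is passed as a "%s" argument, so conversion
 * specifiers it contains are copied into the log verbatim instead of being
 * interpreted. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Hypothetical logging routine (assumed API, modelled on a traceEvent()
 * style interface).  Writes the formatted line into 'out'. */
static int trace_event(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern, shown for contrast only:
 *     trace_event(out, outsz, untrusted);
 * 'untrusted' becomes the format string, so "%x" reads stack words and
 * "%n" writes to memory.
 *
 * SAFE pattern: the untrusted text is data, never format. */
int log_client_message(char *out, size_t outsz, const char *peer,
                       const char *untrusted)
{
    return trace_event(out, outsz, "client %s said: %s", peer, untrusted);
}

/* Review-time / runtime guard: returns 1 if a string contains any conversion
 * directive.  A value that is about to be used as a format but came from
 * outside the program should never trip this. "%%" is a literal percent. */
int looks_like_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {
            p += 2;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[LOG_MAX];
    const char *hostile = "%x%x%x%n";   /* constructed sample input */
    log_client_message(line, sizeof line, "10.0.0.5", hostile);
    printf("%s\n", line);               /* directives appear literally */
    printf("directive check on input: %d\n", looks_like_format_directive(hostile));
    return 0;
}
```

Compilers can enforce the safe pattern: building with `-Wformat -Wformat-security` (GCC and Clang) warns on any printf-family call whose format is not a literal, which is the quickest way to find every instance of the vulnerable shape in a code base.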

    *** {02.09.026} Cross - xsane insecure temp file handling

    Debian released an advisory indicating that the xsane application
    insecurely handles temporary files, thereby allowing local symlink
    attacks.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0053.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0053.html
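The xsane entry names the classic insecure temporary-file pattern: a predictable name under /tmp opened without O_EXCL, which a local user can pre-create as a symlink so the program follows it and clobbers a file of the attacker's choosing. The block below is an added example, not code from the newsletter or from xsane; the function names, the `xsane.` name prefix and the `/tmp` directory used by `main` are assumptions made here.

```c
/* Added example (not from the newsletter or from xsane): insecure temp-file
 * creation beside the secure form.  mkstemp() creates the file atomically
 * with O_CREAT|O_EXCL and mode 0600, so a symlink planted at the name makes
 * the open fail instead of being followed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* INSECURE (for contrast only): guessable name, O_CREAT without O_EXCL
 * follows an existing symlink, and 0666 is world-accessible. */
int open_temp_insecure(const char *dir, char *path, size_t pathsz)
{
    snprintf(path, pathsz, "%s/xsane.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* SECURE: mkstemp() replaces XXXXXX with a random suffix and opens with
 * O_CREAT|O_EXCL|O_RDWR, mode 0600.  On success 'path' holds the real name
 * so the caller can unlink it; returns -1 with errno set on failure. */
int open_temp_secure(const char *dir, char *path, size_t pathsz)
{
    if (snprintf(path, pathsz, "%s/xsane.XXXXXX", dir) >= (int)pathsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* Post-condition check on the open descriptor (fstat, not stat on the path,
 * so there is no second race on the name): a regular file, owned by the
 * effective user, with no group or world permission bits.  Returns 1 if so. */
int temp_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

int main(void)
{
    char path[4096];
    int fd = open_temp_secure("/tmp", path, sizeof path);   /* assumed directory */
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s, private=%d\n", path, temp_fd_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Keeping the file open and working through the descriptor, then unlinking by the name mkstemp returned, is the whole discipline: any later reopen by path reintroduces the race the advisory describes.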

    *** {02.09.027} Cross - Java applets can hijack HTTP proxy connections

    A released advisory indicates various vendor JVMs are vulnerable to
    a bug that lets a Java applet hijack a user's connection to an HTTP
    proxy, thus allowing the applet to have unrestricted network access.

    This vulnerability is confirmed. Sun, Netscape and Microsoft are
    vulnerable. Microsoft was reported elsewhere in this issue.

    Sun bulletin:
    http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0025.html

    *** {02.09.030} Cross - Snitz CGI forum img tag CSS vulnerability

    The Snitz CGI forum suite versions 3.3.03 and prior are vulnerable
    to cross-site scripting in the handling of user-submitted img tags.

    The vendor confirmed the problem. Fix information is available at:
    http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0326.html

    *** {02.09.031} Cross - AeroMail CGI multiple vulnerabilities

    The AeroMail PHP CGI suite prior to version 1.45 contains multiple
    vulnerabilities, including: e-mail header spoofing; cross-site
    scripting in Subject line; and attachment of local server files
    to e-mails.

    These vulnerabilities are confirmed and fixed in version 1.45.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8h8+S+LUG5KFpTkYRAkCKAJ40I+HTLQlQn53yWBbMe4bwUY3zVACePh9e
    ETO07VTWBgW6YBF3tlyDmV0=
    =kTcX
    -----END PGP SIGNATURE-----
    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).