From: Network Computing and The SANS Institute (sans+ZZ28933603553873171@sans.org)
Date: Thu May 02 2002 - 14:30:20 CDT



    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                              Number 017 (02.17)
                            Thursday, May 2, 2002
                              Created for you by
                   Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    Compare IT: Get Quotes From Major Players and Rising Stars
    IP-PBX offers real-time unified messaging and computer-telephone
    integration by converging voice and data onto a single server. Our
    interactive Compare IT tool will help you evaluate IP-PBX products and
    get quotes from Altigen, Cisco and Siemens.
    http://www.nwc.com/compareit/comp-1309a.html

    ----------------------------------------------------------------------

    A large gaggle of Solaris vulnerabilities was released this week, so
    Solaris shops should definitely take note of entries in the Solaris
    category. IBM also released a security patch 'rollup' for AIX, which
    features multiple security patches. More information is available
    under item {02.17.016} in the 'AIX' category.

    Until next week,
    --Security Alert Consensus

    ************************************************************************

    TABLE OF CONTENTS:

    {02.17.006} Win - MS02-021: Outlook e-mail editor could execute
                malicious script
    {02.17.009} Win - FTP service STAT DoS
    {02.17.030} Win - vqServer sample CGI CSS vulns
    {02.17.005} Linux - Update {02.14.001}: icecast client_login() overflow
    {02.17.007} Linux - Update {02.12.008}: imlib library multiple overflows
    {02.17.008} Linux - Update {02.15.026}: Squid compressed DNS answer DoS
    {02.17.010} Linux - Update {02.16.027}: OpenSSH AFS/Kerberos support
                overflow
    {02.17.018} Linux - Update {02.09.008}: Multiple vendor RADIUS
                vulnerabilities
    {02.17.019} Linux - Update {02.15.013}: Webalizer reverse DNS lookup
                overflow
    {02.17.027} Linux - Update {02.10.016}: GNU fileutils recursive symlink
                attack
    {02.17.011} Sol - admintool -d and PROVIDERS overflows
    {02.17.012} Sol - lbxproxy display name overflow
    {02.17.014} Sol - cachefsd mount file overflow
    {02.17.032} Sol - admintool media install path overflow
    {02.17.033} Sol - RPC walld syslog format string vulnerability
    {02.17.016} AIX - Security/critical patch rollup
    {02.17.001} HPUX - passwd corrupts password file
    {02.17.002} SGI - syslogd remote overflow
    {02.17.003} SGI - IRISconsole allows login to icadmin account
    {02.17.021} SGI - /dev/ipfilter incorrect permissions lead to DoS
    {02.17.022} SGI - pmcd memory leak DoS
    {02.17.023} SGI - cpr buffer overflow
    {02.17.031} NApps - Blahz-DNS CGI authentication bypass
    {02.17.004} Cross - sudo password prompt heap overflow
    {02.17.013} Cross - Lotus Domino binsock multiple vulnerabilities
    {02.17.015} Cross - dtprintinfo help search keyword overflow
    {02.17.017} Cross - BEA Weblogic URL parsing problems
    {02.17.020} Cross - SHADOW IDS CGI interface command execution
    {02.17.024} Cross - Kerberos FTP client passive response overflow
    {02.17.025} Cross - PHProjekt CGI multiple vulnerabilities
    {02.17.026} Cross - dnstools CGI authentication bypass
    {02.17.028} Cross - PHP-Survey CGI global.inc exposes authentication
                info
    {02.17.029} Cross - P. Chinery Guestbook CGI CSS vulnerability

    --- Windows News ---------------------------------------------------------

    *** {02.17.006} Win - MS02-021: Outlook e-mail editor could execute
                    malicious script

    Microsoft released MS02-021 ("Outlook e-mail editor could execute
    malicious script"). When Outlook 2000 and 2002 are configured to use
    Microsoft Word as the primary e-mail editor, Word can potentially
    execute malicious JavaScript when a user replies or forwards an e-mail
    containing the malicious script.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-021.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0018.html

    *** {02.17.009} Win - FTP service STAT DoS

    A posted advisory indicates a denial of service in the IIS FTP service
    included with IIS 4.0 and 5.0. The DoS is triggered by a particular
    malformed STAT request, which requires the user to be able to log in
    (whether with normal credentials or anonymously).

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0023.html

    *** {02.17.030} Win - vqServer sample CGI CSS vulns

    An advisory surfaced indicating that the sample CGIs included with
    vqServer are vulnerable to cross-site scripting.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0313.html

    --- Linux News -----------------------------------------------------------

    *** {02.17.005} Linux - Update {02.14.001}: icecast client_login()
                    overflow

    Red Hat released updated icecast packages, which fix the vulnerability
    discussed in {02.14.001} ("icecast client_login() overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0024.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0024.html

    *** {02.17.007} Linux - Update {02.12.008}: imlib library multiple
                    overflows

    Mandrake and Caldera released updated imlib packages, which fix
    the vulnerability discussed in {02.12.008} ("imlib library multiple
    overflows").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0358.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0008.html

    Source: Mandrake, Caldera
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0358.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0008.html

    *** {02.17.008} Linux - Update {02.15.026}: Squid compressed DNS answer
                    DoS

    Caldera released updated squid packages, which fix the vulnerability
    discussed in {02.15.026} ("Squid compressed DNS answer DoS").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0369.html

    Source: Caldera
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0369.html

    *** {02.17.010} Linux - Update {02.16.027}: OpenSSH AFS/Kerberos
                    support overflow

    Trustix released updated OpenSSH packages, which fix the vulnerability
    discussed in {02.16.027} ("OpenSSH AFS/Kerberos support overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html

    Source: Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html

    *** {02.17.018} Linux - Update {02.09.008}: Multiple vendor RADIUS
                    vulnerabilities

    SuSE released updated radiusd packages, which fix the vulnerability
    discussed in {02.09.008} ("Multiple vendor RADIUS vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0362.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0362.html

    *** {02.17.019} Linux - Update {02.15.013}: Webalizer reverse DNS
                    lookup overflow

    Conectiva released updated webalizer packages, which fix the
    vulnerability discussed in {02.15.013} ("Webalizer reverse DNS lookup
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0006.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0006.html

    *** {02.17.027} Linux - Update {02.10.016}: GNU fileutils recursive
                    symlink attack

    Caldera released updated fileutils packages, which fix the
    vulnerability discussed in {02.10.016} ("GNU fileutils recursive
    symlink attack").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0007.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0007.html

    --- Solaris News ---------------------------------------------------------

    *** {02.17.011} Sol - admintool -d and PROVIDERS overflows

    The admintool utility shipped with Solaris 2.5 through 8 contains
    buffer overflows in the handling of the -d command-line parameter
    as well as the 'PROVIDERS' configuration file variable, which could
    allow a local attacker to execute arbitrary code with root privileges.

    Sun confirmed this vulnerability; a list of patches is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0035.html

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0035.html

    *** {02.17.012} Sol - lbxproxy display name overflow

    The lbxproxy utility shipped with Solaris 8 contains a buffer overflow
    in the handling of the display name command-line option, which could
    allow a local attacker to gain group 'root' privileges.

    Sun confirmed this vulnerability. The following patches were released:

    Solaris 7: T107654-10
    Solaris 8: 108652-51 & 108653-41
    Solaris 9: 112785-01

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0041.html

    *** {02.17.014} Sol - cachefsd mount file overflow

    The cachefs daemon included with Solaris 2.5.1 through 8 contains a
    buffer overflow in the handling of file system mount points supplied
    by the user, which allows a local attacker to execute arbitrary code
    with elevated privileges.

    Sun confirmed this vulnerability. Patches are currently in the works.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0048.html

    *** {02.17.032} Sol - admintool media install path overflow

    The admintool utility shipped with Solaris 2.6 through 8 contains a
    buffer overflow in the handling of large, user-supplied media install
    paths, which allows a local attacker to execute arbitrary code with
    elevated privileges.

    Sun confirmed this vulnerability; patches are currently in the works.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0043.html

    *** {02.17.033} Sol - RPC walld syslog format string vulnerability

    The walld RPC service included with Solaris 2.5.1 through 8 reportedly
    contains a format string vulnerability in the syslog() function,
    which allows a remote attacker to execute arbitrary code under root
    privileges.

    Sun has not confirmed this vulnerability. Patches are currently
    in development.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0049.html

    --- AIX News -------------------------------------------------------------

    *** {02.17.016} AIX - Security/critical patch rollup

    IBM released APAR IY30431 for AIX 4.3, which fixes critical
    problems including six security problems: pioout buffer overflow;
    mail/mailx core dump; namerslv long argument overflow; uucp overflow;
    template.dhcpo linkage problem; and lsmcode buffer overflow.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q2/0005.html

    --- HP-UX News -----------------------------------------------------------

    *** {02.17.001} HPUX - passwd corrupts password file

    HP released an advisory indicating that the passwd utility shipped
    with HP-UX 11.x corrupts the system password file, which leads to a
    local denial of service.

    Apply the appropriate patch:
    HP-UX 11.00: PHCO_25527
    HP-UX 11.04: PHCO_26904
    HP-UX 11.11: PHCO_24839

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q2/0023.html

    --- SGI News -------------------------------------------------------------

    *** {02.17.002} SGI - syslogd remote overflow

    SGI released an advisory indicating that a remotely exploitable
    buffer overflow exists in the syslog daemon. IRIX 6.5.0 through 6.5.9
    are affected.

    The solution is to upgrade to the latest IRIX release.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0015.html

    *** {02.17.003} SGI - IRISconsole allows login to icadmin account

    SGI released an advisory indicating that a bug in IRISconsole could
    allow someone to log into the icadmin account without supplying the
    appropriate password. This affects IRISconsole version 2.0.

    SGI confirmed this problem and released patch 4038.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0014.html

    *** {02.17.021} SGI - /dev/ipfilter incorrect permissions lead to DoS

    SGI released an advisory indicating that the permissions on the
    /dev/ipfilter device allow a local attacker to cause a denial of
    service on the system. IRIX 6.5.0 through 6.5.10 are affected.

    The solution is to update to a current release of IRIX.

    Source: SGI (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0416.html

    *** {02.17.022} SGI - pmcd memory leak DoS

    SGI released an advisory indicating that a memory leak in the pmcd
    command could result in a local attacker causing a denial of service by
    consuming all available memory. IRIX 6.5.0 through 6.5.10 are affected.

    The official solution is to upgrade to a current IRIX release.

    Source: SGI (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0417.html

    *** {02.17.023} SGI - cpr buffer overflow

    SGI released an advisory indicating that a buffer overflow in the cpr
    command could allow a local attacker to gain root privileges. IRIX
    6.5.0 through 6.5.10 are vulnerable.

    The official fix is to upgrade to a current release of IRIX.

    Source: SGI (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0415.html

    --- Network Appliances News ----------------------------------------------

    *** {02.17.031} NApps - Blahz-DNS CGI authentication bypass

    The Blahz-DNS CGI suite version 0.2 allows remote attackers to access
    internal CGIs, which then allows them to manipulate configuration
    info without providing proper authentication information.

    According to the advisory, the problem is fixed in version 0.25.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0395.html

    --- Cross-Platform News --------------------------------------------------

    *** {02.17.004} Cross - sudo password prompt heap overflow

    Sudo version 1.6.5p2 contains a heap overflow in the handling of the
    password prompt command-line option (-p), which could allow a local
    attacker to execute arbitrary code with elevated privileges.

    Sudo version 1.6.6 is now available at:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

    NetBSD patch available at:
    http://archives.neohapsis.com/archives/netbsd/2002-q2/0049.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0023.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0022.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0017.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0355.html

    OpenBSD patches:
    http://archives.neohapsis.com/archives/openbsd/2002-04/2556.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0366.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0005.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0002.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0393.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0021.html

    Source: NetBSD, Red Hat, Debian, Mandrake, OpenBSD, Slackware,
    Conectiva, EnGarde, Trustix, SuSE (SF Bugtraq)
    http://archives.neohapsis.com/archives/netbsd/2002-q2/0049.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0023.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0022.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0017.html
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0366.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0005.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0002.html
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0393.html
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0355.html
    http://archives.neohapsis.com/archives/openbsd/2002-04/2556.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0021.html

    *** {02.17.013} Cross - Lotus Domino binsock multiple vulnerabilities

    The binsock application included with Lotus Domino prior to version
    5.0.9a contains multiple vulnerabilities: a buffer overflow in the
    handling of the PATH environment variable; predictable temporary file
    names; and a buffer overflow in the handling of the Notes_ExecDirectory.

    The vendor confirmed these vulnerabilities and released version 5.0.9a,
    which fixes the problems.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0044.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0045.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0046.html

    *** {02.17.015} Cross - dtprintinfo help search keyword overflow

    The CDE dtprintinfo utility shipped with various CDE Unix installations
    contains a buffer overflow in the handling of the keywords used in
    the help search facility, which allows a local attacker to execute
    arbitrary code with elevated privileges.

    This vulnerability is confirmed. A list of available patches for
    Solaris, HP-UX, AIX and Tru64 is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0036.html

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0036.html

    *** {02.17.017} Cross - BEA Weblogic URL parsing problems

    A report surfaced indicating that BEA Weblogic's parsing of URLs can
    lead to multiple problems: exposure of the physical path; a denial
    of service; and exposure of JSP file source code. Versions 6.1 SP 2
    and prior are affected.

    BEA confirmed this problem and released a patch, which is available at:
    ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0037.html

    *** {02.17.020} Cross - SHADOW IDS CGI interface command execution

    The analyze CGIs included with the CIDER SHADOW IDS system allow a
    remote attacker to execute arbitrary command-line commands under the
    privileges of the Web server.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0038.html

    *** {02.17.024} Cross - Kerberos FTP client passive response overflow

    The FTP client included with certain Kerberos installations, version
    4-1.1.1, contains a heap overflow in the handling of the server's
    response to a passive request, which allows a malicious FTP server
    to execute arbitrary code on the client system.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0339.html

    *** {02.17.025} Cross - PHProjekt CGI multiple vulnerabilities

    PHProjekt CGI prior to version 3.2 contains multiple vulnerabilities,
    including: SQL injection; authentication bypass; and arbitrary file
    reading.

    These vulnerabilities are corrected in version 3.2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0347.html

    *** {02.17.026} Cross - dnstools CGI authentication bypass

    Dnstools.com's dnstools CGI suite prior to version 2.0 beta 5 does
    not properly track logged-in users, which allows a remote attacker
    to bypass authentication and manipulate DNS configurations.

    These bugs are fixed in version 2.0 beta 5.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0390.html

    *** {02.17.028} Cross - PHP-Survey CGI global.inc exposes
                    authentication info

    The PHP-Survey CGI suite has a global.inc file that contains
    configuration information, including database authentication info. A
    remote attacker can request the global.inc file without restriction.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0383.html

    *** {02.17.029} Cross - P. Chinery Guestbook CGI CSS vulnerability

    Philip Chinery's Guestbook CGI version 1.1 is vulnerable to cross-site
    scripting in various fields.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0309.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).