From: Network Computing and The SANS Institute (sans+ZZ67753842712424077_at_sans.org)
Date: Thu Oct 17 2002 - 14:32:06 CDT



    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 041 (02.41)
                      Thursday, October 17, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    TechQuiz: Threat Management
    It's the last chance to try your hand at our TechQuiz on managing
    security concerns. Answer all our editors' questions correctly, and you
    could win a Microsoft Xbox from our sponsor, Symantec.
    http://www.nwc.com/techquiz/

    ************************** End Advertisement *************************

    This week's three notable bugs are all in the "Cross-Platform"
    category: a denial of service problem in the HTTP proxy service
    included with the various Symantec firewall products (reported as item
    {02.41.029}); a multivendor ypxfrd bug, which lets local users read
    arbitrary files on the system (item {02.41.018}); and an improper
    check in the Shockwave Flash player, which lets Flash movies/Web
    sites read local files (reported as item {02.41.024}).

    Remember, if you're not subscribed to the appropriate category, you
    won't get those items. But don't despair: you can always catch them
    online, in full, at http://archives.neohapsis.com/archives/sac/2002/.
    You will also find past SAC issues in the same place.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.41.016} Win - MS02-058: Outlook Express S/MIME parsing buffer
                overflow
    {02.41.021} Win - MondoSearch CGI file viewing
    {02.41.025} Win - PowerFTP large data stream overflow
    {02.41.026} Win - SurfControl SuperScout admin server vulnerabilities
    {02.41.028} Win - Daniel Arenz' Mini Server Web root escaping
    {02.41.001} Linux - Update {02.40.029}: Bugzilla multiple
                vulnerabilities
    {02.41.002} Linux - Update {02.39.006}: Fetchmail multiple
                vulnerabilities
    {02.41.003} Linux - Update {02.37.007}: Konqueror subframe CSS and
                insecure cookie vulnerabilities
    {02.41.004} Linux - Update {02.39.013}: gv sscanf() overflow
    {02.41.005} Linux - Update {02.39.004}: unzip file extraction directory
                traversal
    {02.41.006} Linux - Update {02.39.003}: GNU tar file extraction
                directory traversal
    {02.41.007} Linux - Update {02.38.006}: SquirrelMail CGI multiple CSS
                vulnerabilities
    {02.41.008} Linux - heartbeat daemon format string overflow
    {02.41.009} Linux - Update {02.32.017}: xinetd signal pipe descriptor
                DoS
    {02.41.010} Linux - Update {02.40.013}: Apache host name CSS, ab
                overflow and shared memory vulnerabilities
    {02.41.011} Linux - Update {01.45.013}: teTeX insecure temp file and
                dvips invocation
    {02.41.023} SGI - Multiple IRIX vulnerabilities: rpcbind; uux; mv;
                fsr_efs
    {02.41.013} SCO - Update {02.26.002}: DNS libresolve/resolver buffer
                overflow
    {02.41.017} Other - Update {02.10.014}: zlib double free decompression
                bug
    {02.41.019} Other - Tru64 routed allows file access
    {02.41.012} Cross - syslog-ng macro expansion overflow
    {02.41.014} Cross - KGhostview sscanf() format string vulnerabilities
    {02.41.015} Cross - kpf arbitrary file retrieval
    {02.41.018} Cross - ypxfrd arbitrary file reading
    {02.41.020} Cross - Oracle listener SERVER_CURLOAD DoS
    {02.41.022} Cross - MySimpleNews PHP CGI script execution
    {02.41.024} Cross - Flash XML functions can read local files
    {02.41.027} Cross - phpRank CGI multiple vulnerabilities
    {02.41.029} Cross - Symantec firewall HTTP proxy DNS timeout DoS
    {02.41.030} Cross - Symantec firewall CONNECT host scanning

    - --- Windows News -------------------------------------------------------

    *** {02.41.016} Win - MS02-058: Outlook Express S/MIME parsing buffer
                    overflow

    Microsoft released MS02-058 ("Outlook Express S/MIME parsing buffer
    overflow"). The S/MIME signature verification code in Outlook Express
    contains a buffer overflow in its parsing of digital signatures, so a
    specially crafted signed e-mail can execute arbitrary code on the
    recipient's system with that user's privileges.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-058.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0004.html

    *** {02.41.021} Win - MondoSearch CGI file viewing

    The MondoSearch CGI suite discloses the contents of files in the
    Web root when the target file name is supplied in the mask URL
    parameter of the MsmMask.exe CGI. Since server-side scripts live in
    the Web root, this can expose Web application source code.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0147.html

    *** {02.41.025} Win - PowerFTP large data stream overflow

    PowerFTP Personal FTP Server version 2.24 reportedly contains a
    buffer overflow in its handling of large amounts of data sent by a
    remote client. Whether arbitrary code execution is possible is not
    known.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0124.html

    *** {02.41.026} Win - SurfControl SuperScout admin server
                    vulnerabilities

    The administrative HTTP server included with SurfControl's SuperScout
    suite reportedly contains four vulnerabilities: cross-site scripting
    in the handling of error messages; remotely retrievable plain-text
    user names and passwords; and two denial of service conditions
    triggered by malformed HTTP requests.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html

    *** {02.41.028} Win - Daniel Arenz' Mini Server Web root escaping

    Daniel Arenz' Mini (HTTP) Server version 2.1.6 reportedly does not
    properly validate the path in HTTP requests, thereby allowing remote
    attackers to read files outside the Web root.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0181.html

    - --- Linux News ---------------------------------------------------------

    *** {02.41.001} Linux - Update {02.40.029}: Bugzilla multiple
                    vulnerabilities

    Debian released updated Bugzilla packages, which fix the
    vulnerabilities discussed in {02.40.029} ("Bugzilla multiple
    vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0121.html

    *** {02.41.002} Linux - Update {02.39.006}: Fetchmail multiple
                    vulnerabilities

    Red Hat released updated Fetchmail packages, which fix the
    vulnerabilities discussed in {02.39.006} ("Fetchmail multiple
    vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0010.html

    *** {02.41.003} Linux - Update {02.37.007}: Konqueror subframe CSS and
                    insecure cookie vulnerabilities

    Mandrake released updated kdelibs packages, which fix the
    vulnerabilities discussed in {02.37.007} ("Konqueror subframe CSS
    and insecure cookie vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0013.html

    *** {02.41.004} Linux - Update {02.39.013}: gv sscanf() overflow

    Red Hat released updated gv packages, which fix the vulnerability
    discussed in {02.39.013} ("gv sscanf() overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0011.html

    *** {02.41.005} Linux - Update {02.39.004}: unzip file extraction
                    directory traversal

    Mandrake released updated unzip packages, which fix the vulnerability
    discussed in {02.39.004} ("unzip file extraction directory traversal").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0016.html

    *** {02.41.006} Linux - Update {02.39.003}: GNU tar file extraction
                    directory traversal

    Mandrake released updated tar packages, which fix the vulnerability
    discussed in {02.39.003} ("GNU tar file extraction directory
    traversal").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0018.html

    *** {02.41.007} Linux - Update {02.38.006}: Squirrel mail CGI multiple
                    CSS vulnerabilities

    Red Hat released updated SquirrelMail packages, which fix the
    vulnerabilities discussed in {02.38.006} ("SquirrelMail CGI multiple
    CSS vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0016.html

    *** {02.41.008} Linux - heartbeat daemon format string overflow

    The heartbeat daemon used for high-availability Linux clusters
    contains several format string vulnerabilities that a remote attacker
    can exploit to execute arbitrary code on the system with root
    privileges.

    SuSE and Debian confirmed this vulnerability.

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0203.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0224.html

    Source: SuSE, Debian
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0203.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0224.html

    *** {02.41.009} Linux - Update {02.32.017}: xinetd signal pipe
                    descriptor DoS

    Red Hat released updated xinetd packages, which fix the vulnerability
    discussed in {02.32.017} ("xinetd signal pipe descriptor DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0208.html

    *** {02.41.010} Linux - Update {02.40.013}: Apache host name CSS, ab
                    overflow and shared memory vulnerabilities

    Mandrake released updated Apache packages, which fix the
    vulnerabilities discussed in {02.40.013} ("Apache host name CSS,
    ab overflow and shared memory vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0022.html

    *** {02.41.011} Linux - Update {01.45.013}: teTeX insecure temp file
                    and dvips invocation

    Red Hat released updated teTeX packages, which fix the vulnerability
    discussed in {01.45.013} ("teTeX insecure temp file and dvips
    invocation").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0018.html

    - --- SGI News -----------------------------------------------------------

    *** {02.41.023} SGI - Multiple IRIX vulnerabilities: rpcbind; uux; mv;
                    fsr_efs

    SGI released patches that fix various vulnerabilities found in
    the rpcbind, uux, mv and fsr_efs utilities. IRIX prior to 6.5.18
    is vulnerable.

    A full list of patches is available at the reference URL below.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q4/0014.html

    - --- SCO News -----------------------------------------------------------

    *** {02.41.013} SCO - Update {02.26.002}: DNS libresolve/resolver
                    buffer overflow

    Caldera/SCO released updated packages, which fix the vulnerability
    discussed in {02.26.002} ("DNS libresolve/resolver buffer overflow").

    OpenServer 5.0.5 and 5.0.6 updates are available at:
    ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.39

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0001.html

    - --- Other News ---------------------------------------------------------

    *** {02.41.017} Other - Update {02.10.014}: zlib double free
                    decompression bug

    Compaq/HP released updates for Tru64, which fix the vulnerability
    discussed in {02.10.014} ("zlib double free decompression bug").

    Updates are available at:
    ftp://ftp1.support.compaq.com/public/unix/v5.1a/t64v51ab03as0003-20020827.tar

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q4/0011.html

    *** {02.41.019} Other - Tru64 routed allows file access

    Compaq/HP reported that the routed daemon shipped with Tru64 versions
    4.0F through 5.1A allows a remote attacker to access 'unauthorized
    files' on the system.

    Tru64 ERPs are listed at the reference URL below.

    Source: Compaq/HP
    http://archives.neohapsis.com/archives/compaq/2002-q4/0008.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.41.012} Cross - syslog-ng macro expansion overflow

    Versions 1.4.15 and prior of the syslog-ng daemon do not properly
    expand macro strings in configuration templates, which leads to a
    remotely exploitable buffer overflow that can execute arbitrary code
    under certain configurations.

    The vendor confirmed this vulnerability and released a patch, which
    is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0151.html

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0256.html

    Source: SecurityFocus Bugtraq, Debian
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0151.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0256.html

    *** {02.41.014} Cross - KGhostview sscanf() format string
                    vulnerabilities

    The KGhostview utility included with KDE versions 1.1 through 3.0.3a
    contains a format string vulnerability that lets a malicious
    PostScript or PDF file execute arbitrary code when it is viewed. This
    is the same flaw reported for gv in {02.39.013} ("gv sscanf()
    overflow").

    KDE version 3.0.4 fixes the vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0163.html

    *** {02.41.015} Cross - kpf arbitrary file retrieval

    The kpf public file server utility included with KDE versions 3.0.1
    through 3.0.3a contains a vulnerability that lets a remote attacker
    retrieve arbitrary files outside the directory chosen for sharing.

    The vendor confirmed this vulnerability. A fix is available in KDE
    version 3.0.4.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0164.html

    *** {02.41.018} Cross - ypxfrd arbitrary file reading

    The ypxfrd daemon (the NIS map transfer server) included with various
    OSs (Solaris, SCO OpenServer and Caldera OpenLinux, in particular)
    allows a remote attacker to read arbitrary files whose names end in
    .pag or .dir. Attackers with local (non-root) access can extend this
    to any file on the system: they create a symlink with a .pag or .dir
    extension that points at the target file, then request the link
    through ypxfrd.

    This vulnerability is confirmed.

    Caldera/SCO OpenServer updates are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0000.html

    Compaq/HP Tru64 ERPs are listed at:
    http://archives.neohapsis.com/archives/compaq/2002-q4/0007.html

    Source: VulnWatch, Caldera/SCO, Compaq/HP
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0018.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0000.html
    http://archives.neohapsis.com/archives/compaq/2002-q4/0007.html
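    Added example (Python), not code from the newsletter or from any of the
    affected products: the kpf, Mini Server and ypxfrd items above all come
    down to one missing check, confinement of a requested name to a base
    directory. The block below shows the extension-only check ypxfrd is
    described as relying on, then a confined open that rejects both ".."
    traversal (the kpf / Mini Server case) and the .pag symlink trick. The
    directory layout, file names and "shadow" contents are constructed for
    the demonstration.

```python
import errno
import os
import stat
import tempfile


def naive_is_allowed(name: str) -> bool:
    """The weak check: only the requested name's extension is examined."""
    return name.endswith((".pag", ".dir"))


def confined_open(base: str, name: str, allowed_exts=None):
    """Open base/name only if it resolves inside base and is a regular file.

    allowed_exts=None means any extension (a Web root); a tuple restricts
    the names served, as a map-transfer daemon would want.
    """
    if allowed_exts and not name.endswith(tuple(allowed_exts)):
        raise PermissionError(f"{name}: extension not allowed")
    base_real = os.path.realpath(base)
    path = os.path.join(base_real, name)
    # Traversal check: after resolving every "..", and every symlink in the
    # path, the result must still sit under the base directory.
    if os.path.commonpath([base_real, os.path.realpath(path)]) != base_real:
        raise PermissionError(f"{name}: escapes {base}")
    # Symlink check, done by the open itself (O_NOFOLLOW) rather than by an
    # lstat() beforehand, so the name cannot be re-pointed in between.
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise PermissionError(f"{name}: is a symbolic link") from e
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{name}: not a regular file")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo() -> dict:
    """Build a throw-away layout (constructed, not real NIS data) and run both checks."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        maps = os.path.join(tmp, "maps")
        os.mkdir(maps)
        secret = os.path.join(tmp, "shadow")  # stands in for /etc/shadow
        with open(secret, "w") as f:
            f.write("root:$1$fakehash:12345::::::\n")
        with open(os.path.join(maps, "passwd.byname.pag"), "wb") as f:
            f.write(b"legit map data")
        # The local attacker's move from the ypxfrd item: a .pag link to the target.
        os.symlink(secret, os.path.join(maps, "evil.pag"))

        out["naive_accepts_symlink"] = naive_is_allowed("evil.pag")
        with confined_open(maps, "passwd.byname.pag", (".pag", ".dir")) as f:
            out["legit"] = f.read()
        for label, name, exts in [
            ("symlink", "evil.pag", (".pag", ".dir")),  # ypxfrd case
            ("traversal", "../shadow", None),           # Web root / kpf case
        ]:
            try:
                confined_open(maps, name, exts).close()
                out[label] = "opened"
            except PermissionError:
                out[label] = "refused"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

    The realpath() comparison alone already catches a link whose target is
    outside the base; O_NOFOLLOW is what catches a link to a file inside
    the base that carries the wrong extension, and it closes the window
    between checking and opening.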

    *** {02.41.020} Cross - Oracle listener SERVER_CURLOAD DoS

    The Oracle listener included with Oracle 8i and 9i is vulnerable to a
    denial of service in its handling of the SERVER_CURLOAD command.
    Further details were not provided.

    The advisory indicates confirmation by the vendor, which released
    a patch.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0017.html

    *** {02.41.022} Cross - MySimpleNews PHP CGI script execution

    The MySimpleNews PHP CGI suite version 1 allows a remote attacker to
    execute arbitrary PHP code supplied in various URL parameters to the
    users.php script.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0027.html

    *** {02.41.024} Cross - Flash XML functions can read local files

    A Macromedia advisory indicates that the Flash/Shockwave player
    allows a malicious Flash file to read files from the local user's
    system and potentially send those files over the Internet.

    The vendor confirmed this vulnerability and released an updated
    Shockwave/Flash player version.

    Source: Macromedia
    http://archives.neohapsis.com/archives/vendor/2002-q4/0001.html

    *** {02.41.027} Cross - phpRank CGI multiple vulnerabilities

    The phpRank CGI suite version 1.8 reportedly contains multiple
    vulnerabilities: various cross-site scripting problems; the
    administrative password is stored and handled in plaintext; the
    authentication mechanism 'fails open' (grants access) when the
    database is not available; "unique" random IDs are derived from
    time() and are therefore predictable; and update.php does not
    perform a proper authentication check.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0148.html
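    Added example (Python, not phpRank's own code, which is PHP) for two of
    the phpRank weaknesses above: an ID derived from time() and an
    authentication check that fails open. The time()-based ID construction
    (MD5 of the whole-second timestamp) is an assumed stand-in, not what
    phpRank does; the point is that any ID computed from the clock can be
    recovered by trying every second in a window around the issue time.
    The user records and timestamp are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def weak_session_id(issued_at: float) -> str:
    """Assumed time()-derived ID: hash of the issue time, one value per second."""
    return hashlib.md5(str(int(issued_at)).encode()).hexdigest()


def recover_weak_id(observed: str, approx_time: float, window: int = 3600) -> Optional[int]:
    """Attacker who knows roughly when an ID was issued tries every second near it."""
    start = int(approx_time) - window
    for t in range(start, int(approx_time) + window + 1):
        if weak_session_id(t) == observed:
            return t
    return None


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG; no relation to the clock, nothing to search."""
    return secrets.token_hex(16)


class DatabaseDown(Exception):
    """Raised by the lookup when the backend is unreachable."""


def make_record(password: str) -> tuple:
    """Salted, slow hash instead of the plaintext password phpRank is said to store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _lookup(db, username):
    if db is None:
        raise DatabaseDown("backend unreachable")
    return db.get(username)


def _verify(record, password: str) -> bool:
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


def auth_fail_open(db, username: str, password: str) -> bool:
    """The phpRank-style bug: an outage is treated as a successful login."""
    try:
        record = _lookup(db, username)
    except DatabaseDown:
        return True
    return _verify(record, password)


def auth_fail_closed(db, username: str, password: str) -> bool:
    """Corrected form: any error on the path to a decision denies access."""
    try:
        record = _lookup(db, username)
    except DatabaseDown:
        return False
    return _verify(record, password)


if __name__ == "__main__":
    issued = 1034865126  # constructed: a moment in October 2002
    sid = weak_session_id(issued)
    print("recovered issue time:", recover_weak_id(sid, issued + 120, window=600))
    print("strong id:", strong_session_id())
    users = {"admin": make_record("s3cret")}
    print("db down, fail-open  :", auth_fail_open(None, "admin", "anything"))
    print("db down, fail-closed:", auth_fail_closed(None, "admin", "anything"))
```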

    *** {02.41.029} Cross - Symantec firewall HTTP proxy DNS timeout DoS

    The HTTP proxy service included with the various Symantec firewall
    products (Raptor, VelociRaptor, Symantec Enterprise Firewall and
    Symantec Gateway Security) is vulnerable to a denial of service
    attack. An attacker sends HTTP requests for hosts in a nonexistent
    DNS zone, and the service hangs on the name lookup until the DNS
    timeout (five minutes by default) expires.

    Symantec confirmed this vulnerability and released a patch, which is
    available at:
    http://www.symantec.com/techsupp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0189.html

    *** {02.41.030} Cross - Symantec firewall CONNECT host scanning

    The Symantec Enterprise Firewall and Raptor Firewall return different
    responses to an external attacker who submits CONNECT proxy requests
    for various internal hosts. Comparing the responses lets the attacker
    enumerate which internal hosts are reachable.

    Symantec confirmed this vulnerability and released patches, which
    are available at:
    http://www.symantec.com/techsupp/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0190.html
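    Added example (Python), not from the advisory or Symantec: the CONNECT
    scan above as a practitioner would verify it against a proxy of their
    own, plus the grouping step that turns differing responses into a
    host list. The advisory does not say which responses the firewall
    returns, so the status lines in the main block are constructed
    samples; only the grouping logic depends on them, not the probe.
    Run probe() only against proxies you are authorized to test.

```python
from __future__ import annotations

import socket
from collections import defaultdict
from typing import Optional


def build_connect(target: str, port: int) -> bytes:
    """CONNECT request as a proxy expects it, HTTP/1.0 so no keep-alive ambiguity."""
    return f"CONNECT {target}:{port} HTTP/1.0\r\nHost: {target}:{port}\r\n\r\n".encode()


def parse_status_line(raw: bytes) -> Optional[tuple]:
    """Return (code, reason) from the first line of an HTTP response, or None if not HTTP."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def probe(proxy: tuple, target: str, port: int, timeout: float = 5.0) -> bytes:
    """Send one CONNECT through the proxy and return whatever comes back first."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect(target, port))
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def group_by_response(results: dict) -> dict:
    """Map each distinct response to the targets that produced it.

    Targets in the minority groups are the ones the proxy treated
    differently, which is the signal the advisory describes.
    """
    groups = defaultdict(list)
    for target, raw in results.items():
        status = parse_status_line(raw)
        if status:
            key = f"{status[0]} {status[1]}"
        else:
            key = "timeout" if not raw else "non-http"
        groups[key].append(target)
    return dict(groups)


def sweep(proxy: tuple, targets, port: int = 80) -> dict:
    """Probe every target once and group the raw responses."""
    return group_by_response({t: probe(proxy, t, port) for t in targets})


if __name__ == "__main__":
    # Constructed responses standing in for a real sweep; the actual strings
    # a Symantec proxy returns are not given in the advisory.
    sample = {
        "10.0.0.5": b"HTTP/1.0 200 Connection established\r\n\r\n",
        "10.0.0.6": b"HTTP/1.0 503 Service Unavailable\r\n\r\n",
        "10.0.0.7": b"",
    }
    for response, hosts in group_by_response(sample).items():
        print(f"{response!r}: {hosts}")
```

    The fix on the proxy side is to make every CONNECT from an
    unauthorized source look the same regardless of the target, which is
    what Symantec's patches are for; the grouping above is also a quick
    regression check after applying them.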

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9rw44+LUG5KFpTkYRAmNjAKCLRr596938/fQwY8+EGPgPabhG8wCfVz5G
    l8AabAclzI5OPSPm7lMw7Nc=
    =NEOM
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).