From: Network Computing and The SANS Institute (sans+ZZ35398452504954681_at_sans.org)
Date: Thu Oct 31 2002 - 14:04:55 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 043 (02.43)
Thursday, October 31, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics.
ALERT: Test and assess your Web Applications TODAY!
Hackers exploiting Web applications gain entry to backend data via Port
80 and 443! Firewalls and IDS don't stop these attacks because hackers
using the Web App Layer are NOT seen as intruders. Are you vulnerable?
15-Day *Free* Trial! Download now!
http://www.spidynamics.com/mktg/freewebinspect9
************************** End Advertisement *************************
The big buzz this week is over the kadmind Kerberos buffer overflow,
reported last week and updated this week. A working exploit is out
there and attackers are using it, so make sure to apply those patches
sooner rather than later.
In other news, Windows 2000 was recently awarded the Common Criteria
security certification. Of course, it requires Service Pack 3 and some
additional hot fixes to get to that level. Vanilla, out-of-the-box
Windows 2000 doesn't cut it by itself, but it's good to know that it
has been approved...and just in time to start planning your migration
to Windows XP and .NET Server.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.43.014} Win - MDaemon server long POP3 DELE/UIDL DoS
{02.43.016} Win - Norton AV Corp Edition winhlp32 local privilege
escalation
{02.43.018} Win - BRS WebWeaver server protected file access
{02.43.019} Win - BadBlue Web server protected file access
{02.43.020} Win - Liteserve Web server protected file access
{02.43.022} Win - SolarWinds TFTP server tftproot escaping
{02.43.001} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
{02.43.002} Linux - Update {02.41.014}: KGhostview sscanf() format
string vulnerability
{02.43.003} Linux - Update {02.35.003}: Ethereal ISIS decode overflow
{02.43.004} Linux - Update {02.19.017}: uudecode insecure output file
handling
{02.43.005} Linux - Update {02.21.023}: pam_ldap logging function
format string vulnerability
{02.43.006} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.43.007} Linux - ypserv memory leak DoS
{02.43.008} Linux - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
{02.43.011} Linux - Update {02.20.025}: bzip2 insecure temp file
handling and overwrite vulnerabilities
{02.43.025} Linux - Update {02.15.013}: Webalizer reverse DNS lookup
overflow
{02.43.026} Linux - Update {01.45.013}: teTeX insecure temp file and
dvips invocation
{02.43.023} BSD - trek game buffer overflow
{02.43.009} Cross - Molly IRC bot command execution
{02.43.010} Cross - Perlbot IRC bot command execution
{02.43.012} Cross - Mailreader.com Perl CGI file read and command
execution
{02.43.013} Cross - phpBB CGI admin_ug_auth.php improper authorization
check
{02.43.015} Cross - Oracle9iAS Web Cache 2 DoS vulnerabilities
{02.43.017} Cross - Acuma Acusend direct file access
{02.43.021} Cross - vpopmail CGIs multiple command execution
{02.43.024} Cross - IBM WebSphere proxy CSS and DoS
--- Windows News -------------------------------------------------------
*** {02.43.014} Win - MDaemon server long POP3 DELE/UIDL DoS
MDaemon server version 6 reportedly does not properly handle
large parameters passed to the DELE and UIDL commands in the POP3
service. The service crashes, resulting in a denial of service.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0382.html
*** {02.43.016} Win - Norton AV Corp Edition winhlp32 local privilege
escalation
Norton Antivirus Corporate Edition prior to version 7.6.1 build
35a allows a local user to gain local system privileges because the
'Scan for Viruses...' GUI runs the help subsystem with local system
privileges.
The vendor confirmed this vulnerability and released updated versions.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0346.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0369.html
*** {02.43.018} Win - BRS WebWeaver server protected file access
BRS WebWeaver HTTP server version 1.01 reportedly allows remote
attackers to access password-protected Web directories and files by
submitting a particular malformed HTTP request.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0043.html
*** {02.43.019} Win - BadBlue Web server protected file access
BadBlue Web server version 1.7 reportedly allows remote attackers to
access password-protected Web directories and files by submitting a
particular malformed HTTP request.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0041.html
*** {02.43.020} Win - Liteserve Web server protected file access
Liteserve Web server version 2.0 reportedly allows remote attackers
to access password-protected Web directories and files by submitting
a particular malformed HTTP request.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0042.html
*** {02.43.022} Win - SolarWinds TFTP server tftproot escaping
SolarWinds TFTP Server prior to version 5.0.60 allows requests for
files outside the tftp root directory by using reverse-directory
notation ('..') in TFTP get requests. A denial of service attack was
also reported; a large request will cause the service to crash.
These vulnerabilities are confirmed and fixed in versions 5.0.60
or later.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0044.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0040.html
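A defender-side check for the two failure modes described above, the tftproot escape via '..' and the crash on an oversized request, written as an added example; it is not SolarWinds code or part of the advisory, and the function names, the MAX_NAME_LEN limit and the sample paths are assumptions for illustration.

```python
import posixpath

# Constructed limit for this example: the advisory also reports that an
# oversized request crashes the service, so the name is bounded before
# any path logic runs. Real servers pick their own value.
MAX_NAME_LEN = 255


class PathEscape(ValueError):
    """The requested name would resolve to a path outside tftproot."""


def resolve_tftp_path(tftproot, requested):
    """Confine a TFTP RRQ/WRQ filename to tftproot (POSIX-style paths).
    Returns the resolved path; raises PathEscape when the request
    escapes the root and ValueError for names that are malformed."""
    if not requested or len(requested) > MAX_NAME_LEN:
        raise ValueError("empty or oversized filename")
    if "\x00" in requested:
        raise ValueError("NUL byte in filename")
    # A Windows server that only splits on '/' would treat '..\\' as an
    # ordinary component, so treat both separators alike.
    name = requested.replace("\\", "/")
    # Refuse drive-qualified names ('C:\\boot.ini'); the leading slash of
    # an absolute request is dropped so it is read relative to the root.
    if len(name) >= 2 and name[1] == ":":
        raise PathEscape("drive-qualified path")
    name = name.lstrip("/")
    # normpath collapses '.', '..' and repeated slashes without touching
    # the filesystem; any '..' that survives points above the root.
    normalized = posixpath.normpath(name)
    if normalized in ("", "."):
        raise ValueError("no file named")
    if normalized == ".." or normalized.startswith("../"):
        raise PathEscape("request escapes tftproot: %r" % requested)
    candidate = posixpath.join(tftproot, normalized)
    # Defence in depth: the joined path must share tftproot as a common
    # prefix on a component boundary, not merely as a string prefix.
    if posixpath.commonpath([tftproot, candidate]) != posixpath.normpath(tftproot):
        raise PathEscape("request escapes tftproot: %r" % requested)
    return candidate


def is_confined(tftproot, requested):
    """True when the request maps inside tftproot, False otherwise."""
    try:
        resolve_tftp_path(tftproot, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, including the '..' escape and the
    # oversized name the advisory describes.
    for req in ("pxelinux.0", "..\\..\\boot.ini", "configs/../../x", "a" * 300):
        print("%-20r confined=%s" % (req[:20], is_confined("/srv/tftp", req)))
```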
--- Linux News ---------------------------------------------------------
*** {02.43.001} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
Multiple vendors released updated mod_ssl packages, which fix the
vulnerability discussed in {02.42.013} ("Apache mod_ssl host name
CSS").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0056.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0005.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0385.html
Source: Mandrake, EnGarde, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0056.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0005.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0385.html
*** {02.43.002} Linux - Update {02.41.014}: KGhostview sscanf() format
string vulnerability
Mandrake and Debian released updated kdegraphics packages, which
fix the vulnerability discussed in {02.41.014} ("KGhostview sscanf()
format string vulnerability").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0055.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0413.html
Source: Mandrake, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0055.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0413.html
*** {02.43.003} Linux - Update {02.35.003}: Ethereal ISIS decode
overflow
Caldera released updated ethereal packages, which fix the vulnerability
discussed in {02.35.003} ("Ethereal ISIS decode overflow").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0004.html
*** {02.43.004} Linux - Update {02.19.017}: uudecode insecure output
file handling
Caldera released updated sharutils packages, which fix the
vulnerability discussed in {02.19.017} ("uudecode insecure output
file handling").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0005.html
*** {02.43.005} Linux - Update {02.21.023}: pam_ldap logging function
format string vulnerability
Caldera released updated pam_ldap packages, which fix the vulnerability
discussed in {02.21.023} ("pam_ldap logging function format string
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0006.html
*** {02.43.006} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
EnGarde rereleased updated syslog-ng packages, which fix the
vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
overflow").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0006.html
*** {02.43.007} Linux - ypserv memory leak DoS
The NIS server ypserv prior to version 2.5 contains a memory leak that
is triggered by remote requests for nonexistent maps. Repeated requests
of this kind eventually exhaust memory, resulting in a denial of
service.
This vulnerability is confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0367.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0031.html
Source: Debian, Red Hat
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0367.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0031.html
*** {02.43.008} Linux - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
Multiple vendors released updated krb packages, which fix the
vulnerability discussed in {02.42.020} ("Heimdal kadmind multiple
vulnerabilities").
A patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0370.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0006.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0444.html
Source: Conectiva, Debian, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0006.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0444.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0370.html
*** {02.43.011} Linux - Update {02.20.025}: bzip2 insecure temp file
handling and overwrite vulnerabilities
Caldera released updated bzip2 packages, which fix the vulnerabilities
discussed in {02.20.025} ("bzip2 insecure temp file handling and
overwrite vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0007.html
*** {02.43.025} Linux - Update {02.15.013}: Webalizer reverse DNS
lookup overflow
Caldera released updated Webalizer packages, which fix the
vulnerability discussed in {02.15.013} ("Webalizer reverse DNS lookup
overflow").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0003.html
*** {02.43.026} Linux - Update {01.45.013}: teTeX insecure temp file
and dvips invocation
Mandrake released updated tetex packages, which fix the vulnerability
discussed in {01.45.013} ("teTeX insecure temp file and dvips
invocation").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0039.html
--- BSD News -----------------------------------------------------------
*** {02.43.023} BSD - trek game buffer overflow
A NetBSD advisory indicates that the trek game contains a buffer
overflow in the handling of keyboard input. This overflow allows a
local attacker to gain group 'games' privileges.
NetBSD-1.5, -1.6 and -current as of Oct. 22, 2002, contain the fix.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0113.html
--- Cross-Platform News ------------------------------------------------
*** {02.43.009} Cross - Molly IRC bot command execution
The Molly IRC bot version 0.5 reportedly allows malicious IRC users
to run arbitrary commands on the system running the Molly IRC bot,
since the bot's various plug-ins do not properly filter user data
before passing it to a command-line shell.
The advisory indicates vendor confirmation. Workaround patches are
available at the reference URL below.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0028.html
*** {02.43.010} Cross - Perlbot IRC bot command execution
The Perlbot IRC bot version 1.0 beta reportedly does not properly
filter user data from incoming IRC queries, thereby allowing
malicious IRC users to run arbitrary command-line commands on the
system running Perlbot.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0029.html
*** {02.43.012} Cross - Mailreader.com Perl CGI file read and command
execution
The Mailreader.com Perl CGI suite version 2.3.31 reportedly
contains two vulnerabilities: nph-mr.cgi allows access to files
outside the Web root via reverse-directory notation ('..') in the
'configLanguage' URL parameter; and the 'RealEmail' configuration
option is passed to a command-line shell, thereby allowing command
execution.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0387.html
*** {02.43.013} Cross - phpBB CGI admin_ug_auth.php improper
authorization check
The admin_ug_auth.php script included in the phpBB CGI suite version
2.0.0 does not properly check for administrative access before
accepting data, thereby allowing a malicious user to elevate a normal
user account to administrative status.
The advisory indicates vendor confirmation; versions after 2.0.0
reportedly are not vulnerable.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0385.html
*** {02.43.015} Cross - Oracle9iAS Web Cache 2 DoS vulnerabilities
Oracle9iAS Web Cache version 9.0.2.0.0 crashes in two situations:
when it receives an HTTP request containing /../ in the request URL;
and when it receives an HTTP request with a 'Transfer-encoding:
chunked' header.
The vendor confirmed this vulnerability. More information is
available at:
http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0047.html
*** {02.43.017} Cross - Acuma Acusend direct file access
Acuma's Acusend version 4 reportedly allows users to access another
user's documents if they can find the appropriate URL to those
documents. Other factors also potentially make brute-forcing the
URL easy.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0366.html
*** {02.43.021} Cross - vpopmail CGIs multiple command execution
The vpopmail-CGIApps CGI suite prior to version 0.3 does not
properly filter out shell metacharacters from input to the vpasswd
and vadddomain CGI scripts, thereby allowing a remote attacker to
execute arbitrary command-line commands on the system.
The advisory indicates confirmation by the vendor, which released
version 0.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0356.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0353.html
*** {02.43.024} Cross - IBM WebSphere proxy CSS and DoS
IBM Web Traffic Express Caching Proxy Server (included with IBM
WebSphere Edge Server bundle) versions 3.6 and 4.x contain multiple
vulnerabilities: cross-site scripting issues in the handling of various
URL requests and HTTP headers; and a denial of service attack against
the helpout.exe CGI, which causes the entire proxy to crash.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0038.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0039.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).