Security Alert Consensus #028

From: Network Computing and The SANS Institute (sanssans.org)
Date: Thu Jul 17 2003 - 18:04:05 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 028 (03.28)
                  Thursday, July 17, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensusnwc.com>.

************************* Begin Advertisement ************************

This issue sponsored by Captus Networks.
Stop DDoS Attacks, Worms & Port Scans, Quickly & Easily!
Prevent Network Attacks - Automatically
Control P2P & IM Traffic, Block Bulk E-mail
FREE Vulnerability Assessment Toolkit & WhitePaper
http://www.captusnetworks.com/ads/19.htm

************************** End Advertisement *************************

Three big bugs were released this week. The first is a remote RPC DCOM
overflow in all versions of Windows NT/2000/XP/2003 (MS03-026). Access
to port 135 on a vulnerable machine is all that's needed. More
information is available as item {03.28.006}. And then there is a Linux
rpc.mountd overflow, reported as item {03.28.004}. Lastly, all versions
of Cisco IOS on routing platforms are vulnerable to a denial of service
that could halt the processing on the targeted interface. This bug is
further reported in item {03.28.016}.

Until next week,
--Security Alert Consensus Team

************************************************************************


TABLE OF CONTENTS:

{03.28.001} Win - Gattaca Server multiple vulns
{03.28.002} Win - MDaemon SELECT and EXAMINE overflows
{03.28.006} Win - MS03-026: DCOM RPC buffer overflow
{03.28.007} Win - MS03-027: Windows Shell desktop.ini custom attribute
            overflow
{03.28.008} Win - MS03-028: ISA Server error pages XSS
{03.28.010} Win - MS Jet OLEDB select argument overflow
{03.28.014} Win - Storefront CGI login SQL tampering
{03.28.015} Win - ASP-DEV Forum CGI unrestricted admin access
{03.28.024} Win - Twilight WebServer long request DoS
{03.28.003} Linux - Updated patches for previous vulnerabilities
{03.28.004} Linux - rpc.mountd/nfs-utils xlog() off by one overflow
{03.28.019} Linux - falconseye -s parameter overflow
{03.28.012} HP-UX - Updated patches for previous vulnerabilities
{03.28.017} SGI - Updated patches for previous vulnerabilities
{03.28.018} SGI - local login/scheme env var overflow
{03.28.016} NetDev - Cisco IOS malformed packet interface DoS
{03.28.020} NetDev - Asus AAM6000EV ADSL router auth info disclosure
{03.28.005} Cross - IBM U2 UniVerse multiple vulns
{03.28.011} Cross - Vulnerable PHP applications, 07/16
{03.28.013} Cross - Citadel/UX BBS multiple vulns
{03.28.021} Cross - xfstt working() boundary overflow
{03.28.022} Cross - BRU parameter overflow/format string vuln
{03.28.023} Cross - UMN gopherd multiple overflows
{03.28.009} MacOS - Update {03.27.001}: MacOS X secure screen saver
            bypass

--- Windows News ---------------------------------------------------------

*** {03.28.001} Win - Gattaca Server multiple vulns

Gattaca Server version 1.0.8.1 reportedly contains multiple
vulnerabilities: arbitrary file reading via the view.tmpl script;
directory listing; and cross-site scripting.

These vulnerabilities are not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0016.html

*** {03.28.002} Win - MDaemon SELECT and EXAMINE overflows

MDaemon version 6.7.9 contains buffer overflows in the handling of large
EXAMINE and SELECT commands to the IMAP service, thereby allowing an
authenticated user to execute arbitrary code on the server with local
system privileges.

The advisory indicates confirmation by the vendor, which released
version 6.8.0.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0021.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0022.html

*** {03.28.006} Win - MS03-026: DCOM RPC buffer overflow

Microsoft released MS03-026 ("DCOM RPC buffer overflow"). The MS RPC
functionality related to DCOM object activation contains a buffer
overflow that lets a remote attacker execute arbitrary code with local
system privileges. Windows NT, 2000, XP and 2003 are affected.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-026.as

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0042.html

*** {03.28.007} Win - MS03-027: Windows Shell desktop.ini custom
                attribute overflow

Microsoft released MS03-027 ("Windows Shell desktop.ini custom attribute
overflow"). The Windows Shell interface in Windows XP contains a buffer
overflow in the handling of custom attributes found in a malicious
desktop.ini file. Viewing/loading of a malicious desktop.ini file (via
network share, removable/shared media, etc.) could result in the
execution of arbitrary code.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-027.asp

Source: Microsoft
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0044.html

*** {03.28.008} Win - MS03-028: ISA Server error pages XSS

Microsoft released MS03-028 ("ISA Server error pages XSS"). Microsoft
ISA Server 2000 contains a cross-site scripting vulnerability in the
various ISA error pages.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-028.asp

Source: Microsoft
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0043.html

*** {03.28.010} Win - MS Jet OLEDB select argument overflow

MS Jet versions 4.0 SP6 and prior contain a buffer overflow in the
handling of large arguments passed to a SELECT SQL statement,
potentially allowing the execution of arbitrary code.

The advisory indicates confirmation by the vendor, which released Jet
version 4.0 SP7.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0038.html

*** {03.28.014} Win - Storefront CGI login SQL tampering

The Storefront ASP CGI suite is vulnerable to SQL tampering in the
handling of the user's login e-mail address.

The advisory indicates vendor confirmation.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0146.html

*** {03.28.015} Win - ASP-DEV Forum CGI unrestricted admin access

The ASP-DEV Discussion Forum ASP CGI suite does not restrict access to
the administrative pages, potentially allowing a remote attacker to
recover user names and passwords as well as to administer the discussion
forum application.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0148.html

*** {03.28.024} Win - Twilight WebServer long request DoS

Twilight WebServer version 1.3.3.0 crashes when a remote attacker sends
an overly long URL request.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0162.html

--- Linux News -----------------------------------------------------------

*** {03.28.003} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

--- Red Hat:

RHSA-2003:162-01: Mozilla
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0008.html

--- Mandrake:

MDKSA-2003:074: kernel
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0030.html

--- Debian:

DSA-348-1: traceroute-nanog
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0105.html

DSA-351-1: php4
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0123.html

--- Conectiva:

CLA-2003:694: gnupg
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0013.html

CLA-2003:695: mpg123
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0014.html

CLA-2003:696: ucd-snmp
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0015.html

CLA-2003:697: phpgroupware
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0016.html

--- TurboLinux:

TSLSA-2003-0025: Apache
http://archives.neohapsis.com/archives/bugtraq/2003-07/0135.html

Source: Red Hat, Mandrake, Debian, Conectiva, TurboLinux (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0008.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0030.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0105.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0123.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0013.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0014.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0015.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0016.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0135.html

*** {03.28.004} Linux - rpc.mountd/nfs-utils xlog() off by one overflow

The Linux NFS utils suite versions 1.0.3 and prior contain an 'off by
one' buffer overflow in the xlog() function used by rpc.mountd,
potentially allowing a remote attacker to execute arbitrary code on the
target system.

This vulnerability is confirmed and fixed in version 1.0.4.

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0007.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0117.html

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0147.html

Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2003-07/0190.html

Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0002.html

Source: VulnWatch, Red Hat, Debian, SuSE, Slackware, Immunix (SF
Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0007.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0117.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0147.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0190.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0002.html

*** {03.28.019} Linux - falconseye -s parameter overflow

The falconseye game application contains a buffer overflow in the
handling of the '-s' command-line parameter that allows a local attacker
to execute arbitrary code with gid 'games' privileges.

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0119.html

--- HP-UX News -----------------------------------------------------------

*** {03.28.012} HP-UX - Updated patches for previous vulnerabilities

The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

HPSBUX0307-269: Apache
http://archives.neohapsis.com/archives/hp/2003-q3/0011.html

HPSBUX0307-268: J2SE
http://archives.neohapsis.com/archives/hp/2003-q3/0011.html

HPSBUX0307-267: JRE
http://archives.neohapsis.com/archives/hp/2003-q3/0011.html

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q3/0011.html

--- SGI News -------------------------------------------------------------

*** {03.28.017} SGI - Updated patches for previous vulnerabilities

The following is a list of IRIX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

20030701-01-P: nsd
http://archives.neohapsis.com/archives/vendor/2003-q3/0020.html

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q3/0020.html

*** {03.28.018} SGI - local login/scheme env var overflow

An SGI advisory indicates the login program /usr/lib/iaf/scheme contains
a buffer overflow in the handling of environment variables that could
allow a local attacker to execute arbitrary code with root privileges.

Update information is available at the reference URL below.

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q3/0019.html

--- Network Devices News -------------------------------------------------

*** {03.28.016} NetDev - Cisco IOS malformed packet interface DoS

A Cisco advisory indicates that particular malformed IPv4 packets sent
directly to a router device running IOS can cause the listening
interface to stop processing packets, thereby leading to a denial of
service.

This vulnerability is confirmed. Update information is available at the
reference URL below.

Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q3/0002.html

*** {03.28.020} NetDev - Asus AAM6000EV ADSL router auth info disclosure

The Asus AAM6000EV ADSL network router allows attackers on the local
network to query the router's built-in Web interface and retrieve a list
of all valid user names and passwords, which would allow the router to
be compromised.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0171.html

--- Cross-Platform News --------------------------------------------------

*** {03.28.005} Cross - IBM U2 UniVerse multiple vulns

The IBM UniVerse database versions 10.0.0.9 and prior contain multiple
vulnerabilities: cci_dir insecure temp file handling; uvadmsh arbitrary
root command execution; and uvadmsh command line parameter overflow.
Other suspicious bugs were found; however, exploitability is not
confirmed.

These vulnerabilities are not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0025.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0026.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0027.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0028.html

*** {03.28.011} Cross - Vulnerable PHP applications, 07/16

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

W-Agora 4.1.5: XSS, command execution, file uploading, information
disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-07/0134.html

Invision Power Board 1.1.2: XSS, SQL tampering, file uploading
http://archives.neohapsis.com/archives/bugtraq/2003-07/0136.html

EJ3 BlackBook 1.0: XSS, information disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-07/0164.html

phpforum 2 RC-1: remote file include script execution
http://archives.neohapsis.com/archives/bugtraq/2003-07/0129.html

Digi-news/Digi-ad 1.1: SQL tampering
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0030.html

Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-07/0134.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0136.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0164.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0129.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0030.html

*** {03.28.013} Cross - Citadel/UX BBS multiple vulns

Citadel/UX BBS versions prior to 6.08 contain multiple vulnerabilities:
weak random number generation used during authentication; various buffer
overflows; and file system space consumption that can lead to a denial
of service.

The advisory indicates confirmation by the vendor, which released
version 6.09.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0181.html

*** {03.28.021} Cross - xfstt working() boundary overflow

The X Fontserver for Truetype fonts (xfstt) version 1.4 reportedly
contains a boundary calculation error in the working() function that
could crash xfstt (a denial of service) and possibly allow the execution
of arbitrary code.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0178.html

*** {03.28.022} Cross - BRU parameter overflow/format string vuln

EST's BRU versions 17 and prior reportedly contain a buffer overflow
and format string vulnerability in the handling of command-line
parameters, thereby allowing a local attacker to execute arbitrary code
with elevated privileges.

This vulnerability is not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0032.html

*** {03.28.023} Cross - UMN gopherd multiple overflows

UMN gopherd versions 2.x and 3.x reportedly contain multiple buffer
overflows that could allow a remote attacker to execute arbitrary code
on the target system.

These vulnerabilities are not confirmed.

Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2003-q3/0015.html

--- Mac OS News ----------------------------------------------------------

*** {03.28.009} MacOS - Update {03.27.001}: MacOS X secure screen saver
                bypass

Apple released updates that fix the vulnerability discussed in
{03.27.001} ("MacOS X secure screen saver bypass").

Update information is available at:
http://docs.info.apple.com/article.html?artnum=120232

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0187.html

************************************************************************

------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org/

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensusnwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(infoneohapsis.com | http://www.neohapsis.com/).