Security Alert Consensus #37
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Sep 18 2003 - 16:49:08 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 037 (03.37)
Thursday, September 18, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue is sponsored by McAfee(R) IntruShield(R).
Is Intrusion Prevention Coming of Age?
Download a white paper on Intrusion Prevention: Myths,
Challenges, Requirements and a Path to Prevention (TM) at:
https://secure.nai.com/us/forms/registration/survey.asp?code=na100
************************** End Advertisement *************************
The Unix world had a significant lineup of notable security problems
this past week. The default Solaris sadmind configuration can be
remotely tricked into executing arbitrary commands (reported as item
{03.37.004}). OpenSSH contains multiple buffer overflows in the buffer
management functions (reported as item {03.37.008}). While the OpenSSH
bug doesn't appear to be exploitable at this time, a bug in Sendmail's
address parsing functions *was* confirmed as remotely exploitable on
some platforms (reported as item {03.37.011}). Lastly, the popular Pine
e-mail client has two overflows that can be triggered remotely by a
malicious e-mail (reported as item {03.37.012}).
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{03.37.005} Win - WideChapter browser large URL overflow
{03.37.007} Win - Minihttpserver Web root escaping
{03.37.009} Win - Yak! client FTP file access
{03.37.013} Win - MyServer HTTP server MSCGI param value overflow
{03.37.016} Win - FTGate information exposure and password recovery
{03.37.022} Win - Nokia NED multiple vulns
{03.37.001} Linux - Updated patches for previous vulnerabilities
{03.37.018} Linux - Asterisk CallerID CDR SQL tampering
{03.37.006} BSD - OpenBSD semget() integer overflow
{03.37.004} Sol - sadmind default auth allows command exec
{03.37.021} SCO - Updated patches for previous vulnerabilities
{03.37.002} Cross - MySQL large password overflow
{03.37.003} Cross - KDE KDM PAM error vuln and insecure session cookies
{03.37.008} Cross - OpenSSH buffer management failure overflow
{03.37.010} Cross - man MANPL env var overflow
{03.37.011} Cross - Sendmail address parsing overflow
{03.37.012} Cross - Pine MIME parsing and integer overflows
{03.37.014} Cross - Vulnerable PHP applications, 09/16
{03.37.015} Cross - Gordano URL request DoS and info disclosure
{03.37.017} Cross - RAR file header file size manipulation
{03.37.023} Cross - SANE daemon multiple DoS vulns
{03.37.020} Tru64 - Updated patches for previous vulnerabilities
{03.37.019} MacOS - 4D WebSTAR FTP password overflow
--- Windows News -------------------------------------------------------
*** {03.37.005} Win - WideChapter browser large URL overflow
The WideChapter Web browser version 3.0 contains a buffer overflow in
the handling of large URLs, thereby allowing a malicious Web site to
execute arbitrary code on the system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0236.html
*** {03.37.007} Win - Minihttpserver Web root escaping
Minihttpserver version 1.x allows attackers to access files outside the
Web root.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0107.html
*** {03.37.009} Win - Yak! client FTP file access
Yak! version 2.0.1 includes an FTP server listening on port 3535. The
FTP service uses a hard-coded user name and password and allows remote
attackers to access arbitrary files on the system outside the FTP root.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0225.html
*** {03.37.013} Win - MyServer HTTP server MSCGI param value overflow
MyServer HTTP server version 0.4.3 reportedly contains a buffer overflow
in the handling of large parameter values sent to the MSCGI handler.
This allows the remote execution of arbitrary code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0227.html
*** {03.37.016} Win - FTGate information exposure and password recovery
FTGate Pro version 1.2 reportedly allows non-authenticated users to
recover various configuration information, including user account and
password lists, via the built-in Web administration interface.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0182.html
*** {03.37.022} Win - Nokia NED multiple vulns
Nokia Electronic Document (NED) server contains multiple
vulnerabilities: cross-site scripting; browsing of directories within
the Web root; and the ability to use NED as an authorized/anonymizing
proxy.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0108.html
--- Linux News ---------------------------------------------------------
*** {03.37.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
--- Red Hat:
RHSA-2003:264-01: gtkhtml
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0032.html
--- Conectiva:
CLA-2003:737: gtkhtml
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0040.html
--- Mandrake:
MDKSA-2003:089: XFree86
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0143.html
--- Debian:
DSA-380-1: xfree86
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0485.html
Source: Red Hat, Conectiva, Mandrake, Debian
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0032.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0040.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0143.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0485.html
*** {03.37.018} Linux - Asterisk CallerID CDR SQL tampering
The Asterisk PBX software suite is vulnerable to SQL tampering when
handling CallerID values placed into CDR records.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0102.html
--- BSD News -----------------------------------------------------------
*** {03.37.006} BSD - OpenBSD semget() integer overflow
OpenBSD 3.3 and prior have an integer overflow in the semget() system
function that allows a local root user to bypass secure-level
restrictions.
This vulnerability is confirmed. Patch information is available at:
http://archives.neohapsis.com/archives/openbsd/2003-09/0799.html
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2003-09/0799.html
--- Solaris News -------------------------------------------------------
*** {03.37.004} Sol - sadmind default auth allows command exec
An advisory indicates the default authentication mechanism used by
sadmind included with Solaris 2.6 through 9 allows a remote attacker to
execute arbitrary commands on the system with root privileges.
The advisory indicates vendor confirmation. An exploit was discovered
in the wild. The proper workaround seems to be enabling a higher level
of authentication for the sadmind daemon.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0109.html
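The workaround above amounts to a one-line change in inetd.conf. The following script is an added example (not from the newsletter or from Sun) that audits an inetd.conf excerpt for the sadmind entry and reports its authentication level; it assumes the sadmind(1M) "-S <level>" option, where 1 (AUTH_SYS) is the default and 2 (AUTH_DES) is the stronger level the advisory recommends.

```shell
#!/bin/sh
# Added example, not part of the newsletter: audit an inetd.conf for the
# sadmind entry and report the authentication level it runs with.
# Assumes the Solaris sadmind(1M) "-S <level>" option:
#   0 = none, 1 = AUTH_SYS (the insecure default), 2 = AUTH_DES.

# Print the effective sadmind security level found in the given inetd.conf:
# "1" when the entry carries no -S option (the default), the -S value when
# present, or "absent" when sadmind is not configured (i.e. disabled).
sadmind_auth_level() {
    conf="$1"
    line=$(grep -v '^[[:space:]]*#' "$conf" | grep 'sadmind' | head -n 1)
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    # Walk the fields of the entry; the level is the argument after -S.
    level=1
    set -- $line
    while [ $# -gt 0 ]; do
        if [ "x$1" = "x-S" ] && [ -n "$2" ]; then
            level="$2"
            break
        fi
        shift
    done
    echo "$level"
}

# Return 0 when sadmind is disabled or runs at level 2 (AUTH_DES), else 1.
check_sadmind_hardened() {
    lvl=$(sadmind_auth_level "$1")
    case "$lvl" in
        absent|2) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configurations for demonstration (not real hosts).
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# stock sadmind entry: no -S option, so AUTH_SYS applies
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
hard_conf=$(mktemp)
cat > "$hard_conf" <<'EOF'
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
EOF

echo "stock entry:    level $(sadmind_auth_level "$weak_conf")"
echo "hardened entry: level $(sadmind_auth_level "$hard_conf")"
```

Run it against a real /etc/inetd.conf with `check_sadmind_hardened /etc/inetd.conf` to get a pass/fail exit status suitable for a host audit script.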
--- SCO News -----------------------------------------------------------
*** {03.37.021} SCO - Updated patches for previous vulnerabilities
The following is a list of SCO vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
CSSA-2003-SCO.13.1: samba
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0011.html
CSSA-2003-SCO.10.1: Apache
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0012.html
CSSA-2003-SCO.17.1: bind
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0013.html
CSSA-2003-SCO.19: SCO Internet manager
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0014.html
Source: SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0011.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0012.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0013.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0014.html
--- Cross-Platform News ------------------------------------------------
*** {03.37.002} Cross - MySQL large password overflow
MySQL versions prior to 4.0.15 incorrectly handle large password values
stored in the 'User' table of the 'mysql' system database. A database
administrator with global admin rights can insert a large password value
into this table and cause a buffer overflow and the execution of
arbitrary code.
This vulnerability is confirmed and fixed in version 4.0.15.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0491.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2003-09/0188.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0491.html
*** {03.37.003} Cross - KDE KDM PAM error vuln and insecure session cookies
The KDM application included with KDE 3.1.3 and prior contains two
vulnerabilities: the return value of pam_setcred() was not checked,
potentially allowing root access if the PAM modules experience an error;
and the session cookies are generated with insufficient randomness,
potentially allowing them to be brute forced.
These vulnerabilities are confirmed and fixed in KDE 3.1.4.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0035.html
Source: SecurityFocus Bugtraq, Red Hat
http://archives.neohapsis.com/archives/bugtraq/2003-09/0256.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0035.html
*** {03.37.008} Cross - OpenSSH buffer management failure overflow
OpenSSH versions 3.7.0 and prior contain a heap-based buffer overflow
in the buffer management routines. It is unconfirmed at this point
whether this vulnerability is exploitable.
A patch is available at:
http://archives.neohapsis.com/archives/openbsd/2003-09/1241.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0006.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0034.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0516.html
FreeBSD update information:
http://archives.neohapsis.com/archives/freebsd/2003-09/0068.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0019.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0042.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0164.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0255.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0753.html
Source: OpenBSD, VulnWatch, EnGarde, Red Hat, Debian, FreeBSD, Immunix,
Conectiva, Mandrake, Slackware, SuSE
http://archives.neohapsis.com/archives/openbsd/2003-09/1241.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0110.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0006.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0034.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0516.html
http://archives.neohapsis.com/archives/freebsd/2003-09/0068.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0019.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0042.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0164.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0255.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0753.html
*** {03.37.010} Cross - man MANPL env var overflow
Man prior to version 1.5m2 contains a buffer overflow in the handling
of the MANPL environment variable that allows a local attacker to
execute arbitrary code with elevated privileges if the man binary is
setgid.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0103.html
*** {03.37.011} Cross - Sendmail address parsing overflow
Sendmail versions prior to 8.12.10 contain a buffer overflow in the
parsing of addresses. This vulnerability allows the execution of
arbitrary code by a remote attacker.
This vulnerability is confirmed and fixed in version 8.12.10.
OpenBSD update information:
http://archives.neohapsis.com/archives/openbsd/2003-09/1386.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0038.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0577.html
Source: Sendmail, OpenBSD, Red Hat, Debian
http://archives.neohapsis.com/archives/sendmail/2003-q3/0002.html
http://archives.neohapsis.com/archives/openbsd/2003-09/1386.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0038.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0577.html
*** {03.37.012} Cross - Pine MIME parsing and integer overflows
Pine versions 4.56 and prior contain two vulnerabilities: a buffer
overflow in the parsing of MIME attribute values and an integer overflow
in the parsing of e-mail headers. Both vulnerabilities can be exploited
by a malicious e-mail to execute arbitrary code when read.
These vulnerabilities are confirmed and fixed in version 4.58.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0033.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0706.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0194.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0005.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0041.html
Source: VulnWatch, Red Hat, SuSE, Slackware, EnGarde, Conectiva
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0099.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0033.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0706.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0194.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0005.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0041.html
*** {03.37.014} Cross - Vulnerable PHP applications, 09/16
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.
Webcalendar 0.9.42: XSS, SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html
myPHPNuke 1.8.8_7: remote file include code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0101.html
Invision Power Board 1.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2003-09/0199.html
Bandsite 1.5: admin account access
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0104.html
vbPortal 2.0: SQL tampering
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0106.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0101.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0199.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0104.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0106.html
*** {03.37.015} Cross - Gordano URL request DoS and info disclosure
Gordano Messaging Suite version 9 contains two vulnerabilities: a denial
of service vulnerability whereby a URL request for parent directories
causes the Web service to crash; and direct access to the alertlist.mml
file displays various user information.
The advisory indicates vendor confirmation. Update information is
included at the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0175.html
*** {03.37.017} Cross - RAR file header file size manipulation
An advisory indicates that two RAR unpacking applications, WinRAR and
unrar, allocate disk space based on the file size specified in the
header without checking it against the actual contents. A malicious RAR
file can therefore declare a size value far larger than the data it
contains and cause a denial of service.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0161.html
*** {03.37.023} Cross - SANE daemon multiple DoS vulns
The SANE scanner daemon contains multiple oversights and vulnerabilities
in the handling of the communications protocol that could allow a remote
attacker to consume large amounts of memory on the system or cause the
SANE daemon to crash.
This vulnerability is confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0481.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0481.html
--- Tru64 News ---------------------------------------------------------
*** {03.37.020} Tru64 - Updated patches for previous vulnerabilities
The following is a list of Tru64 vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT3507: dtterm
http://archives.neohapsis.com/archives/tru64/2003-q3/0011.html
Source: Compaq/HP
http://archives.neohapsis.com/archives/tru64/2003-q3/0011.html
--- Mac OS News --------------------------------------------------------
*** {03.37.019} MacOS - 4D WebSTAR FTP password overflow
4D WebSTAR FTP version 5.3.1 contains a buffer overflow in the handling
of large passwords that allows a remote attacker to execute arbitrary
code on the target system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0214.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).