
SAFER SECURITY ALERT FOR ENTERPRISE RESOURCES

Volume 4 Issue 2 February 2001

A monthly publication of The Relay Group. Copyright © 2001 All rights reserved. For further information or comments please contact [email protected]

The Relay Group produces this newsletter to aid and assist security-concerned executives and IT professionals. The Relay Group’s comments are opinions only. No action may be taken against The Relay Group for following comments or for any consequence of action emanating from the reading of this newsletter. SAFER subscriptions can be made at http://www.safermag.com

SAFER – Vol. 4, Issue 2 2 © 2001 The Relay Group

CONTENTS

CONTENTS ..... 2

EXECUTIVE NEWS ..... 6
  GENERAL NEWS ..... 6
  EUROPE – MIDDLE-EAST ..... 7
  UNITED STATES - CANADA ..... 7
  ASIA - PACIFIC ..... 8

SECURITY ALERTS ..... 9
  SOLARIS XIMP40 LIBRARY BUFFER OVERFLOW VULNERABILITY ..... 9
  ISC BIND INTERNAL MEMORY DISCLOSURE VULNERABILITY ..... 9
  WWW-SQL .HTACCESS BYPASS VULNERABILITY ..... 10
  SOLARIS X86 NLPS_SERVER BUFFER OVERFLOW VULNERABILITY ..... 10
  MYSQL LOCAL BUFFER OVERFLOW VULNERABILITY ..... 10
  MARS NWE FORMAT STRING VULNERABILITY ..... 10
  PDGSOFT SHOPPING CART EXPOSED ORDERS VULNERABILITY ..... 11
  MICROSOFT IIS FILE FRAGMENT DISCLOSURE VULNERABILITY ..... 11
  SMARTMAX MAILMAX SMTP BUFFER OVERFLOW VULNERABILITY ..... 11
  MAJORDOMO LISTS COMMAND EXECUTION VULNERABILITY ..... 11
  ISC BIND 4 NSLOOKUPCOMPLAIN() FORMAT STRING VULNERABILITY ..... 12
  ISC BIND 4 NSLOOKUPCOMPLAIN() BUFFER OVERFLOW VULNERABILITY ..... 12
  AT&T WINVNC SERVER BUFFER OVERFLOW VULNERABILITY ..... 13
  AT&T WINVNC CLIENT BUFFER OVERFLOW VULNERABILITY ..... 13
  ISC BIND 8 TRANSACTION SIGNATURES HEAP OVERFLOW VULNERABILITY ..... 14
  ISC BIND 8 TRANSACTION SIGNATURES BUFFER OVERFLOW VULNERABILITY ..... 14
  RPMMAIL LOCAL/REMOTE ROOT VULNERABILITY ..... 15
  RWHOD BUFFER OVERFLOW VULNERABILITY ..... 15
  MICROSOFT POWERPOINT BUFFER OVERFLOW VULNERABILITY ..... 15
  WU-FTPD DEBUG MODE CLIENT HOSTNAME FORMAT STRING VULNERABILITY ..... 16
  ORACLE XSQL SERVLET ARBITRARY JAVA CODE VULNERABILITY ..... 16
  FREEBSD IPFW FILTERING EVASION VULNERABILITY ..... 16
  WWWWAIS.C HEAP OVERFLOW VULNERABILITY ..... 17
  EASYCOM/SAFECOM PRINT SERVER REMOTE ARBITRARY COMMAND VULNERABILITY ..... 17
  ORACLE JSP/JSPSQL REMOTE FILE READING VULNERABILITY ..... 17
  ORACLE JSP/SQLJSP SERVLET EXECUTION VULNERABILITY ..... 18
  NETSCAPE ENTERPRISE SERVER 'INDEX' DISCLOSURE VULNERABILITY ..... 18
  WATCHGUARD FIREBOXII PASSWORD RETRIEVAL VULNERABILITY ..... 18
  LOTUS DOMINO MAIL SERVER 'POLICY' BUFFER OVERFLOW VULNERABILITY ..... 19
  MOUNTAIN-NET WEBCART EXPOSED ORDERS VULNERABILITY ..... 19
  BING GETHOSTBYADDR BUFFER OVERFLOW VULNERABILITY ..... 19
  SYSADMIN MAGAZINE MAN.SH ARBITRARY COMMAND EXECUTION VULNERABILITY ..... 20
  AT&T VNC WEAK AUTHENTICATION VULNERABILITY ..... 20
  PHORUM 3.0.7 AUTH.PHP3 BACKDOOR VULNERABILITY ..... 20
  PHORUM VIOLATION.PHP3 ARBITRARY EMAIL RELAY VULNERABILITY ..... 21
  PHORUM ADMIN.PHP3 UNVERIFIED ADMINISTRATIVE PASSWORD CHANGE VULNERABILITY ..... 21
  LOCALWEB2000 DIRECTORY TRAVERSAL VULNERABILITY ..... 21
  FASTREAM FTP++ DIRECTORY TRAVERSAL VULNERABILITY ..... 21
  EZMALL2000 CREDIT CARD EXPOSURE VULNERABILITY ..... 22
  ICECAST PRINT_CLIENT() BUFFER OVERFLOW VULNERABILITY ..... 22
  CGI_LITE.PM INSECURE INPUT HANDLING VULNERABILITY ..... 22
  TEXTCOUNTER.PL ARBITRARY COMMAND EXECUTION VULNERABILITY ..... 23
  MICROSOFT OUTLOOK CONCEALED ATTACHMENT VULNERABILITY ..... 23
  SHOUTCAST SERVER FOR LINUX BUFFER OVERFLOW VULNERABILITY ..... 23
  SAMBAR SERVER ADMIN ACCESS VULNERABILITY ..... 24
  MICQ REMOTE BUFFER OVERFLOW VULNERABILITY ..... 24
  SOLARIS CU BUFFER OVERFLOW VULNERABILITY ..... 24
  SKUNKWARE VIEW-SOURCE DIRECTORY TRAVERSAL VULNERABILITY ..... 25
  WINDOWS 2000 EFS TEMPORARY FILE RETRIEVAL VULNERABILITY ..... 25
  SSH SECURE-RPC WEAK ENCRYPTED AUTHENTICATION VULNERABILITY ..... 25
  AOL INSTANT MESSENGER BUFFER OVERFLOW VULNERABILITY ..... 26


  PHP ENGINE DISABLE SOURCE VIEWING VULNERABILITY ..... 26
  GLIBC LD_PRELOAD FILE OVERWRITING VULNERABILITY ..... 26
  POSTACI ARBITRARY SQL COMMAND INJECTION VULNERABILITY ..... 27
  ORACLE APACHE+WEBDB DOCUMENTED BACKDOOR VULNERABILITY ..... 27
  MICROSOFT WINS DOMAIN CONTROLLER SPOOFING VULNERABILITY ..... 27
  TINYPROXY HEAP OVERFLOW VULNERABILITY ..... 28
  CALDERA DHCP PACKAGE FORMAT STRING VULNERABILITY ..... 28
  SUSE RCTAB RACE CONDITION VULNERABILITY ..... 28
  FLASH SOUND WRITE-OVERFLOW VULNERABILITY ..... 29
  TREND MICRO INTERSCAN VIRUSWALL SYMLINK ROOT COMPROMISE VULNERABILITY ..... 29
  TREND MICRO INTERSCAN VIRUSWALL WEAK ADMIN PASSWORD PROTECTION VULNERABILITY ..... 29
  OMNIHTTPD FILE CORRUPTION AND COMMAND EXECUTION VULNERABILITY ..... 30
  SPLITVT FORMAT STRING VULNERABILITY ..... 30
  PHP .HTACCESS ATTRIBUTE TRANSFER VULNERABILITY ..... 30
  MICROSOFT WINDOWS MEDIA PLAYER .WMZ ARBITRARY JAVA APPLET VULNERABILITY ..... 31
  MICROSOFT MSHTML.DLL CRASH VULNERABILITY ..... 31
  EXMH SYMLINK VULNERABILITY ..... 31
  IOMEGA JAZIP BUFFER OVERFLOW VULNERABILITY ..... 32
  RDIST /TMP FILE RACE CONDITION VULNERABILITY ..... 32
  GETTY_PS /TMP FILE RACE CONDITION VULNERABILITY ..... 32
  COMPAQ WEB ADMIN BUFFER OVERFLOW VULNERABILITY ..... 33
  MICROSOFT WEB CLIENT EXTENDER NTLM AUTHENTICATION VULNERABILITY ..... 33
  BASILIX WEBMAIL INCORRECT FILE PERMISSIONS VULNERABILITY ..... 33
  ULTRABOARD INCORRECT DIRECTORY PERMISSIONS VULNERABILITY ..... 34
  SHADOW-UTILS /ETC/DEFAULT TEMP FILE RACE CONDITION VULNERABILITY ..... 34
  SOLARIS ARP BUFFER OVERFLOW VULNERABILITY ..... 34
  BORLAND/INPRISE INTERBASE BACKDOOR PASSWORD VULNERABILITY ..... 35
  SDIFF /TMP FILE RACE CONDITION VULNERABILITY ..... 35
  INN /TMP FILE RACE CONDITION VULNERABILITY ..... 35
  WU-FTPD /TMP FILE RACE CONDITION VULNERABILITY ..... 36
  GPM /TMP FILE RACE CONDITION VULNERABILITY ..... 36
  MGETTY /TMP FILE RACE CONDITION VULNERABILITY ..... 36
  LINUXCONF /TMP FILE RACE CONDITION VULNERABILITY ..... 36
  SQUID /TMP FILE RACE CONDITION VULNERABILITY ..... 37
  ARPWATCH /TMP FILE RACE CONDITION VULNERABILITY ..... 37
  APACHE /TMP FILE RACE VULNERABILITY ..... 37
  GLIBC RESOLV_HOST_CONF FILE READ ACCESS VULNERABILITY ..... 38
  LINUX REISERFS KERNEL OOPS AND CODE EXECUTION VULNERABILITY ..... 38
  SOLARIS EXRECOVER BUFFER OVERFLOW VULNERABILITY ..... 38
  EXTROPIA BBS_FORUM.CGI REMOTE ARBITRARY COMMAND EXECUTION VULNERABILITY ..... 39
  LOTUS DOMINO SERVER DIRECTORY TRAVERSAL VULNERABILITY ..... 39
  IBROW NEWSDESK.CGI FILE DISCLOSURE VULNERABILITY ..... 39
  HP-UX KERMIT BUFFER OVERFLOW VULNERABILITY ..... 40
  INFORMIX WEBDRIVER LOCAL FILE OVERWRITE VULNERABILITY ..... 40
  GTK+ ARBITRARY LOADABLE MODULE EXECUTION VULNERABILITY ..... 40
  MICROSOFT WINDOWS MEDIA PLAYER JAVASCRIPT URL VULNERABILITY ..... 41

SECURITY ADVISORIES ..... 42
  CISCO SECURITY ADVISORY: CISCO CONTENT SERVICES SWITCH VULNERABILITY ..... 42
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:019: BIND ..... 42
  FREEBSD SECURITY ADVISORY SA-01:18: BIND ..... 42
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:018: KDESU ..... 43
  TURBOLINUX SECURITY ANNOUNCEMENT TLSA2001001-1: LPRNG ..... 43
  RED HAT SECURITY ADVISORY RHSA-2001:006: INETD ..... 43
  SUSE SECURITY ANNOUNCEMENT SUSE-SA:2001:03: BIND8 ..... 43
  SUSE SECURITY ANNOUNCEMENT SUSE-SA:2001:02: KDESU ..... 44
  MICROSOFT SECURITY BULLETIN (MS01-005) ..... 44
  CONECTIVA ANNOUNCEMENT CLSA-2001:378: KDE2 ..... 44
  FREEBSD SECURITY ADVISORY SA-01:15: TINYPROXY ..... 45
  TRUSTIX SECURITY ADVISORY: BIND, OPENLDAP ..... 45
  FREEBSD SECURITY ADVISORY SA-01:13: SORT ..... 45
  CALDERA SECURITY ADVISORY CSSA-2001-008.0: BIND ..... 46
  FREEBSD SECURITY ADVISORY SA-01:11: INETD ..... 46
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-001-01: BIND ..... 46


  FREEBSD SECURITY ADVISORY SA-01:17: EXMH2 ..... 46
  HP SECURITY BULLETIN #0138: VULNERABILITY IN MAN(1) COMMAND ..... 47
  FREEBSD SECURITY ADVISORY SA-01:08: IPFW/IP6FW ..... 47
  DEBIAN SECURITY ADVISORY DSA-026-1: BIND ..... 47
  RED HAT SECURITY ADVISORY RHSA-2001:007: BIND ..... 47
  FREEBSD SECURITY ADVISORY SA-01:14: MICQ ..... 48
  CONECTIVA ANNOUNCEMENT CLSA-2001:377: BIND ..... 48
  FREEBSD SECURITY ADVISORY SA-01:16: MYSQL ..... 48
  MICROSOFT SECURITY BULLETIN (MS01-004) ..... 49
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:017: BIND ..... 49
  CALDERA SECURITY ADVISORY CSSA-2001-006.0: MYSQL ..... 50
  DEBIAN SECURITY ADVISORY DSA-025-2: OPENSSH ..... 50
  DEBIAN SECURITY ADVISORY DSA-024-1: CRON ..... 50
  DEBIAN SECURITY ADVISORY DSA-023-1: INN2 ..... 50
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:016: WEBMIN ..... 51
  SUSE SECURITY ANNOUNCEMENT SUSE-SA:2001:01: GLIBC ..... 51
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:014-1: MYSQL ..... 51
  DEBIAN SECURITY ADVISORY DSA-022-1: EXMH ..... 52
  DEBIAN SECURITY ADVISORY DSA-021-1: APACHE ..... 52
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:015: EXMH ..... 52
  CONECTIVA ANNOUNCEMENT CLSA-2001:376: MYSQL ..... 52
  DEBIAN SECURITY ADVISORY DSA-020-1: PHP4 ..... 53
  CONECTIVA ANNOUNCEMENT CLSA-2001:374: ICECAST ..... 53
  DEBIAN SECURITY ADVISORY DSA-019-1: SQUID ..... 53
  MICROSOFT SECURITY BULLETIN (MS01-002) ..... 54
  RED HAT SECURITY ADVISORY RHSA-2001:005-03: MICQ ..... 54
  MICROSOFT SECURITY BULLETIN (MS01-003) ..... 54
  RED HAT SECURITY ADVISORY RHSA-2000:136: PHP ..... 55
  ALLAIRE SECURITY BULLETIN (ASB01-02) ..... 55
  DEBIAN SECURITY ADVISORY DSA-018-1: TINYPROXY ..... 55
  FREEBSD SECURITY ADVISORY SA-01:10: BIND ..... 56
  DEBIAN SECURITY ADVISORY DSA-017-1: JAZIP ..... 56
  FREEBSD SECURITY ADVISORY SA-01:09: CRONTAB ..... 56
  ORACLE SECURITY ALERTS ..... 57
  FREEBSD SECURITY ADVISORY SA-01:08: IPFW/IP6FW ..... 57
  CALDERA SECURITY ADVISORY CSSA-2001-005.0: KDESU ..... 57
  FREEBSD SECURITY ADVISORY SA-01:07: XFREE86 ..... 58
  DEBIAN SECURITY ADVISORY DSA-016-1: WU-FTPD ..... 58
  RED HAT SECURITY ADVISORY RHSA-2001:003: MYSQL ..... 58
  DEBIAN SECURITY ADVISORY DSA-015-1: SASH ..... 59
  CALDERA SECURITY ADVISORY CSSA-2001-007.0: GLIBC ..... 59
  DEBIAN SECURITY ADVISORY DSA-014-2: SPLITVT ..... 59
  DEBIAN SECURITY ADVISORY DSA-013: MYSQL ..... 59
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:014: MYSQL & PHP ..... 60
  DEBIAN SECURITY ADVISORY DSA-012-1: MICQ ..... 60
  TRUSTIX SECURITY ADVISORY: GLIBC ..... 60
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-62-044-01: GLIBC ..... 60
  HP SECURITY BULLETIN #0137: VULNERABILITY IN SUPPORT TOOLS MANAGER ..... 61
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:012: GLIBC ..... 61
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-029-01: GLIBC ..... 61
  CONECTIVA ANNOUNCEMENT CLSA-2001:373: PHP4 ..... 62
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:013: PHP ..... 62
  CALDERA SECURITY ADVISORY CSSA-2001-004.0: WEBMIN ..... 62
  RED HAT SECURITY ADVISORY RHSA-2001:002-03: GLIBC ..... 63
  FREEBSD SECURITY ADVISORY SA-01:03: BASH1 ..... 63
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:001-02: WU-FTPD ..... 63
  FREEBSD SECURITY ADVISORY SA-01:06: ZOPE ..... 64
  FREEBSD SECURITY ADVISORY SA-01:05: STUNNEL ..... 64
  FREEBSD SECURITY ADVISORY SA-01:04: JOE ..... 64
  FREEBSD SECURITY ADVISORY SA-01:03: BASH1 ..... 65
  FREEBSD SECURITY ADVISORY SA-01:02: SYSLOG-NG ..... 65
  FREEBSD SECURITY ADVISORY SA-01:01: OPENSSH ..... 65
  PHP SECURITY ADVISORY - APACHE MODULE BUGS ..... 66
  CALDERA SECURITY ADVISORY CSSA-2001-003.0: DHCP ..... 66


  TRUSTIX SECURITY ADVISORY: DIFFUTILS, SQUID ..... 66
  SUN SECURITY BULLETIN SUN-00200: ARP ..... 66
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:011: LINUXCONF ..... 67
  CALDERA SECURITY ADVISORY CSSA-2001-002.0: MGETTY /TMP ..... 67
  MICROSOFT SECURITY BULLETIN (MS01-001) ..... 67
  RED HAT SECURITY ADVISORY RHSA-2001:001-05: GLIBC ..... 68
  CALDERA SECURITY ADVISORY CSSA-2001-001.0: INN ..... 68
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-027-01: SHADOW-UTILS ..... 68
  DEBIAN SECURITY ADVISORY DSA-011-1: MGETTY ..... 68
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-026-01: RDIST ..... 69
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-025-01: GETTY_PS ..... 69
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-024-01: DIFFUTILS ..... 69
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-023-01: INN ..... 69
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-022-01: WU-FTPD ..... 70
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:010: INN ..... 70
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-021-01: GPM ..... 70
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:009: MGETTY ..... 70
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:008-1: DIFFUTILS ..... 71
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:007: SHADOW-UTILS ..... 71
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-020-01: MGETTY ..... 71
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:006: GPM ..... 71
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-019-01: LINUXCONF ..... 71
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:005: RDIST ..... 72
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-018-01: SQUID ..... 72
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:004: GETTY_PS ..... 72
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-017-01: ARPWATCH ..... 72
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:003: SQUID ..... 72
  IMMUNIX OS SECURITY ADVISORY IMNX-2000-70-016-01: APACHE ..... 73
  LINUX-MANDRAKE SECURITY UPDATE MDKSA-2001:002: ARPWATCH ..... 73
  HP SECURITY BULLETIN #0136: VULNERABILITY IN INETD(1M) ..... 73
  CONECTIVA ANNOUNCEMENT CLSA-2001:369: SLOCATE ..... 73

DENIAL-OF-SERVICE ..... 74
  MICROSOFT WINDOWS NT 4.0 MUTEX DOS VULNERABILITY ..... 74
  NETSCAPE ENTERPRISE SERVER WEB PUBLISHING DOS VULNERABILITY ..... 74
  NETOPIA R9100 ROUTER DENIAL OF SERVICE VULNERABILITY ..... 74
  NETSCAPE ENTERPRISE SERVER DOS VULNERABILITY ..... 75
  IRIS GET DENIAL OF SERVICE VULNERABILITY ..... 75
  NETSCAPE FASTTRAK CACHE MODULE DOS VULNERABILITY ..... 75
  CHECK POINT FIREWALL-1 4.1 DENIAL OF SERVICE VULNERABILITY ..... 76
  GOODTECH FTP SERVER DENIAL OF SERVICE ..... 76
  FASTREAM FTP++ DENIAL OF SERVICE VULNERABILITY ..... 76
  HP-UX SUPPORT TOOLS MANAGER DENIAL OF SERVICE ATTACK ..... 77
  VERITAS BACKUP DENIAL OF SERVICE VULNERABILITY ..... 77
  WEBMASTER CONFERENCEROOM DEVELOPER EDITION DOS VULNERABILITY ..... 77
  NETSCREEN FIREWALL DENIAL OF SERVICE VULNERABILITY ..... 77
  IBM HTTP SERVER AFPACACHE DOS VULNERABILITY ..... 78
  STORAGESOFT IMAGECAST IC3 DOS VULNERABILITY ..... 78
  SOLARIS MAILX LOCKFILE DENIAL OF SERVICE VULNERABILITY ..... 78

SAFER ADVISORIES ..... 79
  S.A.F.E.R. SECURITY BULLETIN 010123.EXP.1.10 ..... 79
  S.A.F.E.R. SECURITY BULLETIN 010124.EXP.1.11 ..... 79
  S.A.F.E.R. SECURITY BULLETIN 010125.EXP.1.12 ..... 80
  S.A.F.E.R. SECURITY BULLETIN 010125.DOS.1.5 ..... 80

UNDERGROUND TOOLS ..... 81

STATISTICS - JANUARY 2000 ..... 83


EXECUTIVE NEWS

What follows is the author's selection of rumors and noises of concern to the security community. We welcome your comments and opinions.

General News

- A recently discovered security flaw embedded in the most popular breed of Internet server software could expose more than 80 percent of the world's Web sites to debilitating hacker attacks if network administrators don't move quickly to replace the flawed versions. "There are a number of potential (vulnerabilities)," CERT Coordination Center electronic vulnerability expert Shawn Hernan said. "The worst case scenario is the distribution of malicious software from a popular site." In a statement made earlier, CERT outlined the security flaws inherent in the two most commonly used versions of the Berkeley Internet Name Domain or "BIND" software, which is used to run most of the world's Internet name servers. The flaw exists in BIND 4 and BIND 8, which combined are used by more than 80 percent of name servers worldwide, Hernan said, adding that his estimate is "conservative."

- A consortium of 145 tech companies including HP, IBM, Intel and Microsoft have released the first version of a specification designed to secure hardware and software on the desktop. The Trusted Computing Platform Alliance (TCPA) was formed in 1999 to help companies collaborate on security between hardware, applications and operating systems. The TCPA specification defines a trusted 'subsystem' on any computer where processes cannot be altered. According to the consortium, any transaction taking place in this subsystem will be monitored to ensure complete integrity. The system includes protected storage, digital signature and PKI (public key infrastructure) technology. The TCPA has adopted IBM's 256-bit security chips as a standard base for the platform.

- In the wake of a massive DDoS (distributed denial of service) attack on major U.S. Web sites last year, users are clearly moving to outsourced MSS (managed security services) for protection. Users also got a reminder of the ever-present threat of these attacks when Microsoft acknowledged that it had been the victim of a DDoS assault that overwhelmed the company's Web site traffic routers, cutting off users for hours. The software giant said the attack was unrelated to other shutdowns. Despite the severity of the DDoS attacks that crippled Yahoo.com, eBay, and Amazon.com at different times from Feb. 6 to Feb. 14, 2000, many companies still are not devoting the necessary funds to the problem, analysts said, and some users still have a lackadaisical attitude toward security.

- Network managers are increasingly ignorant about Internet security, according to a leading vendor. Amir Belkhelladi, head of security practice at Lucent, said: "Stupid network administrators are a bigger problem than smart hackers. There is a real lack of skilled people in Internet security. There are few people who truly understand TCP/IP nowadays, and the level of knowledge of IT professionals is going down month by month." Lucent believes that it is up to systems administrators within companies to educate users. Belkhelladi argued that it can cost £30,000 to install a firewall, but that it costs much less to train employees in Internet security. "Users are the weakest link and hackers will always try the easiest way to get in. Firewalls are there to enforce policies. If a company doesn't have a policy there is only so much you can do. Senior management doesn't take security seriously," he said. "Internet servers are increasingly complex and are being run by people with less talent," he added.

- The FBI has recruited IBM and more than 500 other US companies to a scheme designed to combat cybercrime. The idea of InfraGuard is to enable the FBI and member firms to alert others about Internet attacks and to pool information on how systems might be protected from crackers. Bloomberg reports that the FBI is pushing the scheme because hacking incidents are on the rise and increasing in severity. "Building bridges between law enforcement and the public and private sector is one of the most important ways we can protect ourselves from these threats," US Attorney General Janet Reno told a Washington news conference. The InfraGuard program involves the creation of a secure Web site through which member companies can exchange information about suspicious activity or best practices. The site will support encrypted email and, according to Bloomberg, will allow users to alert the FBI about intruders "either anonymously or with detailed information".


- While most Y2K fears proved to be unfounded, those who predicted widespread security troubles in the year 2000 were certainly vindicated. Businesses were attacked on all fronts: denial-of-service attacks brought down Web storefronts, script viruses flooded e-mail gateways across the globe, electronic extortionists held consumers' credit card and personal information ransom, and the world's largest software company had its system infiltrated, placing trade secrets and software code at risk. The year 2000 showed that although companies are becoming increasingly dependent on e-mail and the Internet, it takes fewer skills to wreak havoc. Early in the year, a string of distributed denial-of-service attacks against Buy.com, eBay, Yahoo, and other leading Web sites temporarily made the sites unavailable. It's believed these attacks were launched by "script kiddies" equipped with software readily available on the Internet. Likewise, virus writers took advantage of the relatively easy-to-learn Visual Basic Script language to design malicious code. According to antivirus software maker Sophos Inc., VBScript viruses account for more than one-third of all infections.

Europe – Middle-East

- There's a job waiting for the hacker who broke into the Web site of Bulgaria's president, but he's not showing himself. "I'll offer him a job in my office without hesitation," President Petar Stoyanov said in an interview published by the daily 24 Hours. "He's obviously very talented, because he broke into the site without damaging any information." After cracking the site, the hacker left a message of despair reflecting the mood in a society struggling for prosperity more than a decade after the end of communism. "Why did I do it?" the message asked. "Very simple - when my parents live in misery and I cannot find a job without the proper connections, and most of my friends seek their fortunes abroad, what else is left? ... A time comes, when you say, 'Enough.'" While such a stunt would lead to criminal charges elsewhere, there is no legislation in Bulgaria making hacking a crime.

- "People know by now that you leave many data tracks on the Internet by surfing there," Koehntopp said. "The user has to be aware ... how to control everything about his or her identity that he gives other people." Europeans have traditionally placed much more of an emphasis on protecting the privacy of citizens than in the United States, and this is especially true in Germany. Each of Germany's 17 Laender, or states, has its own commissioner for data protection, who monitors the activities of both companies and the government. The center-left government of Social Democrat Chancellor Gerhard Schroeder appears likely to pass a law in the months ahead that will place restrictions on companies monitoring the e-mail of their employees. So far, all of Germany's state privacy commissioners, including one for all of Germany, are affiliated with the Virtual Privacy Center -- as are privacy commissioners from Switzerland, the Netherlands and Ontario, Canada. The site offers regular citizens both information and software downloads.

United States - Canada

- An American airline will have to answer charges that it illegally gained access to one of its own pilot's Web sites which criticised its management, a Federal appeals court has ruled. Bloomberg reports a decision by the US Ninth Circuit Court of Appeals to reverse an earlier decision to dismiss a pilot's lawsuit, which claimed that Hawaiian Airlines had broken federal wiretap and employment laws in accessing his secure site under false pretences. The court heard that a company VP logged onto the site 20 times using another pilot's name. The decision sets a precedent that means unauthorised access to a private Web site may be in violation of both the federal Wiretap and Stored Communications Acts. "The contents of secure Web sites are 'electronic communications' in intermediate storage that are protected from unauthorised interception under the Wiretap Act," the court stated in its ruling.

- While sector-specific technology measures don't factor highly in the US Chamber of Commerce's 2001 legislative wish list, the Chamber does intend to play an active role in upcoming congressional debates over online privacy, cyber-security and Web site content restrictions, according to the organization's top technology official. Particularly in the area of electronic privacy, the nation's most powerful business group is gearing up to fight any congressional effort to enact federal standards, US Chamber Director of E-Commerce and Internet Technology Rick Lane told Newsbytes today. And while Lane concedes that the Chamber's role in the privacy debate will be largely reactive - fighting the myriad privacy bills likely to be introduced this year - he said the Chamber will assume a "proactive role" in educating members of Congress about the business community's concerns surrounding privacy legislation. "We are going to use our resources to launch a massive educational effort," Lane said, adding that the Chamber would seek to "get the rhetoric and the headlines out of the debate and get the substance in."


Asia - Pacific

- Reports of computer viruses tripled last year in Japan as the increasingly networked nation felt the effects of the Love Bug and other potent strains, a government study said. Authorities logged a total of 11,109 reports of viruses being sent to computers in Japan in 2000, the Yomiuri newspaper reported on Saturday, citing a study by the government-affiliated Information Technology Promotion Agency. That was up from 3,645 reports the previous year and from just 14 in 1989, when such cases were first recorded. Experts say the number may actually be higher, since only 10 per cent of the reports came from individuals, who are less likely than companies to have software capable of detecting viruses. Viruses and other forms of cyber crime have concerned authorities in Japan following a series of high-profile raids by unidentified hackers on government-run Internet sites last year.


SECURITY ALERTS

We try to inform you of vulnerabilities as soon as they become a threat to your resources, not when the vendors decide to report them.

Solaris ximp40 Library Buffer Overflow Vulnerability

Released January 31, 2001
Affects Sun Solaris 7.0, 8.0
Reference http://www.securityfocus.com/bid/2322
Problem - A problem in the ximp40 library packaged with Openwin could allow a user to gain elevated privileges. Due to a problem with the handling of input by the programs linked against ximp40.so.2, it is possible to supply a long string, approximately 272 bytes, to the arg0 of the command, which will overwrite stack variables, including the return address of the program.

- This makes it possible for a malicious user with local access to the system to execute arbitrary code, and depending upon which SUID binary is exploited, gain either EUID mail, or EUID root.

SAFER - We are not aware of any solutions for this issue.

ISC BIND Internal Memory Disclosure Vulnerability

Released January 31, 2001
Affects BIND 4.9 up to 8.2.3 Beta
Reference http://www.securityfocus.com/bid/2321
Problem - The ISC has disclosed information about a vulnerability in BIND that may disclose memory contents to remote attackers. The vulnerability can be exploited if an attacker crafts a specially formed 'inverse query' that causes the behaviour to occur. The memory disclosed is from the program's 'stack' region of memory, which stores internal values related to execution as well as run-time/local variables. In addition to reading such information as environment variables or function variables from the stack, it may also be possible for the attacker to make an assessment of the run-time memory layout. This information could assist in more easily launched/successful platform/architecture and data-dependent attacks.

- An example of this is the single-byte buffer overflow transaction signatures vulnerability in BIND (Bugtraq ID 2302). According to COVERT Advisory 2000-01 from Network Associates, it is possible to retrieve stack frames from BIND with this vulnerability. With this information, well-written exploit code can automatically know where a return address will be read from after a saved base pointer has been modified. This hypothetical well-written exploit code can then automatically adjust the location of the replacement return address and exploit the vulnerability successfully (provided other conditions are met) on the first try. As demonstrated above, such disclosed information may provide attackers with a cleaner, more efficient means of exploiting other vulnerabilities.

SAFER - The ISC strongly recommends upgrading to BIND version 9.1.0.


www-sql .htaccess bypass Vulnerability

Released January 30, 2001
Affects www-sql 0.4.4
Reference http://www.securityfocus.com/bid/2317
Problem - WWW-SQL is a script that provides a web interface for accessing MySQL or PostgreSQL databases. It is designed to process HTML files containing specially formed SQL query tags, filtering the file and replacing the SQL tags with appropriate text. Versions prior to 0.5.0 allow attackers to access pages on the web server protected by .htaccess restrictions under the Apache web server. This is accomplished by passing the path to the protected page as an argument to the script.

SAFER - Version 0.5.0 of the script addresses this issue.

Solaris x86 nlps_server Buffer Overflow Vulnerability

Released January 30, 2001
Affects Sun nlps_server 1.0
Reference http://www.securityfocus.com/bid/2319
Problem - Solaris 2.4, 2.5, and 2.51 x86 are vulnerable to a buffer overflow in nlps_server, a network-printing listener residing on port 2766 when installed. This buffer overflow can be exploited to gain remote root access, by sending an excessively long string of characters to the port following a short specific command.

SAFER - We are not aware of any solutions for this issue.

MySQL Local Buffer Overflow Vulnerability

Released January 30, 2001
Affects MySQL 3.22.26 up to 3.23.9
Reference http://www.securityfocus.com/bid/2262
Problem - By supplying an excessively long string as an argument for a SELECT statement, it is possible for a local attacker to overflow MySQL's query string buffer.

- As a result of this overflow, excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling function's return address. Since the user supplies this data, it can be made to alter the program's flow of execution.

SAFER - Upgrades are available.

Mars NWE Format String Vulnerability

Released January 30, 2001
Affects Mars NWE 0.99pl19
Reference http://www.securityfocus.com/bid/2316
Problem - A problem with the software could allow a user to gain elevated privileges. Due to the handling of format strings by the software package, it is possible for a DOS or Windows workstation attached to the emulator to generate a custom crafted request of the system that will ultimately execute the code.

- In the logging code of the program, improper handling of format strings makes it possible to fill buffers and overwrite variables on the stack, including the return address. Due to this problem it is possible for a user with malicious intent to pass shell code to the program, which will result in execution of the code on the stack with the privileges inherited by the emulator program, normally run as root.

SAFER - Patch has been provided by Przemyslaw Frasunek [email protected].


PDGSoft Shopping Cart Exposed Orders Vulnerability

Released January 30, 2001
Affects PDGSoft Shopping Cart 1.50
Reference http://www.securityfocus.com/bid/2315
Problem - PDGSoft's PDG Shopping Cart, when poorly installed, leaves customer order information (including credit card details and order history) in world readable plain text log files. A remote attacker can retrieve these files when they have been poorly secured in this manner.

- By default this log file can be found at PDG_Cart/order.log. Additional information can be found at PDG_Cart/shopper.conf - including the name and directory of the order.log file if the default location has been changed.

SAFER - We are not aware of any solutions for this issue.

Microsoft IIS File Fragment Disclosure Vulnerability

Released January 30, 2001
Affects Microsoft IIS 4.0, 5.0
Reference http://www.securityfocus.com/bid/2313
Problem - Due to the handling of requests by the ISAPI extensions, it is possible for a remote user to disclose various known files. A maliciously crafted URL could cause IIS to use the .htr ISAPI extension to process requests for other file types, so that segments of the requested file are disclosed to the attacker. Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim.

- It should be noted that this vulnerability is a variation of a previously discovered bug (Bugtraq IDs 1193 and 1488).

SAFER - Microsoft has released a patch which rectifies this issue.

SmartMax MailMax SMTP Buffer Overflow Vulnerability

Released January 29, 2001
Affects MailMax 1.0
Reference http://www.securityfocus.com/bid/2312
Problem - Smartmax MailMax is an email server for Windows 95/98/NT. It is vulnerable to buffer overflow attacks against the SMTP-command processing function. This can be exploited to execute arbitrary commands with the privileges of the user running MailMax.

- Specific vulnerable version information is not currently known by SecurityFocus, but exploit code has been released for versions using version 1.5c of its ODBC Drivers. According to the exploit author all versions he has encountered use this driver.

SAFER - We are not aware of any solutions for this issue.

Majordomo lists Command Execution Vulnerability

Released January 29, 2001
Affects Majordomo 1.90
Reference http://www.securityfocus.com/bid/2310
Problem - Majordomo uses the Perl eval() function to see if a user (specified in the Reply-to: portion of the header) submitting a "lists" command matches any patterns specified in the "advertise" or "noadvertise" directives in the configuration file. It includes some basic input checking in doing this; filtering stream redirection characters, etc. This can be bypassed however, by utilizing the backtick (`) and composing the commands so that they are not interrupted by majordomo's input parsing functions.


SAFER - Upgrade to the latest version of majordomo (fixed in 1.91). If this is difficult, a patch for version 1.90 and a workaround for other versions are available.

ISC Bind 4 nslookupComplain() Format String Vulnerability

Released January 29, 2001
Affects BIND 4.9 up to 4.9.7-T1B
Reference http://www.securityfocus.com/bid/2309
Problem - Version 4 of BIND contains a format string vulnerability that may be exploitable by attackers to gain root access remotely. When BIND 4 name servers receive a query for a hostname, the first thing that happens is that their own zone files and caches are checked for records that match the requested address/hostname. If the hostname cannot be resolved through these local means, BIND obtains the name servers that are responsible for the host's domain. Once it has the proper NS records, BIND calls nslookup() to obtain the IP addresses of these name servers. The nslookup() function checks each nameserver IP address for validity. If it is invalid (i.e., 0.0.0.0, 255.255.255.255 or a multicast address), it calls nslookupComplain() to log the error to syslog.

- A condition exists in the nslookupComplain() function that may allow a remote attacker to overwrite arbitrary locations in memory with almost arbitrary values. This is due to passing syslog() a string containing attacker-supplied input (nameserver hostname) as its format string argument. Any format specifiers that are within the hostname will be acted upon by the *printf() function used by syslog(). If an attacker utilizes certain format specifiers, arbitrary locations in memory can be overwritten. An attacker may, for example, overwrite a function return address with a value pointing to shell code in memory. It may require that the attacker use more than one malicious DNS server to build a fully qualified domain name long enough to contain the format specifiers.

- It should be noted that this may not be exploitable due to restrictions on characters in domain names.

SAFER - The ISC strongly recommends upgrading to BIND version 9.1.0. It has been reported that this vulnerability or vulnerabilities closely related to it are being actively exploited.

ISC Bind 4 nslookupComplain() Buffer Overflow Vulnerability

Released January 29, 2001
Affects BIND 4.9 up to 4.9.7-T1B
Reference http://www.securityfocus.com/bid/2307
Problem - Version 4 of BIND contains a stack overflow that may be exploitable by attackers to gain root access remotely. When BIND 4 name servers receive a query for a hostname, the first thing that happens is that their own zone files and caches are checked for records that match the requested address/hostname. If the hostname cannot be resolved through these local means, BIND obtains the name servers that are responsible for the host's domain. Once it has the proper NS records, BIND calls nslookup() to obtain the IP addresses of these name servers. The nslookup() function checks each nameserver IP address for validity. If it is invalid (i.e., 0.0.0.0, 255.255.255.255 or a multicast address), it calls nslookupComplain() to log the error to syslog.

- A buffer overflow condition exists in the nslookupComplain() function. When generating the error message, nslookupComplain() uses sprintf() to construct a null terminated string. This string is 999 bytes in length and is a local variable. If the nameserver hostname exceeds the length of the buffer size, it will be copied over nslookupComplain()'s stack variables when the string is created. Because the buffer size is so large, it may require that the attacker use more than one malicious DNS server to build a fully qualified domain name long enough to cause the overflow. As stated above, this vulnerability could be exploited to gain remote access to the host on which BIND 4 is running. By replacing the return address with an address pointing to supplied shell code, an attacker can execute arbitrary code.

- It should be noted, however, that the bytes an attacker may use to carry out this attack must be characters allowed in Internet hostnames. It may not be possible to build a valid return address from these bytes.

SAFER - The ISC strongly recommends upgrading to BIND version 9.1.0. It has been reported that this vulnerability or vulnerabilities closely related to it are being actively exploited.
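The two nslookupComplain() entries above describe one logging step going wrong in two ways: an unbounded sprintf() into a 999-byte local buffer, and a finished message handed to syslog() as its format string. The C below is an added illustration, not ISC's BIND code: the unsafe shape for contrast, a hostname validator that enforces the character rules both entries point to (letters, digits and hyphens only), and a bounded replacement that logs through a fixed "%s" format. The message text, COMPLAINT_LEN and the sample names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define COMPLAINT_LEN 999  /* size of the local buffer the advisory describes */

/* Shape of the flaw described above (illustrative, not ISC's code): a name
 * influenced by a remote party is copied with sprintf() into a fixed local
 * buffer, and the finished message is then handed to the logger as its FORMAT
 * string. Never run this with untrusted input; it is here only for contrast. */
void complain_unsafe(const char *ns_name, const char *ns_addr)
{
    char msg[COMPLAINT_LEN];
    sprintf(msg, "Bogus nameserver %s for %s", ns_addr, ns_name); /* no bound */
    /* syslog(LOG_INFO, msg);   <- msg, with any %-specifiers inside, is the format */
    (void)msg;
}

/* Valid Internet hostname under the LDH rule: labels of letters, digits and
 * hyphens, 1 to 63 octets each, not starting or ending with '-', at most 253
 * octets overall; one trailing dot is accepted. Anything else, including '%',
 * is rejected before it can reach a logging call. */
bool valid_hostname(const char *name)
{
    size_t total = strlen(name);
    size_t label = 0;
    if (total == 0) return false;
    if (total - (name[total - 1] == '.' ? 1 : 0) > 253) return false;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (c == '\0' && label == 0 && i > 0 && name[i - 1] == '.')
                break;                                   /* trailing dot */
            if (label == 0 || label > 63 || name[i - 1] == '-')
                return false;
            label = 0;
            continue;
        }
        if (label == 0 && c == '-') return false;
        if (!isalnum((unsigned char)c) && c != '-') return false;
        label++;
    }
    return true;
}

/* Hardened complaint: validate the name, build the message with a bound, and
 * log it through a fixed "%s" format so its bytes are data, not directives.
 * Returns the number of bytes stored in out, or -1 if the name was rejected. */
int complain_safe(char *out, size_t outsz, const char *ns_name, const char *ns_addr)
{
    if (outsz == 0 || !valid_hostname(ns_name)) return -1;
    int n = snprintf(out, outsz, "Bogus nameserver %s for %s", ns_addr, ns_name);
    if (n < 0) return -1;
    if ((size_t)n >= outsz) n = (int)(outsz - 1);   /* truncated, never overflowed */
    /* syslog(LOG_INFO, "%s", out);   <- out is an argument, not the format */
    return n;
}

/* Helper for checks: formats the sample complaint about address 0.0.0.0 into
 * a buffer of outsz bytes and returns the stored length (or -1). */
int sample_complaint_len(size_t outsz, const char *ns_name)
{
    char out[128];
    if (outsz > sizeof out) return -1;
    return complain_safe(out, outsz, ns_name, "0.0.0.0");
}

int main(void)
{
    char out[64];
    int n = complain_safe(out, sizeof out, "ns1.example.com", "0.0.0.0");
    printf("%d: %s\n", n, out);
    printf("rejected: %d\n", complain_safe(out, sizeof out, "%n%n.example.com", "0.0.0.0"));
    return 0;
}
```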


AT&T WinVNC Server Buffer Overflow Vulnerability

Released January 29, 2001
Affects AT&T WinVNC Server 3.3.3r7 and Previous
Reference http://www.securityfocus.com/bid/2306
Problem - A problem with the WinVNC server could allow remote users to arbitrarily execute code. The problem is due to the handling of HTTP requests when a non-zero debug level has been set. HTTP requests are placed into a buffer of 1024 bytes, and when the Windows registry key DebugLevel is set to a value greater than 0, the HTTP request is logged using the method ReallyPrint(), which contains a fixed buffer of 1024 bytes. It is possible to generate a custom crafted HTTP request to the WinVNC server that will overwrite variables on the stack, including the return address.

- A malicious user can use this vulnerability to execute arbitrary code with privileges of the WinVNC server process, and potentially gain access to the local system.

SAFER - A patch has been provided by Core-SDI as part of their advisory.

AT&T WinVNC Client Buffer Overflow Vulnerability

Released January 29, 2001
Affects AT&T WinVNC Client 3.3.3r7 and Previous
Reference http://www.securityfocus.com/bid/2305
Problem - A problem with the client portion of the package could allow a remote user to execute arbitrary code. This is due to the handling of the rfbConnFailed packet sent from the server to the client during connection and authentication. This error response normally signals the client that the connection attempt has failed, at which time the client passes the contents of the packet through a logging routine for future administrative reference. However, by spoofing the version number of the server, and sending the rfbConnFailed packet with a reason string of 1024 bytes, and a reason length of greater than 1024 bytes, an overflow will occur. This overflow could be used to overwrite stack variables, including the return address, and execute arbitrary code.

- This problem makes it possible for a user with malicious motives to execute code on a remote system, with the privileges of the user of the WinVNC client.

SAFER - A patch has been provided by Core-SDI as part of their advisory.
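The client-side flaw above comes down to a declared length being trusted over the bytes actually received. The following C is an added example, not AT&T's WinVNC code: a parser for the RFB 3.3 failure message (U32 security type 0, U32 reason length, reason text) that rejects a length that does not match what arrived and bounds the copy into the client's fixed buffer. REASON_CAP and the sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RFB_CONN_FAILED 0u   /* security-type value that announces failure (RFB 3.3) */
#define REASON_CAP 1024      /* size of the client's fixed log buffer in the advisory */

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the failure message the server sends: U32 security type (0), U32 reason
 * length, then the reason text. Copies at most cap-1 bytes into out and
 * NUL-terminates. Returns the number of bytes stored, or -1 when the message
 * is not a ConnFailed message or the declared length does not match the bytes
 * actually received (the client must never use the declared value as a copy
 * length on its own). */
int parse_conn_failed(const uint8_t *msg, size_t len, char *out, size_t cap)
{
    if (len < 8 || cap == 0) return -1;
    if (rd32(msg) != RFB_CONN_FAILED) return -1;
    uint32_t declared = rd32(msg + 4);
    size_t available = len - 8;
    /* The bug shape in the advisory is trusting 'declared'. Here it is checked
     * against what arrived, and the copy is bounded by the destination. */
    if (declared != available) return -1;
    size_t n = declared < cap - 1 ? declared : cap - 1;  /* truncate, never overflow */
    memcpy(out, msg + 8, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample (not captured traffic): declared_len goes into the header
 * while reason_len bytes of 'R' actually follow it, so the two can disagree. */
size_t build_conn_failed(uint8_t *out, size_t cap, uint32_t declared_len, size_t reason_len)
{
    if (cap < 8 + reason_len) return 0;
    memset(out, 0, 4);                                   /* security type 0 */
    out[4] = (uint8_t)(declared_len >> 24);
    out[5] = (uint8_t)(declared_len >> 16);
    out[6] = (uint8_t)(declared_len >> 8);
    out[7] = (uint8_t)declared_len;
    memset(out + 8, 'R', reason_len);
    return 8 + reason_len;
}

/* Runs a sample through the parser into a REASON_CAP-byte buffer and returns
 * the parser's result (-2 if the sample could not be built). */
int check_conn_failed(uint32_t declared_len, size_t reason_len)
{
    uint8_t msg[8 + 2048];
    char reason[REASON_CAP];
    size_t n = build_conn_failed(msg, sizeof msg, declared_len, reason_len);
    if (n == 0) return -2;
    return parse_conn_failed(msg, n, reason, sizeof reason);
}
```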


ISC Bind 8 Transaction Signatures Heap Overflow Vulnerability

Released January 29, 2001
Affects BIND 8.2 up to 8.2.3 beta
Reference http://www.securityfocus.com/bid/2304
Problem - The vulnerability is present when BIND receives queries via the TCP transport protocol. When a query is received, it is read from the TCP stream into a malloc()'d buffer. When sending responses, BIND re-uses this buffer for creating the reply. As BIND processes the request, it appends data to the DNS response (in the malloc'd buffer). The length of the DNS message as well as the number of bytes that can be written are kept track of using two variables. When a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature. If the signature is invalid, a TSIG response is appended to a location in memory that BIND thinks is the end of the message (based on the two variables described above). Unfortunately, since BIND has not processed the message normally, this location is far from where it should be. This can result in the TSIG response being written beyond the boundaries of the allocated block of memory.

- While this is a buffer overflow, it occurs in the 'bss' or 'heap' region of process memory. It cannot be exploited in the same way a stack overflow can be. In addition, this part of memory is not executable; therefore any shell code must somehow be put in the stack. The most likely way to exploit a vulnerability like this is through corruption of malloc() structures. If an attacker can overwrite the beginning of a malloc()'ed block of memory and have it remain intact until free() is called on it, arbitrary locations in memory can be overwritten with attacker supplied-values.

- An attacker may, for example, overwrite a return address on the stack with a value pointing to shell code somewhere in executable memory. When the function returns, the supplied shell code will be executed with privileges of named (typically root).

SAFER - The ISC strongly recommends upgrading to BIND version 9.1.0. It has been reported that this vulnerability or vulnerabilities closely related to it are being actively exploited.

ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability

Released January 29, 2001
Affects BIND 8.2 up to 8.2.2 p7
Reference http://www.securityfocus.com/bid/2302
Problem - The vulnerability is present when BIND receives queries via the UDP transport protocol. When a query is received, it is read from the datagram into a local buffer on the stack and then processed. This buffer is 512 bytes in length, the maximum amount of information that can be sent in a single UDP datagram. When sending responses, BIND re-uses this buffer for creating the response. As BIND processes the request, it appends data to the DNS response (in the local buffer). The length of the DNS message as well as the number of bytes that can be written are kept track of using two variables.

- When a transaction signature is included in the query, BIND skips normal processing of the request and attempts to verify the signature. If the signature is invalid, a TSIG response is appended to a location in memory that BIND thinks is the end of the message (based on the two variables described above). Unfortunately, since BIND has not processed the message normally, this location is far from where it should be. This can result in the TSIG response being written partially over the executing function's stack frame. The TSIG response consists of fixed values, including zero-value bytes. If the least significant byte of the saved base pointer in the stack frame is overwritten (with a zero, for example), it could end up referencing memory under the control of the attacker.

- If this happens, the attacker has control over the stack frame of the calling function. An arbitrary address supplied by the attacker inserted within this region of memory can be referenced as a return address when the calling function returns. If this address points to shell code, it will be executed with privileges of named.

SAFER - The ISC strongly recommends upgrading to BIND version 9.1.0. It has been reported that this vulnerability is being actively exploited.
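Both BIND 8 entries hinge on a query that carries a transaction signature, which travels as a TSIG resource record in the additional section. The following C is an added example, not code from the newsletter or from ISC: a bounds-checked walk over the DNS wire format that reports whether a message carries a TSIG RR (type 250), the kind of check a monitor can apply to flag such queries reaching hosts still running the affected BIND 8.2.x versions. The sample packets, including the key name key.example., are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_TYPE_TSIG 250   /* TSIG meta-RR type (RFC 2845), additional section only */

/* Skip one wire-format name at *pos. Returns 0 on success, -1 if the name runs
 * past len. A compression pointer (top two bits set) ends the name after 2 bytes. */
static int skip_name(const uint8_t *pkt, size_t len, size_t *pos)
{
    while (*pos < len) {
        uint8_t l = pkt[*pos];
        if ((l & 0xC0) == 0xC0) {               /* compression pointer */
            if (*pos + 2 > len) return -1;
            *pos += 2;
            return 0;
        }
        if (l & 0xC0) return -1;                /* reserved label types */
        *pos += 1 + l;
        if (l == 0) return 0;                   /* root label terminates the name */
    }
    return -1;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 if the message carries a TSIG RR in its additional section, 0 if
 * not, -1 if any section is truncated or malformed (every read is bounded). */
int dns_has_tsig(const uint8_t *pkt, size_t len)
{
    uint16_t count[4];                          /* QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
    size_t pos = 12;
    if (len < 12) return -1;
    for (int i = 0; i < 4; i++) count[i] = rd16(pkt + 4 + 2 * i);
    for (uint16_t i = 0; i < count[0]; i++) {   /* question: name, QTYPE, QCLASS */
        if (skip_name(pkt, len, &pos) < 0 || pos + 4 > len) return -1;
        pos += 4;
    }
    for (int sec = 1; sec < 4; sec++) {         /* RRs: name, 10 fixed bytes, RDATA */
        for (uint16_t i = 0; i < count[sec]; i++) {
            if (skip_name(pkt, len, &pos) < 0 || pos + 10 > len) return -1;
            uint16_t type = rd16(pkt + pos);
            uint16_t rdlen = rd16(pkt + pos + 8);
            pos += 10;
            if (rdlen > len - pos) return -1;   /* RDLENGTH must fit what was received */
            pos += rdlen;
            if (sec == 3 && type == DNS_TYPE_TSIG) return 1;
        }
    }
    return 0;
}

/* Encode a dotted name (optional trailing dot) in wire format; 0 if it won't fit. */
static size_t put_name(uint8_t *out, size_t cap, const char *name)
{
    size_t n = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63 || n + 1 + l + 1 > cap) return 0;
        out[n++] = (uint8_t)l;
        memcpy(out + n, name, l); n += l;
        name += l + (dot ? 1 : 0);
    }
    if (n + 1 > cap) return 0;
    out[n++] = 0;
    return n;
}

/* Constructed sample (not a captured packet): a standard A query for example.com,
 * optionally carrying one TSIG RR keyed "key.example." in the additional section
 * (class ANY, TTL 0, 6 placeholder RDATA bytes). */
size_t build_query(uint8_t *out, size_t cap, int with_tsig)
{
    static const uint8_t hdr[12]  = {0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0};
    static const uint8_t qa[4]    = {0,1, 0,1};                   /* A, IN */
    static const uint8_t tsig[10] = {0,250, 0,255, 0,0,0,0, 0,6}; /* TYPE CLASS TTL RDLEN */
    size_t pos = 12, n;
    if (cap < 12) return 0;
    memcpy(out, hdr, 12);
    out[11] = with_tsig ? 1 : 0;                /* ARCOUNT */
    if (!(n = put_name(out + pos, cap - pos, "example.com")) || pos + n + 4 > cap) return 0;
    pos += n;
    memcpy(out + pos, qa, 4); pos += 4;
    if (!with_tsig) return pos;
    if (!(n = put_name(out + pos, cap - pos, "key.example.")) || pos + n + 16 > cap) return 0;
    pos += n;
    memcpy(out + pos, tsig, 10); pos += 10;
    memset(out + pos, 0, 6);
    return pos + 6;
}

/* Builds a sample, drops its last truncate_by bytes, and classifies what is left. */
int check_sample(int with_tsig, size_t truncate_by)
{
    uint8_t buf[128];
    size_t n = build_query(buf, sizeof buf, with_tsig);
    if (n == 0 || truncate_by > n) return -2;
    return dns_has_tsig(buf, n - truncate_by);
}
```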


RPMMail Local/Remote Root Vulnerability

Released January 29, 2001
Affects RedHat Linux 6.0x, S.u.S.E. Linux 6.2
Reference http://www.securityfocus.com/bid/2301
Problem - By sending a carefully formed mail message to the affected mail host's 'rpmmail' account, an attacker may be able to obtain a root shell, or to run arbitrary commands as an unprivileged user.

- The results of a successful exploit vary from system to system. In certain environments and configurations, an attacker can obtain local or remote root privileges. In other contexts, the result is remote command execution as the user running rpmmail.

SAFER - Version 1.4 of rpmmail should not be vulnerable to this attack.

rwhod Buffer Overflow Vulnerability

Released January 26, 2001
Affects FreeBSD, AIX, NetBSD, RedHat
Reference http://www.securityfocus.com/bid/2298
Problem - A remote buffer overflow vulnerability exists in versions of the rwho daemon on several platforms. Versions of rwho may fail to properly validate user-supplied input forming an rwho query. As a result, it is possible for an attacker to construct a query which overflows rwho's input buffer.

- As a result, the excessive data copied onto the stack as input to rwho.c's path field can overwrite critical parts of the stack frame such as the calling functions' return address. Since the user supplies this data, it can be crafted to alter the program's flow of execution. If properly exploited, this can yield root privilege to the attacker.

- OpenBSD, NetBSD, FreeBSD, Linux distributions and AIX are believed to be affected.

SAFER - For users of AIX, new packages of fixes are available for AIX-4.

Microsoft PowerPoint Buffer Overflow Vulnerability

Released January 26, 2001
Affects Microsoft PowerPoint 2000
Reference http://www.securityfocus.com/bid/2297
Problem - Due to a parsing function within the execution process of a PowerPoint presentation, it is possible for an attacker to produce a buffer overflow condition. Malicious user-supplied data may be embedded within the document in such a way that the hostile code will be executed when the file is accessed.

- Successful exploitation of this vulnerability could lead to complete compromise of the affected host.

SAFER - Microsoft has released a patch which addresses this issue.


Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability

Released January 25, 2001
Affects wu-ftpd 2.4.1 up to 2.6
Reference http://www.securityfocus.com/bid/2296

Problem
- If wu-ftpd is running in debug mode (i.e., started by inetd with the -d or -v flag) it may be possible for an attacker to exploit a format string attack. When in debug mode, Wu-ftpd logs user commands and server responses via syslog() with a 'DEBUG' designation. When a passive file transfer is initiated by the user (real or anonymous), this message is written to syslog: PASV port X assigned to HOSTNAME
- The string containing this message is constructed before the call to syslog(). The value of HOSTNAME within the string is resolved by the server. This string is then passed to syslog() as its format string argument. As a result, any format specifiers within the string will be interpreted and acted upon. This could be exploited in the typical manner in which format string vulnerabilities are exploited.
- It is not known if any distributions of Wu-ftpd, or distributions of software including Wu-ftpd, ship with debug mode on by default.

SAFER - Debian has released both upgraded packages and diff files that fix this vulnerability.

Oracle XSQL Servlet Arbitrary Java Code Vulnerability

Released January 25, 2001
Affects Oracle XSQL Servlet 1.00 up to 1.0.3, Oracle 8i 8.1.7.0.0 Ent., DB server 8.1.7.0.0
Reference http://www.securityfocus.com/bid/2295

Problem
- The Oracle XSQL Servlet dynamically generates XML documents from one or more SQL queries. The Oracle database server exhibits a possible failure to validate user-supplied input in stylesheet references contained in URLs submitted to the server.
- Properly exploited, this can permit the remote execution of arbitrary Java code with the server's privilege level. More specific information on this vulnerability is not currently available.

SAFER - This issue has been corrected in the new release of XSQL Servlet, Release 1.0.4.0.

FreeBSD ipfw Filtering Evasion Vulnerability

Released January 25, 2001
Affects FreeBSD 3.0 up to 4.2
Reference http://www.securityfocus.com/bid/2293

Problem
- A vulnerability in FreeBSD's ipfw packet filter has been uncovered that may allow attackers to evade certain filtering rules. It has to do with FreeBSD's interpretation of the ECE flag in the TCP header. The ECE flag is an experimental extension to TCP, and is part of TCP's reserved options. Its purpose is for notification of network congestion.
- When the packet filter examines TCP packets that have the ECE flag set, it interprets them as being part of an established TCP connection. Thus if a filtering rule exists that permits packets belonging to an established connection, these packets will qualify and be let through. Attackers could use this vulnerability to circumvent firewall rules. Packets could be constructed with the ECE flag set in outgoing traffic to establish connections with services behind the firewall. Under normal circumstances, these services would only receive such packets if a TCP connection had already been established.
- Services intended to be protected by such a rule will be exposed to possibly hostile external networks.

SAFER - FreeBSD has released patches to fix this vulnerability.
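The ipfw entry above comes down to one predicate: which TCP flag bits prove that a packet belongs to an already-established connection. The C program below is an added illustration written for this newsletter page, not FreeBSD's ipfw code. The flawed predicate is a simplified model of the behaviour the advisory describes (an assumption made for the illustration, not the actual kernel logic); the fixed predicate admits only packets carrying ACK or RST, which is what an "established" rule is meant to match. The sample flag bytes are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* TCP flag bits in the low byte of the header's offset/flags word. ECE and CWR
 * were added for Explicit Congestion Notification (RFC 2481 at the time). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* the "ECE flag" of the advisory */
#define TH_CWR  0x80

/* Simplified model of the behaviour the advisory describes (an assumption made
 * for this illustration, not FreeBSD's code): anything that is not a bare SYN is
 * taken to belong to an existing connection, so SYN|ECE slips through. */
bool established_flawed(uint8_t flags)
{
    return (flags & ~TH_SYN) != 0;
}

/* Correct "established" test: only the ACK or RST bit proves that a connection
 * handshake has already happened. Every other bit is ignored. */
bool established_fixed(uint8_t flags)
{
    return (flags & (TH_ACK | TH_RST)) != 0;
}

/* Count how many of the given packets the flawed check would admit as
 * "established" although the fixed check would not: each one is a connection
 * attempt that could reach a service the rule was meant to shield. */
int count_evasions(const uint8_t *flags, int n)
{
    int evasions = 0;
    for (int i = 0; i < n; i++)
        if (established_flawed(flags[i]) && !established_fixed(flags[i]))
            evasions++;
    return evasions;
}

int main(void)
{
    /* Constructed sample: a normal SYN, a SYN with ECE set (the evasion case),
     * a SYN with CWR set, a plain ACK, and a RST. */
    const uint8_t sample[] = { TH_SYN, TH_SYN | TH_ECE, TH_SYN | TH_CWR,
                               TH_ACK, TH_RST };
    int n = (int)(sizeof sample / sizeof sample[0]);
    for (int i = 0; i < n; i++)
        printf("flags=0x%02x flawed=%d fixed=%d\n", sample[i],
               established_flawed(sample[i]), established_fixed(sample[i]));
    printf("connection attempts the flawed check lets through: %d\n",
           count_evasions(sample, n));
    return 0;
}
```

The check is deliberately stateless, which is all an ipfw "established" rule of that era offered; a stateful filter would additionally require that the flow already exists in its connection table, so a lone SYN|ECE would fail on two counts rather than one.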


wwwwais.c Heap Overflow Vulnerability

Released January 25, 2001
Affects wwwwais.c 2.5c
Reference http://www.securityfocus.com/bid/2292

Problem
- When user-supplied input passed as an argument to the GET command exceeds the maximum anticipated length, it is possible for a local attacker to overflow the input buffer. This allows excess input to be written past the boundary of the allocated space on the heap.
- As a result, if certain internal memory structures can be successfully overwritten, it may be possible to carry out a denial of service attack, or even to execute arbitrary commands with the privilege level of the webserver.

SAFER - We are not aware of any solutions for this issue.

Easycom/Safecom Print Server Remote Arbitrary Command Vulnerability

Released January 24, 2001
Affects Easycom/Safecom Print Server 1.0
Reference http://www.securityfocus.com/bid/2291

Problem
- Excess user-supplied input submitted as a URL to the print server's web service could create a buffer overflow condition, which has the potential to crash the server, posing a denial of service risk.
- If the submitted URL is constructed with sufficient precision, the excess data received by the vulnerable server is copied onto the stack and can overwrite critical parts of the stack frame such as the calling function's return address. Since the user supplies this data it could be crafted to remotely alter the program's flow of execution.

SAFER - We are not aware of any solutions for this issue.

Oracle JSP/JSPSQL Remote File Reading Vulnerability

Released January 24, 2001
Affects Oracle8 8.1.7
Reference http://www.securityfocus.com/bid/2288

Problem
- By generating a custom crafted request to either a .jsp file or the bb.sqljsp file, it is possible to force the JSP and JSPSQL handlers to ascend the directory tree outside of the webroot and attempt to read the contents of the file specified in the request. Successful execution results in the files being moved to the http://host/_pages subdirectory, and the extension of the file being changed to .java.
- This problem makes it possible for a user with malicious motives to access and read files that may be restricted and/or sensitive. It could also lead to a remote user gaining local access, and an elevation of privileges.

SAFER - We are not aware of any solutions for this issue.


Oracle JSP/SQLJSP Servlet Execution Vulnerability

Released January 24, 2001
Affects Oracle8 8.1.7
Reference http://www.securityfocus.com/bid/2286

Problem
- A problem in the Oracle8 database could allow a remote user to execute arbitrary .jsp files. Due to the handling of input by the Oracle JSP agent, it is possible for a remote user to access files that may be execution restricted.
- Upon connecting to a web server using the Oracle database and running on a Windows 2000 system, it is possible for a user to execute Java servlet pages on the same partition as the web server root. This is done by connecting to the web server and requesting a file such as http://webhost/servlet//..//..//o.jsp, which would execute the file c:\o.jsp, presuming such a file existed and the web server root was on the c:\ partition. This would also create the directory C:\servlet\_pages\_servlet, and copy the source and .class file of o.jsp into the created directory.
- This makes it possible for a user with knowledge of the web infrastructure to execute arbitrary .jsp files, and potentially learn information that could aid in gaining local access to the server, or even gain elevated privileges on a local web server.

SAFER - We are not aware of any solutions for this issue.

Netscape Enterprise Server 'Index' Disclosure Vulnerability

Released January 24, 2001
Affects Netscape Enterprise Server 3.0, 4.0
Reference http://www.safermag.com/advisories/

Problem
- Netscape Enterprise Server with Web Publishing enabled will disclose the directory listing of the target server. If a remote user connects to the Netscape Enterprise Server via telnet, submitting the specially crafted request 'INDEX / HTTP/1.0' will cause the server to display the entire directory listing.
- Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim.
- It should be noted that this vulnerability is not exploitable on directories with aliases.

SAFER - The workaround is to disable Web Publishing, or to disable the INDEX request (which will, most likely, break the web publishing feature).

Watchguard FireboxII Password Retrieval Vulnerability

Released January 24, 2001
Affects WatchGuard FireboxII Firmware 4.0, 4.1, 4.2, 4.3, 4.4, 4.5
Reference http://www.securityfocus.com/bid/2284

Problem
- A problem with the firmware may allow remote users with read-only access to gain elevated privileges. The problem occurs in the handling of passwords by the FireboxII system. It is possible for a user with read-only access to the firewall to initiate an SSL connection through the proprietary libraries included with the administration tools. Upon connecting and executing the MPF command, a user can retrieve the binary /var/lib/mpf/keys.gz from flash memory, which contains the hashed passwords of both the read-only and the read-write accounts. A remote user can then initiate connections through the library, using the hashed read-write password to modify the configuration. This problem makes it possible for a user with malicious motives to gain control of the firewall, allow access to resources which may be restricted, or potentially deny service to the network.

SAFER - Upgrades are available from Watchguard.


Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability

Released January 24, 2001
Affects Lotus Domino Mail Server 5.0.5
Reference http://www.safermag.com/advisories/

Problem
- Lotus Domino Mail Server fails to properly validate user-supplied input to the field which specifies permitted domain names in the mail forwarding policy.
- As a result, if the policy feature is enabled, maliciously-crafted values input to this field can overflow the relevant buffer, allowing the attacker to crash the server or, potentially, to execute arbitrary code with the privilege level of the mail server.
- Successful exploitation of this vulnerability could lead to complete compromise of the host.

SAFER - Lotus has addressed this issue in Lotus Domino Mail Server 5.0.6.

Mountain-net WebCart Exposed Orders Vulnerability

Released January 23, 2001
Affects WebCart 1.0
Reference http://www.securityfocus.com/bid/2281

Problem
- WebCart is a web commerce product provided by Mountain Network Systems, Inc. Certain poorly configured default installations leave customer order information in remotely accessible text files, including credit card details and other sensitive information. These files include orders/checks.txt, config/import.txt, config/mountain.cfg, and possibly others. Exact version information has not been determined; this default configuration issue may have been resolved in more recent versions. Regardless, it should be noted that this is not a vulnerability in the strictest sense but rather a poor configuration issue.

SAFER - Mountain Network Systems Inc. recommends following the security practices outlined in the user manual. Remote users should be denied access to customer order information files.

bing gethostbyaddr Buffer Overflow Vulnerability

Released January 23, 2001
Affects bing 1.0.4 and Previous
Reference http://www.securityfocus.com/bid/2279

Problem
- A problem in bing can allow a local user to gain administrative privileges. The buffer used to store the host name returned by a gethostbyaddr() call is a static 80-byte buffer. It is possible for a user with control of their own IN-ADDR.arpa zone to create a custom crafted entry in their zone records, appended with shell code. Upon receiving the IN-ADDR entry, the buffer could overflow, overwriting stack variables up through the return address, and therefore executing the shell code in the zone entry. This problem makes it possible for a user with malicious motives to gain elevated privileges on a vulnerable system, including administrative access.

SAFER - Upgrade to bing 1.0.5.


Sysadmin Magazine man.sh Arbitrary Command Execution Vulnerability

Released January 23, 2001
Affects SysAdmin Magazine man.sh 1.0
Reference http://www.securityfocus.com/bid/2276

Problem
- A problem with the man.sh script can allow users to remotely execute arbitrary commands. Due to the improper handling of special characters by the script, it is possible to force the script to execute arbitrary commands. This problem can make it possible for a user with malicious motives to execute arbitrary commands with the UID and GID of the httpd process, and potentially gain access to the local host.

SAFER - Fix has been provided by Robert Moniot [email protected].

AT&T VNC Weak Authentication Vulnerability

Released January 23, 2001
Affects AT&T VNC 3.3.3 and Previous
Reference http://www.securityfocus.com/bid/2275

Problem
- A problem with the software package may allow unauthorized access to the desktop of machines using the service. It is possible for a system in a position to control data between the client and server to gain unauthorized access to a VNC connection, without using means such as TCP session hijacking, by exploiting a weakness in the challenge and response system between the client and server.
- When a connection between a server (S) and client (C) is negotiated, it is possible for an intermediate system (I) to gain access to the session by intercepting and exchanging the data necessary to authenticate with the VNC server. (I) can first initiate a connection with (S), wait for (C) to initiate a connection with (S), and, by intercepting and injecting data, force (C) to accept the key for the session between (S) and (I), allowing (C) to authenticate the key and attempt to return it to (S). The return to (S) is intercepted by (I) and used for its own session. This attack fulfills the authentication requirements of (S), and allows the connection from (I), denying the connection from (C).
- This makes it possible for a system with access to alter the data flow between a VNC client and server to gain access to a system desktop, allowing local access to the system and potentially elevated privileges.

SAFER - A temporary workaround is to tunnel all VNC sessions through software that uses strong authentication and end-to-end cryptography.

Phorum 3.0.7 auth.php3 Backdoor Vulnerability

Released January 23, 2001
Affects Phorum 3.0.7 and Previous
Reference http://www.securityfocus.com/bid/2274

Problem
- A problem with the package allows users access to any resources within the bulletin board system. Any file that is access controlled by the auth.php3 script may be accessed, due to a backdoor password written into the auth.php3 script. The password "boogieman" will permit users to access files controlled by auth.php3 by simply appending the variable PHP_AUTH_USER=boogieman to the URL. This makes it possible for users with malicious intentions to access any file under the access control of auth.php3, and potentially gain elevated privileges, including access to the local system.

SAFER - Upgrade to Phorum 3.2.11.


Phorum violation.php3 Arbitrary Email Relay Vulnerability

Released January 23, 2001
Affects Phorum 3.0.7 and Previous
Reference http://www.securityfocus.com/bid/2272

Problem
- A problem with the Phorum package could allow remote users to arbitrarily relay email. Due to the way violation.php3 handles URLs as arguments, it is possible to create a custom crafted URL request to the script which will allow a remote user to send email through the host's MTA. This email will then be delivered to the specified person with the appearance of coming from the web host. This problem makes it possible for a user with malicious intentions to socially engineer, mailbomb, or spam from the web host, and potentially get the host placed on a blacklist.

SAFER - Upgrade to Phorum 3.2.11.

Phorum admin.php3 Unverified Administrative Password Change Vulnerability

Released January 23, 2001
Affects Phorum 3.0.7 and Previous
Reference http://www.securityfocus.com/bid/2271

Problem
- A problem with Phorum can allow remote users access to restricted files on the local system. This is due to the handling of passwords by the program. By sending a custom crafted string to the admin.php3 script, it is possible to change the administrative password of the board without verification of the user's credentials. The "default .langname name" field in the Master settings can then be changed to any file of the user's liking, which upon reload will be output as the page. This problem makes it possible for a user with malicious motives to take control of the message board, read any file on the system, and potentially gain remote access.

SAFER - Upgrade to Phorum 3.2.11.

LocalWEB2000 Directory Traversal Vulnerability

Released January 23, 2001
Affects Intranet-Server LocalWEB2000 1.1
Reference http://www.securityfocus.com/bid/2268

Problem
- It is possible for users to gain read access to any known file residing on the server. By submitting a specially crafted HTTP request composed of the known filename and appended with '../', LocalWEB2000 will disclose the file with read permissions.
- Successful exploitation of this vulnerability could assist in further attacks against the victim host.

SAFER - This vulnerability will be addressed in a future release of LocalWEB2000. The release date is not yet known.

Fastream FTP++ Directory Traversal Vulnerability

Released January 23, 2001
Affects Fastream FTP++Server 2.0
Reference http://www.securityfocus.com/bid/2267

Problem
- Fastream FTP++ Server is subject to a directory traversal. Once a user has logged into the FTP server, requesting an 'ls' command along with the drive name will disclose all of the directories within the requested drive.
- Successful exploitation of this vulnerability could assist in further attacks against the victim host.

SAFER - We are not aware of any solutions for this issue.


EZMall2000 Credit Card Exposure Vulnerability

Released January 23, 2001
Affects Seaside Enterprises EZMall 2000.0
Reference http://www.securityfocus.com/bid/2266

Problem
- A site using this software may put customers at risk when the package is improperly configured. By storing the information input into the software in a directory that can be searched and indexed by robots and spiders, these software packages may have the data files of customers indexed and made available on search engines. This makes it possible for a user with malicious motives to use search engines as a means of finding vulnerable sites, and then visit the sites to gain sensitive information such as credit card numbers, addresses, and other personal information.

SAFER - A two-part workaround includes putting the directory of sensitive data in a separate path outside of the HTTP root directory, as well as encrypting any information that is stored on the server. This configuration should be checked to ensure that it is not viewable to outside visitors, and that data, when entered, is stored as cipher text rather than plain text.

Icecast print_client() Buffer Overflow Vulnerability

Released January 23, 2001
Affects Icecast 1.3.7, 1.3.8 beta2
Reference http://www.securityfocus.com/bid/2264

Problem
- Versions of Icecast up to and including 1.3.8 beta2 exhibit a format string vulnerability in the print_client() function of utility.c.
- An insecurely-structured call to fd_write() directly passes user-supplied characters as part of the format string to a *printf function. As a result, a malicious user can cause the *printf function to overwrite memory at possibly arbitrary addresses. This type of vulnerability can be exploited by a remote attacker to execute arbitrary code on the victim host.

SAFER - Unofficial patches are available.
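The Wu-Ftpd debug-mode entry and the Icecast print_client() entry above share one root cause: text that the remote side can influence (a resolved hostname, a client-supplied string) ends up in the format position of a *printf-family call. The C program below is an added illustration written for this page, not code from wu-ftpd, Icecast, or the newsletter; the function names, the constructed sample text and the hostname are assumptions. It shows the unsafe call shape next to the hardened one, and a small pre-logging check that flags data carrying '%' before it is written out.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Returns true when the text contains a '%' and therefore carries printf
 * directives; useful as a sanity check on data such as a reverse-DNS name that
 * is about to be logged. A legitimate hostname never contains '%'. */
bool has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* The unsafe shape of both advisories: a buffer already holding user data is
 * handed to a *printf-family function as the FORMAT. "%%" is the only directive
 * whose effect is defined without further arguments, so that is what the
 * demonstration below uses; a directive that writes memory would do so here. */
int render_unsafe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, user_text);   /* BUG: user_text is the format */
}

/* The hardened shape: the format is a literal and user data travels through %s,
 * so its characters are copied, never interpreted. */
int render_safe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "%s", user_text);
}

/* The wu-ftpd PASV message built the safe way. The finished line must then be
 * logged as syslog(LOG_DEBUG, "%s", line), never as syslog(LOG_DEBUG, line). */
int format_pasv_line(char *out, size_t outlen, int port, const char *hostname)
{
    return snprintf(out, outlen, "PASV port %d assigned to %s", port, hostname);
}

int main(void)
{
    char a[64], b[64], line[128];
    const char *text = "disk 100%% full";             /* constructed sample */
    render_unsafe(a, sizeof a, text);
    render_safe(b, sizeof b, text);
    printf("unsafe: %s\nsafe:   %s\n", a, b);         /* "%%" collapsed vs copied */
    format_pasv_line(line, sizeof line, 1234, "host.example.test");
    printf("%s (directive check: %d)\n", line, has_format_directive(line));
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat-nonliteral) reports the call in render_unsafe(), which is the cheapest way to find this pattern across a code base; the has_format_directive() check is a second line of defence for values such as resolved names that come from outside the program.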

CGI_lite.pm Insecure Input Handling Vulnerability

Released January 22, 2001
Affects CGI_lite.pm 1.62, 1.7, 1.8
Reference http://www.securityfocus.com/bid/2263

Problem
- It is possible for users to access sensitive files remotely due to a problem in the CGI_lite.pm module. The CGI_lite.pm module allows users to upload files to a remote system. However, due to inadequate checking of the input of filenames by the module, it is possible to either view the contents of a file, or arbitrarily execute a command on a host using the module. The $filename variable within the module does not adequately escape the input data when creating a file. Therefore, when a command is entered through a form POST method, it is piped directly to a shell. A user with malicious intentions could use this to either view the contents of files readable by the UID of the httpd process, or execute commands with the inherited UID and GID of the httpd process.

SAFER - A temporary workaround was submitted by Andrew McNaughton <[email protected]> in his initial BugTraq post. It entails disabling the upload feature.


textcounter.pl Arbitrary Command Execution Vulnerability

Released January 22, 2001
Affects Matt Wright TextCounter 1.2
Reference http://www.securityfocus.com/bid/2265

Problem
- textcounter.pl is distributed through Matt's Scripts archive, which provides added features to httpd servers such as counters, guest books, and HTTP cookie management. Due to insufficient checking of entered characters, it is possible for a remote user to input custom formatted strings into the $DOCUMENT_URI environment variable which, when parsed, can be executed as the UID of the httpd process. This makes it possible for a user with malicious intentions to execute arbitrary commands, and potentially gain access to the local host.

SAFER - Upgrade to textcounter 1.2.1.

Microsoft Outlook Concealed Attachment Vulnerability

Released January 22, 2001
Affects MS Outlook Express 5.0, 5.01, 5.5, Outlook 2000, 98, Internet Explorer 5.0
Reference http://www.securityfocus.com/bid/2260

Problem
- Several versions of Microsoft Outlook's mail and news components are vulnerable to the remote inclusion of a hidden, potentially malicious attachment in incoming email and news messages. By crafting a string of a specific length for the Subject: field, a malicious user can force the receiving MS Outlook client to reconstruct the included string as an attachment containing attacker-supplied data. If this string is properly constructed, the resulting attachment may be executable and capable of compromising the receiving host's security. The required length of this string varies among different versions of the product.
- The concealed attachment will not be mentioned in the message header, and remains effectively hidden until the message is received by a vulnerable version of Outlook. Certain types of network mail filters may fail to detect the surreptitious attachment. Properly exploited, this can allow an attacker to create a hidden attachment containing hostile code, which will be effectively invisible during the message's transport. The attacker is also able to obfuscate the extension of the attached file so that it appears to be a non-threatening graphics file or another non-executable file type.
- As a result, IE5.5 will deliver an apparently innocuous message containing a dangerous executable attachment, which may be inadvertently executed by the recipient.

SAFER - We are not aware of any solutions for this issue.

Shoutcast Server for Linux Buffer Overflow Vulnerability

Released January 22, 2001
Affects Nullsoft Shoutcast Server 1.7.1 Linux
Reference http://www.securityfocus.com/bid/2257

Problem
- The remote attacker, a user of the Winamp audio player client, must have installed the DSP Plugin for Audio Streaming. This plugin allows the client to provide streaming audio to other remote clients via the Shoutcast Distributed Network Audio Server. The MP3 audio codecs included with Microsoft Netshow Tools must be installed in order to exploit this vulnerability. In addition, the vulnerable server must not be actively connected to the client; the connection must be in a 'sleep' condition in which a connection exists but no data is being transmitted.
- Under these circumstances, excess user-supplied input (supplied by the user, via the remote Winamp client, to the vulnerable server) in the 'description' field will overflow the ShoutCast Server's input buffer, halting the server and requiring a restart. This denial of service attack can only be carried out prior to the establishment of an active connection between the Winamp client and the ShoutCast server.

SAFER - We are not aware of any solutions for this issue.


Sambar Server Admin Access Vulnerability

Released January 22, 2001
Affects Sambar Server 4.1beta
Reference http://www.securityfocus.com/bid/2255

Problem
- The default authentication credentials for the administrator account of a Sambar Server are the username 'admin' with the password left blank. Once a remote user has gained knowledge of the path to log into the admin account, it is possible for the user to log in to the server via an HTTP request. This unauthorized access is gained provided that the default settings have not been changed.
- Successful exploitation of this vulnerability could lead to complete compromise of the host.

SAFER - The following workaround has been provided by Michiel de Weerd: upgrade to a non-beta version of Sambar Server, don't allow directory browsing if index.html or default.html isn't found, and change the admin username and password before someone else changes it for you.

mICQ Remote Buffer Overflow Vulnerability

Released January 22, 2001
Affects Matthew Smith mICQ 0.4.6
Reference http://www.securityfocus.com/bid/2254

Problem
- micq-0.4.6 running on Linux/ix86 (Slackware 7.1 - RedHat 6.1) is vulnerable to a remote buffer overflow attack. Other versions on other platforms may also be vulnerable. micq, a Linux-based, ICQ-compatible interactive messaging tool, makes use of an insecurely-structured call to sprintf() from its Do_Msg() function.
- An attacker, who must have access to the network between the client and server, can intercept, analyze and add data to message traffic between client and server. By this method, the description field of a URL message sent from the ICQ server can be modified so that, when received and processed by the vulnerable micq client, it creates an overflow condition in the 'message char' buffer. If the data surreptitiously added to the URL message from the server is structured correctly, the overflow can be exploited to execute arbitrary code on the affected host with the privilege level of micq.
- In addition, the possibility exists of a local exploit. A similar technique to the above remote exploit may permit a local DoS. If micq is run suid, this could also potentially yield root privilege to the local attacker.

SAFER - Unofficial patches and patch from RedHat are available.

Solaris cu Buffer Overflow Vulnerability

Released January 22, 2001
Affects Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 7.0, 8.0
Reference http://www.securityfocus.com/bid/2253

Problem
- The version of /usr/bin/cu that ships with Solaris contains a buffer overflow vulnerability. The problem occurs when it copies argv[0] to an internal variable without bounds checking. As a result, if argv[0] exceeds the length of the destination buffer, it will be copied over neighbouring data on the stack.
- It may be possible for a local attacker to exploit this vulnerability to gain the effective group-id 'uucp'. This may lead to a root compromise.

SAFER - We are not aware of any solutions for this issue.
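The rwhod, bing and cu entries above are all unbounded copies into a fixed-size buffer: a query field, a name from a reverse-DNS record, and argv[0]. The C program below is an added illustration written for this page, not code from any of those programs or from the newsletter. The 80-byte size mirrors the bing description but is only a sample value here; copy_bounded(), hostname_chars_ok() and store_hostname() are names chosen for the example, and the inputs are constructed. The point it makes is that the safe replacement for strcpy() is not merely a truncating copy but a copy that reports when the source did not fit, so the caller can reject the input rather than store a silently shortened name.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Size chosen to mirror the 80-byte static buffer described in the bing entry;
 * the size itself is only a sample value for this illustration. */
#define HOST_BUF 80

/* The unsafe shape shared by the advisories (comment only, never compiled):
 *   static char host[HOST_BUF];
 *   strcpy(host, hp->h_name);   // bing: name from a PTR record the remote side controls
 *   strcpy(buf, argv[0]);       // cu: argv[0], chosen by whoever executes the program
 * Neither copy checks the length of the source against the destination. */

/* Bounded copy that reports rather than hides truncation. Returns true when the
 * whole source (including its NUL) fit, false otherwise; on failure dst is left
 * as an empty string so a caller cannot use a half-copied name by mistake. */
bool copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return false;
    const char *nul = memchr(src, '\0', dstlen);   /* look for the NUL within reach */
    if (nul == NULL) {                             /* source longer than dstlen - 1 */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* Host names carry a restricted alphabet; rejecting anything else removes shell
 * metacharacters and most non-text bytes before the value is stored or logged. */
bool hostname_chars_ok(const char *name)
{
    if (*name == '\0')
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* What a caller such as a reverse-DNS lookup should do: validate, then copy with
 * a bound, and refuse the name if it does not fit instead of truncating it. */
bool store_hostname(char host[HOST_BUF], const char *resolved_name)
{
    if (!hostname_chars_ok(resolved_name))
        return false;
    return copy_bounded(host, HOST_BUF, resolved_name);
}

int main(void)
{
    char host[HOST_BUF];
    char oversized[200];                       /* constructed 199-byte name */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short name accepted: %d\n", store_hostname(host, "mail.example.test"));
    printf("oversized rejected:  %d\n", !store_hostname(host, oversized));
    printf("bad chars rejected:  %d\n", !store_hostname(host, "x;id.example.test"));
    return 0;
}
```

memchr() is used instead of strnlen() so the code builds under strict C89/C99 modes as well; on platforms that provide strlcpy() the same "did it fit" test is the comparison of its return value against the buffer size.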


Skunkware view-source Directory Traversal Vulnerability

Released January 22, 2001
Affects SCO Skunkware 2.0
Reference http://www.securityfocus.com/bid/2251

Problem
- A problem with the view-source script could allow remote access to restricted files. The problem occurs in the handling of slashes and dots when appended to the view-source script. By appending a series of double-dots and slashes to a query using the view-source script, it is possible to traverse the directory structure on a web server. By doing so, it is possible to view the contents of directories and files that are readable by the UID of the httpd process. This flaw makes it possible for a user with malicious motives to read files on a remote system and gather intelligence for an attack against the system, as well as other potentially sensitive information.

SAFER - Upgrade is available from SCO.
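Four entries in this issue (Oracle JSP/JSPSQL, LocalWEB2000, Skunkware view-source, and the CGI_lite.pm upload filename) are the same defect: a path or file name taken from the request is used without first confining it to the intended directory. The C program below is an added illustration written for this page, not code from any of those products. normalize_request_path() and is_safe_upload_name() are names chosen for the example; the request paths in main() are constructed, and the "/servlet//..//..//o.jsp" shape follows the Oracle entry above. The normaliser works on the string alone, so it is testable without a filesystem; a real server must also resolve symbolic links and decode any percent-encoding exactly once before calling it.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

#define MAX_SEGS 64

/* Lexically normalise a request path and check that it stays within the
 * document root. Empty segments and "." are dropped, ".." pops the previous
 * segment, and both '/' and '\\' are treated as separators (the Oracle entry
 * shows that Windows paths are in scope). Returns true and writes the clean
 * path into out; returns false if the path would climb above the root or does
 * not fit. The caller then joins out to its document root. */
bool normalize_request_path(const char *req, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/' || *p == '\\')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;            /* would escape the document root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return false;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    if (used == 0) {
        if (outlen < 2)
            return false;
        out[used++] = '/';
    }
    out[used] = '\0';
    return true;
}

/* Upload file names (the CGI_lite.pm case) get the stricter rule: exactly one
 * path component from a small allow-list. Separators, "..", leading dots and
 * every shell metacharacter are rejected by construction. */
bool is_safe_upload_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

int main(void)
{
    const char *requests[] = {                 /* constructed sample requests */
        "/docs/./index.html", "/a/b/../c",
        "/docs/../../etc/passwd", "/servlet//..//..//o.jsp"
    };
    char out[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool ok = normalize_request_path(requests[i], out, sizeof out);
        printf("%-28s -> %s\n", requests[i], ok ? out : "REJECTED");
    }
    printf("upload 'report-2001.txt': %d\n", is_safe_upload_name("report-2001.txt"));
    printf("upload 'x;id':            %d\n", is_safe_upload_name("x;id"));
    return 0;
}
```

Rejecting rather than "cleaning" a traversal attempt is deliberate: a request containing ".." above the root has no legitimate reading, and logging the rejection gives the operator a detection signal for the probing these entries describe.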

Windows 2000 EFS Temporary File Retrieval Vulnerability

Released January 21, 2001
Affects Microsoft Windows NT 2000
Reference http://www.securityfocus.com/bid/2243

Problem
- A problem in the package could allow the recovery of sensitive data encrypted by EFS. When a file is selected for encryption, a backup copy of the file is moved into the temporary directory using the file name efs0.tmp. The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the backup is deleted, the blocks in the file system are never cleared, thus making it possible for any user on the local host to access the data of the encrypted file, which falls outside of the constraints of access control imposed by the operating system. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.

SAFER - We are not aware of any solutions for this issue.

SSH Secure-RPC Weak Encrypted Authentication Vulnerability

Released January 21, 2001
Affects SSH 1.2.27, 1.2.28, 1.2.29, 1.2.30
Reference http://www.securityfocus.com/bid/2222

Problem
- A problem exists which could allow the discovery of the secret key used to encrypt traffic on the local host. When using SUN-DES-1 to share keys with other hosts on the network to facilitate secure communication via protocols such as NFS and NIS+, the keys are shared between hosts using the private key of the user and a cryptographic algorithm to secure the contents of the key, which is stored on the NIS+ primary. The problem occurs when the key is encrypted with the SUN-DES-1 magic phrase prior to having done a keylogin (the keyserv does not have the user's DH private key). A design flaw in the software that shares the key with the NIS+ master will inconsistently return the correct value for an attempted keyshare that has failed. A step in the private key encryption process is skipped, and the user's private key is then encrypted only with the public key of the target server and the SUN-DES-1 magic phrase, a phrase that is guessable due to the way it is generated. A user on the same host can then execute a function that returns another user's magic phrase, and use this to decrypt the private key of the victim. This makes it possible for a user with malicious intent to gain knowledge of a user's secret key, and decrypt sensitive traffic between two hosts, with the possibility of gaining access and elevated privileges on the hosts and/or NIS+ domain. This reportedly affects the SSH2 series of the software package.

SAFER - Patches are available for all versions.


AOL Instant Messenger Buffer Overflow Vulnerability

Released January 19, 2001
Affects AOL Instant Messenger 2.0N, 2.0.912, 2.0.996, 2.1.1236
Reference http://www.securityfocus.com/bid/2236

Problem
- By modifying incoming packets, it is possible for an attacker with sufficient skills, and access to the network between the affected client and the AOL Instant Messenger server, to cause a buffer overflow condition in the IM client, permitting a remote attacker to execute arbitrary code.

SAFER - We are not aware of any solutions for this issue.

PHP Engine Disable Source Viewing Vulnerability

Released January 19, 2001
Affects PHP 4.0, 4.0.1, 4.0.3, 4.0.4
Reference http://www.securityfocus.com/bid/2205
Problem - A problem in the package could allow external users to view the source code of PHP scripts. This problem is due to a bug in the PHP code, combined with a system using Apache and PHP and hosting several virtual hosts. When the PHP software is installed and turned off via the configuration parameter "engine = off", it is possible for this configuration to affect not only the intended virtual host, but all virtual hosts managed by the system. In the event of such a configuration, it is possible for a malicious user to obtain the source of various PHP scripts, which could lead to intelligence gathering and attack. This problem affects the PHP 4.x series on Apache Webserver only, and does not affect the PHP 3.x series.

SAFER - Upgrades are available.

glibc LD_PRELOAD File Overwriting Vulnerability

Released January 19, 2001
Affects Mandrake, RedHat, Trustix
Reference http://www.securityfocus.com/bid/2223
Problem - A problem with the library could allow access to write or overwrite restricted files. Upon execution of SUID and SGID applications, the library allows a user to preload libraries named in the environment variable LD_PRELOAD, provided the variable does not contain forward slashes. A special check is also performed to ensure the library being preloaded is SUID. However, if the library is found in the /etc/ld.so.cache file, this check is circumvented and never performed. It is therefore possible to load a library from /lib or /usr/lib prior to the execution of a SUID or SGID program. This flaw makes it possible for a user with malicious motives to create files in restricted locations, or overwrite files outside of the access of this user, including system files.

SAFER - Upgrades are available.


Postaci Arbitrary SQL Command Injection Vulnerability

Released January 18, 2001
Affects Umut Gokbayrak Postaci 1.1.2, 1.1.3
Reference http://www.securityfocus.com/bid/2230
Problem - A problem in the software may allow remote users to pass malicious queries to the database server. This affects Postaci implementations that are backed by the PostgreSQL database, and does not affect those using a MySQL implementation. It is possible to append or inject arbitrary SQL commands to the request of a legitimate user due to the way the commands are passed to the PostgreSQL database. Commands used by the Postaci software are passed to the database using PHP pages and FORM methods. The FORM methods passed by Postaci to the PostgreSQL database allow for the entry of semi-colons, which can be used to append database queries or other commands to the end of a command sent by a legitimate user. This makes it possible for a user with malicious motives to inject and execute arbitrary commands on the database.

SAFER - We are not aware of any solutions for this issue.

Oracle Apache+WebDB Documented Backdoor Vulnerability

Released January 18, 2001
Affects Oracle Internet Application Server 3.0.7 and Previous
Reference http://www.securityfocus.com/bid/2171
Problem - The problem occurs in the combination of Apache and WebDB software, a common implementation. The software requires a password to access the /WebDB directory on most implementations. However, a documented backdoor in the Oracle Internet Application Server allows remote users access to the /WebDB/admin_/ directory without access control. This makes it possible for a user with malicious intent to change passwords, alter web content, and change table names.

SAFER - This temporary fix was supplied by <[email protected]>: Quick fix for the open /WebDB/admin_/gateway.htm file is to uncomment and supply real user account names to the administrators line in the [WVGATEWAY] section of wdbsvr.app.

Microsoft WINS Domain Controller Spoofing Vulnerability

Released January 17, 2001
Affects Microsoft Windows NT 4.0, 2000 Server
Reference http://www.securityfocus.com/bid/2221
Problem - Windows Internet Naming Service (WINS) ships with Microsoft Windows NT Server. WINS resolves IP addresses with network computer names in a client to server environment. A distributed database is updated with an IP address for every machine available on the network.

- Unfortunately WINS does not properly verify the registration of domain controllers. It is possible for a user to modify the entries for a domain controller, causing the WINS service to redirect requests for the DC to another system. This can lead to a loss of network functionality for the domain. The DC impersonator can also be set up to capture username and password hashes passed to it during login attempts.

SAFER - Unofficial workarounds are available.


Tinyproxy Heap Overflow Vulnerability

Released January 17, 2001
Affects tinyproxy 1.3.2, 1.3.3
Reference http://www.securityfocus.com/bid/2217
Problem - A failure to properly validate user-supplied input that is passed as an argument to a call to sprintf() can allow unexpectedly large amounts of input to a buffer (used to display error messages) to be written past the boundary of the allocated space on the heap.

- As a result, it may be possible to execute a denial of service attack, or even to execute arbitrary commands if certain internal memory structures can be successfully overwritten.

SAFER - Fixed v.1.3.3a is available.

Caldera DHCP Package Format String Vulnerability

Released January 17, 2001
Affects Caldera OpenLinux Desktop 2.3, eServer 2.3.1, eDesktop 2.4
Reference http://www.securityfocus.com/bid/2215
Problem - A problem with the Caldera implementation of DHCP could create the possibility of a format string attack. The problem affects both the DHCP daemon and client, and involves string formatting when passed through the error logging code. It is possible to pass custom crafted packets to both the DHCP daemon and DHCP client that will result in an error, and pass the formatted strings to a static buffer. This buffer will then be filled and overflowed, overwriting variables on the stack and potentially executing arbitrary code. This problem makes it possible for a user with malicious motives to execute arbitrary code, potentially gain access, and elevated privileges.

SAFER - Upgrades are available from Caldera.

SuSE rctab Race Condition Vulnerability

Released January 17, 2001
Affects S.u.S.E. Linux 6.1, 6.2, 6.3, 6.4, 7.0
Reference http://www.securityfocus.com/bid/2207
Problem - A race condition in the rctab script could allow an attacker to either gain elevated privileges, or append to and corrupt system files. This problem exists due to the insecure creation of files in the /tmp directory by the rctab script. Upon execution of the rctab script, rctab creates a subdirectory in the /tmp directory, using the directory name rctmpdir.[pid of rctab process]. The script, which is normally run by root, also does not chown the rctmpdir subdirectory to root. This problem makes it possible for a malicious user to guess the future process id of the rctab process, and create a range of directories that either will overwrite system files, or append to other system files and potentially allow elevation of privileges.

SAFER - This solution was supplied by Roman Drahtmueller <[email protected]> of SuSE Security: Solution for the problem: remove the only occurrence of the string " -p " in the file /sbin/rctab. Change the line mkdir -p ${tmpdir} to read mkdir ${tmpdir}.


Flash Sound Write-Overflow Vulnerability

Released January 16, 2001
Affects Oliver Debon Flash 0.4.9 and Previous
Reference http://www.securityfocus.com/bid/2214
Problem - A buffer overflow exists in the module that could allow potential execution of arbitrary code. The problem occurs in the handling of sound files that have been incorrectly formatted or custom crafted. The format of a flash sound file comes as [tag_14 length_of_tag sound_id flags samples data]. A write-overflow occurs when the size specified in the [samples] variable is smaller than the amount of data contained in the [data] variable. Therefore, it is possible to overwrite variables on the stack beyond the total number of bytes specified in the [samples] variable, and potentially execute arbitrary code. This problem makes it possible for a user with malicious intent to arbitrarily execute code as the UID of the Netscape process, and potentially gain remote access or elevated privileges. This vulnerability does not affect the Macromedia version of the flash plugin.

SAFER - We are not aware of any solutions for this issue.
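The check the Flash sound entry above calls for is that the [data] field must never exceed the buffer the [samples] field implies. The following C program is an added example, not code from the Flash player or from the advisory: it parses a DefineSound (tag 14) record with the SWF record-header layout, sizes the destination from the declared sample count, and refuses the copy when the data field would not fit. The byte-per-sample rule, the two constructed inputs and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TAG_DEFINESOUND 14

typedef struct {
    uint16_t sound_id;
    uint8_t flags;
    uint32_t samples;       /* sample count declared in the tag */
    const uint8_t *data;    /* points into the input buffer */
    size_t data_len;        /* bytes actually present in the data field */
} define_sound_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes per sample for uncompressed PCM: flags bit 1 selects 8/16-bit,
 * bit 0 mono/stereo. Assumption: compressed formats are not handled here. */
static size_t bytes_per_sample(uint8_t flags) {
    return (size_t)((flags & 0x02) ? 2 : 1) * ((flags & 0x01) ? 2 : 1);
}

/* Parse the tag header and fixed fields. The header is a little-endian u16
 * (upper 10 bits tag code, lower 6 bits length; 0x3f means a u32 length
 * follows). Every length is checked against the bytes actually present
 * before any pointer is advanced. */
int parse_define_sound(const uint8_t *buf, size_t len, define_sound_t *out) {
    if (len < 2) return -1;
    uint16_t hdr = rd16(buf);
    unsigned code = hdr >> 6;
    size_t tag_len = hdr & 0x3f, off = 2;
    if (tag_len == 0x3f) {
        if (len < 6) return -1;
        tag_len = rd32(buf + 2);
        off = 6;
    }
    if (code != TAG_DEFINESOUND) return -2;
    if (tag_len > len - off) return -3;   /* tag claims more than the file holds */
    if (tag_len < 7) return -4;           /* no room for id, flags, sample count */
    out->sound_id = rd16(buf + off);
    out->flags = buf[off + 2];
    out->samples = rd32(buf + off + 3);
    out->data = buf + off + 7;
    out->data_len = tag_len - 7;
    return 0;
}

/* Size the destination from the declared sample count (as a player would)
 * and copy only when the data field fits it. Returns bytes copied, or the
 * negative code of the first failed check; -5 is the advisory's case. */
int decode_sound_from_buffer(const uint8_t *buf, size_t len) {
    define_sound_t s;
    int rc = parse_define_sound(buf, len, &s);
    if (rc != 0) return rc;
    size_t bps = bytes_per_sample(s.flags);
    if (s.samples > SIZE_MAX / bps) return -5;   /* multiplication would wrap */
    size_t cap = (size_t)s.samples * bps;
    if (s.data_len > cap) return -5;             /* [data] larger than [samples] allows */
    uint8_t *dst = malloc(cap ? cap : 1);
    if (dst == NULL) return -6;
    memcpy(dst, s.data, s.data_len);             /* now provably within bounds */
    free(dst);
    return (int)s.data_len;
}

/* Constructed inputs (not real Flash files). Both declare sound_id 1, 8-bit
 * mono, 4 samples. The first carries 4 data bytes; the second carries 8. */
const uint8_t SOUND_TAG_OK[] = {
    0x8B, 0x03,             /* header: code 14, length 11 */
    0x01, 0x00, 0x00,       /* sound_id 1, flags 0 */
    0x04, 0x00, 0x00, 0x00, /* samples 4 */
    0x10, 0x20, 0x30, 0x40  /* data */
};
const uint8_t SOUND_TAG_OVERSIZED[] = {
    0x8F, 0x03,             /* header: code 14, length 15 */
    0x01, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, /* still claims 4 samples */
    1, 2, 3, 4, 5, 6, 7, 8  /* but 8 bytes follow */
};
```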

Trend Micro Interscan VirusWall Symlink Root Compromise Vulnerability

Released January 16, 2001
Affects Trend Micro InterScan VirusWall for Unix 3.0.1, 3.6x
Reference http://www.securityfocus.com/bid/2213
Problem - Interscan VirusWall creates temporary files in the world-writeable /tmp directory with predictable filenames. It is possible for a malicious user to create symbolic links in /tmp with guessed/predicted filenames, knowing in advance that Interscan VirusWall will be run by root. When this happens, the files pointed to by the correctly guessed symbolic links will be overwritten by VirusWall (as root). If the attacker is able to control the data being written to these temporary files by VirusWall, it is possible to obtain root privilege.

SAFER - We are not aware of any solutions for this issue.

Trend Micro Interscan VirusWall Weak Admin Password Protection Vulnerability

Released January 16, 2001
Affects Trend Micro InterScan VirusWall for Unix 3.0.1, 3.6x
Reference http://www.securityfocus.com/bid/2212
Problem - The method used to remotely authenticate the administrator leaves the administrator's username and password encoded in an easily-converted base64 format. This could permit an attacker with sufficient skills and access to the network to obtain and decode the admin password, potentially undermining the system's anti-virus and anti-trojan measures, further jeopardizing the security of the affected host.

- In addition, the administrator's password change script (setpasswd.cgi) receives its information in cleartext via the HTTP protocol. This method of transport may allow an attacker eavesdropping on network traffic to obtain administrative access to the Interscan VirusWall configuration, and to make changes which may leave the system open to infection and/or further compromises.

SAFER - We are not aware of any solutions for this issue.


OmniHTTPD File Corruption and Command Execution Vulnerability

Released January 16, 2001
Affects Omnicron OmniHTTPD 2.0.7
Reference http://www.securityfocus.com/bid/2211
Problem - Due to the implementation of 'statsconfig.pl', multiple vulnerabilities exist in OmniHTTPD. It is possible to corrupt various known files and execute arbitrary commands. By appending a known filename to the 'cgidir' form variable accompanied with a null argument, the known file will be corrupted. In addition, it is possible to execute commands on the target server. This is due to statsconfig.pl creating a Perl script on the fly. When the Perl script is created, user supplied data (the 'most browsers' form variable, if it is present) is written directly to the Perl script file. If an attacker sets this value to semi-colon separated Perl commands, they will be executed when statsconfig runs the script. This can result in an attacker gaining interactive access on the victim host with the privilege level of the webserver/cgi process.

- Successful exploitation of this vulnerability could lead to complete compromise of the host or denial of service.

SAFER - The following workaround has been provided by [email protected]: Erase 'statsconfig.pl' along with any other unnecessary files in your 'cgi-bin'.

splitvt Format String Vulnerability

Released January 16, 2001
Affects Sam Lantinga splitvt 1.6.4 and Previous, Debian Linux 2.2
Reference http://www.securityfocus.com/bid/2210
Problem - A problem in the program could allow for a format string attack. The problem occurs in the handling of format strings by the -rcfile command line flag. By placing shell code in the $HOME environment variable, and generating a custom crafted request to the splitvt program, it is possible to overwrite variables on the stack and arbitrarily execute code contained in the $HOME environment variable. This makes it possible for a user with malicious motives to execute arbitrary code, and in implementations with the splitvt binary installed SUID root, gain administrative privileges. There are also various reported buffer overflows in the code. These have been addressed in the new release.

SAFER - Upgrades are available.

PHP .htaccess Attribute Transfer Vulnerability

Released January 16, 2001
Affects PHP 4.0, 4.0.1, 4.0.3, 4.0.4
Reference http://www.securityfocus.com/bid/2206
Problem - A problem with the PHP package could allow for unauthorized access to restricted resources. The problem is specifically in the Apache Module of the PHP package, and affects the package only when running in combination with Apache Webserver. Per-directory access control is done via the .htaccess file. However, by generating a custom crafted request, it is possible to force PHP to serve the next page with the same access control attributes as the previously accessed page. This problem could allow a malicious user to access restricted information in an intelligence gathering attack.

SAFER - Upgrades are available.


Microsoft Windows Media Player .WMZ Arbitrary Java Applet Vulnerability

Released January 15, 2001
Affects Microsoft Windows Media Player 7
Reference http://www.securityfocus.com/bid/2203
Problem - Skins are downloadable files which change the appearance of a program's user interface. Skins for Windows Media Player are installed to a known location: "C:/Program files/Windows Media Player/Skins/skin.wmz". As a result, a remote HTML document, visited by the victim user, can lead the user's browser to download an arbitrary file matching the name 'skin.wmz' to this known location.

- A malicious remote user could exploit this to upload a file containing executable Java code disguised as a Windows Media Player skin file. An applet tag in the remote HTML document can then execute the 'skin.wmz' file as Java code. Properly exploited, this could provide an attacker with complete control of the vulnerable system. On multiuser Windows NT or 2000 systems, this vulnerability can only provide the attacker with access to the system that is within the security context of the user who was exploited.

SAFER - We are not aware of any solutions for this issue.

Microsoft MSHTML.DLL Crash Vulnerability

Released January 15, 2001
Affects Microsoft Internet Explorer 4.0, Outlook 2000, Outlook Express 5.5
Reference http://www.securityfocus.com/bid/2202
Problem - MSHTML.DLL is the shared library for parsing HTML in Internet Explorer and related applications. It may be possible for an attacker to crash this library remotely and cause a denial of service with special JScript code.

- This bug involves JScript's ability to handle multiple window objects. If a window object is deleted after it receives data and then re-initialized, the library will reportedly crash. This behavior has been attributed to a stack overflow by its discoverer. It is reportedly not exploitable in any way that may permit an attacker to gain access to the victim host.

SAFER - Microsoft has acknowledged this bug and it should be fixed in the next service pack.

Exmh Symlink Vulnerability

Released January 15, 2001
Affects exmh 1.5 up to 2.2
Reference http://www.securityfocus.com/bid/2201
Problem - Exmh is an X user interface for the Unix MH mail UI. An error-reporting feature of exmh exhibits a vulnerability to symlink attacks. A dialog allows a user to return bug reports to the software developer through email.

- A temporary file (/tmp/exmhErrorMsg) is created insecurely, allowing a malicious local user to carry out a symlink attack, potentially overwriting arbitrary files owned or writeable by the user running exmh.

SAFER - Patch is available.


Iomega JaZip Buffer Overflow Vulnerability

Released January 14, 2001
Affects Iomega JaZip 0.32-2
Reference http://www.securityfocus.com/bid/2209
Problem - By supplying an excessively long string for DISPLAY, it is possible for a local attacker to overflow the relevant buffer. As a result, excessive data copied onto the stack can overwrite critical parts of the stack frame, such as the calling function's return address. Since this data is supplied by the user, it can be crafted so as to alter the program's flow of execution.

- If properly exploited, this can yield root privilege to the attacker.

SAFER - We are not aware of any solutions for this issue.

rdist /tmp File Race Condition Vulnerability

Released January 13, 2001
Affects Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2195
Problem - A problem in the program exists that could allow for a symbolic link attack. Under some circumstances, rdist will create files in the /tmp directory. However, the files created in the /tmp file system are created insecurely, as the names of future files created by rdist can be predicted, and the program does not check for the existence of files before attempting to create them. It is possible to create a range of symbolic links in the /tmp file system using forecasted names of files that could be created by the rdist process, symbolically linked to files that are write-accessible to the UID of the rdist process. This makes it possible for a user with malicious intent to overwrite or append to and corrupt files owned by another user, and potentially system files.

SAFER - Upgrades are available.

getty_ps /tmp File Race Condition Vulnerability

Released January 13, 2001
Affects Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2194
Problem - A problem in the getty_ps software package could make it vulnerable to a symbolic link attack. The problem occurs in the creation and handling of files in the /tmp directory by the getty_ps program. Under certain circumstances, getty_ps will create files in the /tmp filesystem in an insecure manner. The program uses a naming scheme that could make it possible to guess the filename of future files in the /tmp directory, and does not check for the existence of the file before attempting to create it. It is possible to create a range of symbolic links with forecasted filenames, and link them to files that are write-accessible by the UID of the getty_ps process, which is normally run as root. A malicious user could use this vulnerability to overwrite or append to and corrupt system files.

SAFER - Upgrades are available.


Compaq Web Admin Buffer Overflow Vulnerability

Released January 12, 2001
Affects Almost all Compaq applications
Reference http://www.securityfocus.com/bid/2200
Problem - The administration tool is vulnerable to buffer overflow attack techniques employing maliciously-formed user-supplied input. Properly exploited, this vulnerability can allow a remote attacker to execute arbitrary code on the affected system, with the privilege level of the system administrator.

- The advisory did not provide further information about this vulnerability.

SAFER - Affected users are advised to upgrade to the latest patches provided by Compaq.

Microsoft Web Client Extender NTLM Authentication Vulnerability

Released January 12, 2001
Affects Microsoft Office 2000, Windows Me, Windows 2000
Reference http://www.securityfocus.com/bid/2199
Problem - Due to a design error, WEC does not implement the security zone settings in Internet Explorer. The vulnerability lies within the fact that WEC may initiate an NTLM challenge-response session with any server even if it is not trusted. Therefore, a malicious user could possibly obtain third-party NTLM credentials by creating an HTML page or email message which requests a session that would automatically send NTLM credentials back to the malicious user. They could then apply brute force techniques to the recovered data to access a valid password.

- Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim.

SAFER - Microsoft has released patches, which eliminate this vulnerability.

Basilix Webmail Incorrect File Permissions Vulnerability

Released January 12, 2001
Affects Basilix Webmail 0.9.7beta
Reference http://www.securityfocus.com/bid/2198
Problem - Basilix Webmail ships with several configuration files that have the file extensions '.class' and '.inc'. Among other things, these files contain the authentication information for the MySQL database that the product uses.

- These files reside in directories accessible via HTTP. If the webserver is not configured to treat .class and .inc files as PHP scripts, they can be retrieved by remote users. Properly exploited, this information can allow further attacks on the affected host.

SAFER - Excerpted from bugtraq post by <[email protected]>: Class and inc file extensions should be defined as PHP files and be denied read permissions from outside. MySQL port should also be filtered from remote connects.


Ultraboard Incorrect Directory Permissions Vulnerability

Released January 12, 2001
Affects UltraScripts UltraBoard 2.11
Reference http://www.securityfocus.com/bid/2197
Problem - A version of Ultraboard 2000, a bulletin board script from UltraScripts, is reported to install with improperly-set directory permissions. As a result, a local user could copy malicious cgi scripts to these directories, which would then be remotely executable with the privilege level of the webserver.

- This may lead to a compromise of data owned by the webserver user, such as defacement of the webpage.

SAFER - We are not aware of any solutions for this issue.

shadow-utils /etc/default Temp File Race Condition Vulnerability

Released January 12, 2001
Affects Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2196
Problem - A problem in the package could create the opportunity for a symbolic link attack. During execution of the passwd program, temporary files are created in the /etc/default directory. The files created in this directory use predictable filenames. In the event of the /etc/default directory being world writable, it is possible to create a range of symbolic links to files owned by another user that could overwrite or append to files that are write-accessible by the UID of the passwd process. This could make it possible for a user with malicious motives to overwrite or append to and corrupt files writable by the UID of the passwd process.

SAFER - Upgrades are available.

Solaris arp Buffer Overflow Vulnerability

Released January 12, 2001
Affects Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 7.0
Reference http://www.securityfocus.com/bid/2193
Problem - The arp utility is used for viewing and manipulating tables containing network to hardware address mappings. On Solaris systems up to version 8, arp is installed setgid and owned by group bin.

- For convenience, Solaris arp supports the option to insert multiple entries contained in a file at once with the -f parameter. The field values in the file are extracted as strings via sscanf(). As a result, there is nothing to ensure that their length does not exceed the size of the local variables allocated to store them. It is possible to overwrite stack variables and corrupt program execution flow if fields in the supplied file are oversized.

- This vulnerability can be exploited to execute code with effective groupid bin privileges. Group 'bin' privileges on Solaris systems can lead to root access.

SAFER - Solaris has released patches for this vulnerability.


Borland/Inprise Interbase Backdoor Password Vulnerability

Released January 10, 2001
Affects Borland/Inprise Interbase 4.0, 5.0, 6.0
Reference http://www.securityfocus.com/bid/2192
Problem - Interbase contains a backdoor user account and password called "LOCKSMITH". When accessed, this account will eliminate all implemented security, allowing full control of any database and the contents within the database; this level of access will allow any function to be performed, including modification of objects, root access and execution of arbitrary functions. "LOCKSMITH" is hard coded in the database engine and is located in the jrd/pwd.h header.

- Successful exploitation of this vulnerability will lead to complete compromise of the host.

SAFER - Borland/Inprise has released a patch which addresses this issue.

sdiff /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Mandrake, RedHat, Trustix, Immunix
Reference http://www.securityfocus.com/bid/2191
Problem - A problem in the sdiff program included with diffutils could create a race condition. This vulnerability is in the creation and handling of files in the /tmp directory. Under certain circumstances, sdiff will create files in the /tmp directory, which is done insecurely by first not checking for the existence of the file, and additionally by using a predictable filename. It is possible to create a range of symbolic links to a file that is write-accessible to the user executing the sdiff program, thus resulting in a symbolic link attack if the sdiff program attempts to create one of the predicted filenames. The result is the possibility of a user with malicious motives overwriting or appending to and corrupting a file that is write-accessible by the UID of the sdiff process.

SAFER - Upgrades are available.

inn /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Caldera, Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2190
Problem - The problem occurs in the creation and handling of /tmp files by the inn program. Under some circumstances, inn will create files in the /tmp directory that use a predictable filename. In addition, inn may not check for the existence of these files. It is possible to create a range of symbolic links using predicted filenames in the /tmp directory, which could result in a symbolic link attack. This makes it possible for a user with malicious intent to symbolically link a file that's write-accessible by the UID of the inn process, and potentially overwrite or append to and corrupt the linked file.

SAFER - Upgrades and workarounds are available.


wu-ftpd /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Debian, Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2189
Problem - The problem occurs in the creation and handling of files in the /tmp directory. The program privatepw within the software package creates files within the /tmp directory insecurely, first by using a predictable naming scheme for the files, and additionally by not checking for the existence of the file. It is possible to create a range of symbolic links using variants of the name of the wu-ftpd /tmp filename. This problem could allow a user to overwrite or append to and corrupt a file that the UID of the wu-ftpd process has write access to. The wu-ftpd process normally runs as root.

SAFER - Upgrades are available.

gpm /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Linux Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2188
Problem - The problem is in the creation and handling of /tmp files by the gpm package. gpm will under some circumstances create files in the /tmp directory. The files created in the /tmp directory are created insecurely, as they first use a predictable filename and do not check for the existence of previously existing files. It is therefore possible for a user with malicious motives to create symbolic links to files that the UID of the gpm process (normally running as root) has write access to, and either overwrite, or append to and corrupt, the linked files.

SAFER - Upgrades are available.

mgetty /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Caldera, Debian, Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2187
Problem - The problem occurs in the handling of files created in the /tmp directory. During execution of the program, files are created in the /tmp directory. However, these files are created in an insecure manner, which makes it possible to guess the filename of a future /tmp file. This makes it possible for a user with malicious motives to create a number of symbolic links in the /tmp directory, and potentially append to or overwrite system files that are write-accessible to the UID executing mgetty, normally root.

SAFER - Upgrades are available.

linuxconf /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects RedHat, Immunix
Reference http://www.securityfocus.com/bid/2186
Problem - The problem occurs in the creation of /tmp files by linuxconf. The vpop3d program, which is part of the linuxconf package, creates /tmp files in an insecure manner under some circumstances. This could result in guessing of the filename of a future /tmp file, and the creation of a symbolic link to a file writable by the user executing linuxconf, which is normally root. A user with malicious motives could use this vulnerability to potentially overwrite or append to system files.

SAFER - Upgrades are available.


squid /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Mandrake, Squid Web Proxy, RedHat, Trustix, Immunix
Reference http://www.securityfocus.com/bid/2184
Problem - The problem occurs in the operation of the software and its creation of /tmp files. The squid package can be configured to send out emails to the administrator when updates occur. However, when the email is created, files in the /tmp directory are created insecurely and the pre-existence of files is not queried. The creation of the files in the /tmp directory normally occurs under the conditions of either using a development version of squid, or when the system clock is reporting an incorrect time. Therefore, it is possible for a user with malicious motives to guess the handle of a future /tmp file, and create a symbolic link to a file writable by the UID of the squid process, thus overwriting a file owned by the squid user, or appending to and corrupting the file.

SAFER - Upgrades are available from vendors.

arpwatch /tmp File Race Condition Vulnerability

Released January 10, 2001
Affects Mandrake, RedHat, Immunix
Reference http://www.securityfocus.com/bid/2183
Problem - A vulnerability exists in arpwatch that could allow a user to perform a symbolic link attack. When executed, the arpwatch program creates files in the /tmp directory under certain conditions. These files, however, are not created in a secure manner, and are not stat()'d when the program executes and attempts to create them. It is possible to guess the handle of these files, and create them in advance as symbolic links to files that are writable by the user executing arpwatch. The user executing arpwatch would then overwrite the linked files, or append content to them, thus corrupting the file. This makes it possible for a user with malicious motives to overwrite or append to files owned by the user of arpwatch, the typical user of arpwatch being root.

SAFER - Upgrades for Mandrake and Immunix are available.

Apache /tmp File Race Vulnerability

Released January 10, 2001
Affects RedHat Linux 7.0, Wirex Immunix OS 7.0-Beta
Reference http://www.securityfocus.com/bid/2182
Problem - A problem has been discovered in the Apache httpd distributed with the Immunix Linux distribution, a distribution based on the RedHat Linux distribution. The Apache programs htdigest and htpasswd are used to offer advanced features to users of the web server. However, these two helper programs insecurely create files in the /tmp directory, which could allow for /tmp file name guessing. This makes it possible for a user with malicious motives to carry out a symlink attack against files writable by the UID of the Apache process.

SAFER - Upgrades for Immunix are available.


glibc RESOLV_HOST_CONF File Read Access Vulnerability

Released January 10, 2001
Affects Debian, RedHat, Yellow Dog Linux, Immunix, Slackware
Reference http://www.securityfocus.com/bid/2181
Problem - A problem in glibc versions 2.1.9 and greater allows a local user access to restricted files. A typo in the glibc source creates a situation of insufficient validation and clearing of the environment variable RESOLV_HOST_CONF, a controlled environment variable that is normally cleared when suid/sgid programs are executed. Therefore, it is possible for a local user to set this environment variable to a sensitive system file and gain read privileges to the file. This vulnerability makes it possible for a user with malicious intent to read the shadow file, and gain access to encrypted passwords. Successful exploitation of this vulnerability could lead to compromise of system accounts, elevated privileges, and potentially administrative access.

SAFER - Updates for RedHat and Immunix are available.

Linux ReiserFS Kernel Oops and Code Execution Vulnerability

Released January 09, 2001
Affects Hans Reiser ReiserFS 3.5.28
Reference http://www.securityfocus.com/bid/2180
Problem - A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on the SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using the system binary ls or the built-in shell function echo, and create a Denial of Service. Upon attempting to list or echo the contents of the filesystem, a kernel buffer overflow occurs, overwriting variables on the stack including possibly the return address, as well as crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment. This vulnerability is as yet unverified.

SAFER - We are not aware of any solutions for this issue.

Solaris exrecover Buffer Overflow Vulnerability

Released January 09, 2001
Affects Sun Solaris 2.4, 2.5, 2.5.1, 2.6
Reference http://www.securityfocus.com/bid/2179
Problem - The problem occurs in the handling of format strings by the program. By executing the program and using format strings as arguments to the command, it is possible to overflow buffers and cause the program to crash. The binary, as distributed with Solaris versions 2.4 through 2.6, is setuid root. While no known exploits exist for this problem, future research and exploitation of this vulnerability could occur, making it possible for a user with malicious intent to overwrite stack variables and potentially execute arbitrary code.

SAFER - Current workaround is to remove the setuid bit from the exrecover program.


eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability

Released January 07, 2001
Affects Extropia bbs_forum.cgi 1.0
Reference http://www.securityfocus.com/bid/2177
Problem - Version 1.0 of bbs_forum.cgi fails to properly validate user-supplied, URL-encoded input to the read environment variable. Maliciously-formed URLs submitted to the script may contain references to files on the host's filesystem, as well as shell commands which will be run with the privilege level of the web server (i.e., user 'nobody'). As a result, unpatched affected versions of the script permit an attacker to execute arbitrary code and to read arbitrary files on the vulnerable system.

SAFER - We recommend updating your script as soon as possible.

Lotus Domino Server Directory Traversal Vulnerability

Released January 05, 2001
Affects Lotus Domino 5.0.2, 5.0.3, 5.0.5, 5.0.6
Reference http://www.securityfocus.com/bid/2173
Problem - It is possible for a remote user to gain access to any known file residing on the Lotus Domino Server 5.0.6 and previous. A specially crafted HTTP request comprised of '.nsf' and '../' along with the known filename will display the contents of the particular file, given read permissions.

- It should be noted that when making this malformed request Internet Explorer removes the '.nsf' portion of the URL, obstructing the exploitation of this vulnerability.

- Successful exploitation of this vulnerability could enable a remote user to gain access to systems files, password files, etc. This could lead to a complete compromise of the host.

SAFER - This vulnerability will be rectified in the next release of Lotus Domino Server. The release date is not yet known. An unofficial workaround is available.

Ibrow newsdesk.cgi File Disclosure Vulnerability

Released January 04, 2001
Affects ibrow newsdesk.cgi 1.2
Reference http://www.securityfocus.com/bid/2172
Problem - Due to a failure to properly remove '/../' sequences from user-supplied input, a malicious remote user may lead the newsdesk.cgi script to improperly reveal the contents of any file on the filesystem, and to disclose the portions of the filesystem readable by the user running the webserver.

- This can permit an attacker to obtain passwords and other sensitive information, allowing an attacker to gain interactive access to the system with the privilege of the webserver. If the attacker is able to locate the newsdesk.cgi password string, this could permit website defacement.

SAFER - We are not aware of any solutions for this issue.


HP-UX kermit Buffer Overflow Vulnerability

Released January 03, 2001
Affects HP-UX 10.1, 10.10, 10.20, 11.0
Reference http://www.securityfocus.com/bid/2170
Problem - A problem exists in the kermit software package distributed with HP-UX. The problem is the result of a buffer overflow in kermit. It is possible to overwrite stack variables and potentially the return address. This problem could allow a user with malicious intent to execute arbitrary code, and gain elevated privileges with the potential for administrative access.

SAFER - Upgrades from HP are available.

Informix Webdriver Local File Overwrite Vulnerability

Released January 03, 2001
Affects Informix Webdriver 1.0
Reference http://www.securityfocus.com/bid/2168
Problem - Webdriver reportedly uses insecure methods of temporary file creation. Properly exploited, this can allow a malicious local user to successfully carry out a symlink attack, potentially overwriting arbitrary files owned or writeable by user 'nobody'. This can also permit defacement of websites where the affected HTML files are owned by user 'nobody'.

- Further technical details of the vulnerability are not known.

SAFER - We are not aware of any solutions for this issue.

GTK+ Arbitrary Loadable Module Execution Vulnerability

Released January 02, 2001
Affects GTK+ 1.2.8 and Previous
Reference http://www.securityfocus.com/bid/2165
Problem - The problem occurs in the ability to load modules with the GTK_MODULES environment variable. It is possible to specify a path to modules that may not be part of the GTK+ package using this environment variable. By doing so, a custom crafted module can be loaded by the toolkit. Once loaded by the toolkit, the module is executed. This issue makes it possible for a user with malicious intent to potentially gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code.

SAFER - A temporary fix is to add the following line of code to line 215 (approximately, in GTK 1.2.8) of source file gtkmain.


Microsoft Windows Media Player Javascript URL Vulnerability

Released January 01, 2001
Affects Microsoft Windows Media Player 7
Reference http://www.securityfocus.com/bid/2167
Problem - It is possible to execute a javascript URL from within the Windows Media Player ActiveX control embedded in HTML. This javascript can be executed in arbitrary "already open" frames, specified within the ActiveX control. By doing this, an attacker can take over the frame's DOM (document object model), bypassing security restrictions. This would be accomplished through a special webpage and having the victim visit the webpage.

- An attacker exploiting this vulnerability can read files on the user's filesystem and reportedly execute arbitrary programs on the victim host.

SAFER - The following workaround has been provided by Wkit Security Advisory Team <[email protected]>: Since this vulnerability depends on ActiveX and Javascript it can be "disarmed" by adjusting the security settings in MS IE. If ActiveX and Active Scripting options are set to Disabled or Ask (and the user chooses "No" when prompted) this vulnerability should be prevented.


SECURITY ADVISORIES

This section contains official advisories as released by various vendors or security organizations. This list addresses the problems found during January 2001.

Cisco Security Advisory: Cisco Content Services Switch Vulnerability

Released January 31, 2001
Affects Cisco CSS 11050, CSS 11150, and CSS 11800
Reference http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml
Problem - The Cisco Content Services (CSS) switch product, also known as Arrowpoint, has several security vulnerabilities once access to the command line interface (CLI) is granted. In the first vulnerability, the switch can be forced into a temporary denial of service by an unprivileged user; this is documented in Cisco Bug ID CSCdt08730. The second issue allows a non-privileged user to view filenames and file contents. This is documented in Cisco Bug ID CSCdt12748.

SAFER - CSCdt08730 is resolved in revision 4.01(12s), and revision 3.10(71s) of Cisco WebNS software. The file system information disclosure vulnerabilities are scheduled to be fixed, but are currently unresolved. Workarounds are recommended in the interim. This notice will be updated when the vulnerabilities are resolved, or monthly until the vulnerabilities are resolved.

Linux-Mandrake Security Update MDKSA-2001:019: bind

Released January 31, 2001
Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/
Problem - Previous versions of XEmacs had a problem with the gnuserv application. Versions prior to 21.1.14 could allow arbitrary code to be executed by overrunning the magic cookie buffer, as well as accepting the prefix of valid magic cookies (i.e. "12" is accepted if the cookie is "12345678").

SAFER - Update is available from Mandrake.

FreeBSD Security Advisory SA-01:18: bind

Released January 31, 2001
Affects FreeBSD 3.x, FreeBSD 4.x
Reference http://www.freebsd.org/
Problem - An overflowable buffer related to the processing of transaction signatures (TSIG) exists in all versions of BIND prior to 8.2.3-RELEASE. The vulnerability is exploitable regardless of configuration options and affects both recursive and non-recursive DNS servers.

- Additional vulnerabilities allow the leaking of environment variables and the contents of the program stack. These vulnerabilities may assist the ability of attackers to exploit the primary vulnerability described above, and may provide additional information about the state or configuration of the system.

- All previous versions of BIND 8, such as the beta versions included in FreeBSD 4.x prior to the correction date (designated the version number BIND 8.2.3-T<#>B) are vulnerable to this problem. Systems running versions of BIND 9.x (available in the FreeBSD ports collection) are unaffected.

- Note that this advisory also describes vulnerabilities in the BIND 4.x software, which is not included in any recent version of FreeBSD. All versions of FreeBSD 3.x and 4.x prior to the correction date, including 3.5.1-RELEASE and 4.2-RELEASE, are vulnerable to this problem if they have been configured to run named (this is not enabled by default). In addition, the bind8 port in the ports collection (versions prior to 8.2.3) is also vulnerable.

SAFER - Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates.


Linux-Mandrake Security Update MDKSA-2001:018: kdesu

Released January 31, 2001
Affects Mandrake Linux 6.1, 7.0, 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/
Problem - A problem exists with the kdesu program for KDE versions 1 and 2. kdesu is a frontend for the su program, allowing normal users to run programs with root privileges by prompting for the root password. When the "keep password" option is enabled, kdesu tries to send the password across process boundaries to kdesud via a UNIX socket. During this, it does not verify the identity of the listener on the other end, which can allow attackers to obtain the root password.

- As of Linux-Mandrake 7.2, the kdesu program is a part of the kdebase package, and libraries for kdesu are found in the kdelibs package.

SAFER - Update is available from Mandrake.

TurboLinux Security Announcement TLSA2001001-1: LPRng

Released January 31, 2001
Affects TurboLinux 6.0.5 and earlier
Reference http://www.turbolinux.com/security/
Problem - The LPRng port, versions prior to 3.6.26, contains a potential vulnerability which may allow root compromise from both local and remote systems. The vulnerability is due to incorrect usage of the syslog(3) function. Local and remote users can send string-formatting operators to the printer daemon to corrupt the daemon's execution, potentially gaining root access.

SAFER - Update the package from TurboLinux ftp server.

Red Hat Security Advisory RHSA-2001:006: inetd

Released January 30, 2001
Affects Red Hat Linux 6.2
Reference http://www.redhat.com/
Problem - The inetd server as shipped with Red Hat Linux 6.2 fails to close sockets for internal services properly. This could make services stop working when the system has leaked sufficient resources.

- Note that all of these services are turned off in the default configuration.

SAFER - Updates are available from RedHat.

SuSE Security Announcement SuSE-SA:2001:03: bind8

Released January 30, 2001
Affects SuSE Linux 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, 7.1
Reference http://www.suse.com/
Problem - bind-8.x in all versions of the SuSE distributions contains a bug in the transaction signature handling code that allows a remote attacker to overflow a buffer and thereby execute arbitrary code as the user running the nameserver (this is user named by default on SuSE systems). In addition to this bug, another problem allows a remote attacker to collect information about the running bind process (this has been found by Claudio Musmarra <[email protected]>). For more information on these bugs, please visit the CERT webpage at http://www.cert.org/advisories/CA-2001-02.html and the bind bugs webpage at http://www.isc.org/products/BIND/bind-security.html .

- The problem is present in the upcoming SuSE distribution 7.1 that will be available by February 10th in the CD/DVD version.

SAFER - There exists no reasonable method to circumvent the problems other than to update the package as described below.


SuSE Security Announcement SuSE-SA:2001:02: kdesu

Released January 30, 2001
Affects SuSE Linux 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Reference http://www.suse.com/
Problem - kdesu is a KDE frontend for su(1). When invoked it prompts for the root password and runs su(1). kdesu itself does not run setuid/setgid. However, when enabling the 'keep password' option it tries to send the password across process boundaries to kdesud via a UNIX socket. During this it does not verify the identity of the listener on the other end. This allows attackers to obtain the root password.

- This bug has been fixed in the update packages by checking the ownership of the socket on the listener side.

SAFER - Download the update package from SuSE.

Microsoft Security Bulletin (MS01-005)

Released January 30, 2001
Affects Microsoft Windows 2000 Professional, Server, Advanced Server
Reference http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
Problem - Microsoft packages all Windows 2000 hotfixes (including security patches) with a catalog file that lists all of the valid hotfixes that have been issued to date. The catalog is digitally signed to ensure its integrity, and Windows File Protection uses the signed catalog to determine which hotfixes are valid. An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer's system to revert to a version of a Windows 2000 module that contained a security vulnerability.

- Windows File Protection will only remove valid hotfixes from a Windows 2000 system under a very restrictive set of circumstances. The system administrator would have to have applied multiple hotfixes in an order other than that in which Microsoft produced and packaged them. Furthermore, Windows File Protection would only remove hotfixes from a system if it were run explicitly (by running sfc/scannow for instance) or triggered by some administrator action (such as specifying that it be invoked under a group policy).

SAFER - Microsoft has released patches for this vulnerability.

Conectiva Announcement CLSA-2001:378: kde2

Released January 30, 2001
Affects Conectiva Linux 6.0
Reference http://www.conectiva.com.br/
Problem - "kdesu" is a utility called by some graphical programs when they need to execute something as another user, typically root. This utility then prompts for the password. There is a vulnerability in kdesu which allows other users on the machine to capture that password and thus potentially compromise the root account.

SAFER - All KDE2 users should upgrade.
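The three kdesu entries above (Mandrake MDKSA-2001:018, SuSE-SA:2001:02 and Conectiva CLSA-2001:378) all describe the same defect: a secret is written to a UNIX-domain socket without first establishing who is listening, and SuSE's note says the fix was to check the ownership of the socket. The following C code is an added illustration of that class of check, not code from kdesu or from any of the vendors; the function names, the `kdesud` path used in the demo and the 0600 socket mode are assumptions made here. The connecting side refuses to talk unless the path is a real socket node (not a symlink or an ordinary file), is owned by the expected uid, and is not writable by other users.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Identity check on the listener's socket before any secret crosses it:
 * the path must be a socket node (a planted symlink or regular file is
 * rejected because lstat does not follow links), owned by `expected_uid`,
 * and not writable by group or others. Returns 1 if acceptable, else 0. */
int socket_owner_ok(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode))
        return 0;
    if (st.st_uid != expected_uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Fill a sockaddr_un, refusing paths that would not fit sun_path. */
static int fill_addr(struct sockaddr_un *sa, const char *path)
{
    if (strlen(path) >= sizeof sa->sun_path)
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Demo daemon side (stands in for kdesud): bind a listening socket at
 * `path`; the umask makes the socket node 0600 so only the owner can use it. */
int listen_at(const char *path)
{
    struct sockaddr_un sa;
    if (fill_addr(&sa, path) != 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    mode_t old = umask(077);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    if (rc != 0 || listen(fd, 1) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Client side (stands in for kdesu): connect only once the check passes.
 * Returns the connected descriptor, or -1 if the listener is not trusted
 * or cannot be reached. The caller writes its secret only on success. */
int connect_checked(const char *path, uid_t expected_uid)
{
    if (!socket_owner_ok(path, expected_uid))
        return -1;
    struct sockaddr_un sa;
    if (fill_addr(&sa, path) != 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/safer-sock-XXXXXX";      /* private demo directory */
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }
    char path[sizeof ((struct sockaddr_un *)0)->sun_path];
    snprintf(path, sizeof path, "%s/kdesud", dir);
    int lfd = listen_at(path);
    int cfd = connect_checked(path, getuid());
    printf("listener %s, connect %s\n", lfd >= 0 ? "up" : "failed",
           cfd >= 0 ? "accepted" : "refused");
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    unlink(path);
    rmdir(dir);
    return 0;
}
```

The lstat check is what the page describes and is portable, but it is a check on the name, not on the peer, so a window remains between the check and the connect. On Linux the stronger follow-up is to query the peer's credentials on the connected socket (getsockopt with SO_PEERCRED) and compare the uid again before sending anything; that is a refinement beyond what the advisories state.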


FreeBSD Security Advisory SA-01:15: tinyproxy

Released January 29, 2001
Affects FreeBSD
Reference http://www.freebsd.org/
Problem - The tinyproxy port, versions prior to 1.3.3a, contains remote vulnerabilities: due to a heap overflow, malicious remote users can cause a denial-of-service by crashing the proxy. Additionally, the attacker may potentially cause arbitrary code to be executed as the user running tinyproxy.

- Malicious remote users may cause a denial-of-service and potentially cause arbitrary code to be executed.

SAFER - Upgrade your entire ports collection and rebuild the port.

Trustix security advisory: bind, openldap

Released January 29, 2001
Affects Trustix Secure Linux (all versions)
Reference http://www.trustix.net/
Problem - Trustix released security updates for the following packages:

- bind - A remote hole in bind allows for the environment of the server process to be leaked to an attacker.

- openldap - A silly bug in the rpm spec file for openldap makes the server run by default, which violates Trustix' standard of no running services by default. Note that there are no known remote security holes in openldap as shipped by Trustix.

SAFER - All users of TSL should upgrade to the new rpm.

FreeBSD Security Advisory SA-01:13: sort

Released January 29, 2001
Affects FreeBSD 3.x, FreeBSD 4.x (all prior to 4.2), FreeBSD 3.5-STABLE
Reference http://www.freebsd.org/
Problem - During internal auditing, sort(1) was found to use easily predictable temporary file names. It does create these temporary files correctly such that they cannot be "subverted" by a symlink attack, but the program will abort if the temporary filename chosen is already in use. This allows an attacker to cause the sort(1) command to abort, which may have a cascade effect on other scripts which make use of it (such as system management and reporting scripts). For example, it may be possible to use this failure mode to hide the reporting of malicious system activity which would otherwise be detected by a management script.

- All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable. The problem was corrected prior to the release of FreeBSD 4.2.

- Attackers can cause the operation of sort(1) to fail, possibly disrupting aspects of system operation.

SAFER - Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, 4.2-RELEASE, or 4.2-STABLE after the correction date.


Caldera Security Advisory CSSA-2001-008.0: bind

Released January 29, 2001
Affects Caldera Linux 2.3, 2.4
Reference http://www.calderasystems.com/
Problem - Several security problems have been discovered in the most recent versions of BINDv8 (8.2.2p7). One of them is a buffer overflow that can potentially be exploited to execute arbitrary code with the privilege of the bind user.

- If you do not run the BIND named server, you are not affected by this problem.

SAFER - The proper solution is to upgrade to the latest packages.

FreeBSD Security Advisory SA-01:11: inetd

Released January 29, 2001
Affects FreeBSD 3.x, FreeBSD 4.x
Reference http://www.freebsd.org/
Problem - During internal auditing, the internal ident server in inetd was found to incorrectly set group privileges according to the user. Due to ident using root's group permissions, users may read the first 16 (excluding initial whitespace) bytes of wheel-accessible files.

- All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

- Users can read the first 16 bytes of wheel-accessible files. To determine which may be potentially read, execute the following command as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

SAFER - Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the correction date.

Immunix OS Security Advisory IMNX-2000-70-001-01: bind

Released January 29, 2001
Affects Immunix OS 6.2, 7.0-beta
Reference http://www.immunix.org/
Problem - The people at COVERT Labs have discovered a number of security problems with all previous versions of Bind (see http://www.securityfocus.com/archive/1/159035 for a good summary of all of the problems found).

SAFER - Packages have been created and released for Immunix 6.2 and 7.0-beta to fix these problems.

FreeBSD Security Advisory SA-01:17: exmh2

Released January 29, 2001
Affects FreeBSD
Reference http://www.freebsd.org/
Problem - The exmh2 port, versions prior to 2.3.1, contains a local vulnerability: at startup, if exmh detects a problem in its code or configuration an error dialog appears giving the user an option to fill in a bug report and email it to the maintainer. If the user agrees to mail the maintainer, a file named /tmp/exmhErrorMsg is created. If the file exists and is a symlink, it will follow the link, allowing local files writable by the user to be overwritten.

- Malicious local users may cause arbitrary files writable by the user running exmh to be overwritten, in certain restricted situations.

SAFER - Upgrade your entire ports collection and rebuild the port.


HP Security Bulletin #0138: Vulnerability in man(1) command

Released January 29, 2001
Affects HP-UX 11.00, 10.04, 10.20, 10.24, 10.10, 10.01
Reference http://www.hp.com/
Problem - Hewlett-Packard Company has become aware of a defect in the man(1) command. Users could cause a Denial of Service (DoS).

SAFER - Apply patches for HP-UX releases.

FreeBSD Security Advisory SA-01:08: ipfw/ip6fw

Released January 29, 2001
Affects FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
Reference http://www.freebsd.org/
Problem - A vulnerability was inadvertently introduced into periodic that caused temporary files with insecure file names to be used in the system's temporary directory. This may allow a malicious local user to cause arbitrary files on the system to be corrupted.

- By default, periodic is normally called by cron for daily, weekly, and monthly maintenance. Because these scripts run as root, an attacker may potentially corrupt any file on the system.

- FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior to the correction date are vulnerable. The problem was corrected prior to the release of FreeBSD 4.2.

- Malicious local users can cause arbitrary files on the system to be corrupted.

SAFER - Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the correction date.
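Six entries in this issue are the same bug class: squid, arpwatch, the Apache htpasswd/htdigest helpers, Informix Webdriver, exmh2 and periodic all create a file in /tmp under a name a local user can predict, without checking whether something already sits at that name, so a pre-planted symbolic link is followed and the real target is overwritten or corrupted. The FreeBSD sort(1) entry (SA-01:13) is the other half of the same problem: sort creates its files correctly but aborts on a name collision, which lets a local user turn a predictable name into a denial of service. The C code below is an added illustration of the defensive pattern and is not code from any of the affected projects; the function names, the `report` prefix, the 100-attempt limit and the `sequential_suffix` helper (kept only so the collision handling can be demonstrated deterministically) are assumptions made here. It shows the predictable-name open the advisories describe beside an exclusive create that refuses existing names and symlinks, and that reacts to a collision by picking a new random name instead of aborting.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* The 'before' form the entries describe: a name built from the pid, opened
 * without O_EXCL. Whatever already sits there, a symlink included, is
 * followed and truncated. Shown for contrast only. */
int open_tmp_predictable(const char *dir, const char *prefix)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, prefix, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened primitive. O_CREAT|O_EXCL makes the kernel fail with EEXIST if
 * anything (file or symlink) already holds the name, so nothing is followed;
 * O_NOFOLLOW is belt-and-braces on the final component. fstat on the
 * descriptor (never stat on the name) confirms we hold a fresh, unshared
 * regular file that we own. Returns the fd, or -1 with errno set. */
int open_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* errno == EEXIST on a collision */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Suffix source for real use: 64 bits from /dev/urandom, so the name cannot
 * be guessed in advance the way a pid- or time-based one can. */
unsigned long urandom_suffix(void)
{
    unsigned long r = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        if (read(fd, &r, sizeof r) != (ssize_t)sizeof r)
            r = 0;
        close(fd);
    }
    if (r == 0)  /* last-resort fallback so the retry loop still progresses */
        r = ((unsigned long)getpid() << 20) ^ (unsigned long)time(NULL);
    return r;
}

/* Deterministic suffix source, kept only to demonstrate collision handling. */
unsigned long seq_counter = 0;
unsigned long sequential_suffix(void)
{
    return seq_counter++;
}

/* Creates "<dir>/<prefix>.<hex suffix>" through open_exclusive. A taken name
 * (EEXIST) simply gets the next suffix rather than aborting, which is the
 * sort(1) failure mode; any other error stops immediately. On success the
 * path actually used is written to `out`. Returns the fd or -1. */
int open_tmp_secure(const char *dir, const char *prefix,
                    unsigned long (*next_suffix)(void),
                    char *out, size_t outlen)
{
    for (int attempt = 0; attempt < 100; attempt++) {
        snprintf(out, outlen, "%s/%s.%lx", dir, prefix, next_suffix());
        int fd = open_exclusive(out);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;                  /* permissions etc.: do not keep trying */
    }
    errno = EEXIST;                     /* far too many collisions: give up */
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/safer-demo-XXXXXX";   /* private directory for the demo */
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }
    char path[PATH_MAX];
    int fd = open_tmp_secure(dir, "report", urandom_suffix, path, sizeof path);
    if (fd < 0) { perror("open_tmp_secure"); return 1; }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    rmdir(dir);
    return 0;
}
```

In practice mkstemp(3) already implements the exclusive-create-and-retry loop with a random name; the hand-written version is shown so that the two separate defences are visible: O_EXCL (with the fstat afterwards) is what stops the symlink attack, and retrying on EEXIST is what stops a collision from becoming the abort that sort(1) suffered.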

Debian Security Advisory DSA-026-1: bind

Released January 29, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/
Problem - BIND 8 suffered from several buffer overflows. It is possible to construct an inverse query that allows the stack to be read remotely, exposing environment variables. CERT has disclosed information about these issues. A new upstream version fixes this. Due to the complexity of BIND we have decided to make an exception to our rule by releasing the new upstream source to our stable distribution.

SAFER - We recommend you upgrade your bind packages immediately.

Red Hat Security Advisory RHSA-2001:007: bind

Released January 29, 2001
Affects Red Hat Linux 5.2, 6.2, 7.0
Reference http://www.redhat.com/
Problem - Some security problems, including a remotely exploitable information leak allowing anyone to read the stack, have been found in bind versions prior to 8.2.3.

SAFER - Updates are available from RedHat.


FreeBSD Security Advisory SA-01:14: micq

Released January 29, 2001
Affects FreeBSD
Reference http://www.freebsd.org/
Problem - The micq port, versions prior to 0.4.6.1, contains a remote vulnerability: due to a buffer overflow, a malicious remote user sending specially-crafted packets may be able to execute arbitrary code on the local system with the privileges of the micq process. To accomplish this, the attacker must be able to sniff the packets between the micq client and ICQ server in order to gain the session key to cause the client to accept the malicious packets.

SAFER - Upgrade your entire ports collection and rebuild the port.

Conectiva Announcement CLSA-2001:377: bind

Released January 29, 2001
Affects Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, e-commerce and graphic tools, 5.1, 6.0
Reference http://www.conectiva.com.br/
Problem - COVERT labs and Claudio Musmarra have found several vulnerabilities in the bind packages. Two of these vulnerabilities affect the version shipped with Conectiva Linux (8.2.2P7 is the most current shipped package):

- a buffer overflow in the TSIG (transaction signature) code allows a remote attacker to execute arbitrary code on the server with the privileges under which the "named" daemon is running. On default installations of Conectiva Linux, this is the non-privileged "named" account, and not root.

- the second vulnerability allows a remote attacker to gather information about the running named process which would help him/her to successfully exploit the first vulnerability (this is the problem found by Claudio Musmarra).

SAFER - ISC has released a new version to address these issues. All users of the bind package should upgrade immediately. After upgrading, issue the following command to start the new version of the server: /etc/rc.d/init.d/named restart

FreeBSD Security Advisory SA-01:16: MySQL

Released January 29, 2001
Affects FreeBSD
Reference http://www.freebsd.org/
Problem - The mysql323-server port, versions prior to 3.23.22, and all mysql322-server ports contain remote vulnerabilities. Due to a buffer overflow, a malicious remote user can cause a denial-of-service by crashing the database. Additionally, the attacker may be able to gain the privileges of the mysqld user, allowing access to all databases and the ability to leverage other local attacks as the mysqld user. In order to accomplish this, the attacker must have a valid mysql account.

- The mysql322-server and mysql323-server ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

- Malicious remote mysql users may cause a denial-of-service and potentially gain access as the mysqld user, allowing access to all databases on the mysql server and the ability to leverage other local attacks as the mysqld user.

SAFER - Upgrade your entire ports collection and rebuild the port.


Microsoft Security Bulletin (MS01-004)

Released January 29, 2001
Affects Microsoft Internet Information Server 4.0, 5.0
Reference http://www.microsoft.com/technet/security/bulletin/fq01-004.asp
Problem - This vulnerability involves a new variant of the "File Fragment Reading via .HTR" vulnerability, previous variants of which were discussed in Microsoft Security Bulletins MS00-031 and MS00-044. Like the original variants, this one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker. There is no capability via the vulnerability to add, change or delete files on the server, or to access a file without permissions.

- There are a number of significant restrictions on this vulnerability:

- The effect of normal .HTR processing would be to strip out the very data that would be most likely to contain sensitive data; there would need to be zeros fortuitously located in the server memory in order for the file fragments to be sent.

- If best practices have been followed regarding the need to avoid ever storing sensitive information in .ASP and other server-side files, there will be no sensitive information in the file to begin with.

- Customers who have previously disabled the .HTR functionality would not be affected by this vulnerability. Microsoft recommends that all customers who haven’t already disabled .HTR do so, unless there is a business-critical reason for keeping it. For the latter group of customers, a patch is available that eliminates this vulnerability, as well as those discussed in Microsoft Security Bulletins MS00-031 and MS00-044.

SAFER - The recommended method of eliminating this vulnerability is to disable .HTR. Customers who must retain the .HTR functionality should apply the patch.

Linux-Mandrake Security Update MDKSA-2001:017: bind

Released January 29, 2001
Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/
Problem - Four problems exist in all versions of ISC BIND 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3 (9.x is not affected). Version 8.2.x contains a buffer overflow in the transaction signature (TSIG) handling code that can be exploited by an attacker to gain unauthorized privileged access to the system, allowing execution of arbitrary code. BIND 4 contains both a buffer overflow in the nslookupComplain() function, as well as an input validation error in the same function. These two flaws in BIND 4 can result in a Denial of Service or the execution of arbitrary code if successfully exploited. Finally, both BIND 4 and BIND 8 suffer from an information leak in the query processing code that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This flaw is triggered by sending a specially formatted query to vulnerable BIND servers.

- Linux-Mandrake ships with ISC BIND 8 and is therefore vulnerable to the first and final vulnerabilities previously mentioned. The first vulnerability is limited because any access gained by exploiting it will be restricted, due to the named server running as the user and group named, not as root.

SAFER - It is highly recommended that all Linux-Mandrake users upgrade BIND immediately to the latest

8.2.3 version that fixes these vulnerabilities.


Caldera Security Advisory CSSA-2001-006.0: MySQL

Released January 29, 2001
Affects Caldera Linux 2.4
Reference http://www.calderasystems.com/

Problem - There is a buffer overflow in the MySQL server that allows an attacker to gain access to the mysql account. A valid mysql account is required for this attack. An exploit for this problem has been published on bugtraq.

- Note that a second vulnerability is currently being discussed on various mailing lists, relating to the SHOW GRANTS command. This command is not supported in the MySQL versions currently shipped by Caldera, so this second vulnerability does not affect OpenLinux.

SAFER - The proper solution is to upgrade to the latest packages.

Debian Security Advisory DSA-025-2: openssh

Released January 28, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - A previous security upload of OpenSSH lacked support for PAM, which led to people not being able to log onto their server. This was only a problem on the sparc architecture.

SAFER - We recommend you upgrade your ssh packages on sparc.

Debian Security Advisory DSA-024-1: cron

Released January 27, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - The FreeBSD team has found a bug in the way new crontabs were handled which allowed malicious users to display arbitrary crontab files on the local system. This only affects valid crontab files, so it can't be used to get access to /etc/shadow or the like. Crontab files are not especially secure anyway, as there are other ways they can leak. No passwords or similar sensitive data should be in there.

SAFER - We recommend you upgrade your cron packages.

Debian Security Advisory DSA-023-1: inn2

Released January 26, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - People at WireX have found several potentially insecure uses of temporary files in programs provided by INN2. Some of them only lead to a vulnerability to symlink attacks if the temporary directory was set to /tmp or /var/tmp, which is the case in many installations, at least in Debian packages. An attacker could overwrite any file owned by the news system administrator, i.e. owned by news.news.

- Michal Zalewski found an exploitable buffer overflow with regard to cancel messages and their verification. This bug only showed up if "verifycancels" was enabled in inn.conf, which is not the default and is discouraged by upstream.

- Andi Kleen found a bug in INN2 that makes innd crash on two-byte headers. There is a chance this can only be exploited via uucp.

SAFER - We recommend you upgrade your inn2 packages immediately.


Linux-Mandrake Security Update MDKSA-2001:016: webmin

Released January 26, 2001
Affects Mandrake Linux 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/

Problem - Previous versions of webmin would create temporary files insecurely on several occasions. This could be exploited by a local attacker to overwrite or create arbitrary files and possibly gain root privileges.

SAFER - Update is available from Mandrake.

SuSE Security Announcement SuSE-SA:2001:01: glibc

Released January 26, 2001
Affects SuSE Linux 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Reference http://www.suse.com/

Problem - ld-linux.so.2, the dynamic linker, adds shared libraries to the memory space of a program to be started. Its flexibility allows some environment variables to influence the linking process, such as preloading shared libraries and defining the path in which the linker will search for shared libraries. Special care must be exercised when runtime-linking setuid or setgid binaries: the runtime linker must not link against user-specified libraries, since the code therein would then run with the elevated privileges of the suid binary. The runtime linker as used in the SuSE distributions ignores the content of the critical environment variables if the specified path begins with a slash ("/"), or if the library file name is not cached (e.g. it is contained in a path from /etc/ld.so.conf). However, Solar Designer has found that even preloading glibc-native shared libraries can be dangerous: the code in the user-linked library is not aware of the fact that the binary runs with suid or sgid privileges. Using debugging features of glibc (and possibly other features), it is possible for a local attacker to overwrite arbitrary files with the elevated privileges of the suid/sgid binary executed. This may lead to a local root compromise.

SAFER - To eliminate these problems, SuSE provides update packages that completely disregard the LD_* variables upon runtime-linking of a binary that has an effective uid different from the caller's userid.

Linux-Mandrake Security Update MDKSA-2001:014-1: MySQL

Released January 26, 2001
Affects Mandrake Linux 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/

Problem - A security problem exists in all versions of MySQL after 3.23.2 and prior to 3.23.31. The problem is that the SHOW GRANTS command could be executed by any user, making it possible for anyone with a MySQL account to get the crypted password from the mysql.user table. The new 3.23.31 version fixes this.

- Due to library changes, the previously announced PHP update (MDKSA-2001:013) has been updated as well so that the php-mysql module supports this new version of MySQL. It also corrects the upgrade scripts in the package; however, you will still need to verify that PHP support is enabled in your /etc/httpd/conf/httpd.conf Apache configuration file and that the installed modules are uncommented in your /etc/php.ini file.

- Previous versions of MySQL also suffered from a buffer overflow problem that has been corrected in the recent releases. This update fixes the buffer overflow problem in the MySQL packages provided with Linux-Mandrake 7.1 and Corporate Server 1.0.1.

SAFER - Update is available from Mandrake.


Debian Security Advisory DSA-022-1: exmh

Released January 26, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - Former versions of the exmh program used /tmp for storing temporary files. No checks were made to ensure that nobody had placed a symlink with the same name in /tmp in the meantime, so the program was vulnerable to a symlink attack. This could lead to a malicious local user being able to overwrite any file writable by the user executing exmh. Upstream developers have reported and fixed this. The exmh program now uses /tmp/login unless TMPDIR or EXMHTMPDIR is set.

SAFER - We recommend you upgrade your exmh packages immediately.

Debian Security Advisory DSA-021-1: apache

Released January 26, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - WireX have found some occurrences of insecure opening of temporary files in htdigest and htpasswd. Neither program is installed setuid or setgid, so the impact should be minimal. The Apache group has released another security bugfix which fixes a vulnerability in mod_rewrite that may allow a remote attacker to access arbitrary files on the web server.

SAFER - We recommend you upgrade your apache package immediately.

Linux-Mandrake Security Update MDKSA-2001:015: exmh

Released January 26, 2001
Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/

Problem - All versions of exmh prior to 2.3.1 use the /tmp directory for storing temporary files. This was done in an insecure manner, as exmh did not check to ensure that nobody had placed a symlink with the same name in /tmp in the meantime, and so it was vulnerable to a symlink attack. This could lead to a malicious local user being able to overwrite any file writable by the user executing exmh. These updated versions of exmh now use /tmp/username unless TMPDIR or EXMHTMPDIR is set.

SAFER - Update is available from Mandrake.
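The temporary-file race behind the exmh, inn2, webmin and htpasswd items above, as an added example that is not code from any of those projects or advisories: the predictable-name open they were fixed for, beside an mkstemp()-based replacement that honours TMPDIR the way the fixed exmh does, with a self-contained demonstration in a private scratch directory (file and link names are constructed for the demo; `unsafe_tmp_open`, `safe_tmp_open` and `demo_symlink_race` are names chosen here).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the one the advisories describe): a predictable name in
 * a shared directory, created without O_EXCL. If a symlink already sits at
 * that name, open() follows it and the truncating write lands on whatever
 * the link points at. */
int unsafe_tmp_open(const char *dir, const char *user)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/exmh.%s", dir, user);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern: honour TMPDIR as the fixed exmh does, let mkstemp() choose an
 * unpredictable name and create it with O_CREAT|O_EXCL (a pre-existing file
 * or link makes the call fail instead of being followed), then confirm what
 * was opened is a regular file owned by us. Returns the fd or -1. */
int safe_tmp_open(const char *fallback_dir, char *path_out, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = fallback_dir;
    if (snprintf(path_out, len, "%s/exmh.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        unlink(path_out);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration: a link is pre-planted at the predictable name (the condition
 * the advisories describe, constructed here in a private 0700 directory),
 * then both openers run. Returns 1 when the unsafe opener clobbered the
 * victim file and the safe opener did not, 0 otherwise, -1 on setup failure.
 * Linux's fs.protected_symlinks only guards sticky world-writable directories
 * against other users' links, so it does not help here; O_EXCL does. */
int demo_symlink_race(void)
{
    char scratch[] = "/tmp/tmpdemo.XXXXXX";
    if (mkdtemp(scratch) == NULL)
        return -1;

    char victim[PATH_MAX], planted[PATH_MAX], safe_path[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim.txt", scratch);
    snprintf(planted, sizeof planted, "%s/exmh.alice", scratch);

    FILE *fp = fopen(victim, "w");          /* constructed victim content */
    if (fp == NULL) return -1;
    fputs("keep me\n", fp);                 /* 8 bytes */
    fclose(fp);
    if (symlink(victim, planted) != 0) return -1;

    struct stat st;
    int fd = safe_tmp_open(scratch, safe_path, sizeof safe_path);
    int safe_ok = fd >= 0 && strcmp(safe_path, planted) != 0
                  && stat(victim, &st) == 0 && st.st_size == 8;
    if (fd >= 0) { close(fd); unlink(safe_path); }

    fd = unsafe_tmp_open(scratch, "alice"); /* follows the planted link */
    int clobbered = fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);

    unlink(planted); unlink(victim); rmdir(scratch);
    return (safe_ok && clobbered) ? 1 : 0;
}

int main(void)
{
    printf("%s\n", demo_symlink_race() == 1
           ? "unsafe open wrote through the planted link; safe open did not"
           : "unexpected result");
    return 0;
}
```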

Conectiva Announcement CLSA-2001:376: MySQL

Released January 25, 2001
Affects Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, 5.1, 6.0
Reference http://www.conectiva.com.br/

Problem - Versions of MySQL older than 3.23.31 have a buffer overflow vulnerability that could be exploited remotely, depending on how database access is configured (via web, for example).

SAFER - It is recommended that all MySQL users update their packages immediately. Older versions of Conectiva Linux ran the mysqld daemon as root. This update changes that behaviour for these older versions so that the daemon now runs as the "mysql" user instead of root. CL6.0 already has this feature. Users upgrading older versions should check the permissions of the /var/lib/mysql directory for the mysql user. Usually, a "chown -R mysql.mysql /var/lib/mysql" should be enough. Also, programs using the dynamic library of MySQL should be recompiled after this update.


Debian Security Advisory DSA-020-1: php4

Released January 25, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - The Zend people have found a vulnerability in older versions of PHP4 (the original advisory speaks of 4.0.4, but the bugs are present in 4.0.3 as well). It is possible to specify PHP directives on a per-directory basis, which allows a remote attacker to craft an HTTP request that would cause the next page to be served with the wrong values for these directives. Also, even if PHP is installed, it can be activated and deactivated on a per-directory or per-virtual-host basis using the "engine=on" or "engine=off" directive. This setting can be leaked to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server.

SAFER - We recommend you upgrade your php package immediately.

Conectiva Announcement CLSA-2001:374: icecast

Released January 25, 2001
Affects Conectiva Linux 4.1, 4.2, 5.0, 5.1, 6.0
Reference http://www.conectiva.com.br/

Problem - "icecast" is a server used to distribute audio streams to compatible clients such as winamp, mpg123, xmms and many others. The "Packet Knights" group has found a format string vulnerability in this program that could be used to remotely execute arbitrary code on the server with the privileges of the user running it, normally root. This can lead to a remote root compromise.

SAFER - It is recommended that all icecast users upgrade their servers. The new packages fix this problem and also provide some new features: the icecast daemon now runs as the unprivileged user "icecast" and not root; it is not possible to start the server if the default password has not been changed; remote web administration has been turned off by default.

Debian Security Advisory DSA-019-1: squid

Released January 25, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - WireX discovered a potential temporary file race condition in the way that squid sends out email messages notifying the administrator about updating the program. This could lead to arbitrary files being overwritten. However, the code would only be executed if running a very bleeding-edge release of squid, on a server whose time is set some number of months in the past, and with squid crashing. Read it as hard to exploit. This version also contains more upstream bugfixes regarding dots in hostnames and improper HTML quoting.

SAFER - Upgrade your package immediately.


Microsoft Security Bulletin (MS01-002)

Released January 25, 2001
Affects Microsoft PowerPoint 2000
Reference http://www.microsoft.com/technet/security/bulletin/fq01-002.asp

Problem - A parsing routine that is executed when PowerPoint 2000 opens files contains an unchecked buffer. If an attacker inserted specially chosen data into a PowerPoint file and could entice another user into opening the file on his machine, the data would overrun the buffer, causing either of two effects. In the less serious case, overrunning the buffer would cause PowerPoint to fail, but wouldn't have any other effect. In the more serious case, overrunning the buffer could allow the attacker to cause code of her choice to run on the user's machine. The code could take any action that the user himself could take on the machine. Typically, this would enable the attacker's code to add, change or delete data, communicate with a remote server, or take other actions.

- In order for this behavior to occur, a malicious user would need to entice a user into either opening the malformed PowerPoint 2000 file, visiting a malicious website, or viewing a specially crafted HTML email message.

SAFER - Patch from Microsoft is available.

Red Hat Security Advisory RHSA-2001:005-03: micq

Released January 24, 2001
Affects Red Hat Linux 6.0, 6.1, 6.2, 7.0
Reference http://www.redhat.com/

Problem - A buffer overflow exists in the micq package, which allows arbitrary commands to be executed.

SAFER - Updates are available from RedHat.

Microsoft Security Bulletin (MS01-003)

Released January 24, 2001
Affects Microsoft Windows NT 4.0, Terminal Server Edition
Reference http://www.microsoft.com/technet/security/bulletin/fq01-003.asp

Problem - Like all other objects under Windows NT 4.0, mutexes (synchronization objects that govern access to resources) have permissions associated with them that govern how they can be accessed. However, a particular mutex used to govern access to a networking resource has inappropriately loose permissions. This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network.

- The attacker would require interactive logon access to the affected machine. This significantly limits the scope of the vulnerability because, if normal security recommendations have been followed, unprivileged users will not be granted interactive logon rights to critical machines like servers. Unprivileged users typically are granted interactive logon rights to workstations and terminal servers. However, a workstation would not be a tempting target for an attacker, because he could only use this vulnerability to deny service to himself. The machines most likely to be affected would be terminal servers.

SAFER - Patch from Microsoft is available.


Red Hat Security Advisory RHSA-2000:136: php

Released January 24, 2001
Affects Red Hat Linux 5.2, 6.0, 6.1, 6.2, 7.0
Reference http://www.redhat.com/

Problem - Clients uploading "multipart/form-data" information with form requests could cause PHP 3.0.17 to crash. The GD module was not compiled into the previously-issued PHP 4.0.3pl1 errata packages. The php-mysql package is linked against an older version of the libmysqlclient shared library, which was obsoleted by a previous MySQL errata. Security holes in versions 4.0.0 through 4.0.4 of the PHP Apache module have been found.

SAFER - Updates are available from RedHat.

Allaire Security Bulletin (ASB01-02)

Released January 24, 2001
Affects JRun 3.0 (all editions)
Reference http://www.allaire.com/security/

Problem - It is possible to get a directory listing of the WEB-INF directory when requesting pages from a JRun Web Server. It is also possible to display the contents of the web.xml file in WEB-INF.

- Under certain circumstances, submitting a malformed URI to JRun 3.0 will return the web.xml file or a directory listing of the WEB-INF directory on the server. For example, a URL like http://jrun_server:8000/./WEB-INF/ can reveal a directory listing of the WEB-INF directory on the server 'jrun_server'. Also, a URL like http://jrun_server:8000/./WEB-INF/web.xml can retrieve the 'web.xml' file in the 'WEB-INF' directory.

SAFER - Allaire has published this bulletin, notifying customers of the problem. Allaire has also released a patch that should resolve the issue in JRun 3.0. The patch is included in Service Pack 2 for JRun 3.0.

Debian Security Advisory DSA-018-1: tinyproxy

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - PkC have found a heap overflow in tinyproxy that could be remotely exploited. An attacker could gain a shell (user nobody) remotely.

SAFER - We recommend you upgrade your tinyproxy package immediately.


FreeBSD Security Advisory SA-01:10: bind

Released January 23, 2001
Affects FreeBSD
Reference http://www.freebsd.org/

Problem - A vulnerability exists in the bind nameserver's handling of compressed zone transfers. Due to a problem with the compressed zone transfer (ZXFR) implementation, if named is configured for zone transfers and recursive resolving, it will crash after a ZXFR for the authoritative zone and a query of a remote hostname. Since named is not run under a watchdog process which would automatically restart it after a failure, this will lead to the denial of DNS service on the server.

- All versions of FreeBSD 3.x prior to the correction date, including 3.5.1-RELEASE, are vulnerable to this problem. In addition, the bind8 port in the ports collection is also vulnerable. FreeBSD 4.x is not affected, since it contains BIND 8.2.3.

- Malicious remote users can cause the named daemon to crash if it is configured to allow zone transfers and recursive queries.

SAFER - Upgrade your entire ports collection and rebuild the port.

Debian Security Advisory DSA-017-1: jazip

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - With older versions of jazip, members of the floppy group could gain root access to the local machine. The interface doesn't run as root anymore, which prevents this exploit. The program now also truncates DISPLAY to 256 characters if it is longer, which closes the buffer overflow (within xforms).

SAFER - We recommend you upgrade your jazip package immediately.

FreeBSD Security Advisory SA-01:09: crontab

Released January 23, 2001
Affects FreeBSD 3.x, 4.x (all prior to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE
Reference http://www.freebsd.org/

Problem - crontab(8) was discovered to contain a vulnerability that may allow local users to read any file on the system that conforms to a valid crontab(5) file syntax. Due to crontab(5) syntax requirements, the files that may be read are limited and subject to the following restrictions:
* The file is a valid crontab(5) file, or:
* The file is entirely commented out; every line contains either only whitespace, or begins with a '#' character.

- The greatest security vulnerability is the disclosure of crontab entries owned by other users, which may contain sensitive data such as keying material (although this would often be publicly disclosed anyway at the time the crontab job executes, via process arguments and environment, etc.).

- All released versions of FreeBSD prior to the correction date, including FreeBSD 4.1.1, are vulnerable to this problem. The problem was corrected prior to the release of FreeBSD 4.2.

- Malicious local users can read arbitrary local files that conform to a valid crontab file syntax.

SAFER - Upgrade the vulnerable FreeBSD system.


Oracle Security Alerts

Released January 23, 2001
Affects Oracle XSQL Servlet 1.00 up to 1.0.3, Oracle 8i 8.1.7.0.0 Ent., DB server 8.1.7.0.0
Reference http://www.oracle.com/

Problem - A potential security vulnerability in Oracle XSQL Servlet has been discovered when using stylesheets as URL parameters, which permits the execution of arbitrary Java code on the Oracle 8.1.7.0.0 database server with elevated privileges. This vulnerability was discovered in Oracle8i, Release 8.1.7.0.0, Enterprise Edition running Oracle Internet Application Server (iAS) and XSQL Servlet, Release 1.0.0.0, on MS Windows 2000. It also exists in XSQL releases 1.0.1.0 to 1.0.3.0 on all platforms.

SAFER - Oracle has corrected this vulnerability in the new release of XSQL Servlet and has also provided more secure behavior by default. The new release of XSQL Servlet, Release 1.0.4.0, can be obtained from Oracle Technology Network, OTN, http://otn.oracle.com/tech/xml/xsql_servlet. A patch will also be available in the upcoming Oracle8i, Release 8.1.7.1, patch set and available for use with iAS Release 1.0.2.1.

FreeBSD Security Advisory SA-01:08: ipfw/ip6fw

Released January 23, 2001
Affects FreeBSD 3.x, FreeBSD 4.x, FreeBSD 3.5-STABLE and 4.2-STABLE
Reference http://www.freebsd.org/

Problem - Due to overloading of the TCP reserved flags field, ipfw and ip6fw incorrectly treat all TCP packets with the ECE flag set as being part of an established TCP connection, which will therefore match a corresponding ipfw rule containing the 'established' qualifier, even if the packet is not part of an established connection.

- The ECE flag is not believed to be in common use on the Internet at present, but is part of an experimental extension to TCP for congestion notification. At least one other major operating system will emit TCP packets with the ECE flag set under certain operating conditions.

- Only systems which have enabled ipfw or ip6fw and use a ruleset containing TCP rules which make use of the 'established' qualifier, such as "allow tcp from any to any established", are vulnerable. The exact impact of the vulnerability on such systems is undetermined and depends on the exact ruleset in use.

- All released versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1 and FreeBSD 4.2, are vulnerable, but it was corrected prior to the (future) release of FreeBSD 4.3.

- Remote attackers who construct TCP packets with the ECE flag set may bypass certain ipfw rules, allowing them to potentially circumvent the firewall.

SAFER - Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE or 4.2-STABLE after the correction date.
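The flags-handling mistake this advisory describes, as an added example that is not FreeBSD's ipfw code: a deliberately simplified, hypothetical model of an 'established' test that decides on the whole TCP flags byte (so a packet carrying only the formerly reserved ECE bit, or an ECN SYN|ECE|CWR, is "not a bare SYN" and passes), beside a check that masks down to the RFC 793 bits and asks for ACK or RST. The header bytes are constructed samples; `is_established_buggy`, `is_established_fixed` and `probe_ece_bypass` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits of the TCP header byte at offset 13. RFC 793 defined the low six;
 * the top two were reserved until RFC 3168 assigned them to ECN. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* formerly reserved; set on ECN-capable SYNs and ECN echoes */
#define TH_CWR  0x80   /* formerly reserved */

/* The only bits a pre-ECN rule language knows about. */
#define TH_RFC793_MASK (TH_FIN | TH_SYN | TH_RST | TH_PUSH | TH_ACK | TH_URG)

/* Pull the flags byte out of a raw TCP header. */
uint8_t tcp_flags(const uint8_t *tcp_header)
{
    return tcp_header[13];
}

/* Hypothetical model of the faulty classification (not FreeBSD's code):
 * "anything that is not a bare SYN belongs to an established connection",
 * evaluated on the whole byte. Any packet with ECE set is != TH_SYN, so it
 * is admitted by an 'established' rule even though no handshake happened. */
int is_established_buggy(uint8_t flags)
{
    return flags != TH_SYN;
}

/* Corrected test: ignore bits the rule language does not define, then
 * require ACK or RST, which every segment of an established connection
 * carries. Reserved/ECN bits neither count for nor against it. */
int is_established_fixed(uint8_t flags)
{
    uint8_t known = flags & TH_RFC793_MASK;
    return (known & (TH_ACK | TH_RST)) != 0;
}

/* "allow tcp from any to any established": 1 if the packet gets through. */
int rule_allows(const uint8_t *tcp_header, int use_fixed)
{
    uint8_t f = tcp_flags(tcp_header);
    return use_fixed ? is_established_fixed(f) : is_established_buggy(f);
}

/* Constructed 20-byte header: source port 40000, destination port 22,
 * seq 1, ack 0, data offset 5, window 65535; checksum left at zero. */
static void make_header(uint8_t *out, uint8_t flags)
{
    static const uint8_t base[20] = {
        0x9c, 0x40, 0x00, 0x16,             /* ports 40000 -> 22 */
        0x00, 0x00, 0x00, 0x01,             /* sequence number */
        0x00, 0x00, 0x00, 0x00,             /* acknowledgement number */
        0x50, 0x00, 0xff, 0xff,             /* offset 5, flags, window */
        0x00, 0x00, 0x00, 0x00              /* checksum, urgent pointer */
    };
    memcpy(out, base, sizeof base);
    out[13] = flags;
}

/* Probes a defender would run against both checks. Returns a bitmask:
 * 1 = buggy check admits a packet with only ECE set,
 * 2 = fixed check rejects that packet,
 * 4 = fixed check treats an ECN SYN (SYN|ECE|CWR) as a new connection,
 * 8 = both checks still admit an ordinary ACK|PUSH data segment. */
int probe_ece_bypass(void)
{
    uint8_t hdr[20];
    int result = 0;

    make_header(hdr, TH_ECE);
    if (rule_allows(hdr, 0)) result |= 1;
    if (!rule_allows(hdr, 1)) result |= 2;

    make_header(hdr, TH_SYN | TH_ECE | TH_CWR);
    if (!rule_allows(hdr, 1)) result |= 4;

    make_header(hdr, TH_ACK | TH_PUSH);
    if (rule_allows(hdr, 0) && rule_allows(hdr, 1)) result |= 8;

    return result;
}

int main(void)
{
    printf("probe bitmask: %d (15 = all expected outcomes)\n", probe_ece_bypass());
    return 0;
}
```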

Caldera Security Advisory CSSA-2001-005.0: kdesu

Released January 23, 2001
Affects Caldera Linux 2.4
Reference http://www.calderasystems.com/

Problem - KDE2 comes with a program called kdesu that is used to run certain administration commands under the account of the super user (for instance, every time the KDE control center asks you for the root password, you actually talk to kdesu).

- There is a bug in kdesu that allows any user on the system to steal the passwords you enter at the kdesu prompt.

SAFER - The upgrade packages can be found on Caldera's FTP site.


FreeBSD Security Advisory SA-01:07: XFree86

Released January 23, 2001
Affects FreeBSD
Reference http://www.freebsd.org/

Problem - The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple vulnerabilities that may allow local or remote users to cause a denial of service against a vulnerable X server. Additionally, local users may be able to obtain elevated privileges under certain circumstances.

- X server DoS: Remote users can, by sending a malformed packet to port 6000 TCP, cause the victim's X server to freeze for several minutes. During the freeze, the mouse does not move and the screen does not update in any way. In addition, the keyboard is unresponsive, including console-switch and kill-server key combinations. Non-X processes, such as remote command-line logins and non-X applications, are unaffected by the freeze.

- Xlib holes: Due to various coding flaws in libX11, privileged (setuid/setgid) programs linked against libX11 may allow local users to obtain elevated privileges.

- libICE DoS: Due to inadequate bounds checking in libICE, a denial of service exists in any application using libICE to listen on a network port for network services.

- The XFree86-aoutlibs port contains the XFree86 libraries from the 3.3.3 release of XFree86, in a.out format suitable for use with applications in the legacy a.out binary format, most notably the FreeBSD native version of Netscape. It is unknown whether Netscape is vulnerable to the problems described in this advisory, but it is believed that the only potential vulnerability is the libICE denial-of-service condition described above.

- Local or remote users may cause a denial of service against an X server or certain X applications. Local users may obtain elevated privileges with certain X applications.

SAFER - Upgrade your entire ports collection and rebuild the port.

Debian Security Advisory DSA-016-1: wu-ftpd

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - Security people at WireX have noticed a temp file creation bug, and the WU-FTPD development team has found a possible format string bug in wu-ftpd. Both could be remotely exploited, though no such exploit exists currently.

- This additional advisory only announces a recompile of the package for the Intel ia32 architecture. The upload from yesterday was lacking PAM support. This only required a recompile and contains no other fixes.

SAFER - We recommend you upgrade your wu-ftpd package immediately.

Red Hat Security Advisory RHSA-2001:003: MySQL

Released January 23, 2001
Affects Red Hat Linux 7.0
Reference http://www.redhat.com/

Problem - The MySQL database that shipped with Red Hat Linux 7 and the updates for it have been reported by the MySQL authors to have security problems. These problems (buffer overflow and information protection issues) have been fixed in version 3.23.32, which also contains the earlier fixes.

- Note that MySQL has updated its client library since the initial version shipped with Red Hat Linux 7. A new package, mysqlclient9, must be used for running applications linked with the libmysqlclient.so.9 library.

SAFER - Updates are available from RedHat.


Debian Security Advisory DSA-015-1: sash

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - Versions of the sash package prior to 3.4-4 did not clone /etc/shadow properly, causing it to be made world-readable. This package only exists in stable, so if you are running unstable you won't see a bugfix unless you use the resources from the bottom of this message to the proper configuration.

SAFER - We recommend you upgrade your sash package immediately.

Caldera Security Advisory CSSA-2001-007.0: glibc

Released January 23, 2001
Affects Caldera Linux 2.3, 2.4
Reference http://www.calderasystems.com/

Problem - The ELF shared library loader that is part of glibc supports the LD_PRELOAD environment variable, which lets a user request that additional shared libraries be loaded when starting a program. Normally, this feature should be disabled for setuid applications because of its security implications.

- However, the loader from glibc 2.1.1 and 2.1.3 will honor this variable even in setuid applications as long as it doesn't contain a slash. As a result, a user can ask that arbitrary libraries from "system" directories be loaded (i.e. from those directories listed in /etc/ld.so.conf).

- This is a serious security problem and can be exploited to overwrite arbitrary files on the system, for instance.

SAFER - The proper solution is to upgrade to the latest packages.

Debian Security Advisory DSA-014-2: splitvt

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - It was reported recently that splitvt is vulnerable to numerous buffer overflow attacks and a format string attack. An attacker was able to gain access to the tty group.

SAFER - We recommend you upgrade your splitvt package immediately.

Debian Security Advisory DSA-013: MySQL

Released January 23, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - Nicolas Gregoire has reported a buffer overflow in the mysql server that leads to a remote exploit. An attacker could gain mysqld privileges (and thus gain access to all the databases).

SAFER - We recommend you upgrade your mysql package immediately.


Linux-Mandrake Security Update MDKSA-2001:014: MySQL & php

Released January 22, 2001
Affects Mandrake Linux 7.2
Reference http://www.linux-mandrake.com/

Problem - A security problem exists in all versions of MySQL after 3.23.2 and prior to 3.23.31. The problem is that the SHOW GRANTS command could be executed by any user, making it possible for anyone with a MySQL account to get the crypted password from the mysql.user table. The new 3.23.31 version fixes this.

- Due to library changes, the previously announced PHP update (MDKSA-2001:013) has been updated as well so that the php-mysql module supports this new version of MySQL. It also corrects the upgrade scripts in the package; however, you will still need to verify that PHP support is enabled in your /etc/httpd/conf/httpd.conf Apache configuration file and that the installed modules are uncommented in your /etc/php.ini file.

SAFER - Update is available from Mandrake.

Debian Security Advisory DSA-012-1: micq

Released January 22, 2001
Affects Debian Linux 2.2
Reference http://www.debian.org/security/

Problem - PkC has reported that there is a buffer overflow in sprintf() in micq versions 0.4.6 and earlier that allows a remote attacker able to sniff packets to the ICQ server to execute arbitrary code on the victim system.

SAFER - We recommend you upgrade your micq package immediately.

Trustix security advisory: glibc

Released January 22, 2001
Affects Trustix Secure Linux (all versions)
Reference http://www.trustix.net/

Problem - Trustix is, like many other Linux distributions, based on glibc 2.1.3 and is therefore open to the "preload hole" discussed in various postings to bugtraq and other lists.

SAFER - This is a local security hole, and all users of TSL should upgrade their boxes.

Immunix OS Security Advisory IMNX-2000-62-044-01: glibc

Released January 19, 2001
Affects Immunix OS 6.2
Reference http://www.immunix.org/

Problem - There is a bug in the current version of the GNU C Library (glibc) that is shipped with Immunix Linux 6.2. This bug can allow unprivileged users to corrupt files that would normally be restricted to them (like /etc/shadow) by allowing them to preload libraries that were not specified by the system administrator.

SAFER - Packages have been created and released for Immunix 6.2 to fix this problem.


HP Security Bulletin #0137: Vulnerability in Support Tools Manager

Released January 18, 2001
Affects HP-UX 11.11, 11.00, and 10.20
Reference http://www.hp.com/

Problem - Hewlett-Packard Company has become aware of a defect in the Support Tool Manager application, typically used for hardware diagnostic purposes.

SAFER - The problem can be fully resolved by applying the appropriate patches to the system.

Linux-Mandrake Security Update MDKSA-2001:012: glibc

Released January 18, 2001
Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 and CS 1.0.1
Reference http://www.linux-mandrake.com/

Problem - The LD_PRELOAD variable in the GNU C Library is normally honoured even for SUID/SGID applications (but removed afterwards from the environment) if it does not contain '/' characters. There is a special check which only preloads found libraries if they have the SUID bit set. However, if a library has been found in /etc/ld.so.cache, this check was not performed. As a result, a malicious user could preload some library located in /lib or /usr/lib before SUID/SGID applications and create or overwrite a file he would not normally have permission to. As well, LD_PROFILE output from SUID programs would go into /var/tmp, making it vulnerable to various link attacks.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-029-01: glibc

Released January 18, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - There is a bug in the current version of the GNU C Library (glibc) that is shipped with Immunix Linux 7.0-beta. This bug can allow unprivileged users to read files that would normally be restricted (like /etc/shadow). This is done by setting the RESOLV_HOST_CONF environment variable to the file that the user wishes to read, and then running any setuid root program (like sudo or ssh). This causes the restricted file to be written to stderr.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.


Conectiva Announcement CLSA-2001:373: php4

Released January 18, 2001 Affects Conectiva Linux 6.0 Reference http://www.conectiva.com.br/

Problem - The php4 module shipped with Conectiva Linux 6.0 has two security problems that were recently made public by the PHP development team based on a report by James Moore:

- It is possible to specify PHP directives on a per-directory basis under Apache. In the vulnerable versions of PHP, a remote attacker could craft an HTTP request that would cause the next page to be served with the wrong values for these directives.

- Even though PHP is installed, it can be deactivated and activated via a directive like "engine=off" or "engine=on". This directive can be used on a per-directory basis or even per virtual host. Vulnerable versions of the php4 module could "leak" the "engine=off" setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server.

SAFER - It is recommended that all php4 module users upgrade their packages. A workaround for the second problem is to explicitly enable PHP on all virtual hosts that require it if at least one virtual host has the "engine=off" directive. 3.0.x versions of the PHP module are not affected by these problems.

Linux-Mandrake Security Update MDKSA-2001:013: php

Released January 18, 2001 Affects Mandrake Linux 7.2 Reference http://www.linux-mandrake.com/

Problem - There are two security problems with php4 as shipped in Linux-Mandrake 7.2. It is possible to specify PHP directives on a per-directory basis under Apache, and a remote attacker could carefully craft an HTTP request that would cause the next page to be served with the wrong values for these directives. The second problem is that although PHP may be installed, it can be activated and deactivated on a per-directory or per-virtual-host basis using the "engine=on" or "engine=off" directive. PHP can "leak" the "engine=off" setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server.

- These vulnerabilities are corrected in PHP 4.0.4pl1.

SAFER - Update is available from Mandrake.

Caldera Security Advisory CSSA-2001-004.0: webmin

Released January 17, 2001 Affects Caldera Linux 2.3, 2.4 Reference http://www.calderasystems.com/

Problem - On several occasions, webmin creates temporary files insecurely. This can be exploited by a local attacker to overwrite or create arbitrary files and possibly gain root privilege.

- There are no known exploits for this problem.

SAFER - The proper solution is to upgrade to the fixed packages.


Red Hat Security Advisory RHSA-2001:002-03: glibc

Released January 16, 2001 Affects Red Hat Linux 6.0, 6.1, 6.2 Reference http://www.redhat.com/

Problem - The LD_PRELOAD variable is honoured normally even for SUID/SGID applications (but removed afterwards from the environment) if it does not contain '/' characters, but there is a special check which only preloads found libraries if they have the SUID bit set. However, if a library has been found in /etc/ld.so.cache, this check was not performed. As a result, a malicious user could preload some /lib or /usr/lib library before a SUID/SGID application and create or overwrite a file he did not have permission to.

- Also, LD_PROFILE output from SUID programs would go into /var/tmp, making it vulnerable to various link attacks.

SAFER - Updates are available from Red Hat.

FreeBSD Security Advisory SA-01:03: bash1

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - The bash port, versions prior to the correction date, creates insecure temporary files when the '<<' operator is used, by using a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell. The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker.

- Therefore the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with).

- This is the same vulnerability as that described in advisory 00:76 relating to the tcsh/csh shells.

- Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in bash1 (e.g. from within a shell script).

SAFER - Upgrade your entire ports collection and rebuild the port.

Linux-Mandrake Security Update MDKSA-2001:001-02: wu-ftpd

Released January 15, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.

- All of the updated packages for Linux-Mandrake versions 6.0 through 7.1 and the packages for Corporate Server 1.0.1 installed the wrong PAM support file, which prevented anyone from logging into the FTP server.

SAFER - Correct update is now available from Mandrake.


FreeBSD Security Advisory SA-01:06: zope

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - The zope port, versions prior to 2.2.4, contains a vulnerability due to the computation of local roles not climbing the correct hierarchy of folders, sometimes granting local roles inappropriately. This may allow users with privileges in one folder to gain the same privileges in another folder.

- Zope users with privileges in one folder may be able to gain the same privileges in other folders.

SAFER - Upgrade your entire ports collection and rebuild the port.

FreeBSD Security Advisory SA-01:05: stunnel

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - The stunnel port, versions prior to 3.9, contains a vulnerability which could allow remote compromise. When debugging is turned on (using the -d 7 option), stunnel will perform identd queries of remote connections, and the username returned by the remote identd server is written to the log file. Due to incorrect usage of syslog(), a malicious remote user who can manipulate their identd username can take advantage of string-formatting operators to execute arbitrary code on the local system as the user running stunnel, often the root user.

- Malicious remote users may execute arbitrary code on the local system as the user running stunnel, under certain circumstances.

SAFER - Upgrade your entire ports collection and rebuild the port.

FreeBSD Security Advisory SA-01:04: joe

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - The joe port, versions prior to 2.8_2, contains a local vulnerability: if a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file called "DEADJOE" in the same directory as the file being edited. The creation of this copy is made without checking if the file is a symbolic link. If the file is a link, joe will append the contents of the unsaved file to the linked file: therefore if the joe editor is run on a private file in a public directory such as /tmp, an attacker can access the contents of the edited file by causing it to be appended to a world-writable file owned by the attacker if the joe process terminates abnormally.

- Malicious local users, under certain restricted conditions, may obtain read access to non-readable files edited using the joe editor.

SAFER - Upgrade your entire ports collection and rebuild the port.



FreeBSD Security Advisory SA-01:02: syslog-ng

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - The syslog-ng port, versions prior to 1.4.9, contains a remote vulnerability. Due to incorrect log parsing, remote users may cause syslog-ng to crash, causing a denial-of-service if the daemon is not running under a watchdog process which will automatically restart it in the event of failure.

- Malicious remote attackers may cause syslog-ng to crash, causing a denial-of-service if the daemon is not running under a watchdog process which will automatically restart it in the event of failure. The default installation of the port/package is therefore vulnerable to this problem.

SAFER - Upgrade your entire ports collection and rebuild the port.

FreeBSD Security Advisory SA-01:01: OpenSSH

Released January 15, 2001 Affects FreeBSD Reference http://www.freebsd.org/

Problem - If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. This is the correct behaviour. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation.

- Hostile SSH servers can access your X11 display or your ssh-agent when connected to, which may allow access to confidential data or other network accounts, through snooping of password or keying material through the X11 session, or reuse of the SSH credentials obtained through the SSH agent.

SAFER - Patch is available from FreeBSD.


PHP Security Advisory - Apache Module bugs

Released January 13, 2001 Affects PHP 4.0 through PHP 4.0.4 Reference http://www.php.net/

Problem - PHP supports a configuration mechanism that allows users to configure PHP directives on a per-directory basis. Under Apache, this is usually done using .htaccess files. Due to a bug in the Apache module version of PHP, remote 'malicious users' might be able to create a special HTTP request that would cause PHP to serve the next page with the wrong values for these directives. In certain (fairly rare) situations, this could result in a security problem.

- PHP supports the ability to be installed, and yet disabled, by setting the configuration option 'engine = off'. Due to a bug in the Apache module version of PHP, if one or more virtual hosts within a single Apache server were configured with engine=off, this value could 'propagate' to other virtual hosts. Because setting this option to 'off' disables execution of PHP scripts, the source code of the scripts could end up being sent to the end clients.

SAFER - The recommended solution is to upgrade to PHP 4.0.4pl1.

Caldera Security Advisory CSSA-2001-003.0: dhcp

Released January 12, 2001 Affects Caldera Linux 2.3, 2.4 Reference http://www.calderasystems.com/

Problem - The DHCP server and client shipped as part of OpenLinux had security problems in the error logging code. An attacker can potentially overflow a static buffer, and provide a string containing formatting directives.

SAFER - The upgrade packages can be found on Caldera's FTP site.

Trustix security advisory: diffutils, squid

Released January 12, 2001 Affects Trustix Secure Linux (all versions) Reference http://www.trustix.net/

Problem - Trustix released updated versions of the diffutils and squid packages with patches fixing insecure tempfile handling leading to potential local root compromise.

SAFER - All versions of Trustix Secure Linux are, as far as we know, vulnerable and should be updated.

Sun Security Bulletin Sun-00200: arp

Released January 12, 2001 Affects Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 7.0, 8.0 Reference http://sunsolve.sun.com/security/

Problem - The arp program displays and modifies the Internet-to-Ethernet address translation tables used by the address resolution protocol (arp). Prior to Solaris 8, arp was setgid, making it susceptible to certain setgid attacks.

- A malicious user could overflow the stack and execute shellcode which could allow unauthorized root access.

SAFER - Sun has released patches for this vulnerability.


Linux-Mandrake Security Update MDKSA-2001:011: linuxconf

Released January 12, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2, CS 1.0.1 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race problem in the vpop3d program in the linuxconf package.

SAFER - Update is available from Mandrake.

Caldera Security Advisory CSSA-2001-002.0: mgetty /tmp

Released January 12, 2001 Affects Caldera Linux 2.3, 2.4 Reference http://www.calderasystems.com/

Problem - There is a /tmp/ file problem in the fax reception code of mgetty which could allow determined attackers to overwrite system files.

SAFER - The upgrade packages can be found on Caldera's FTP site.

Microsoft Security Bulletin (MS01-001)

Released January 11, 2001 Affects Office 2000, Windows 2000, and Windows Me Reference http://www.microsoft.com/technet/security/bulletin/MS01-001.asp

Problem - The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE security settings regarding when NTLM authentication will be performed; instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user's web site, either by browsing to the site or by opening an HTML mail that initiated a session with it, an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

- The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely log on to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to log on to the target system.

SAFER - A patch from Microsoft is available to fix this vulnerability.


Red Hat Security Advisory RHSA-2001:001-05: glibc

Released January 11, 2001 Affects Red Hat Linux 7.0 Reference http://www.redhat.com/

Problem - Because of a typo in the glibc source, the RESOLV_HOST_CONF and RES_OPTIONS variables were not removed from the environment for SUID/SGID programs. The LD_PRELOAD variable is honoured normally even for SUID/SGID applications (but removed afterwards from the environment) if it does not contain '/' characters, but there is a special check which only preloads found libraries if they have the SUID bit set. If a library has been found in /etc/ld.so.cache this check was not done, though, so a malicious user could preload some /lib or /usr/lib library before a SUID/SGID application and e.g. create or overwrite a file he did not have permission to.

SAFER - Updates are available from Red Hat. In addition to fixing these security bugs, some non-security related bugs have been fixed as well, namely RPC behaviour on unconnected UDP sockets with 2.4 kernels, and an alphaev6 memcpy bug causing random crashes on alphaev6.
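The remedy in each of the glibc advisories above (Immunix, Mandrake, Red Hat) is to upgrade the C library, but a privileged program does not have to rely on the loader alone: it can drop the loader and resolver variables itself before doing anything sensitive or spawning helpers, much as sudo resets its environment. The C program below is an added example written for this digest, not code from any advisory or vendor. Its variable list is an assumption built from the names the advisories cite (LD_PRELOAD, LD_PROFILE, RESOLV_HOST_CONF, RES_OPTIONS) plus other well-known loader and resolver knobs, and the values the self-check plants are constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Names that steer the dynamic loader or the resolver. LD_PRELOAD, LD_PROFILE,
 * RESOLV_HOST_CONF and RES_OPTIONS are the ones named in the glibc advisories;
 * the rest are other well-known loader/resolver knobs (assumed list, not taken
 * from the advisories). */
static const char *const kUnsafeEnv[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_PROFILE", "LD_AUDIT",
    "LD_DEBUG", "LD_DEBUG_OUTPUT",
    "RESOLV_HOST_CONF", "RES_OPTIONS", "HOSTALIASES", "LOCALDOMAIN",
    NULL
};

/* Returns 1 if `name` must not be inherited by a privileged process, else 0.
 * Any LD_* name is treated as unsafe even if it is not in the table, so a
 * loader knob we did not think of is still dropped. */
int is_unsafe_env_name(const char *name) {
    for (const char *const *p = kUnsafeEnv; *p; p++)
        if (strcmp(name, *p) == 0) return 1;
    return strncmp(name, "LD_", 3) == 0;
}

/* Delete every unsafe variable from environ. Returns how many were removed.
 * unsetenv() compacts environ in place, so the scan restarts after each hit
 * instead of walking a pointer array that just shifted under it. */
int scrub_unsafe_env(void) {
    int removed = 0;
    int hit;
    do {
        hit = 0;
        for (char **e = environ; e && *e; e++) {
            const char *eq = strchr(*e, '=');
            size_t len = eq ? (size_t)(eq - *e) : strlen(*e);
            char name[256];
            if (len == 0 || len >= sizeof name) continue;
            memcpy(name, *e, len);
            name[len] = '\0';
            if (is_unsafe_env_name(name)) {
                unsetenv(name);
                removed++;
                hit = 1;
                break;
            }
        }
    } while (hit);
    return removed;
}

/* Self-check with constructed values: plant the variables the advisories name,
 * scrub, and confirm they are gone while an ordinary variable survives.
 * Returns 1 on success, 0 otherwise. */
int demo_scrub(void) {
    setenv("LD_PRELOAD", "/lib/libpreload.so", 1);   /* constructed value */
    setenv("RESOLV_HOST_CONF", "/etc/shadow", 1);    /* constructed value */
    setenv("RES_OPTIONS", "debug", 1);               /* constructed value */
    setenv("SAFER_DEMO_HOME", "/home/demo", 1);      /* constructed, benign */
    int removed = scrub_unsafe_env();
    const char *kept = getenv("SAFER_DEMO_HOME");
    return removed >= 3
        && getenv("LD_PRELOAD") == NULL
        && getenv("RESOLV_HOST_CONF") == NULL
        && getenv("RES_OPTIONS") == NULL
        && kept != NULL && strcmp(kept, "/home/demo") == 0;
}

int main(void) {
    printf("environment scrubbed: %s\n", demo_scrub() ? "ok" : "FAILED");
    return 0;
}
```

Run the scrub as early as possible in a setuid or setgid program, before any name resolution or exec of a helper, and treat a non-zero return as worth logging: it means a caller handed the program a loader or resolver override it had no business receiving.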

Caldera Security Advisory CSSA-2001-001.0: inn

Released January 11, 2001 Affects Caldera Linux 2.3, 2.4 Reference http://www.calderasystems.com/

Problem - INN uses a temporary directory for several operations. Those operations use it in an insecure manner, which would allow an attacker to gain access to the 'news' user. Since INN is not supposed to work in a public temporary directory, please use the described workaround to change the temp directory to a news-private one.

SAFER - Workaround is available.

Immunix OS Security Advisory IMNX-2000-70-027-01: shadow-utils

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the useradd program within the shadow-utils package. The useradd program creates its temp files in the protected directory /etc/default, but if this directory is changed to world writable, a problem could occur.

- The maintainer has been notified of this problem, and will release an update sometime in the future fixing this. A patch has been applied to our package that fixes this very minor problem now.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Debian Security Advisory DSA-011-1: mgetty

Released January 10, 2001 Affects Debian Linux 2.2 Reference http://www.debian.org/security/

Problem - Immunix reports that mgetty does not create temporary files in a secure manner, which could lead to a symlink attack. This has been corrected in mgetty 1.1.21-3potato1.

SAFER - We recommend you upgrade your mgetty package immediately.


Immunix OS Security Advisory IMNX-2000-70-026-01: rdist

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the rdist program. The maintainer has been notified of this problem, and will release an update sometime in the future fixing this. A patch has been applied to our package that fixes the problem now.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Immunix OS Security Advisory IMNX-2000-70-025-01: getty_ps

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the getty_ps program. A patch has been applied that fixes this problem; however, the maintainer of the program never responded to our email message about this problem.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Immunix OS Security Advisory IMNX-2000-70-024-01: diffutils

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the sdiff program within the diffutils package. A patch has been applied that fixes this problem, and the maintainers assure us that an updated release of the diffutils package will occur in the future with this problem solved.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Immunix OS Security Advisory IMNX-2000-70-023-01: inn

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the inn program. This is partly due to the way that the inn program is compiled and set up on Immunix Linux, and partly due to the lack of information in the inn program detailing potential security problems if you do not tell inn to use a private temporary directory. We have applied a patch that creates temporary files safely for inn, AND moved all temp file creation by inn into its own private directory, which should solve this problem.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.


Immunix OS Security Advisory IMNX-2000-70-022-01: wu-ftpd

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the privatepw helper program in the wu-ftpd package. The maintainers of the wu-ftpd package have placed a patch to fix this on their FTP site. Thanks go out to them for responding so quickly.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Linux-Mandrake Security Update MDKSA-2001:010: inn

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the inn program. This condition is due partly to the way inn is compiled and configured on some Linux distributions, including Linux-Mandrake, and partly to the lack of information in the inn package detailing potential security problems if you do not tell inn to use a private temporary directory. The patch supplied by WireX that creates temporary files correctly has been applied, and the temporary directory that inn uses has been moved from /usr/tmp to /var/spool/news/tmp, which is available solely to the news user that inn runs as.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-021-01: gpm

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the gpm program. The gpm package is currently unmaintained, but the author has placed a patch to fix this in the updates directory for the gpm program.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Linux-Mandrake Security Update MDKSA-2001:009: mgetty

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the mgetty program. All versions of mgetty prior to 1.1.24 are vulnerable.

SAFER - Update is now available from Mandrake.


Linux-Mandrake Security Update MDKSA-2001:008-1: diffutils

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the sdiff program within the diffutils package.

SAFER - Update is available from Mandrake.

Linux-Mandrake Security Update MDKSA-2001:007: shadow-utils

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the useradd program contained in the shadow-utils package. The useradd program creates its temporary files in the protected directory /etc/default, but if this directory is changed to world writable, a problem could occur. The update corrects the problem.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-020-01: mgetty

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the mgetty program. The mgetty maintainer has applied a patch to fix this, and has made a new release with this fix in it. Thanks go out to them for responding so quickly.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Linux-Mandrake Security Update MDKSA-2001:006: gpm

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the gpm program.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-019-01: linuxconf

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the vpop3d program in the linuxconf package. The linuxconf maintainers have applied a patch to fix this, and have made a new release with this fix in it. Thanks go out to them for responding so quickly.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.


Linux-Mandrake Security Update MDKSA-2001:005: rdist

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the rdist program.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-018-01: squid

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the way that the squid package sends out email notifying the admin about updating the program. This usually only happens if you are running a development version of squid, or if the clock on your system is incorrect.

- The squid maintainers have applied a patch to fix this, which can be found in the latest version of both the development and stable releases of squid. Thanks go out to them for responding so quickly.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Linux-Mandrake Security Update MDKSA-2001:004: getty_ps

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the getty_ps program.

SAFER - Update is available from Mandrake.

Immunix OS Security Advisory IMNX-2000-70-017-01: arpwatch

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the arpwatch program, which is a part of the tcpdump package. This problem had been fixed in a more recent version of the arpwatch program.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix this problem.

Linux-Mandrake Security Update MDKSA-2001:003: squid

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the way that squid sends out email messages notifying the administrator about updating the program. Usually this will only happen if you are running a development version of squid or if the clock on your system is incorrect. This problem has been corrected in the latest stable and development versions of squid.

SAFER - Update is available from Mandrake.


Immunix OS Security Advisory IMNX-2000-70-016-01: Apache

Released January 10, 2001 Affects Immunix OS 7.0-beta Reference http://www.immunix.org/

Problem - In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the Apache helper programs htdigest and htpasswd. We notified the Apache development team but never received a response.

SAFER - Packages have been created and released for Immunix 7.0 beta to fix these problems.

Linux-Mandrake Security Update MDKSA-2001:002: arpwatch

Released January 10, 2001 Affects Mandrake Linux 6.0, 6.1, 7.0, 7.1, 7.2 Reference http://www.linux-mandrake.com/

Problem - WireX discovered a potential temporary file race condition in the arpwatch program. This problem has been corrected in arpwatch version 2.1a10.

SAFER - Update is available from Mandrake.
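The bash1 '<<' entry, the joe DEADJOE entry and the long run of WireX/Immunix temporary-file advisories above (wu-ftpd, mgetty, diffutils, inn, gpm, rdist, getty_ps, squid, arpwatch, htpasswd) all describe one bug class: a process opens a guessable name in a shared directory without O_EXCL, so a link planted there beforehand is silently followed. The C program below is an added illustration for this digest, not code from any of the advisories or affected projects. It stages the scenario in a private scratch directory with constructed file names and contents, and places the weak open beside the two hardened variants: O_CREAT|O_EXCL, which is what mkstemp() relies on, and O_NOFOLLOW for append-to-existing-file cases like the joe rescue copy.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The weak pattern the advisories describe: a name anyone can guess (the
 * caller's PID, as in the bash '<<' case), opened with O_CREAT but without
 * O_EXCL, so a symlink already sitting at that path is followed and the
 * victim's data is written wherever the link points. */
int open_tmp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, a dangling symlink
 * included, already exists at the path. mkstemp() does exactly this with a
 * random name, which is why every fix above reaches for it. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* For "append to a rescue file" cases like DEADJOE: never write through a
 * link; O_NOFOLLOW makes the open fail with ELOOP instead. */
int open_append_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
}

static int read_small(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (int)got;
}

/* Constructed scenario in a private scratch directory: a file "victim" holds
 * data, and a symlink with the predictable name points at it (the planted
 * link a local user could leave in a shared /tmp). Returns a bitmask:
 *   1  the predictable open followed the link and overwrote "victim"
 *   2  the O_EXCL open refused with EEXIST
 *   4  the O_NOFOLLOW open refused with ELOOP
 * so 7 means all three behaviours were observed; -1 means setup failed. */
int tmpfile_race_demo(void) {
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[300], victim[340], link[340], buf[64];
    snprintf(dir, sizeof dir, "%s/saferdemoXXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sh%d", dir, (int)getpid());

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);           /* constructed content */
    fclose(f);
    if (symlink(victim, link) != 0) return -1;

    int result = 0;
    int fd = open_tmp_predictable(link);
    if (fd >= 0) {
        ssize_t w = write(fd, "heredoc text\n", 13);
        (void)w;
        close(fd);
        if (read_small(victim, buf, sizeof buf) >= 0 && strcmp(buf, "heredoc text\n") == 0)
            result |= 1;                     /* victim was clobbered through the link */
    }
    fd = open_tmp_exclusive(link);
    if (fd < 0 && errno == EEXIST) result |= 2; else if (fd >= 0) close(fd);
    fd = open_append_nofollow(link);
    if (fd < 0 && errno == ELOOP) result |= 4; else if (fd >= 0) close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = tmpfile_race_demo();
    printf("predictable open followed link: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL refused planted link:    %s\n", (r & 2) ? "yes" : "no");
    printf("O_NOFOLLOW refused link:        %s\n", (r & 4) ? "yes" : "no");
    return 0;
}
```

When reviewing a helper that writes into /tmp or /var/tmp, the two things to look for are exactly the ones this demo separates: is the name unguessable, and is the open atomic (O_EXCL, or mkstemp/mkdtemp) so that a pre-placed link turns into an error rather than a write to someone else's file.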

HP Security Bulletin #0136: Vulnerability in inetd(1M)

Released January 09, 2001 Affects HP-UX 11.20, 10.24, 11.00 and 11.04 Reference http://www.hp.com/

Problem - A server that uses the 'swait' state in the /etc/inetd.conf file can be made to interfere with one or more services started by inetd. This affects only installations where configuration alterations have been done to include 'swait' service entries. The standard configuration of the Internet Services product, InternetSrvcs, provided by Hewlett-Packard, including telnetd, ftpd, rlogind, etc., will not exhibit the behavior in question. This is a possible denial of service.

SAFER - Install the appropriate patch.

Conectiva Announcement CLSA-2001:369: slocate

Released January 04, 2001
Affects Conectiva Linux 4.0, 4.0es, 4.1, 4.2, 5.0, e-commerce and graphic tools, 5.1, 6.0
Reference http://www.conectiva.com.br/
Problem - "slocate" is a program which catalogues existing files and allows for a quick lookup later. There is a vulnerability present in previous versions. By giving it a crafted database, an attacker could make slocate execute arbitrary code as the "slocate" user.

- Additionally, a bug which caused slocate to segfault with large pathnames was fixed.

SAFER - All users should upgrade the slocate package.


DENIAL-OF-SERVICE

Denial-of-service attacks are becoming an increasing concern. Below is a compilation of denial-of-service security problems found in January 2001.

Microsoft Windows NT 4.0 Mutex DoS Vulnerability

Released January 29, 2001
Affects Microsoft Windows NT 4.0, NT Terminal Server
Reference http://www.securityfocus.com/bid/2303
Problem - A mutex is a Windows NT 4.0 synchronization object which allows multiple threads to coordinate access to shared resources. When a network resource (program, file, etc.) is started, a mutex is created and locked by the owning thread. If other threads attempt to access the resource, the system queues them, and each gains control (the lock) once the mutex becomes available.

- Microsoft Windows NT 4.0 is subject to a denial of service due to the permissions set on the mutex. A local user could gain control of the mutex on a networked machine and deny all network communication.

- A restart of the machine would be required in order to regain normal functionality.

SAFER - Microsoft has released a patch which addresses this issue.

Netscape Enterprise Server Web Publishing DoS Vulnerability

Released January 25, 2001
Affects Netscape Enterprise Server 3.0
Reference http://www.safermag.com/advisories/
Problem - A denial of service condition exists in Netscape Enterprise Server when Web Publishing is enabled. If a remote user connects to the server and submits the specially crafted request 'REVLOG / HTTP/1.0', the server will crash. The request may have to be submitted several times to produce the expected result. A restart of the server is required in order to regain normal functionality.

- Successful exploitation of this vulnerability could assist in further attacks against the victim host.

SAFER - Workaround is to disable Web Publishing, or to disable the REVLOG request.

Netopia R9100 Router Denial of Service Vulnerability

Released January 24, 2001
Affects Netopia R9100 Router firmware 4.6
Reference http://www.securityfocus.com/bid/2287
Problem - Under very specific circumstances, it is possible to cause the affected router to halt. By attempting to make a looped connection from the router's IP address back to the same address, the unit will crash. This vulnerability has implications for system logging. Typically, all user connections and disconnections are logged by the device. If an attacker attempts to delete logs, there is still a trace of his presence when logging out. However, it is possible for this 'trace' to be subverted by crashing the system before a disconnect record is made.

- While the crash itself is logged, the system is unable to log the user who caused it. Thus, it is possible for the user to delete all traces of malicious activity, then crash the system. Doing so will prevent the user's disconnection from being recorded. This may allow an attacker to execute further attacks on the router or other hosts on its network.

SAFER - Vendor advises updating the unit to a current firmware version, 4.8.2 or later.


Netscape Enterprise Server DoS Vulnerability

Released January 24, 2001
Affects Netscape Enterprise Server 4.1SP5
Reference http://www.securityfocus.com/bid/2282
Problem - It is possible for a remote user to crash Netscape Enterprise Server. A maliciously crafted GET request composed of approximately 1344 '../' character sequences will make the server stop responding. This affects both the web service and the admin service. A restart of the server service is required in order to regain normal functionality.

- It should be noted that the request has to be sent twice to produce the expected result: Netscape Enterprise Server restores both services after the first incident.

SAFER - We are not aware of any solutions for this issue.

Iris GET Denial of Service Vulnerability

Released January 24, 2001
Affects eEye Digital Security IRIS 1.0.1
Reference http://www.securityfocus.com/bid/2278
Problem - A maliciously formed packet sent to Iris by a remote attacker will, upon being opened in the program for analysis by a user, cause Iris to terminate. The crash is caused by an inability of Iris to handle packets with malformed values in their headers.

- It should be noted that in order to properly exploit this issue, the invalid packet must be opened by a user in Iris.

SAFER - We are not aware of any solutions for this issue.

Netscape FastTrack Cache Module DoS Vulnerability

Released January 23, 2001
Affects Netscape FastTrack Server 4.0.1
Reference http://www.securityfocus.com/bid/2273
Problem - Netscape FastTrack Server is subject to a denial of service. The cache module within Netscape FastTrack Server caches entries for nonexistent but syntactically legitimate URLs, and this cached information is kept for approximately thirty minutes. If nonexistent URLs are continuously requested, Netscape FastTrack Server will consume all available memory, causing the server to exhibit diminished performance and, potentially, to stop responding entirely. A restart of the service is required in order to regain normal functionality.

- Successful exploitation of this vulnerability could assist in further attacks against the victim host.

SAFER - We are not aware of any solutions for this issue.


Check Point Firewall-1 4.1 Denial of Service Vulnerability

Released January 23, 2001
Affects Check Point Software Firewall-1 4.1, 4.1 SP2, 4.1 SP3
Reference http://www.securityfocus.com/bid/2238
Problem - A problem with the license manager used with the Firewall-1 package could allow a denial of service. The problem manifests itself when the internal interface receives a large number of source-routed packets containing fictitious (or even valid) addresses. On a system whose license covers a limited number of protected IP addresses, the license manager calculates the protected address space by counting the addresses crossing the internal interface. When the large number of packets cross the internal interface, each IP address is added to the count of addresses under license coverage. Once the number of covered IP addresses is exceeded, an error message is generated on the console for each IP address outside the covered range, and with each error message generated the load on the firewall's CPU rises. This makes it possible for a user with malicious motives to make a firewall system inaccessible from the console by sending a large number of IP addresses to the internal interface.

SAFER - Check Point Software has acknowledged this vulnerability and a workaround is available. This issue will be resolved in the next service pack.

GoodTech FTP Server Denial of Service

Released January 23, 2001
Affects GoodTech FTP Server NT/2000/95/98 3.0.1
Reference http://www.securityfocus.com/bid/2270
Problem - If an attacker makes an unusual number of connections to the FTP server, approximately 2060-2080 connections, GoodTech FTP Server will either crash or refuse any new connections. Which of the two happens depends on the rate at which the connections are made: if they are made rapidly the server will crash; if they are made more slowly, the FTP banner is displayed followed by an immediate disconnection. A restart of the service is required in order to regain normal functionality.

- Successful exploitation of this vulnerability could assist in further attacks against the victim host.

SAFER - GoodTech has addressed this issue in a new version of GoodTech FTP Server.

Fastream FTP++ Denial of Service Vulnerability

Released January 22, 2001
Affects Fastream FTP++ Server 2.0
Reference http://www.securityfocus.com/bid/2261
Problem - Fastream FTP++ is subject to a denial of service. Once a user has logged into the FTP server, sending a command with a malformed argument of 2048 bytes or more will cause the Fastream FTP++ server to stop responding. New connections to the server will be accepted but will not respond to any commands.

- Successful exploitation of this vulnerability could assist with further attacks against the victim host.

SAFER - We are not aware of any solutions for this issue.


HP-UX Support Tools Manager Denial of Service Attack

Released January 19, 2001
Affects HP-UX 10.20, 11.0, 11.11
Reference http://www.securityfocus.com/bid/2239
Problem - A potential denial of service has been discovered in the three tools included with the Support Tools Manager (xstm, cstm and stm). There are currently few details on this vulnerability. This problem affects HP9000 servers in the 700 and 800 series.

SAFER - Patches are available from HP.

Veritas Backup Denial of Service Vulnerability

Released January 15, 2001
Affects Veritas Software Backup 4.5
Reference http://www.securityfocus.com/bid/2204
Problem - Veritas offers a Linux agent which listens on port 8192. If an attacker connects to this service but does not send any data, the service will block until the connection is terminated. The result is a denial of service. This condition is likely due to improper handling of network I/O.

- A restart of this service is required in order to regain normal functionality.

SAFER - We are not aware of any solutions for this issue.
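The failure mode above, a single service thread blocked in a read on a client that never sends anything, is fixed by bounding how long any one connection may stay silent. As an added example (not the Veritas agent's code; the PING/PONG protocol, the port selection and the one-second limit are invented for the demonstration), here is a single-threaded accept loop with a per-connection timeout, exercised by an idle client followed by a real one:

```python
import socket
import threading

# Added example, not the Veritas agent's protocol or code.  "PING"/"PONG" and
# the timeout value are constructed for the demonstration.

IDLE_TIMEOUT = 1.0   # seconds a client may stay silent before it is dropped


def serve(listener, max_conns, timeout=IDLE_TIMEOUT):
    """Single-threaded accept loop, hardened against silent clients.

    Without a timeout, conn.recv() on a client that connects and sends nothing
    blocks forever and no later client is ever served, which is the condition
    the advisory describes.  A per-connection timeout turns that into a
    bounded wait after which the idle client is dropped and the loop moves on.
    Serves `max_conns` connections and returns counters.
    """
    stats = {"served": 0, "timed_out": 0}
    for _ in range(max_conns):
        conn, _addr = listener.accept()
        conn.settimeout(timeout)          # the one line that removes the hang
        try:
            data = conn.recv(64)
            if data.strip() == b"PING":
                conn.sendall(b"PONG\n")
            stats["served"] += 1
        except socket.timeout:
            stats["timed_out"] += 1       # idle client evicted, loop continues
        finally:
            conn.close()
    return stats


def run_scenario():
    """Idle client first, real client second; returns the real client's reply
    and the server's counters."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # ephemeral port, loopback only
    listener.listen(5)
    port = listener.getsockname()[1]

    result = {}
    server = threading.Thread(target=lambda: result.update(serve(listener, 2)))
    server.start()

    idle = socket.create_connection(("127.0.0.1", port))   # connects, says nothing
    real = socket.create_connection(("127.0.0.1", port))
    real.settimeout(10)
    real.sendall(b"PING\n")
    reply = real.recv(64)                 # arrives once the idle client is dropped

    idle.close()
    real.close()
    server.join()
    listener.close()
    return reply, result


if __name__ == "__main__":
    print(run_scenario())
```

With the `settimeout` line removed, `run_scenario()` never returns: the idle connection is accepted first and the loop sits in `recv()` on it, which is exactly the blocked state the advisory reports. A production agent would also cap concurrent connections and serve them from a pool rather than one at a time, but the timeout alone is what turns an indefinite outage into a one-second delay.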

WebMaster ConferenceRoom Developer Edition DoS Vulnerability

Released January 10, 2001
Affects WebMaster ConferenceRoom 1.8.1
Reference http://www.securityfocus.com/bid/2178
Problem - It is possible to cause a denial of service in ConferenceRoom. By making duplicate connections and executing special server commands in both sessions, ConferenceRoom will crash and refuse any new connections. A restart of the service is required in order to regain normal functionality.

SAFER - WebMaster has addressed this issue in the release of ConferenceRoom 1.8.2a.

NetScreen Firewall Denial of Service Vulnerability

Released January 08, 2001
Affects NetScreen Screen OS 1.73r1, 2.10r3, 2.1r6, 2.5r6
Reference http://www.securityfocus.com/bid/2176
Problem - It is possible to cause a denial of service in the NetScreen firewall. Requesting an unusually long URL from the WebUI, which listens on port 80 by default, will cause the firewall to crash. A restart of the service is required in order to regain normal functionality.

SAFER - NetScreen has released a fix for this issue.


IBM HTTP Server AfpaCache DoS Vulnerability

Released January 08, 2001
Affects IBM HTTP Server 1.3.12.2
Reference http://www.securityfocus.com/bid/2175
Problem - IBM HTTP Server is subject to a denial of service. Sending multiple malformed HTTP GET requests causes kernel memory to be consumed and eventually leads to a denial of service. This condition is due to the AfpaCache module not releasing the memory allocated for requests it answers with "Bad Request". A restart of the service is required in order to regain normal functionality.

- It should be noted that WebSphere is built on IBM HTTP Server and is subject to this vulnerability.

SAFER - Peter <[email protected]> has provided the following workaround: comment out the three lines beginning with "Afpa" in the httpd.conf file (located in the conf directory in the web server folder).

StorageSoft ImageCast IC3 DoS Vulnerability

Released January 08, 2001
Affects StorageSoft ImageCast IC3 4.1
Reference http://www.securityfocus.com/bid/2174
Problem - ImageCast IC3 is subject to a denial of service. Sending unusually long strings to the ICCC service listening on port 12002 makes the program consume all available CPU time and refuse any new connections. Additionally, sending multiple packets containing long strings to port 8081 will cause the ICCC service (ICCC.exe) to crash completely. A restart of the application is required in order to regain normal functionality.

SAFER - This vulnerability will be addressed in a later release of ImageCast IC3. The release date is not yet known.

Solaris mailx Lockfile Denial Of Service Vulnerability

Released January 03, 2001
Affects Sun Solaris 2.6, 7.0, 8.0
Reference http://www.securityfocus.com/bid/2169
Problem - The problem involves lock files in the /var/mail directory. By default, the /var/mail directory is world writable as deployed with the Solaris Operating Environment. When a file named $LOGNAME.lock is created in the /var/mail directory, it is possible to deny service to the legitimate user of mailx if that user cannot remove the $LOGNAME.lock file. This makes it possible for a user with malicious intent to deny service to any user of mailx.

SAFER - We are not aware of any solutions for this issue.
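With no vendor fix available, the practical response is to watch for the condition: a `<user>.lock` in the spool that `<user>` does not own. The following audit is an added example, not a Sun tool or anything from the advisory; it reports foreign-owned lock files and whether the directory's permissions (world-writable, sticky bit) allow anyone to plant one and leave it unremovable. The spool directory, file names and the passwd table in `demo()` are constructed for the demonstration; on a real host, point `audit_lockfiles()` at /var/mail and keep the default passwd-based lookup.

```python
import os
import pwd
import stat
import tempfile

# Added example, not a Sun tool.  The spool directory, user names and the
# passwd table used by demo() are constructed for the demonstration.


def uid_from_passwd(name):
    """Resolve a login name to a uid via the system passwd database."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_lockfiles(spool, uid_for=uid_from_passwd):
    """Find <user>.lock files in `spool` that <user> does not own.

    mailx names its lock file after $LOGNAME, and any local user can create
    that name in a world-writable spool; with the sticky bit set the victim
    cannot remove someone else's file, so the mailbox stays locked.  Returns
    the directory's permission flags plus (filename, expected_user, owner_uid)
    for every suspicious lock.  `uid_for` is injectable so the audit can run
    against a constructed passwd table in a test.
    """
    st = os.stat(spool)
    report = {
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "foreign_locks": [],
    }
    for name in sorted(os.listdir(spool)):
        if not name.endswith(".lock"):
            continue
        user = name[:-len(".lock")]
        owner = os.lstat(os.path.join(spool, name)).st_uid   # lstat: do not follow links
        expected = uid_for(user)
        if expected is None or owner != expected:            # unknown user or wrong owner
            report["foreign_locks"].append((name, user, owner))
    return report


def demo():
    """Constructed spool: our uid plays 'alice', so the 'bob.lock' we create
    is a lock planted by someone other than bob.  Returns (report, our_uid)."""
    spool = tempfile.mkdtemp(prefix="spool-")
    os.chmod(spool, 0o1777)                 # Solaris-style world-writable, sticky /var/mail
    me = os.getuid()
    for name in ("alice", "alice.lock", "bob.lock"):
        open(os.path.join(spool, name), "w").close()
    table = {"alice": me, "bob": me + 1}    # constructed passwd table
    return audit_lockfiles(spool, uid_for=table.get), me


if __name__ == "__main__":
    print(demo())
```

Run periodically (or from the helpdesk when a user reports mailx refusing to open the mailbox), a non-empty `foreign_locks` list names both the victim and the uid that planted the file.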


SAFER ADVISORIES

The following advisories have been researched by our own lab. We will report discoveries and relevant updates on a monthly basis.

S.A.F.E.R. Security Bulletin 010123.EXP.1.10

Title Buffer overflow in Lotus Domino SMTP Server
Released January 23, 2001
Affects Lotus Notes/Domino 5 (up to and including 5.05)
Reference http://www.safermag.com/
Problem - A buffer overflow exists in the Lotus Domino SMTP server which can lead to denial of service or to remote execution of code in the context of the user the SMTP server runs as.

- Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying rules. Improper bounds checking allows a remote user to overflow a buffer and execute arbitrary code. If the policy is enabled to check the domain name, it is possible to trigger the overflow.

- This vulnerability has been confirmed on the Notes release for Linux and Windows. Other platforms have not been tested.

SAFER - Lotus was informed about this problem on November 2nd, 2000. That mail was 'silently ignored', but the problem has since been fixed in the 5.0.6 release, which Lotus confirmed in response to our second report on January 8th. Fix details at: http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument. Lotus describes it as a 'potential denial of service attack'; it is more serious than a DoS, since code execution is possible. All users of the policy feature should upgrade to Notes/Domino 5.0.6.

S.A.F.E.R. Security Bulletin 010124.EXP.1.11

Title Netscape Enterprise Server - INDEX request problem
Released January 24, 2001
Affects Netscape Enterprise Server 3.x and 4.x with Web Publishing enabled
Reference http://www.safermag.com/
Problem - A problem exists that allows a remote user to obtain directory listings from a remote site running Web Publishing.

- It is possible to obtain a directory listing from the remote web server by issuing the request INDEX / HTTP/1.0.

- The INDEX request will not work on 'aliased' directories (CGI directories and similar).

SAFER - Netscape has been contacted on multiple occasions, the first time more than a year ago. Although other problems we have reported have been fixed, we have received no response on this issue to date. Workaround is to disable Web Publishing, or to disable the INDEX request (which will most likely break the web publishing feature).


S.A.F.E.R. Security Bulletin 010125.EXP.1.12

Title PlanetIntra - Buffer Overflow
Released January 25, 2001
Affects PlanetIntra v2.5 software
Reference http://www.safermag.com/
Problem - A buffer overflow exists in the PlanetIntra software that allows remote execution of code.
Details - A buffer overflow (at least one, possibly more) exists in the 'pi' binary which allows a remote user to execute commands on the target system. For example, a request like GET /cgi-bin/pi?page=document/show_file&id=<A x 10024> will trigger the overflow.

SAFER - We are aware that a patch for this issue has been made, but we have never received an official response/confirmation, and we do not know whether the current version available for download (http://www.planetintra.com) is vulnerable to this problem.

S.A.F.E.R. Security Bulletin 010125.DOS.1.5

Title Netscape Enterprise Server - REVLOG request problem
Released January 25, 2001
Affects Netscape Enterprise Server 3.x with Web Publishing enabled
Reference http://www.safermag.com/
Problem - A problem exists that allows a remote user to crash Netscape Enterprise Server.

- It is possible to crash Netscape Enterprise Server by issuing REVLOG / HTTP/1.0. The request might have to be repeated a few times in order to crash NES completely.

SAFER - Netscape has been contacted on multiple occasions, the first time more than a year ago. Although other problems we have reported have been fixed, we have received no response on this issue to date. Workaround is to disable Web Publishing, or to disable the REVLOG request.
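Several items in this issue are request-level anomalies that a web server's access log would show: the INDEX and REVLOG requests against Netscape Enterprise Server Web Publishing, the GET of roughly 1344 '../' sequences against NES 4.1, the 10024-byte id parameter sent to PlanetIntra's pi binary, the overlong URL that crashes the NetScreen WebUI, and the repeated "Bad Request" responses that leak AfpaCache memory in IBM HTTP Server. The following detector is an added example, not from any of those advisories; it flags all of them in Common Log Format lines. The log lines are constructed to mirror the requests described, not captured traffic, and the thresholds are assumptions picked from the figures the advisories quote.

```python
import re
from collections import Counter

# Added example.  SAMPLE_LOG is constructed to mirror the requests described in
# this issue's advisories; it is not a captured server log.  Thresholds are
# assumptions picked from the figures the advisories quote.

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S*)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
MAX_TARGET_LEN = 2048      # FTP++ hangs at a 2048-byte argument; NetScreen WebUI and
                           # PlanetIntra's 10024-byte id are overlong requests too
TRAVERSAL_LIMIT = 256      # NES 4.1 dies at ~1344 "../"; nothing legitimate needs 256
BAD_REQUEST_BURST = 5      # repeated 400s from one source: the AfpaCache leak pattern


def parse_line(line):
    """Common Log Format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return a list of (kind, source_ip, detail) findings for the log lines."""
    findings = []
    bad_requests = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", None, line[:60]))
            continue
        src, method, target = rec["src"], rec["method"], rec["target"]
        if method not in STANDARD_METHODS:
            # INDEX / REVLOG against Netscape Enterprise Server Web Publishing
            findings.append(("nonstandard-method", src, method))
        hops = target.count("../")
        if hops >= TRAVERSAL_LIMIT:
            findings.append(("traversal-flood", src, hops))
        if len(target) > MAX_TARGET_LEN:
            findings.append(("overlong-request", src, len(target)))
        if rec["status"] == "400":
            bad_requests[src] += 1
    for src, n in sorted(bad_requests.items()):
        if n >= BAD_REQUEST_BURST:
            findings.append(("bad-request-burst", src, n))
    return findings


def _line(src, day, request, status, size="0"):
    """Build one constructed CLF line for the sample below."""
    return '%s - - [%s/Jan/2001:10:00:00 +0000] "%s" %s %s' % (src, day, request, status, size)


SAMPLE_LOG = [
    _line("10.0.0.2", "24", "GET /index.html HTTP/1.0", "200", "1234"),          # benign
    _line("10.0.0.5", "24", "INDEX / HTTP/1.0", "200", "1520"),                  # NES directory listing
    _line("10.0.0.5", "25", "REVLOG / HTTP/1.0", "500"),                         # NES crash request
    _line("10.0.0.9", "24", "GET /" + "../" * 1344 + " HTTP/1.0", "500"),        # NES 4.1 traversal flood
    _line("10.0.0.7", "25", "GET /cgi-bin/pi?page=document/show_file&id="
          + "A" * 10024 + " HTTP/1.0", "500"),                                  # PlanetIntra overflow
] + [_line("10.0.0.3", "08", "GET /%zz HTTP/1.0", "400") for _ in range(6)]     # AfpaCache 400 burst


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The traversal line trips both the traversal and the overlong rule, which is intended: each rule stands on its own so that a shorter '../' flood or a long but traversal-free URL is still caught. Feed `analyse()` real access-log lines (one string per line) to run it against a server.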


UNDERGROUND TOOLS

Here are the new tools that hackers/crackers will soon use against your systems. We do not recommend that you use such tools against any resources without prior authorization. We only list new tools published since the last issue of SAFER.

SCANNERS

nessus-1.0.7a.tar.gz Vulnerability scanner

arp-scan.c A tool which scans for alive hosts in a subnet using ARP packets.

sara-3.3.3.tar.gz Vulnerability scanner

EXPLOITS

nsfcheck.pl Exploit for Lotus Domino Server Directory Traversal Vulnerability

arpexp.c Exploit for Solaris arp Buffer Overflow Vulnerability

changerc.sh Exploit for SuSE rctab Race Condition Vulnerability

rcshell.sh Exploit for SuSE rctab Race Condition Vulnerability

spitvt.c Exploit for splitvt Format String Vulnerability

omnismash.pl Exploit for OmniHTTPD File Corruption and Command Execution Vulnerability

PKCtiny-ex.c Exploit for Tinyproxy Heap Overflow Vulnerability

wins2.pl Exploit for Microsoft WINS Domain Controller Spoofing Vulnerability

ssh1-exploit.c Exploit for SSH Secure-RPC Weak Encrypted Authentication Vulnerability

hpdisplay.c Exploit for HP JetDirect LCD Display Modification Vulnerability

sesquipedalian.c Exploit for Multiple Linux Vendor Zero-Length Fragment Vulnerability

micq-exp.c Exploit for mICQ Remote Buffer Overflow Vulnerability

MySQLXploit.c Exploit for Mysql Local Buffer Overflow Vulnerability

PKCicecast-ex.c Exploit for Icecast print_client() Buffer Overflow Vulnerability

cnt-exploit.pl Exploit for textcounter.pl Arbitrary Command Execution Vulnerability


ecepass.tgz Exploit for FreeBSD ipfw Filtering Evasion Vulnerability

mailmax-xpl.c Exploit for SmartMax MailMax SMTP Buffer Overflow Vulnerability

ns-shtml.pl Exploit for buffer overflow in Netscape Enterprise Server (iPlanet Web Server)

nlps_server.c Exploit for Solaris x86 nlps_server Buffer Overflow Vulnerability

ximp40-ex.c Exploit for Solaris ximp40 Library Buffer Overflow Vulnerability

DENIAL-OF-SERVICE

naptha-1.1.tgz DoS against various OS’s using established TCP connections in order to exhaust resources

mailx-lock.sh Exploit for Solaris mailx Lockfile Denial Of Service Vulnerability

proftpDoS.java Exploit for ProFTPD Remote Denial of Service Vulnerability

beck2.zip Exploit for Apache Web Server DoS Vulnerability

qmail.pl Exploit for QMail RCPT Denial of Service Vulnerability

qmail.c Exploit for QMail RCPT Denial of Service Vulnerability

iris-dos.c Exploit for Iris GET Denial of Service Vulnerability

thong.pl DoS attacks against Cisco routers/switches

PASSWORD CRACKERS

NONE

OTHER

ettercap-0.1.0.beta.tar.gz Ettercap is a network sniffer/interceptor/logger for switched LANs

frel-1.0.beta.tgz Modified version of "fragrouter", used to evade NIDS.


STATISTICS - JANUARY 2001

[Chart: Total number of vulnerabilities published in SAFER 33]
Security Alerts: 115
Security Advisories: 111
Denial-of-Service: 24
Total: 226
Problem without fix: 37

[Chart: Number of security advisories published in SAFER 33, by vendor]
Mandrake 20, FreeBSD 19, Debian 16, Immunix 15, Caldera 8, Red Hat 7, Conectiva 6, Microsoft 5, HP 3, Trustix 3, SuSE 3, Allaire 1, Cisco 1, Oracle 1, TurboLinux 1, PHP 1, Sun 1.