LinuxQuestions.org
Old 10-09-2003, 06:10 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Oct 09th 2003


Oct 6th 2003
18 of 40 issues handled (SF)
1. marbles Local Home Environment Variable Buffer Overflow Vuln.
2. SMC Router Random UDP Packet Denial Of Service Vulnerability
7. freesweep Environment Variable Handling Buffer Overflow Vuln.
8. GuppY HTML Injection Vulnerability
9. Multiple Geeklog Vulnerabilities
15. Webfs HTTP Server Information Disclosure Vulnerability
16. Apache2 MOD_CGI STDERR Denial Of Service Vulnerability
17. WebFS Long Pathname Buffer Overrun Vulnerability
20. Mah-Jong MJ-Player Server Flag Local Buffer Overflow Vuln.
23. OpenSSL ASN.1 Parsing Vulnerabilities
26. Silly Poker Local HOME Environment Variable Buffer Overrun Vuln.
27. Invision Power Board Insecure Permissions Vulnerability
29. Multiple DCP-Portal SQL Injection Vulnerabilities
34. Mutant Penguin MPWeb PRO Directory Traversal Vulnerability
35. OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vuln.
37. FreeBSD Kernel ProcFS Handler UIO_Offset Integer Overflow Vuln.
38. FreeBSD Kernel Readv() Integer Overflow Vulnerability
40. Inter7 VPopMail Configuration File Insecure Default Permission

Oct 06th 2003
24 of 41 issues handled (ISS)
Overture Keyword field in search page allows cross-
Invision Power Board allows access to conf_global
GuppY postguest.php cross-site scripting
webfs long pathname buffer overflow
webfs "dot dot" directory traversal
Geeklog multiple scripts SQL injection
Geeklog multiple scripts cross-site scripting
OpenSSL ASN.1 denial of service
OpenSSL ASN.1 SSL certificate denial of service
OpenSSL public key denial of service
mj-server long parameter buffer overflow
OpenSSL fails to properly parse certificates
Geeklog shoutbox allows cross-site scripting
SSH Sentinel BER/DER packet denial of service
silly Poker buffer overflow in HOME environment
IBM DB2 LOAD command buffer overflow
IBM DB2 INVOKE buffer overflow
DCP-Portal advertiser.php SQL injection
DCP-Portal lostpassword.php script allows SQL
DCP-Portal advertiser.php path disclosure
VisualRoute LAN topology disclosure
OpenSSL SSLv2 CLIENT_MASTER_KEY denial of service
FreeBSD readv could leak sensitive file descriptors
FreeBSD procfs integer overflow/underflow
 
Old 10-09-2003, 06:11 PM   #2
unSpawn
Moderator
 
Oct 06th 2003 (ISS)

Internet Security Systems


Date Reported: 10/02/2003
Brief Description: Overture Keyword field in search page allows cross-
site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Overture Any version, Unix Any
version, Windows Any version
Vulnerability: overture-keyword-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/11839

Date Reported: 09/28/2003
Brief Description: Invision Power Board allows access to conf_global
configuration file
Risk Factor: High
Attack Type: Host Based
Platforms: Invision Power Board 1.1.1, Linux Any version, Unix
Any version
Vulnerability: invision-confglobal-file-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/13304

Date Reported: 09/28/2003
Brief Description: GuppY postguest.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: GuppY prior to 2.4p1, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: guppy-postguest-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13306

Date Reported: 09/29/2003
Brief Description: webfs long pathname buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, webfs Any version
Vulnerability: webfs-long-pathname-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13308

Date Reported: 09/29/2003
Brief Description: webfs "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Debian Linux 3.0, webfs Any version
Vulnerability: webfs-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/13309

Date Reported: 09/28/2003
Brief Description: Geeklog multiple scripts SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Geeklog 1.x, Geeklog 2.x, Linux Any version,
Windows Any version
Vulnerability: geeklog-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13312

Date Reported: 09/28/2003
Brief Description: Geeklog multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Geeklog 1.x, Geeklog 2.x, Linux Any version,
Windows Any version
Vulnerability: geeklog-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13313

Date Reported: 09/30/2003
Brief Description: OpenSSL ASN.1 denial of service
Risk Factor: High
Attack Type: Network Based
Platforms: Cisco ACNS Any version, Cisco Content Service
Switch 11000 series, Cisco CSS Secure Content
Accelerator 1, Cisco CSS Secure Content Accelerator
2, Cisco Firewall Services Module Any version,
Cisco Global Site Selector (GSS) 4880, Cisco Global
Site Selector (GSS) 4880, Cisco Global Site
Selector (GSS) 4880, Cisco IOS 12.1(11)E and later,
Cisco IOS 12.1(11)E and later, Cisco IOS 12.1(11)E
and later, Cisco IOS 12.2SX, Cisco IOS 12.2SY,
Cisco Network Analysis Module Any version, Cisco
PIX Firewall Any version, Cisco SIP Proxy Server
(SPS) Any version, Cisco SIP Proxy Server (SPS) Any
version, Cisco SIP Proxy Server (SPS) Any version,
Cisco SN 5428 Storage Router Any version, Cisco
Threat Response (CTR) Any version, Cisco Threat
Response (CTR) Any version, Cisco Threat Response
(CTR) Any version, CiscoWorks 1105 HSE Any version,
CiscoWorks 1105 WLSE Any version, CiscoWorks CMF
Any version, Conectiva Linux 7.0, Conectiva Linux
8.0, Conectiva Linux 9.0, FreeBSD 4.0- 4.8-RELEASE,
FreeBSD 5.0-RELEASE, FreeBSD 5.1-RELEASE, Gentoo
Linux Any version, HP-UX 11.00, HP-UX 11.11, HP-UX
11.20, HP-UX 11.22, HP-UX 11.23, IRIX prior to
6.5.22, Mandrake Linux 8.2, Mandrake Linux 9.0,
Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake
Linux Corporate Server 2.1, Mandrake Multi Network
Firewall 8.2, OpenPKG 1.2, OpenPKG 1.3, OpenPKG
CURRENT, OpenSSL 0.9.7b and earlier, Red Hat Linux
9, SSLeay Any version, SuSE eMail Server 3.1, SuSE
eMail Server III Any version, SuSE Linux 7.2, SuSE
Linux 7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE
Linux 8.2, SuSE Linux 9.0, SuSE Linux Connectivity
Server Any version, SuSE Linux Database Server Any
version, SuSE Linux Enterprise Server 7, SuSE Linux
Enterprise Server 8, SuSE Linux Firewall Any
version, SuSE Linux Office Server Any version
Vulnerability: openssl-asn1-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13315

Date Reported: 09/30/2003
Brief Description: OpenSSL ASN.1 SSL certificate denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco ACNS Any version, Cisco Content Service
Switch 11000 series, Cisco CSS Secure Content
Accelerator 1, Cisco CSS Secure Content Accelerator
2, Cisco Firewall Services Module Any version,
Cisco Global Site Selector (GSS) 4880, Cisco
IOS 12.1(11)E and later, Cisco IOS 12.2SX, Cisco IOS
12.2SY, Cisco Network Analysis Module Any version, Cisco
PIX Firewall Any version, Cisco SIP Proxy Server
(SPS) Any version, Cisco SIP Proxy Server (SPS) Any
version, Cisco SIP Proxy Server (SPS) Any version,
Cisco SN 5420 Storage Router Any version, Cisco
Threat Response (CTR) Any version, Cisco Threat
Response (CTR) Any version, Cisco Threat Response
(CTR) Any version, CiscoWorks 1105 HSE Any version,
CiscoWorks 1105 WLSE Any version, CiscoWorks CMF
Any version, Conectiva Linux 7.0, Conectiva Linux
8.0, Conectiva Linux 9.0, Debian Linux 3.0, EnGarde
Secure Linux 1.0.1, EnGarde Secure Linux Community
Edition 2, EnGarde Secure Linux Professional
Edition, FreeBSD 4.0- 4.8-RELEASE, FreeBSD 5.0-
RELEASE, FreeBSD 5.1-RELEASE, Gentoo Linux Any
version, HP-UX 11.00, HP-UX 11.11, HP-UX 11.20, HP-
UX 11.22, HP-UX 11.23, Immunix OS 7+-beta, Immunix
OS 7+-beta, Immunix OS 7+-beta, IRIX prior to
6.5.22, Mandrake Linux 8.2, Mandrake Linux 9.0,
Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake
Linux Corporate Server 2.1, Mandrake Multi Network
Firewall 8.2, OpenPKG 1.2, OpenPKG 1.3, OpenPKG
CURRENT, OpenSSL 0.9.6j and earlier, OpenSSL 0.9.7b
and earlier, Red Hat Advanced Workstation 2.1, Red
Hat Enterprise Linux 2.1AS, Red Hat Enterprise
Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red
Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0, Red Hat Linux 9, Slackware
Linux 8.1, Slackware Linux 9.0, Slackware Linux
9.1, Slackware Linux current, SSLeay Any version,
SuSE eMail Server 3.1, SuSE eMail Server III Any
version
Vulnerability: openssl-asn1-ssl-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13316

Date Reported: 09/30/2003
Brief Description: OpenSSL public key denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco ACNS Any version, Cisco Content Service
Switch 11000 series, Cisco CSS Secure Content
Accelerator 1, Cisco CSS Secure Content Accelerator
2, Cisco Firewall Services Module Any version,
Cisco Global Site Selector (GSS) 4880, Cisco
IOS 12.1(11)E and later, Cisco IOS 12.2SX, Cisco
IOS 12.2SY, Cisco Network Analysis Module Any version, Cisco
PIX Firewall Any version, Cisco SIP Proxy Server
(SPS) Any version, Cisco SN 5428 Storage Router
Any version, Cisco Threat Response (CTR) Any
version, CiscoWorks 1105 HSE Any version,
CiscoWorks CMF Any version, OpenPKG
1.2, OpenPKG 1.3, OpenPKG CURRENT, OpenSSL
0.9.6j and earlier, OpenSSL 0.9.7b
and earlier
Vulnerability: openssl-public-key-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13317

Date Reported: 09/28/2003
Brief Description: mj-server long parameter buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, mj-server Any version, Unix Any
version
Vulnerability: mjserver-parameter-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13320

Date Reported: 09/30/2003
Brief Description: OpenSSL fails to properly parse certificates
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco ACNS Any version, Cisco Content Service
Switch 11000 series, Cisco CSS Secure Content
Accelerator 1, Cisco CSS Secure Content Accelerator
2, Cisco Firewall Services Module Any version,
Cisco Global Site Selector (GSS) 4880, Cisco Global
Site Selector (GSS) 4880, Cisco Global Site
Selector (GSS) 4880, Cisco IOS 12.1(11)E and later,
Cisco IOS 12.1(11)E and later, Cisco IOS 12.1(11)E
and later, Cisco IOS 12.2SX, Cisco IOS 12.2SY,
Cisco Network Analysis Module Any version, Cisco
PIX Firewall Any version, Cisco SIP Proxy Server
(SPS) Any version, Cisco SIP Proxy Server (SPS) Any
version, Cisco SIP Proxy Server (SPS) Any version,
Cisco SN 5428 Storage Router Any version, Cisco
Threat Response (CTR) Any version, Cisco Threat
Response (CTR) Any version, Cisco Threat Response
(CTR) Any version, CiscoWorks 1105 HSE Any version,
CiscoWorks 1105 WLSE Any version, CiscoWorks CMF
Any version, OpenPKG 1.2, OpenPKG 1.3, OpenPKG
CURRENT, OpenSSL 0.9.6j and earlier, OpenSSL 0.9.7b
and earlier, SSLeay Any version
Vulnerability: openssl-improper-certificate-parsing
X-Force URL: http://xforce.iss.net/xforce/xfdb/13322

Date Reported: 09/28/2003
Brief Description: Geeklog shoutbox allows cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Geeklog 1.x, Geeklog 2.x, Linux Any version,
Windows Any version
Vulnerability: geeklog-shoutbox-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13323

Date Reported: 09/30/2003
Brief Description: SSH Sentinel BER/DER packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: SSH Sentinel 1.4, Windows Any version
Vulnerability: ssh-sentinel-ber-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13324

Date Reported: 09/30/2003
Brief Description: silly Poker buffer overflow in HOME environment
variable
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, silly Poker 0.25.5, Unix Any
version
Vulnerability: sillypoker-home-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13326

Brief Description: IBM DB2 LOAD command buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: IBM DB2 UDB 7.2, IBM DB2 UDB 8.1, Linux Any
version, Windows Any version
Vulnerability: db2-load-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13330

Date Reported: 10/01/2003
Brief Description: IBM DB2 INVOKE buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: IBM DB2 UDB 7.2, Windows Any version
Vulnerability: db2-invoke-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13331

Date Reported: 10/01/2003
Brief Description: DCP-Portal advertiser.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: DCP-Portal 5.5, Linux Any version, Windows Any
version
Vulnerability: dcpportal-advertiser-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13332

Date Reported: 10/01/2003
Brief Description: DCP-Portal lostpassword.php script allows SQL
injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: DCP-Portal 5.5, Linux Any version, Windows Any
version
Vulnerability: dcpportal-lostpassword-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13334

Date Reported: 10/01/2003
Brief Description: DCP-Portal advertiser.php path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: DCP-Portal 5.5, Linux Any version, Windows Any
version
Vulnerability: dcpportal-advertiser-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13335

Date Reported: 10/02/2003
Brief Description: VisualRoute LAN topology disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: FreeBSD Any version, Linux Any version, Mac OS X
Any version, Solaris Any version, VisualRoute Any
version, Windows Any version
Vulnerability: visualroute-obtain-lan-topology
X-Force URL: http://xforce.iss.net/xforce/xfdb/13339

Date Reported: 10/02/2003
Brief Description: OpenSSL SSLv2 CLIENT_MASTER_KEY denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, OpenSSL
prior to 0.9.6f, Red Hat Linux 7.1, Red Hat Linux
7.2, Red Hat Linux 7.3
Vulnerability: openssl-sslv2-clientmasterkey-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13340

Date Reported: 10/02/2003
Brief Description: FreeBSD readv could leak sensitive file descriptors
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD 4.3-4.8-RELEASE, FreeBSD 4-STABLE
Vulnerability: freebsd-readv-descriptor-leak
X-Force URL: http://xforce.iss.net/xforce/xfdb/13341

Date Reported: 10/03/2003
Brief Description: FreeBSD procfs integer overflow/underflow
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Any version
Vulnerability: freebsd-procfs-integer-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13343
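The environment-variable overflows in this list (mj-server, silly Poker; the same pattern as the marbles and freesweep entries in the SecurityFocus list) come from copying getenv() output into a fixed-size stack buffer with no length check, in a binary that is often installed setgid games. As an added example that is not part of the original post or of any of those programs, here is that vulnerable pattern in C beside a hardened version of the same routine. The buffer size, the save-file name and the /var/games fallback are assumptions chosen for illustration, not values from any of the reported programs:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small so the overflow condition is easy to reason about;
 * the real programs use their own (unchecked) sizes. Assumed value. */
#define HOME_BUF 64

/* Vulnerable pattern: strcpy() of an attacker-controlled environment
 * variable into a fixed stack buffer. A HOME longer than HOME_BUF bytes
 * overwrites whatever sits above `dir`, including the saved return
 * address. Only ever call this with a trusted, short value. */
int build_savefile_unsafe(const char *home, char *out, size_t outlen) {
    char dir[HOME_BUF];
    strcpy(dir, home);                     /* no bounds check */
    snprintf(out, outlen, "%s/.game.save", dir);
    return 0;
}

/* Hardened form: measure first without scanning past HOME_BUF, refuse
 * anything that does not fit with its terminating NUL, and apply a
 * sanity check on the value, since a setgid binary cannot trust HOME.
 * Returns 0 on success, -1 when the value is rejected. */
int build_savefile_safe(const char *home, char *out, size_t outlen) {
    char dir[HOME_BUF];
    size_t n = 0;

    if (home == NULL)
        return -1;
    while (n < HOME_BUF && home[n] != '\0')
        n++;
    if (n == HOME_BUF)                     /* too long: would not fit */
        return -1;
    if (home[0] != '/' || strstr(home, "..") != NULL)
        return -1;                         /* must be absolute, no traversal */
    memcpy(dir, home, n + 1);              /* n + 1 copies the NUL */
    if (snprintf(out, outlen, "%s/.game.save", dir) >= (int)outlen)
        return -1;                         /* output buffer too small */
    return 0;
}

/* What the game would call: read HOME from the environment and fall
 * back to a fixed, writable directory when the value is unusable.
 * The fallback path is an assumption for this example. */
const char *savefile_path(char *out, size_t outlen) {
    const char *home = getenv("HOME");
    if (build_savefile_safe(home, out, outlen) != 0)
        snprintf(out, outlen, "/var/games/.game.save");
    return out;
}

int main(void) {
    char path[128];
    printf("save file: %s\n", savefile_path(path, sizeof path));
    return 0;
}
```

The point of the hardened version is not the particular limit but the order of operations: the length is established before any byte is copied, and an over-long or odd-looking value is rejected rather than truncated, so a user who can set HOME before running a setgid binary gets a controlled failure instead of control of the stack.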
 
Old 10-09-2003, 06:14 PM   #3
unSpawn
Moderator
 
Oct 6th 2003 (SF)

SecurityFocus


1. marbles Local Home Environment Variable Buffer Overflow Vuln...
BugTraq ID: 8710
Remote: No
Date Published: Sep 26 2003
Relevant URL: http://www.securityfocus.com/bid/8710
Summary:
marbles is a freely available, open source game for the Linux platform.

A problem in the handling of data in the Home environment variable has
been reported in the marbles program. This may make it possible for a
local attacker to gain elevated privileges.

The problem is in the checking of bounds on data stored in the Home
environment variable. By placing a string of excessive length in the
environment variable, it is possible to overwrite sensitive process
memory. This could lead to the execution of arbitrary code, and
potentially privilege escalation to groupid games.

2. SMC Router Random UDP Packet Denial Of Service Vulnerability
BugTraq ID: 8711
Remote: Yes
Date Published: Sep 26 2003
Relevant URL: http://www.securityfocus.com/bid/8711
Summary:
The SMC SMC2404WBR Barricade Turbo 11/22 Mbps Wireless Cable/DSL
Broadband Router is routing hardware that is intended to be deployed in
home or small office networks.

A denial of service has been reported in the SMC SMC2404WBR Barricade
Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router. It is possible to
trigger this condition by sending UDP packets randomly to ports 0-65000.
The impact of the issues seems to vary, sometimes the router will need a
"soft reset" to regain normal functionality and sometimes a "hard reset"
will be required. The time it takes for the router to recover after being
reset may also vary. In any of these cases, the availability of a network
which depends on the router will be denied to legitimate users.

This condition was reportedly reproduced using one of the exploits for BID
8525.

The SMC7004VWBR router is also affected by this vulnerability.
SMC7004VWBR firmwares are reportedly affected even when security features
such as Stateful Packet Inspection, Anti-DoS and UDP sessions are enabled.
This may also be the case with other routers.

7. freesweep Environment Variable Handling Buffer Overflow Vuln...
BugTraq ID: 8716
Remote: No
Date Published: Sep 28 2003
Relevant URL: http://www.securityfocus.com/bid/8716
Summary:
freesweep is a curses-based clone of the game "Minesweeper". It is
installed setgid "games" on some systems.

It has been reported that freesweep is vulnerable to a buffer overflow
condition related to the processing of several environment variables.
This vulnerability may be exploited by local attackers to gain group
"games" privileges.

It is likely that freesweep copies the value of certain environment
variables into local buffers of a predefined size without bounds checking.
As a result, it may be possible for attackers to execute code of their
choice by overwriting the saved return address on the stack. Any code
executed would run as effective groupid "games".

8. GuppY HTML Injection Vulnerability
BugTraq ID: 8717
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8717
Summary:
GuppY is a free suite of PHP scripts for creating an online portal.

It has been reported that one of the scripts included with GuppY is
vulnerable to an HTML injection attack. The script, "postguest.php", does
not perform input validation to prevent the inclusion of HTML/script
content in messages posted to the portal by remote clients. The flaw is
present in the implementation of the "[c]" tag, which can be used by users
posting messages in the forum or in the guestbook components of GuppY
portals.

According to the report, the value of the tag's "c" parameter is not
validated before being output again by the server. As a result, any
embedded HTML or script code may become part of the affected HTML
document. Consequently, malicious users may create and then inject into
the context of the portal arbitrary content that may either
inappropriately alter the presentation of the portal or manipulate the
client-server session (e.g. transmit cookies to a remote server).

The vendor is aware of the vulnerability and has released an updated
version, 2.4p1, that eliminates the issue.

9. Multiple Geeklog Vulnerabilities
BugTraq ID: 8718
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8718
Summary:
Multiple vulnerabilities have been reported in Geeklog. The following
issues were reported:

An HTML injection vulnerability that may allow unauthenticated remote
attackers to send hostile HTML and script code to Geeklog users via
Shoutbox.

Multiple cross-site scripting issues in the index.php, brokenfile.php and
read-story.php scripts that may permit remote attackers to construct
malicious links to a Geeklog site that include hostile HTML.

The HTML injection and cross-site scripting issues could potentially be
exploited to steal cookie-based authentication credentials from legitimate
users. Other attacks are also possible.

Several SQL injection issues have been reported in the index.php,
viewtopic.php, visit.php, viewcat.php, comment.php, read-story.php and
singlefile.php scripts. These issues could permit remote attackers to
inject malicious SQL syntax into database queries, potentially allowing
unauthorized access to sensitive information or other consequences.

Weaknesses in the Geeklog implementation have also been reported, such as
incorrect proxy logging and inadequate facilities for denying access by
IP.

Some of these issues may be related to previously documented
vulnerabilities in Geeklog. These issues are currently pending further
analysis. New BIDs will be created and existing BIDs updated where it is
appropriate when analysis is complete.

15. Webfs HTTP Server Information Disclosure Vulnerability
BugTraq ID: 8724
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8724
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

An information disclosure vulnerability has been discovered in Webfs HTTP
server. The problem occurs due to insufficient sanitization of
user-supplied hostnames when accessing virtual hosts. Specifically,
placing dot-dot (..) sequences within a requested hostname can effectively
trigger this issue.

An attacker exploiting this issue may be capable of viewing the contents
of directories and files outside of the established web root. This issue
may only exist if the server has been configured to use virtual hosting.

16. Apache2 MOD_CGI STDERR Denial Of Service Vulnerability
BugTraq ID: 8725
Remote: No
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8725
Summary:
Apache HTTP Server is an open-source web server designed to run on a
number of different platforms.

Apache2 has been reported prone to a denial-of-service vulnerability. The
issue has been reported to present itself when a CGI script outputs 4k or
greater of data to STDERR. If this condition occurs the execution of the
script will reportedly pause indefinitely due to a locked write() call in
mod_cgi. Because Apache2 is waiting for further input from the malicious
CGI application, the httpd process may hang. When the maximum connection
limit is reached, Apache will no longer service requests, effectively
denying service to legitimate users.

This issue has been reported to affect Apache 2.0.47. Previous versions
may also be affected.

17. WebFS Long Pathname Buffer Overrun Vulnerability
BugTraq ID: 8726
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8726
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

It has been discovered that WebFS is prone to a buffer overrun
vulnerability when handling path names of excessive length. As a result,
an attacker may be capable of triggering the condition and overwriting
sensitive memory with malicious data. This could ultimately allow for the
execution of arbitrary code with the privileges of the WebFS HTTP server.

It should be noted that for this condition to occur, an attacker must have
the ability to create directories on the affected system. This may be
accomplished by obtaining legitimate credentials, which allow for such
access, or possibly through the exploitation of another unrelated
vulnerability such as that described in BID 8724.

20. Mah-Jong MJ-Player Server Flag Local Buffer Overflow Vulnera...
BugTraq ID: 8729
Remote: No
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8729
Summary:
Mah-Jong is a freely available, open source implementation of the Mah-Jong
game. It is available for the Linux platform.

A problem in the handling of large requests supplied with certain flags
has been reported in Mah-Jong. Because of this, it may be possible for a
local attacker to gain elevated privileges.

The problem is in the handling of long parameters by mj-player. When
supplying a long parameter with the server flag (--server), a boundary
condition error occurs. This is due to insufficient bounds checking
during a strcpy() operation where the user-supplied server string is
copied into an internal buffer. As this program is typically installed
with privileges, it is possible for a user with local access to a system
with the vulnerable program installed to execute code with elevated
privileges.

This vulnerability may be related to the issues described that were
addressed in Debian Security Advisory DSA 378-1 and described in BID 8557.
If this is the case, this BID will be updated accordingly.

23. OpenSSL ASN.1 Parsing Vulnerabilities
BugTraq ID: 8732
Remote: Yes
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8732
Summary:
Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL. OpenSSL does not directly implement ASN.1 but does use ASN.1
objects in X.509 certificates and various other cryptographic elements.
The following issues were reported:

Two flaws in the ASN.1 parser could lead to denial of service attacks.

The first bug may be exploited to cause an out of bounds read operation to
occur, most likely resulting in a denial of service. This can be
triggered by a malformed or unusual ASN.1 tag value. The second of the
described bugs occurs if an application is configured to ignore public key
decode errors (specifically the
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY error). This is reportedly
not a common configuration in production setups but some applications may
ignore decode errors for debugging reasons. As a result, the impact and
exposure will vary depending on the targeted application and some
applications may be more vulnerable to attacks than others. Remote
attackers can exploit this issue with a maliciously crafted SSL client
certificate. CAN-2003-0543 and CAN-2003-0544 correspond to these two
denial of service issues. The issues are reported to exist in SSLeay and
OpenSSL versions prior to 0.9.7c or 0.9.6k.

Another vulnerability related to ASN.1 parsing was reported in OpenSSL
0.9.7. ASN.1 encodings that are rejected by the parser due to being
invalid may potentially trigger a memory management error. In particular,
a double free may result due to an ASN.1 structure (ASN1_TYPE) being
deallocated incorrectly. This reportedly could be leveraged to corrupt
stack memory. In this manner, sensitive stack variables such as
instruction pointers could be overwritten with attacker-supplied values.
The issue could be exploited by remote attacks via a maliciously crafted
SSL client certificate. This issue has been assigned CVE name
CAN-2003-0545.

An additional weakness was reported that may aid in exploitation of these
issues. In some circumstances, a client may force a server to parse a
client certificate when one has not been specifically requested. This
could even occur with server implementations that don't enable client
authentication.

Any applications which use the OpenSSL ASN.1 library to handle external
data may present an attack vector for these vulnerabilities.

These issues are pending further analysis and will be separated into
individual BIDs when analysis is complete.

26. Silly Poker Local HOME Environment Variable Buffer Overrun V...
BugTraq ID: 8736
Remote: No
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8736
Summary:
Silly Poker is a simple poker card game developed for the Linux operating
system. It has been reported that on the Debian Linux distribution, the
sillypoker binary is installed setgid games by default.

*** It should be noted that new details released suggest that the
sillypoker binary is in fact not installed setgid games on Debian systems.
As such, the impact of this issue may be greatly limited.

A local buffer overrun vulnerability has been reported for Silly Poker.
The problem occurs due to insufficient bounds checking when handling
user-supplied data. As a result, an attacker may be capable of controlling
the execution flow of the sillypoker program and effectively executing
arbitrary code with elevated privileges.

Exploiting this condition may allow an attacker to gain group 'games'
privileges which could be used to modify sensitive information or could be
used to leverage attacks against other previously inaccessible utilities.

27. Invision Power Board Insecure Permissions Vulnerability
BugTraq ID: 8737
Remote: No
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8737
Summary:
Invision Power Board is web forum software. It is implemented in PHP and
is available for Unix and Linux variants and Microsoft Windows operating
systems.

Invision Power Board has been reported prone to a configuration issue that
could allow attackers with local interactive access to modify Invision
Power Board '.php' source files. The issue has been reported to present
itself because Invision Power Board does not correctly set permissions on
folders during the installation process. Specifically all folders are
created with group write permissions. Any local user who is a member of
the same group as Invision Power Board may make modifications to Invision
Power Board source files.

A local attacker may exploit this condition to execute arbitrary code with
the privileges of the web server.

It should be noted that although this vulnerability has been reported to
affect Invision Power Board versions 1.1.1 and 1.1.2, other versions might
also be affected.

29. Multiple DCP-Portal SQL Injection Vulnerabilities
BugTraq ID: 8739
Remote: Yes
Date Published: Oct 01 2003
Relevant URL: http://www.securityfocus.com/bid/8739
Summary:
DCP-Portal is a web portal system implemented in PHP that uses a MySQL
backend database. The development cycle for this product has been
temporarily suspended.

Multiple SQL Injection vulnerabilities have been discovered that affect
DCP-Portal scripts. These issues are likely due to a lack of sufficient
sanitization performed on user supplied URI parameters. Attacks have been
demonstrated that inject partial SQL queries, as values for URI
parameters, in a manner that influences DCP-Portal SQL query logic to the
attackers benefit. The 'password' URI parameter associated with the
'advertiser.php' script and the 'email' URI parameter associated with the
'lostpassword.php' script have been demonstrated as vulnerable.

An attacker may exploit these conditions to disclose DCP-Portal
credentials, reset user passwords, or perform a denial of service type
attack via email spamming.

Although this issue has been reported to affect DCP-Portal version 5.5,
prior versions may also be affected.

34. Mutant Penguin MPWeb PRO Directory Traversal Vulnerability
BugTraq ID: 8745
Remote: Yes
Date Published: Oct 01 2003
Relevant URL: http://www.securityfocus.com/bid/8745
Summary:
Mutant Penguin MPWeb PRO is a Microsoft Windows based web server. It
allows users to create and host dynamic web sites.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to traverse outside the server root directory in order
to access sensitive server readable files. The issue presents itself due
to insufficient sanitization of user-supplied input and may allow an
attacker to access unauthorized information by issuing '/./../' character
sequences.

This vulnerability may be successfully exploited to gain sensitive
information about a vulnerable host that could be used to launch further
attacks against the system.

MPWeb PRO version 1.1.2 has been reported to be affected by this issue;
however, other versions may be vulnerable as well.

35. OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vul...
BugTraq ID: 8746
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8746
Summary:
OpenSSL is an open source implementation of the SSL protocol.

OpenSSL SSLv2 has been reported prone to a remotely triggered denial of
service when processing a specially crafted malicious CLIENT_MASTER_KEY
message.

It has been reported that a remote attacker may use a maliciously crafted
CLIENT_MASTER_KEY message to influence the execution flow of a vulnerable
service implementing SSLv2 into a die() procedure. This will effectively
cause the affected process to abort, denying service to legitimate users.

An attacker may flood an affected service with malicious CLIENT_MASTER_KEY
messages, persistently denying service for legitimate users. Other attacks
may also be possible. The impact and exposure may vary depending on the
particular applications that use vulnerable OpenSSL libraries.

This vulnerability is not reported to be present in OpenSSL versions
greater than 0.9.6f of the 0.9.6 series of releases, because the use of
the die() procedure is no longer implemented. It is not known whether the
0.9.7 series is also affected.

37. FreeBSD Kernel ProcFS Handler UIO_Offset Integer Overflow Vu...
BugTraq ID: 8748
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8748
Summary:
All versions of the FreeBSD kernel have been reported prone to an integer
overflow vulnerability. The issue presents itself in the procfs handling
procedures, and has been reported to be due to a lack of sufficient sanity
checks performed on 'uio' offset parameters.

It has been reported that a local attacker may exploit this condition
because it is possible to indirectly influence the value for the 'uio'
offset. Ultimately an attacker may trigger an integer overflow or
underflow condition. This may result in a read attempt from non-resident
kernel memory, triggering a kernel panic and effectively denying service
to legitimate users. A local attacker may also exploit this issue to
disclose potentially sensitive data stored in regions of memory that would
otherwise be restricted.

This issue has been reported to be exploitable on systems that have procfs
enabled.

38. FreeBSD Kernel Readv() Integer Overflow Vulnerability
BugTraq ID: 8749
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8749
Summary:
A local vulnerability has been discovered within the FreeBSD kernel. The
problem occurs within the readv() system call, which is used to read data
and scatter it into an arbitrary number of buffers specified by an
argument.

When a file is accessed by a system call in FreeBSD, such as open() or
dup2(), the reference counter (f_count) for that file is incremented using
the fhold() function and when access is complete the counter is
decremented by fdrop().

It has been discovered that the readv() system call fails to call the
fdrop() function after a specific procedure had previously triggered a
call to fhold(). As a result, by triggering a large number of calls to
fhold() in a call to readv(), it may be possible to cause the f_count
integer value to wrap.

It has been reported that this integer overflow can be triggered by
supplying an overly large iovcnt variable in a call to readv(). As a
result, an attacker may potentially be capable of triggering kernel memory
corruption. This could ultimately result in a system panic or could
possibly be leveraged to elevate local privileges to that of the root
user.

40. Inter7 VPopMail Configuration File Insecure Default Permissi...
BugTraq ID: 8751
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8751
Summary:
vpopmail is a freely available, open source virtual domain handling
software package. It is available for the Unix and Linux operating
systems.

A problem has been identified in the default configuration of vpopmail.
Because of this, an attacker may be able to gain access to potentially
sensitive information.

The problem is in the creation of the configuration file. When vpopmail
is compiled with MySQL support, authentication data is stored in the
/etc/vpopmail.conf file. This file is created with world-readable
permissions, which may reveal sensitive information such as authentication
credentials for the database. An attacker could use these credentials to
potentially gain access to the database as the vpopmail database user.

This problem has been reported on Gentoo Linux, but may affect other
operating systems.
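The f_count wrap described under item 38, as an added example that is not part of the original post or of FreeBSD's own code: a constructed reference counter whose unchecked hold wraps after enough unmatched holds, beside a checked hold that refuses to go past the limit. The struct, the function names and the loop are all hypothetical models of the advisory's description, not the kernel's implementation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a per-file reference count; this is not FreeBSD's
 * struct file, and the fhold name is borrowed only to mirror the advisory's
 * description. The count is unsigned so that a wrap is well defined here. */
struct file_ref {
    unsigned int f_count;
};

/* Unchecked hold: the behaviour the advisory describes. Once enough holds go
 * unmatched by a release, the counter wraps to 0 and the still-in-use object
 * looks unreferenced (and could be freed out from under its users). */
static void fhold_unchecked(struct file_ref *fp)
{
    fp->f_count++;
}

/* Checked hold: refuse a reference once the counter is saturated, so it can
 * never wrap. Returns false when the hold is refused. */
static bool fhold_checked(struct file_ref *fp)
{
    if (fp->f_count == UINT_MAX)
        return false;
    fp->f_count++;
    return true;
}

/* Models a readv()-style loop that takes one hold per iovec entry and never
 * releases it (the missing fdrop() call). Returns the final count; with
 * 'checked' set, the loop stops at the first refused hold. The start value
 * is a parameter so a wrap can be shown without billions of iterations. */
static unsigned int leaky_hold_loop(unsigned int start, unsigned long iovcnt,
                                    bool checked)
{
    struct file_ref f = { start };
    for (unsigned long i = 0; i < iovcnt; i++) {
        if (checked) {
            if (!fhold_checked(&f))
                break;
        } else {
            fhold_unchecked(&f);
        }
    }
    return f.f_count;
}
```

Starting the counter at UINT_MAX - 2 and taking five unmatched holds wraps the unchecked counter to 2, while the checked variant stops at UINT_MAX.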