March 2001 Advisories and Exploits

March 30, 2001

CERT CA-2001-05 snmpXdmid - The CERT/CC has received numerous reports indicating that a vulnerability in snmpXdmid is being actively exploited. Exploitation of this vulnerability allows an intruder to gain privileged (root) access to the system.

AFFECTS: Any machine running Solaris 2.6, 7, or 8 with snmpXdmid installed

March 29, 2001

Microsoft MS01-020 - Incorrect MIME Header Can Cause IE to Execute E-mail Attachment and run code of attacker's choice.

AFFECTS: Microsoft Internet Explorer

Suse Security - Kernel Backdoor - April Fool's Joke - The latest release of "Linux-Magazin", a monthly German magazine that focuses on Linux, contains an article by Mirko Dölle about security problems in the Linux kernel.

In particular, the article argues that IP packets could be forwarded to the address (there is a PTR record at, which has an A record back to the same address).

Many German Linux users have been calling SuSE support to learn details on how to deal with this problem, not willing to believe that the article is an April Fool's joke on security. None of the claims are correct, which makes a kernel update unnecessary for this particular problem.

March 28, 2001

Microsoft MS01-017 version 2 - re-release of MS01-017 adding a fix

AFFECTS: ALL Microsoft users

Microsoft MS01-019 - Data compression passwords can be recovered from the Compressed Folders feature in Plus! 98 and Windows Me

AFFECTS: Plus! 98 (Windows 98/98SE) and Windows Me

Suse SA-2001:08 - A buffer overflow exists in the eperl package that allows local and remote compromise if eperl is installed setuid.

AFFECTS: all systems using the eperl package

Suse SA-2001:09 - An attacker could place a malicious joerc file in a publicly writable directory, such as /tmp, to execute commands with the privileges of any user (including root) who runs joe while in that directory.

AFFECTS: all systems using the joe package

March 27, 2001

Mandrake MDKSA-2001:035 - Users could embed malicious VIM control codes into a file, and as soon as any user opened that file in vim-enhanced or vim-X11 with the status line option enabled in .vimrc, the commands would be executed as that user.

AFFECTS: 6.0/6.1/7.0/7.1/7.2/Corporate Server 1.0.1

Microsoft MS01-018 - Visual Studio VB-TSQL Object Contains Unchecked Buffer that allows an attacker to run code of choice.

AFFECTS: Visual Studio 6.0 Enterprise Edition

March 23, 2001

SANS - Late last night, the SANS Institute (through its Global Incident Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.

March 22, 2001

CERT Advisory CA-2001-04 - Unauthentic "Microsoft Corporation" Certificates

AFFECTED: Systems whose users run code signed by Microsoft Corporation.

FreeBSD-SA-01:30 - UFS/EXT2FS allows disclosure of deleted data

AFFECTED: All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem. This problem is not specific to FreeBSD systems and is believed to exist on many filesystems.

Mandrake MDKSA-2001-033 - There are several weaknesses in various implementations of the SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. The information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su. Versions of OpenSSH 2.5.2 and later have been fixed to reduce the impact of these traffic analysis problems, and as such all Linux-Mandrake users are encouraged to upgrade their version of openssh immediately.

AFFECTS: 7.0/7.1/7.2/Corporate Server 1.0.1

Mandrake MDKSA-2001-034 - The time server daemon, timed, tries to synchronize the local host time with the time of other machines on a local area network. A bug in timed, as reported by the FreeBSD Security Officer, that could be triggered remotely can crash the time server daemon.

AFFECTS: 6.0/6.1/7.0/7.1/7.2/Corporate Server 1.0.1

Microsoft Security Bulletin MS01-017 - Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard

AFFECTED: All Microsoft customers should read the bulletin.

SuSE-SA:2001:07 - security vulnerability resolved: timed, in.ftpd

AFFECTED: versions 6.1/6.2/6.3/6.4/7.0/7.1

March 21, 2001

SuSE-SA:2001:06 - security vulnerability resolved: omap, ipop2d, ipop3d problem description, discussion, solution and upgrade information

AFFECTED: version 6.1

SuSE-SA:2001:06 - Note: released with correct signature. security vulnerability resolved: omap, ipop2d, ipop3d problem description, discussion, solution and upgrade information

AFFECTED: version 6.1

March 14, 2001

Redhat RHSA-2001:027-02 - Updated sgml-tools packages fix insecure temporary file handling

AFFECTED: Redhat v5.2/6.x/7.0

March 13, 2001

Debian Security Advisory DSA-044-1 - mailx buffer overflow - The mail program (a simple tool to read and send email) as distributed with Debian GNU/Linux 2.2 has a buffer overflow in the input parsing code. Since mail is installed setgid mail by default, this allowed local users to use it to gain access to the mail group.

Since the mail code was never written to be secure, fixing it properly would mean a large rewrite. Instead of doing this we decided to no longer install it setgid. This means that it can no longer lock your mailbox properly on systems where you need group mail to write to the mailspool, but it will still work for sending email.

This has been fixed in mailx version 8.1.1-10.1.5. If you have suidmanager installed you can also make this change manually with the following command: suidregister /usr/bin/mail root root 0755

Fixed in: Debian 2.2 (potato)

Redhat RHSA-2001:029-02 - New mutt packages fix IMAP vulnerability/incompatibility

March 12, 2001

FreeBSD-SA-01:23 - icecast port contains remote vulnerability

FreeBSD-SA-01:26 - interbase contains remote backdoor account with full read/write access, which was apparently introduced by the vendor in 1992. The interbase source code has recently been released and is the basis for a derivative project called firebird, who are credited with discovering the vulnerability.

AFFECTED: Ports collection prior to the correction date.

FreeBSD-SA-01:27 - cfengine is a system for automating the configuration and maintenance of large networks. The cfengine port, versions prior to 1.6.1, contained several format string vulnerabilities which allow a remote attacker to execute arbitrary code on the local system as the user running cfengine, usually root.

AFFECTED: Ports collection prior to the correction date.

FreeBSD-SA-01:28 - timed allows remote denial of service

AFFECTED: All released versions of FreeBSD 3.x, 4.x/FreeBSD 3.5-STABLE prior to the correction date/FreeBSD 4.2-STABLE prior to the correction date.

FreeBSD-SA-01:29 - rwhod allows remote denial of service

AFFECTED: All released versions of FreeBSD 3.x, 4.x/FreeBSD 3.5-STABLE prior to the correction date/FreeBSD 4.2-STABLE prior to the correction date.

March 09, 2001

Debian Security Advisory DSA-040-1 - buffer overflow in slrn

Debian Security Advisory DSA-041-1 - Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: the current directory, the user's home directory ($HOME) and /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling), reading it from the current directory can be dangerous: an attacker can leave a .joerc file in a writable directory, which would be read when an unsuspecting user starts joe in that directory.

AFFECTED: versions prior to version 2.8-15.3

Debian Security Advisory DSA-042-1 - a remote buffer overflow and weak security vulnerability in gnuserv and xemacs21

Debian Security Advisory DSA-043-1 - This advisory covers several vulnerabilities in Zope that have been addressed.

Redhat RHSA-2001:028-02 - buffer overflow in slrn - An overflow exists in the slrn package as shipped in Red Hat Linux 7 and Red Hat Linux 6.x, which could possibly lead to remote users executing arbitrary code as the user running slrn.

March 08, 2001

Debian Security Advisory DSA-038-1 - Former versions of sgml-tools created temporary files directly in /tmp in an insecure fashion. Version 1.0.9-15 and higher create a subdirectory first and open temporary files within that directory.

Debian Security Advisory DSA-039-1 - The version of GNU libc that was distributed with Debian GNU/Linux 2.2 suffered from 2 security problems:

* It was possible to use LD_PRELOAD to load libraries that are listed in /etc/, even for suid programs. This could be used to create (and overwrite) files which a user should not be allowed to.

* By using LD_PROFILE, suid programs would write data to a file in /var/tmp, which was not done safely. Again, this could be used to create (and overwrite) files which a user should not have access to.

Microsoft MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
March 07, 2001

Debian Security Advisory DSA-033-1 - The author of analog, Stephen Turner, has found a buffer overflow bug in all versions of analog except version 4.16.

AFFECTED: The bugfix has been backported to the version of analog from Debian 2.2. Version 4.01-1potato1 is fixed.

Debian Security Advisory DSA-034-1 - Fumitoshi Ukai and Denis Barbier have found several potential buffer overflow bugs in our version of ePerl as distributed in all of our distributions.

AFFECTED: versions prior to Version 2.2.14-0.7potato2

Debian Security Advisory DSA-035-1 - It has been reported that one can tweak man2html remotely into consuming all available memory (remote denial of service). This has been fixed by Nicolás Lichtmaier with help of Stephan Kulow.

Debian Security Advisory DSA-036-1 - It has been reported that a local user could tweak Midnight Commander of another user into executing a random program under the user id of the person running Midnight Commander. This behaviour has been fixed by Andrew V. Samoilov.

Debian Security Advisory DSA-037-1 - It has been reported that the AsciiSrc and MultiSrc widgets in the Athena widget library handle temporary files insecurely. Joey Hess has ported the bugfix from XFree86 to these Xaw replacement libraries.

March 06, 2001

Microsoft MS01-015 - IE can Divulge Location of Cached Content

March 05, 2001

Suse SuSE-SA:2001:05 - CUPS is an implementation of the Internet Printing Protocol (IPP) and is used as an alternative to the lpr and LPRng packages. The CUPS package aims to be a comprehensive printing solution for UN*X systems. In the SuSE 7.1 distribution, the cups package is not used by any configuration utilities unless the admin has decided to configure the package manually. The cups package was introduced in the SuSE 7.1 distribution; enhanced support for future releases of the SuSE Linux distribution is planned. A SuSE-internal security audit conducted by Sebastian Krahmer and Thomas Biege revealed several overflows as well as insecure file handling. These bugs have been fixed by adding length checks and securing the file access. For a temporary workaround, remove the suid bit from the 'lppasswd' program. Make sure nobody from outside your network can access the CUPS server running on port 631. Allowing access to this port from outside is a bad idea regardless of whether or not the version in use is vulnerable.

AFFECTED: SuSE versions: 7.1/All UN*X systems using cups < 1.1.6.

March 02, 2001

Redhat RHSA-2001:024-03 - When starting, joe looks for a configuration file in the current working directory, the user's home directory, and /etc/joe. A malicious user could create a .joerc file in a world-writable directory such as /tmp and cause users running joe inside that directory to use a .joerc file customized to execute commands under their own user ids. The current working directory has been removed from the list of directories searched for the .joerc configuration file.

AFFECTED: Red Hat Linux 5.2 - alpha, i386, sparc/Red Hat Linux 6.2 - alpha, i386, sparc/Red Hat Linux 7.0 - alpha, i386

March 01, 2001

Microsoft MS01-014 - Malformed URL can cause Service Failure in IIS 5.0 and Exchange 2000 - Denial of Service

AFFECTED: The flaw occurs in two different code modules, one of which installs as part of IIS 5.0 and both of which install as part of Exchange 2000, so it is important for Exchange 2000 administrators to install both the IIS and Exchange patches.

A quick fix against RFP2101 - Recently Rain Forest Puppy released his advisory RFP2101, which contains exploits to steal usernames of users on a PHP-Nuke based site and to get passwords from the admins who run a PHP-Nuke site. This is a fix for the exploit to steal usernames.

Copyright © 1998 - 2004 RHP Studios
All Rights Reserved!
Last Updated on July 24, 2004 @ 11:45 hrs EST