April 2001 Advisories and Exploits


April 27, 2001

Debian Security Advisory DSA-053-1-nedit - insecure temporary file allows attacker to overwrite arbitrary files

Mandrake MDKSA-2001:043-rpmdrake - A temporary file vulnerability exists in rpmdrake.

Mandrake MDKSA-2001:044-gftp - A format string vulnerability exists in all versions of gftp prior to version 2.0.8. This vulnerability has been fixed upstream in version 2.0.8.

Redhat RHSA-2001:050-04-mgetty (UPDATE) - Previously-issued mgetty packages did not log messages correctly.

AFFECTS: v6.x & v7.x

Redhat RHSA-2001:052-02-iptables - A security hole has been found that does not affect the default configuration of Red Hat Linux, but can affect some custom configurations of Red Hat Linux 7.1 only. The bug is specific to the Linux 2.4 kernel series.

Redhat RHSA-2001:053-06-gftp - gftp format string vulnerability corrected


April 25, 2001

Mandrake MDKSA-2001:042-nedit - A temporary file vulnerability exists in NEdit, the Nirvana Editor. When printing the entire text or selected parts of the text within the editor, nedit creates a temporary file in an insecure manner. This could be exploited to gain access to other users' privileges, including root.


April 24, 2001

Mandrake MDKSA-2001-041-hylafax - A problem exists with the HylaFAX program, hfaxd. When hfaxd tries to change to its queue directory and fails, it prints an error message via syslog by directly passing user-supplied data as the format string. If hfaxd is installed setuid root, this behaviour can be exploited to gain root access locally. Note that Linux-Mandrake does not ship hfaxd setuid root by default.


April 23, 2001

Debian Security Advisory DSA 051-1-Netscape - The Netscape browser does not escape the GIF file comment in the image information page. This allows JavaScript execution in the "about:" protocol and can, for example, be used to upload the History (about:global) to a web server, thus leaking private information.

Debian Security Advisory DSA 052-1-sendfile - Daniel Kobras has discovered and fixed a problem in sendfiled which caused the daemon not to drop privileges as expected when sending notification mails. Exploiting this, a local user can easily make it execute arbitrary code with root privileges.

FreeBSD-SA-01:34-Hylafax - hylafax contains local compromise

FreeBSD-SA-01:35-Licq - licq contains multiple remote vulnerabilities

FreeBSD-SA-01:36-Samba - samba ports contain locally exploitable /tmp races

FreeBSD-SA-01:37-slrn - slrn contains remotely-exploitable buffer overflow

FreeBSD-SA-01:38-sudo - sudo contains local buffer overflow


April 20, 2001

Debian DSA-050-1 - Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled' which caused it to drop privileges incorrectly. Exploiting this, a local user can easily make it execute arbitrary code with root privileges.

Mandrake MDKSA-2001:040 - samba temp files

Microsoft MS01-015 Revision 2.0 - IE can Divulge Location of Cached Content

SuSE-SA:2001:15 - The HylaFax program hfaxd(8c) implements the server part of the HylaFax package. It is started either by inetd(8) or runs in standalone mode. hfaxd(8c) offers three different protocols to process fax jobs. When hfaxd(8c) tries to change to its queue directory and fails, it prints an error message via syslog by directly passing user-supplied data as the format string. As long as hfaxd(8c) is installed setuid root, this behavior could be exploited to gain root access locally.

AFFECTS: [6.1, 6.2,] 6.3, 6.4, 7.0, 7.1


April 19, 2001

Conectiva CLA-2001:394 - Several vulnerabilities have been found in the GNU/Linux kernel versions prior to 2.2.19. It is possible for local users to obtain root privileges, modify kernel memory and even crash the machine. A full list of the security problems can be found at http://www.linux.org.uk/VERSION/relnotes.2219.html. A security problem in the ReiserFS code has also been fixed, where long directory or file names could cause unexpected results. This update limits the maximum length to 255 bytes.

AFFECTS: kernels prior to 2.2.19

Conectiva CLA-2001:395 - Samba is a file server for Windows 9x/NT <-> Unix interoperability over the SMB protocol. Versions below 2.0.8 have a temporary file vulnerability which could be used by a remote attacker with a local account on the server to corrupt block devices such as a hard disk (/dev/hda).

AFFECTS: 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0

Debian Security Advisory DSA-046-2 - exuberant-ctags for sparc - The updated exuberant-ctags that was mentioned in DSA-046-1 was unfortunately compiled incorrectly: the stable chroot we used turned out to be running unstable instead.

Debian Security Advisory DSA-048-1 - cfingerd remote printf format attack - Megyer Laszlo reported on Bugtraq that the cfingerd package as distributed with Debian GNU/Linux 2.2 was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response, cfingerd could be exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger, an attacker can gain root privileges.

Debian Security Advisory DSA-048-2 - The updated samba packages that were mentioned in DSA-048-1 were unfortunately compiled incorrectly: the stable chroot we used turned out to be running unstable instead.

FreeBSD SA-01:32-REVISED - IPFilter may incorrectly pass packets allowing malicious remote users to bypass filtering rules, allowing them to potentially circumvent the firewall.

AFFECTS: All versions of FreeBSD prior to the correction date

FreeBSD SA-01:33-REVISED - The glob() function contains potential buffer overflows that may be exploitable through the FTP daemon. If a directory with a name of a certain length is present, a remote user specifying a pathname using globbing characters may cause arbitrary code to be executed on the FTP server as the user running ftpd, usually root.

AFFECTS: All versions prior to the correction date


April 18, 2001

Debian Security Advisory DSA-048-1 - samba symlink - Marcus Meissner discovered that samba was not creating temporary files safely in two places:
1 - When a remote user queried a printer queue, samba would create a temporary file in which the queue data would be written. This was done using a predictable filename and insecurely, allowing a local attacker to trick samba into overwriting arbitrary files.
2 - The smbclient "more" and "mput" commands also create temporary files in /tmp insecurely.

Microsoft MS01-022 - WebDAV Service Provider can allow scripts to levy requests as user.

SuSE-SA:2001:13 - The setuid application sudo(8) allows a user to execute commands under the privileges of another user (including root). sudo(8) prior to version 1.6.3p6 is vulnerable to a buffer overflow in its logging code, which could lead to local root compromise.

AFFECTS: 6.1, 6.2, 6.3, 6.4, 7.0, 7.1

SuSE-SA:2001:14 - The Nirvana Editor, NEdit, is a GUI-style text editor based on popular Macintosh and MS Windows editors. When printing a whole text or selected parts of a text, nedit(1) creates a temporary file in an insecure manner. This behavior could be exploited to gain access to other users' privileges, even root.

AFFECTS: [6.1, 6.2] 6.3, 6.4, 7.0, 7.1


April 17, 2001

Conectiva CLA-2001:393 - A remote JavaScript vulnerability exists in Netscape prior to version 4.77.

AFFECTS: 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0

FreeBSD SA-01:33 - The glob() function contains potential buffer overflows that may be exploitable through the FTP daemon. If a directory with a name of a certain length is present, a remote user specifying a pathname using globbing characters may cause arbitrary code to be executed on the FTP server as the user running ftpd, usually root.

AFFECTS: All versions prior to the correction date

Mandrake MDKSA-2001:037 - A number of security problems have been found in the Linux kernels prior to the latest 2.2.19 kernel.

AFFECTS: 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1


April 16, 2001

Debian DSA-047-1 multiple kernel problems - The kernels used in Debian GNU/Linux 2.2 have been found to have multiple security problems. This is a list of problems based on the 2.2.19 release.

AFFECTS: Kernel 2.2.19

FreeBSD SA-01:32 - IPFilter may incorrectly pass packets allowing malicious remote users to bypass filtering rules, allowing them to potentially circumvent the firewall.

AFFECTS: All versions of FreeBSD prior to the correction date

Microsoft MS01-021 - Invalid Web Request Can Cause Access Violation in ISA Server Web Proxy Service causing a denial of service.

AFFECTS: ISA Server 2000

Redhat RHSA-2001-046-05 - New netscape packages are available to fix a problem with the handling of JavaScript in certain situations. By exploiting this flaw, a remote site could gain access to the browser history, and possibly other data.


April 15, 2001

Debian DSA-046-1 exuberant ctags - Colin Phipps discovered that the exuberant-ctags packages as distributed with Debian GNU/Linux 2.2 creates temporary files insecurely. This has been fixed in version 1:3.2.4-0.1 of the Debian package, and upstream version 3.5.


April 12, 2001

Virus Alert - I-Worm.Badtrans - Alias: W32.Badtrans.13312@mm. Spread Method: via e-mail (a copy of the worm is sent as a reply message to all unread e-mails in the user's Inbox folder).

Description:

Worm part: When the attachment is executed, the worm drops the trojan "hkk32.exe" into the Windows folder and executes it. A copy of the worm is created under the file name inetd.exe in the Windows folder. The following line is added to "win.ini" in the [windows] section: run=c:\windows\inetd.exe.


April 11, 2001

CERT Advisory CA-2001-08 - Multiple Vulnerabilities in Alcatel ADSL Modems

Affected:

* Alcatel Speed Touch Home ADSL Modem

* Alcatel 1000 ADSL Network Termination Device


April 10, 2001

Backdoors in Alcatel ADSL Modems - multiple vulnerabilities in Alcatel ADSL Modems

CERT Advisory CA-2001-07 - File Globbing Vulnerabilities in Various FTP Servers. A variety of FTP servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server.

Redhat RHSA-2001:047-03 - A local denial of service attack and root compromise of the kernel have been corrected, drivers have been updated, and NFS version 3 has been integrated.

SuSE-SA:2001:11 - The Midnight Commander, mc(1), is an ncurses-based file manager. A local attacker could trick mc(1) into executing commands with the privileges of the user running mc(1) by creating malicious directory names. This attack leads to local privilege escalation.

AFFECTED: 6.1, 6.2, 6.3, 6.4, 7.0, 7.1

SuSE-SA:2001:12 - The text editor vim, Vi IMproved, was found vulnerable to two security bugs: a tmp race condition, and vim commands embedded in regular files being executed if the status line of vim is enabled in vimrc. Both vulnerabilities could be used to gain unauthorized access to more privileges.

AFFECTS: 6.1, 6.2, 6.3, 6.4, 7.0, 7.1


April 9, 2001

Conectiva Linux CLA-2001:392 - A remote buffer overflow exists in "xntp3", a package used to synchronize clocks between computers on a network.

AFFECTED: 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0

Redhat RHSA-2001:042-02 - Updated pine packages are now available for Red Hat Linux 7.0, 6.2, and 5.2. These new updated packages fix temporary file creation issues in the pine mail client and the pico text editor that comes with pine.

Redhat RHSA-2001:046-03 - New netscape packages are available to fix a problem with the handling of JavaScript in certain situations. By exploiting this flaw, a remote site could gain access to the browser history, and possibly other data.

SuSE-SA:2001:10 - ntp/xntp

AFFECTED: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, 7.1


April 6, 2001

FreeBSD-SA-01:31-ntp - An overflowable buffer exists in the ntpd daemon related to the building of a response for a query with a large readvar argument. Due to insufficient bounds checking, a remote attacker may be able to cause arbitrary code to be executed as the user running the ntpd daemon, usually root.

AFFECTED: 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1


April 5, 2001

Debian DSA 045-1 - ntp - A remote root exploit has been found by Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>, who reported that ntp daemons such as the one released with Debian GNU/Linux are vulnerable to a buffer overflow that can lead to a remote root exploit. This has been corrected for Debian 2.2 (potato) in ntp version 4.0.99g-2potato1.


April 4, 2001

Adore worm targets linux - The third Linux worm in less than three months hit the Internet this week.

Known as the Adore worm, the program is designed to create so-called back doors in the security of Linux systems and send information identifying the compromised systems to four different e-mail addresses hosted on servers in China and the United States.

NOTE: RHP Studios installed/managed Linux systems cannot be infected by this worm, which exploits older versions of 4 separate packages. This worm also installs modified versions of ICMP and PS, which would clearly show up during a file system check using MD5 hashes.


April 3, 2001

Caldera CSSA-2001-012.0 - During code audits of the Linux Kernel several security problems have been found. Some of them allow a local attacker to gain root privileges through race conditions, others allow reading and possibly writing of random kernel memory. With these patches now being available in the 2.2.19 kernel, this update backports them to the kernels used in our products.

AFFECTS: OpenLinux 2.3 - All packages previous to linux-2.2.10-12

OpenLinux eServer 2.3.1 & OpenLinux eBuilder - All packages previous to linux-2.2.14-11S

OpenLinux eDesktop 2.4 - All packages previous to linux-2.2.14-7

Cert CA-2001-06 - Automatic Execution of Embedded MIME Types

AFFECTS: All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, and any software which utilizes vulnerable versions of Internet Explorer to render HTML

Defcom Labs Advisory - The Navision Financials Server contains a flaw that allows an attacker to crash the service.

AFFECTS: Navision Financials Server V2.50 for Windows NT/2000, Navision Financials Server V2.60 for Windows NT/2000

SuSE-SA:2001:07 Updated - A remote denial-of-service vulnerability exists in nkitb/nkitserv.

AFFECTS: versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1


Copyright © 1998 - 2004 RHP Studios
All Rights Reserved!
Report errors to webmaster@rhpstudios.com
Last Updated on July 24, 2004 @ 11:45 hrs EST