May 2001 Advisories and Exploits


May 29, 2001

FreeBSD-SA-01:23 - icecast port contains remote vulnerability (REVISED)


May 28, 2001

FreeBSD-SA-01:36 - samba ports contain locally exploitable /tmp races [REVISED]


May 15, 2001

CERT Advisory CA-2001-12 - Superfluous Decoding Vulnerability in IIS. A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. This vulnerability closely resembles a previous vulnerability in IIS that was widely exploited. The CERT/CC urges IIS administrators to take action to correct this vulnerability.

Mandrake MDKSA-2001:047-1-pine - Versions of the Pine email client prior to 4.33 have various temporary file creation problems, as does the pico editor. These issues allow any user with local system access to cause any files owned by any other user, including root, to potentially be overwritten if the conditions were right.

Suse SuSE-SA:2001:17-cron-3.0.1-296 - The crontab program runs setuid root and invokes the editor specified in the EDITOR environment variable, usually vi. If crontab discovers that the format of the edited file is incorrect, it executes the editor again but fails to drop its root privileges before doing so. Therefore it is possible to execute arbitrary commands as root. Sebastian Krahmer found the bug. It has been fixed by properly dropping the privileges before executing the editor.


May 14, 2001

Mandrake MDKSA-2001:048-cups UPDATE - The version of cups shipped with Linux-Mandrake 8.0 has a problem: when a user prints a multi-page PostScript file with embedded pictures, the pages following the first one with a picture are all printed on the same page, one on top of the other. From multi-page Abiword files (text only) only the last page is printed. This update resolves this bug. In addition, the upstream 1.1.7 release of cups fixes some security issues.

Mandrake MDKSA-2001:049-Zope UPDATE - Another problem was discovered in Zope, this one involving ZClasses. Any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing unauthorized access within the Zope instance. The Zope Hotfix 2001-05-01 corrects this problem.

Mandrake MDKSA-2001:050-vixie-cron UPDATE - A recent security fix to cron introduced a new problem with giving up privileges before invoking the editor. A malicious local user could exploit this to gain root access.

Microsoft MS01-026 - Superfluous Decoding Operation Could Allow Command Execution via IIS.


May 10, 2001

Mandrake MDKSA-2001:048-cups - The version of cups shipped with Linux-Mandrake 8.0 has a problem: when a user prints a multi-page PostScript file with embedded pictures, the pages following the first one with a picture are all printed on the same page, one on top of the other. From multi-page Abiword files (text only) only the last page is printed. This update resolves this bug. In addition, the upstream 1.1.7 release of cups fixes some security issues.

Mandrake MDKSA-2001:049-Zope - Another problem was discovered in Zope, this one involving ZClasses. Any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing unauthorized access within the Zope instance. The Zope Hotfix 2001-05-01 corrects this problem.

Mandrake MDKSA-2001:050-vixie-cron - A recent security fix to cron introduced a new problem with giving up privileges before invoking the editor. A malicious local user could exploit this to gain root access.

Mandrake MDKSA-2001:051-minicom - Several format string vulnerabilities exist in the minicom program. These bugs can be exploited to obtain group uucp privilege. A simple workaround is to remove the setgid bit on /usr/bin/minicom; however, these new packages fix the vulnerabilities through a patch from Red Hat and also strip the setgid bit.

Microsoft MS00-035 Version 2 - Patch Available for "SQL Server 7.0 Service Pack Password" Vulnerability. When SQL Server 7.0 Service Packs 1, 2, or 3 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user to read them who could log onto the server interactively.

Microsoft MS01-025 - Index Server Search Function Contains Unchecked Buffer. The patches provided in the bulletin address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.

The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006 (http://www.microsoft.com/technet/security/bulletin/MS00-006.asp). The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type. If an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.


May 09, 2001

Conectiva CLA-2001:396-samba - Samba versions prior to 2.0.9 contain a vulnerability that allows local users to corrupt block devices (e.g. disk partitions) as well as gain unauthorized privileges.

Debian Security Advisory DSA-048-3-samba - Marc Jacobsen from HP discovered that the security fixes from samba 2.0.8 did not fully fix the /tmp symlink attack problem. The samba team released version 2.0.9 to fix that, and those fixes have been added to version 2.0.7-3.3 of the Debian samba packages.

VIRUS ALERT - VBS.Homepage.A@mm


May 08, 2001

CERT Advisory CA-2001-11 sadmind/IIS Worm - A new worm that affects Microsoft IIS and Solaris.

Debian Security Advisory DSA-055-1-gftp - The gftp package as distributed with Debian GNU/Linux 2.2 has a problem in its logging code: it logged data received from the network but did not protect itself from printf format string attacks. An attacker can exploit this by making an FTP server return specially crafted responses.

Debian Security Advisory DSA-056-1-man-db - Ethan Benson found a bug in the man-db packages as distributed in Debian GNU/Linux 2.2. man-db includes a mandb tool which is used to build an index of the manual pages installed on a system. When the -u or -c option was given on the command line to tell it to write its database to a different location, it failed to properly drop privileges before creating a temporary file. This makes it possible for an attacker to use a standard symlink attack to trick mandb into overwriting any file that is writable by uid man, which includes the man and mandb binaries.

Microsoft Security Advisory MS01-024 - Malformed Request to Domain Controller can Cause Memory Exhaustion, creating a denial of service.

AFFECTS: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server

Redhat RHSA-2001:061-02-nedit - nedit creates temporary files in an insecure fashion.


May 07, 2001

Debian Security Advisory DSA-054-1-cron - A recent (fall 2000) security fix to cron introduced an error in giving up privileges before invoking the editor. A malicious user could easily gain root access.

Mandrake MDKSA-2001:047-pine - Versions of the Pine email client prior to 4.33 have various temporary file creation problems, as does the pico editor. These issues allow any user with local system access to cause any files owned by any other user, including root, to potentially be overwritten if the conditions were right.


May 04, 2001

Suse SuSE-SA:2001:16-sgmltool-1.0.9-266 - The SGML Perl module creates temporary files in an insecure way.

AFFECTS: 6.3, 6.4, 7.0, 7.1


May 03, 2001

Mandrake MDKSA-2001:045-gnupg - GnuPG version 1.0.5 has been released that fixes a few security problems, including a vulnerability that makes it easier for an attacker to recover your private key if they are able to steal your keyring.

AFFECTS: 7.1, 7.2, 8.0, Corporate Server 1.0.1

Mandrake MDKSA-2001:046-kdelibs - A problem exists with the kdesu component of kdelibs. It created a world-readable temporary file to exchange authentication information and deleted it shortly after. This can be abused by a local user to gain access to the X server and could result in a compromise of the account that kdesu would access.

AFFECTS: 8.0


May 02, 2001

CERT Advisory CA-2001-09 - Statistical Weaknesses in TCP/IP Initial Sequence Numbers

CERT Advisory CA-2001-10 - A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine.

A proof-of-concept exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply the patch.

FreeBSD-SA-01:39-TCP ISN - TCP initial sequence number generation contains statistical vulnerability

Redhat RHSA-2001:059-03-kdelibs - Updated kdelibs packages fixing a security problem, some memory leaks and some minor bugs are available.

Redhat RHSA-2001:058-04-mount - Updated mount packages fix swap file permissions that were improperly set during installation.


May 01, 2001

Microsoft MS01-023 - Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server


Copyright © 1998 - 2004 RHP Studios
All Rights Reserved!
Report errors to webmaster@rhpstudios.com
Last Updated on July 24, 2004 @ 11:45 hrs EST