June 20, 2001
Mandrake MDKSA-2001:056 tcpdump update - A number of remote buffer overflows were discovered in the tcpdump package that would allow a remote attacker to crash the local tcpdump process. Intrusion detection using tcpdump would no longer be useful, since the attack stops tcpdump from capturing network activity on the system. This new version of tcpdump also fixes a vulnerability in the decoding of AFS ACL packets which would allow a remote attacker to run arbitrary code on the local system with root privileges.
Mandrake MDKSA-2001:057 proftpd - Clarifies that the CERT advisory recently released about incorrect buffer management in the glob() function does not pertain to proftpd on the Linux platform.
Mandrake MDKSA-2001:058 ispell - The ispell program uses mktemp() to name temporary files, which makes it vulnerable to symlink attacks. The program now has a patch from OpenBSD applied that uses mkstemp() instead, and replaces gets() with fgets() for reading user input.
Mandrake MDKSA-2001:059 webmin - Caldera recently found that when webmin starts a system daemon from the web frontend it does not clear its environment variables. Since these variables contain the administrator's authorization, any such daemon would inherit them.
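The fix for the webmin issue is to hand a spawned daemon an explicit environment instead of the web frontend's. The following is an added example, not webmin's code: it filters a constructed CGI-style environment down to an allow list and starts the child with execve(), so the child sees exactly that list and nothing else. The variable names (HTTP_COOKIE, REMOTE_USER, LD_PRELOAD), the allow list and the "daemon" (a shell one-liner) are assumptions for illustration; it assumes a POSIX system with /bin/sh.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed stand-in for the web frontend's CGI environment. The names
 * are illustrative only; they are not webmin's actual variables. */
static char *const frontend_env[] = {
    "PATH=/usr/bin:/bin", "HOME=/root", "LANG=C",
    "HTTP_COOKIE=sid=0123abcd", "REMOTE_USER=admin", "LD_PRELOAD=/tmp/evil.so",
    NULL
};

/* Only these names survive into a spawned daemon's environment (assumed). */
static const char *const daemon_allow[] = { "PATH", "HOME", "LANG", NULL };

/* Does env contain an entry NAME=...? */
static int env_has(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return 1;
    return 0;
}

/* Return a NULL-terminated copy of env keeping only entries whose NAME is
 * on allow. Session cookies, auth data, loader variables and anything
 * malformed are dropped. Free the result with free_env(). */
static char **filter_env(char *const *env, const char *const *allow)
{
    size_t n = 0, k = 0;
    while (env[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(env[i], '=');
        if (!eq) continue;                              /* malformed: drop */
        size_t namelen = (size_t)(eq - env[i]);
        for (const char *const *a = allow; *a; a++) {
            if (strlen(*a) == namelen && strncmp(*a, env[i], namelen) == 0) {
                out[k++] = strdup(env[i]);
                break;
            }
        }
    }
    out[k] = NULL;
    return out;
}

static void free_env(char **env)
{
    for (char **p = env; env && *p; p++) free(*p);
    free(env);
}

/* Start a program with an explicit environment rather than the caller's.
 * execve() gives the child exactly envp. Returns the child's exit status,
 * or -1 if it could not be started or did not exit normally. */
static int spawn_with_env(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in "daemon": exits 0 only if it cannot see the sensitive variables.
 * Returns 1 if the daemon could see them under envp, 0 otherwise. */
static int daemon_sees_secrets(char *const envp[])
{
    char *const argv[] = {
        "sh", "-c", "test -z \"$HTTP_COOKIE\" && test -z \"$LD_PRELOAD\"", NULL
    };
    return spawn_with_env("/bin/sh", argv, envp) != 0;
}

int main(void)
{
    char **clean = filter_env(frontend_env, daemon_allow);
    printf("inherited environment: daemon sees secrets? %s\n",
           daemon_sees_secrets(frontend_env) ? "yes" : "no");
    printf("filtered environment : daemon sees secrets? %s\n",
           daemon_sees_secrets(clean) ? "yes" : "no");
    free_env(clean);
    return 0;
}
```

An allow list is preferable to a deny list here: the frontend cannot know every variable a future version will put in the environment, but it does know the handful a daemon legitimately needs.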
Mandrake MDKSA-2001:060 rxvt - Samuel Dralet recently discovered a vulnerability in the rxvt terminal emulator: a buffer overflow in the command.c file. The overflow can be exploited to gain elevated privileges on a system where rxvt is installed setgid. Because rxvt has never been installed setgid on any Mandrake Linux system, Mandrake Linux is not vulnerable to this problem.
June 19, 2001
CERT Advisory CA-2001-13 - Buffer Overflow In IIS Indexing Service DLL
Conectiva CLA-2001:403 - Wolfram Kleff reported [1] that fetchmail would segfault when receiving emails with large "To:" headers. This was due to a buffer overflow in the header parser and could be exploited remotely.
Conectiva CLA-2001:404 - Two security fixes for xinetd
Redhat RHSA-2001:077-05 - LPRng fails to drop supplemental group membership.
June 18, 2001
Mandrake MDKSA-2001:046-2 (Update) - A problem exists in the kdesu component of kdelibs. It created a world-readable temporary file to exchange authentication information and deleted it shortly afterwards. A local user can abuse this to gain access to the X server, which could result in a compromise of the account that kdesu would access.
Microsoft MS01-033 - Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
June 17, 2001
Debian Security Advisory DSA-063-1 - zen-parse reported on bugtraq that there is a possible buffer overflow in the logging code of xinetd. It could be triggered by using a fake identd that returns special replies when xinetd makes an ident request.
Another problem is that xinetd sets its umask to 0. As a result, any program that xinetd starts that is not careful with file permissions will create world-writable files.
June 16, 2001
Debian Security Advisory DSA-060-1 - Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The cause was a buffer overflow in the header parser, which could be exploited.
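Both fetchmail entries (this one and CLA-2001:403 above) describe the same bug class: a header value copied into a fixed-size buffer with no length check. The following is an added example, not fetchmail's parser: the unbounded copy is shown beside a bounded one that always NUL-terminates, reports truncation and returns the value's real length so oversized headers can be rejected rather than silently cut. The buffer size HDR_MAX and the sample headers are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define HDR_MAX 256   /* fixed scratch buffer of the kind such parsers used */

/* VULNERABLE shape of the bug: the header value is copied into a fixed
 * buffer with no bound, so a "To:" line longer than the buffer overruns it
 * (on the stack, if the buffer is a local). Shown for contrast; it is only
 * ever called with short input here. */
static void copy_header_value_unbounded(char dst[HDR_MAX], const char *line)
{
    const char *v = strchr(line, ':');
    strcpy(dst, v ? v + 1 : line);
}

/* Fixed: bounded copy that always NUL-terminates, strips leading white
 * space and the CRLF, and tells the caller whether the value was cut.
 * Returns the full length of the value as found in the message. */
static size_t copy_header_value(char *dst, size_t dstlen, const char *line, int *truncated)
{
    const char *v = strchr(line, ':');
    v = v ? v + 1 : line;
    while (*v == ' ' || *v == '\t') v++;
    size_t vlen = strcspn(v, "\r\n");                 /* value ends at EOL */
    size_t n = vlen < dstlen - 1 ? vlen : dstlen - 1; /* leave room for NUL */
    memcpy(dst, v, n);
    dst[n] = '\0';
    if (truncated) *truncated = vlen > n;
    return vlen;
}

static char scratch[HDR_MAX];   /* the parser's fixed buffer */

/* Convenience wrappers over the fixed buffer. */
static const char *header_value(const char *line)
{
    copy_header_value(scratch, sizeof scratch, line, NULL);
    return scratch;
}

static int header_truncated(const char *line)
{
    int t = 0;
    copy_header_value(scratch, sizeof scratch, line, &t);
    return t;
}

/* Constructed hostile input: a "To:" header with a 4096-byte value. */
static const char *long_to_line(void)
{
    static char line[4 + 4096 + 3];
    memcpy(line, "To: ", 4);
    memset(line + 4, 'a', 4096);
    memcpy(line + 4 + 4096, "\r\n", 3);
    return line;
}

int main(void)
{
    const char *benign = "To: bob@example.org\r\n";   /* constructed */
    char buf[HDR_MAX];
    copy_header_value_unbounded(buf, benign);        /* harmless for short input */
    printf("unbounded copy of benign header: '%s'\n", buf);

    int cut = header_truncated(long_to_line());
    printf("bounded copy of 4096-byte header: kept %zu bytes, truncated=%d\n",
           strlen(scratch), cut);
    return 0;
}
```

The return value matters as much as the bound: a parser that truncates silently may later act on a header that no longer means what the sender wrote, so callers should treat a truncated value as a malformed message.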
Debian Security Advisory DSA-061-1 - fish stiqz reported on bugtraq that there was a printf format bug in the do_get() function: it printed a prompt which included the name of the file being decrypted without guarding against printf format attacks. This could be exploited by tricking someone into decrypting a file with a specially crafted filename.
The second bug concerns importing secret keys: when gnupg imported a secret key it immediately made the associated public key fully trusted, which changes your web of trust without asking for confirmation. To fix this, you now need a special option to import a secret key.
Debian Security Advisory DSA-062-1 - Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) has a buffer overflow in the tt_printf() function. A local user could abuse this by making rxvt print a special string through that function, for example via the -T or -name command-line options. That string would cause a stack overflow and could contain code which rxvt will then execute.
Since rxvt is installed sgid utmp, an attacker could use this to gain the utmp group, which would allow him to modify the utmp file.
June 13, 2001
Conectiva CLA-2001:402 - Format string vulnerability in exim
Mandrake MDKSA-2001:056 - A number of remote buffer overflows were discovered in the tcpdump package that would allow a remote attacker to crash the local tcpdump process. Intrusion detection using tcpdump would no longer be useful, since the attack stops tcpdump from capturing network activity on the system. This new version of tcpdump also fixes a vulnerability in the decoding of AFS ACL packets which would allow a remote attacker to run arbitrary code on the local system with root privileges.
Microsoft MS01-030 Version 3.0 - Incorrect Attachment Handling in Exchange OWA Can Execute Script
June 12, 2001
Debian Security Advisory DSA-059-1 - Luki R. reported a bug in man-db: it did not handle nested calls of drop_effective_privs() and regain_effective_privs() correctly, which caused it to regain privileges too early. This could be abused to make man create files as user man.
Microsoft MS01-032 - SQL Query Method Enables Cached Administrator Connection to be Reused.
Redhat RHSA-2001:073-04 - Format string vulnerability discovered in gnupg.
Redhat RHSA-2001:074-03 - The ispell program uses mktemp() to name temporary files, which makes it vulnerable to symlink attacks.
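Both ispell entries (this one and MDKSA-2001:058 above) come down to the same flaw: mktemp() only chooses a name, and the file is opened in a second step, so an attacker who guesses the name can plant a symlink in between and the open follows it. The following is an added example, not ispell's code nor the OpenBSD patch: it reproduces the attack in a private scratch directory and then shows the two defences, O_EXCL on the open (which refuses to follow anything already at the name) and mkstemp(), which chooses the name and creates the file in one atomic step with O_EXCL and mode 0600. The scratch paths and the "guessed" temp name are constructed for the demo; it assumes a POSIX system where /tmp or the current directory is writable.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Attacker's side: make a private scratch directory (stand-in for /tmp)
 * holding a victim file and, at the name the victim program is about to
 * use, a symlink pointing at it. Returns 0 on success. */
static int plant_symlink(char *dir, size_t dirlen, char *victim, size_t vlen,
                         char *lnk, size_t llen)
{
    snprintf(dir, dirlen, "%s", "/tmp/ispell-demo-XXXXXX");
    if (!mkdtemp(dir)) {
        snprintf(dir, dirlen, "%s", "./ispell-demo-XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    snprintf(victim, vlen, "%s/victim", dir);
    snprintf(lnk, llen, "%s/ispellAB1234", dir);   /* name the attacker guessed */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, "original\n", 9);
    close(fd);
    if (w != 9) return -1;
    return symlink(victim, lnk);
}

static void cleanup(const char *dir, const char *victim, const char *lnk)
{
    unlink(lnk); unlink(victim); rmdir(dir);
}

/* Victim program's side. use_excl == 0 is the mktemp() pattern: the name
 * was chosen earlier and fopen()/open() with O_CREAT|O_TRUNC now follows
 * whatever sits at that name. use_excl == 1 adds O_EXCL, which fails with
 * EEXIST if anything, a symlink included, already exists there.
 * Returns 1 if the write landed in the victim file, 0 if the open was
 * refused with EEXIST, -1 on setup error. */
static int scratch_write(int use_excl)
{
    char dir[64], victim[96], lnk[96], seen[32] = {0};
    int result = -1;
    if (plant_symlink(dir, sizeof dir, victim, sizeof victim, lnk, sizeof lnk) < 0)
        return -1;

    int flags = O_WRONLY | O_CREAT | O_TRUNC | (use_excl ? O_EXCL : 0);
    int fd = open(lnk, flags, 0600);
    if (fd < 0) {
        result = (errno == EEXIST) ? 0 : -1;
    } else {
        if (write(fd, "ispell scratch", 14) == 14) {
            int vfd = open(victim, O_RDONLY);      /* did it reach the victim? */
            if (vfd >= 0) {
                if (read(vfd, seen, sizeof seen - 1) < 0) seen[0] = '\0';
                close(vfd);
            }
            result = strncmp(seen, "ispell", 6) == 0;
        }
        close(fd);
    }
    cleanup(dir, victim, lnk);
    return result;
}

/* The advisory's fix: mkstemp() picks the name and creates the file in one
 * step (O_CREAT|O_EXCL, mode 0600) and hands back the open descriptor.
 * Returns 1 if the result is a fresh regular file with mode 0600. */
static int mkstemp_is_safe(void)
{
    char tmpl[] = "/tmp/ispell-XXXXXX", alt[] = "./ispell-XXXXXX";
    char *path = tmpl;
    int fd = mkstemp(tmpl);
    if (fd < 0) { path = alt; fd = mkstemp(alt); }
    if (fd < 0) return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("mktemp()+open(O_CREAT|O_TRUNC): victim clobbered = %d\n", scratch_write(0));
    printf("open(... O_EXCL)              : victim clobbered = %d\n", scratch_write(1));
    printf("mkstemp(): regular file with mode 0600 = %d\n", mkstemp_is_safe());
    return 0;
}
```

Note that O_EXCL, not name unpredictability, is what closes the hole: even if the attacker guesses the name, the create fails instead of following the link. Keep using the descriptor mkstemp() returns; re-opening the file by name reintroduces the race.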
Redhat RHSA-2001:075-04 - xinetd runs with umask 0. This means that applications that use the xinetd umask and do not set permissions themselves (like swat from the samba package) will create world-writable files.
June 11, 2001
Mandrake MDKSA-2001:054 - Several buffer overflow vulnerabilities have been found in the UW-IMAP package by the authors and independent groups. These vulnerabilities can be exploited only after a user has authenticated, which limits the impact to a remote shell with that user's permissions.
Mandrake MDKSA-2001:055 - A bug exists in xinetd as shipped with Mandrake Linux 8.0 dealing with TCP connections in the WAIT state that prevents linuxconf-web from working properly. xinetd also contains a security flaw in that it defaults to a umask of 0. This means that applications that use the xinetd umask and do not set permissions themselves (like SWAT, the web configuration tool for Samba) will create world-writable files.
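The umask is inherited across fork() and exec(), so a service started by xinetd runs with xinetd's umask of 0, and the common open(path, O_CREAT, 0666) then yields a world-writable file. The following is an added example, not xinetd's or SWAT's code, covering the three xinetd umask entries above (DSA-063-1, RHSA-2001:075-04 and this one): it creates a file under a few inherited umasks and shows the two defences a service has, passing an explicitly restrictive mode, or clamping the inherited umask at startup so group and other can never get write permission. File names are constructed; it assumes a POSIX system with a writable /tmp or current directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a file the way a service started by xinetd would: under the
 * umask it inherited, with the mode the program passes to open()/creat().
 * Returns the permission bits the file actually received, or -1 on error. */
static int create_under_umask(mode_t inherited_umask, mode_t requested_mode)
{
    char dir[] = "/tmp/umask-demo-XXXXXX", alt[] = "./umask-demo-XXXXXX", path[64];
    char *d = mkdtemp(dir) ? dir : (mkdtemp(alt) ? alt : NULL);
    if (!d) return -1;
    snprintf(path, sizeof path, "%s/out", d);

    mode_t saved = umask(inherited_umask);   /* what the parent handed us */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested_mode);
    umask(saved);

    int bits = -1;
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0) bits = (int)(st.st_mode & 0777);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(d);
    return bits;
}

static int world_writable(int bits)
{
    return bits >= 0 && (bits & S_IWOTH) != 0;
}

/* What a defensive service does at startup: keep whatever the parent
 * masked out, but never let group or other obtain write permission.
 * Returns the umask to install (umask(hardened_umask(umask(0)))). */
static mode_t hardened_umask(mode_t inherited)
{
    return inherited | S_IWGRP | S_IWOTH;
}

int main(void)
{
    int bits;
    bits = create_under_umask(0, 0666);
    printf("umask 0, open(0666)       : %04o world-writable=%d (xinetd's default)\n",
           bits, world_writable(bits));
    bits = create_under_umask(022, 0666);
    printf("umask 022, open(0666)     : %04o world-writable=%d\n",
           bits, world_writable(bits));
    bits = create_under_umask(hardened_umask(0), 0666);
    printf("hardened umask, open(0666): %04o world-writable=%d\n",
           bits, world_writable(bits));
    bits = create_under_umask(0, 0600);
    printf("umask 0, open(0600)       : %04o world-writable=%d (explicit mode)\n",
           bits, world_writable(bits));
    return 0;
}
```

Of the two defences, the explicit mode is the more robust: it does not depend on every code path remembering to fix the umask, and library code that creates files (log rotation, lock files) benefits from it too.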
June 9, 2001
Debian Security Advisory DSA-058-1 - Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks.
Microsoft MS01-030 Version 2.0 - Incorrect Attachment Handling in Exchange OWA Can Execute Script
June 8, 2001
Microsoft MS01-031 - Predictable Name Pipes Could Enable Privilege Elevation via Telnet
June 7, 2001
Conectiva CLA-2001:399 - Fix for two gnupg vulnerabilities
Microsoft MS01-030 - Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script.
June 4, 2001
FreeBSD-SA-01:40 - fts(3) routines contain race condition [REVISED]
June 3, 2001
SuSE SA:2001:020 - A format string vulnerability allowing local privilege escalation in versions of GnuPG before 1.0.6 has been found.
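The exim entry (DSA-058-1), the gnupg do_get() entry (DSA-061-1) and this GnuPG entry are all the same mistake: attacker-controlled text (a mail header, a filename) reaches a printf-style function as its format argument, so any %x, %s or %n it contains is interpreted. The following is an added example, not exim's or gnupg's code: a log_write() that takes a format, the vulnerable call that hands it the assembled message as the format, the fixed call that passes the text as a %s argument, and a small counter for the directives a crafted string would trigger. log_write(), log_sink and the sample headers are assumptions for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char log_sink[512];   /* stands in for the log file */

/* A typical log_write(): printf-style, so its first argument is a FORMAT. */
static const char *log_write(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_sink, sizeof log_sink, fmt, ap);
    va_end(ap);
    return log_sink;
}

/* VULNERABLE: the message, which embeds attacker-controlled header text,
 * is handed to log_write() as the format. Every %x, %s or %n inside the
 * header is then interpreted: %x leaks stack words, %s dereferences them,
 * %n writes to memory. Only called below with benign input, which is
 * exactly why this class of bug survives normal testing. */
static const char *log_bad_header_vulnerable(const char *header)
{
    char msg[256];
    snprintf(msg, sizeof msg, "malformed header: %s", header);   /* fine */
    return log_write(msg);                                         /* bug */
}

/* FIXED: the format is a literal; the header travels as a %s argument and
 * its contents are never interpreted. */
static const char *log_bad_header_fixed(const char *header)
{
    return log_write("malformed header: %s", header);
}

/* How many conversion directives would be interpreted if s were used as a
 * format? "%%" is a literal percent and does not count. Handy for spotting
 * crafted headers or filenames in logs. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *crafted = "From: %x%x%x%x%n";   /* constructed attacker header */
    printf("fixed     : %s\n", log_bad_header_fixed(crafted));
    printf("            (%d directives left uninterpreted)\n", count_directives(crafted));
    printf("vulnerable, benign input: %s\n", log_bad_header_vulnerable("X-Test: plain"));
    return 0;
}
```

The pattern to grep for is any printf-family call, including syslog() and custom wrappers, whose format argument is a variable rather than a string literal; compilers flag it with -Wformat-security, and the fix is always the same: a literal format with the data passed through %s.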