It has been known for years that spammers harvest web sites for email
addresses to add to their lists. Various sites have responded by hiding or
obfuscating email addresses found on their pages; some people go to extreme
measures to keep their address from ever appearing on a page. One wonders
what they are worried about; your editor only receives a mere 3-4000 spams
per day to his highly-public email address, after all.
Suffice to say that without SpamAssassin LWN would likely have collapsed
under the flood years ago.
Some folks have decided that it is time to take a more active stance
against the harvesting of email addresses from web pages. The result is an
Apache module called mod_spambot;
version 0.47 was recently released. The
idea behind this module is to detect accesses by address harvesters and
shut them down. Unfortunately, the approach this module takes is too
simplistic to work in many situations.
mod_spambot is essentially a traffic throttling module. If a given site
pulls down too many pages in a given time period (default is 100 pages in
one hour), its access is cut off. There is also a "honeypot" option which
will, instead, feed the (presumed) harvester a set of pseudo-random pages
with bogus email addresses in them. This approach may well cut off some
spammers, but anybody who has maintained a busy web site can see a few
problems fairly quickly:
This approach will also cut off others who may be grabbing large
numbers of pages from the site. Search engines come to mind, as do
archive sites or anybody wanting to mirror a portion of a site.
Cutting off people who thoughtlessly run a recursive wget to
grab an entire site has some appeal; "download the site" operations
account for a substantial part of LWN's bandwidth usage. But most
site operators do not want to pull the plug on search engines and the
like. mod_spambot allows the administrator to construct a whitelist,
but who wants to figure out how to whitelist every possible search
engine of interest?
There are some very large networks out there hiding behind a
massive router and a single IP address. Traffic which looks like it
originates from a single host may, in fact, be generated by hundreds
of individual readers.
Increasingly large amounts of traffic are generated by robots whose
sole purpose is to get a referrer URL onto a "top referrers" page
somewhere on the site. Purveyors of Internet gambling experiences and
particular types of imagery appear to like this approach to
marketing. The interesting thing is that these accesses come
simultaneously from a large number of IP addresses. These people,
clearly, are using a network of zombie machines for their attacks.
Spammers already use zombies to deliver their mail; it is hard to
believe that they would not use those machines for address harvesting
as well.
So throttling robots based on IP address will miss some attackers while
blocking legitimate users of the site. It would be nice to prevent one's
web site from being used as a resource by spammers, but this approach is
not, yet, the way to that end.
Bruce Schneier looks
at current plans for RFID-enabled U.S. passports; it seems that things
are headed in the right direction. "The most important feature
they've included is an access-control system for the RFID chip. The data on
the chip is encrypted, and the key is printed on the passport. The officer
swipes the passport through an optical reader to get the key, and then the
RFID reader uses the key to communicate with the RFID chip. This means that
the passport-holder can control who has access to the information on the
chip; someone cannot skim information from the passport without first
opening it up and reading the information inside. Good security."
Here's a SecurityFocus column on how the recent GreaseMonkey vulnerability was handled. "If we must continue the discussion to encompass the model of open source, then I have to say that the approach Greasemonkey took shows what makes open source great: openness. Throughout the whole painful process, information was available to those who needed it: developers, IT folks, users, and security pros. No one was kept in the dark, and all the details -- code, communications, thought processes, and so on -- were always available so that interested parties could make decisions based on facts instead of promises and conjecture."
Bill Stearns discovered a bug in the way sysreport creates temporary files.
It is possible that a local attacker could obtain sensitive information
about the system when sysreport is run.
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash.
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2
and 3.2.0 allows remote attackers to execute arbitrary code via a long
filename in an OBEX file share. Also remote attackers may execute
arbitrary commands via shell metacharacters in the filename argument of a
PUT command.
Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL).
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
Clam AntiVirus versions < 0.86.2 is vulnerable to integer overflows when
handling the TNEF, CHM and FSG file formats. By sending a
specially-crafted file an attacker could execute arbitrary code with the
permissions of the user running Clam AntiVirus.
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute.
The CUPS printing system has a problem with queue name
case-sensitivity matching that can cause a security policy override. An
unauthorized user can use this to gain print to a protected queue.
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another
user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Several vulnerabilities have been discovered in the ekg
contributed scripts. These include an
insecure temporary file creation problem, a
potential shell command injection problem, and an
arbitrary command execution problem.
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group.
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash.
The epiphany web browser had a vulnerability regression that was
caused by fixes to the Mozilla suite. This is specific to
Ubuntu Linux, the Mozilla fix was: USN-155-1.
The ethereal network traffic analyzer has several vulnerabilities,
involving traffic dissectors. Dissectors have buffer overflows,
format string overflows, and crashing/denial of service issues.
The fetchmail POP3 client has an arbitrary code execution vulnerability
that may be triggered by a malicious POP server. See this advisory for more information.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Paul Starzetz has posted an
advisory for yet another kernel vulnerability.
In this case, by using a specially manipulated ELF binary, a local attacker
can compromise the system (via the core dump code) and obtain root access.
This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Several vulnerabilities in the 2.6 kernel have been
fixed, including a subthread exec problem (CAN-2005-1913)
and a ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information.
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code.
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
Wouter Hanegraaff discovered that the TIFF library did not
sufficiently validate the "YCbCr subsampling" value in TIFF image
headers. Decoding a malicious image with a zero value resulted in an
arithmetic exception, which caused the program that uses the TIFF
library to crash. This leads to a Denial of Service in server
applications that use libtiff (like the CUPS printing system) and can
cause data loss in, for example, the Evolution email client.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
NetworkManager: format string bug in nm_info_handler
Package(s):
networkmanager
CVE #(s):
Created:
August 1, 2005
Updated:
August 3, 2005
Description:
Network Manager passes logging messages straight to syslog as the format
string. This causes it to crash when connecting to access points that
contain format string characters. This was reported
initially by Ian Jackson.
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
Hyper-Threading technology, as used in FreeBSD other operating systems and
implemented on Intel Pentium and other processors, allows local users to
use a malicious thread to create covert channels, monitor the execution of
other threads, and obtain sensitive information such as cryptographic keys,
via a timing attack on memory cache misses. See this LWN article for more information.
PowerDNS before 2.9.18 has several vulnerabilities. The LDAP backend does
not properly escape all queries, allowing it to fail and not answer queries
anymore. Queries from clients without recursion permission can temporarily
blank out domains to clients with recursion permitted. This enables
outside users to blank out a domain temporarily to normal users.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process.
Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow
attackers to cause a denial of service or obtain sensitive information via
certain inputs to the shutdown message from ftpshut, or the SQLShowInfo
mod_sql directive.
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Shorewall has a vulnerability in which a client that is accepted by
MAC address filtering can bypass other rules, allowing access to
all open services on the firewall.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
Multiple vulnerabilities have been found in the Mozilla Thunderbird email
client, as well as the Mozilla Suite and Firefox and Mozilla based other
browsers. Bugs include an anonymous function handling bug, a JavaScript
validation problem, privileged UI code handling DOM nodes, a JavaScript
privilege escalation, a problem with Javascript in XBL controls, improper
handling of child frames, a DOM name code execution vulnerability, and
a base object clone problem.
A bug in Tor allows attackers to view arbitrary memory contents from an
exit server's process space. A remote attacker could exploit the memory
disclosure to gain sensitive information and possibly even private keys.
Georgi Guninski discovered
that it was possible to construct Vim 6.3 modelines that execute arbitrary
shell commands by wrapping them in glob() or expand() function calls. If an
attacker tricked an user to open a file with a specially crafted modeline,
he could exploit this to execute arbitrary commands with the user's
privileges.
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite
certain files via a redirection URL containing a ".." that resolves to the
IP address of the malicious server, which bypasses wget's filtering for
".." sequences.
wget 1.8.x and 1.9.x does not filter or quote control characters when
displaying HTTP responses to the terminal, which may allow remote malicious
web servers to inject terminal escape sequences and execute arbitrary code.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
zlib has a buffer overflow vulnerability that can be exploited
by inflation of corrupted files, this can be used to crash zlib
or possibly remotely execute code.
