The Domain Name System (DNS) has been in the news a bit recently, mostly
because of a ham-handed
attempt
by the US Department of Homeland Security (DHS) to control the master
signing key for the DNS Security Extensions (DNSSEC) root zone. While the
impact of that is still being
debated,
it certainly does not help alleviate
the fears that other countries have regarding US control of the Internet.
Meanwhile, the DHS is
pushing adoption of DNSSEC
which further fans the flames, even while there are serious
questions
about the protocol and what, if any, real problems it solves.
On another front, Bugtraq readers will have noticed a
call to action
regarding DNS issues from security researcher Gadi Evron. All of this
seems like a good reason to take a look at DNS and DNSSEC and to try to
shed some light on the state of Internet name lookups.
DNS is one of the most
commonly used services on the Internet, every time one puts 'lwn.net' into
a browser, it is used to turn that name into an IP address. In a naive
implementation, the browser causes the machine to talk to one of the 13
root servers (k.root-servers.net for example) requesting information
about a nameserver for 'net'; it will get a response listing the 13 servers
that handle requests for the 'net' top-level domain
(D.GTLD-SERVERS.NET for example).
As part of the answer, it also receives the IP address for D.GTLD-SERVERS.NET
(otherwise it would have to query for that IP address which could lead to
an infinite loop) and it uses that address to query for a nameserver for
'lwn.net'. The response is a set of hosts and their IP addresses that are
the nameservers for the 'lwn.net' domain and these in turn can be queried
to get the IP address of the host of interest. After all that, the browser
can connect to the IP address on port 80 and commence with the HTTP request.
In most cases, all of that traffic does not get generated each time a hostname
needs to be resolved because there are caches that store
information on intermediate hosts. Hosts are typically configured to talk
to a caching nameserver when they make DNS requests. The caching nameservers
store name-to-IP mappings for as long as the time-to-live (TTL) value will
allow. TTL values are an amount of time in seconds that the
information returned is valid; they are chosen by a domain owner as a
tradeoff between quick responses to changes and DNS traffic reduction;
typical values range from two hours to two days. When a caching nameserver
finds a mapping in its cache with time still left in the TTL, it can just
provide that information to a requester without making any queries upstream.
DNS has worked, by and large, for a long time, but it is not without its
problems. Anyone who can intercept DNS queries and/or reply in a way that
looks like it
came from the queried server can control the name resolution process,
providing a number of opportunities for phishing and other kinds of
malfeasance. Because the information is typically cached, one redirection
with an enormous TTL can have a large impact in what is known as a DNS cache
poisoning attack. A poisoned cache sufficiently high in a hierarchy of
caching DNS servers can affect large swaths of the Internet as the redirection
can trickle down to each of the nameservers below it.
It is against this backdrop of cache poisoning and exploitable flaws in
some DNS implementations (Wikipedia has some good examples
here) that
calls to implement
DNSSEC have increased. By using public
key encryption,
DNSSEC removes the possibility of spoofing the nameserver for a domain
through a DNS reply. DNSSEC replies will be signed using the private
key of the domain and can then be verified using the public key. If the
response does not verify, it does not contain valid information for that
domain and should be discarded. At first blush, this seems like a good
thing that will eliminate some existing problems; as with many things,
though, the devil is in the details.
In order to verify any signed queries, one must obtain the public key from a
trusted source; invalid public keys just lead to the same forgery issues
that are present in the current system. The public keys will have to
be signed in a hierarchy that corresponds to the domain name hierarchy and
the top-level master signing key will be the key at the top of the heap.
Its public portion will be distributed with DNSSEC enabled software and the
private part will
sign the keys for the root servers. The root servers will sign the keys for
the TLD servers which will in turn sign keys for each of the domains. By
verifying each step before caching the information, nameservers can ensure
they have correct DNS mappings.
There are some inherent problems in DNSSEC and perhaps the highest profile
issue is with the exposure of all the zone data. Because DNSSEC is tasked
with providing an authoritative 'not found' message for hosts without an
entry, it enables enumeration of all hosts in a zone. The 'not found'
messages need to be signed, but it is deemed important not to have the
private keys online (in case of a security breach); it also cannot just
be a single signed 'not found' message because it could be replayed, in
effect knocking a valid host out of the DNS. The solution involves
ranges of invalid hostnames each with their own signed 'not found' message.
Through a series of queries, an attacker can gain all of the 'not found'
ranges which leaves the available hostnames obvious in the gaps.
This is very different from the current DNS where one could only ask for
hosts by name and essentially get a yes or no answer.
This information leakage was at first considered to be a non-issue by the
IETF group working on DNSSEC. They have since been convinced that this
problem would prohibit adoption in some jurisdictions and would severely
limit some of the more interesting uses for DNS after it becomes
secured. The latest proposals provide for a 'not found' message that
contains a canned signed portion along with a cryptographic hash of the
hostname requested and recipients would need to verify both the signature
and that the hash corresponds to the request that they made before
accepting the response.
There are also legitimate questions about why DNS needs to be secured. Even
if you are certain you know the right address to use for a particular domain,
you are not guaranteed that a connection made to that IP actually gets to
your intended destination. In order to ensure that, you must have another
layer of encryption such as HTTPS or ssh using verified
keys. It also does not really help against the vast majority of phishing
scams as it does not assist users in recognizing that
'thisistotallynotpaypal.com' is not in any way the same as 'paypal.com' even
though they end the same way.
There are some interesting applications for secured services like DNSSEC, but
critics argue that those applications should be implemented separately from
DNS. There is no need to risk
breaking the currently working DNS system by adding additional complexity for
little or no gain. If putting DKIM keys
into a nameserver-like structure is desirable, and many would argue that it
is, create a new system, perhaps based on DNS/DNSSEC, that implements it.
In the meantime, they contend, we should leave DNS alone.
Given these questions and a bit of concern whenever any government - but
particularly the US government - tries to muscle in on Internet governance, it
should come as no surprise that there is a bit of an uproar regarding the
DHS key control attempt.
It is not completely clear why the DHS believes it must control the master
signing key; the theories range from the bland, through clueless and into
nefarious. It is possible that DHS believes it is the only entity that
can be trusted with the keys, a position which tends to cause muttering about US
arrogance. Another possibility is that DHS does not really understand what
the keys are and what can be done with them. The paranoid are concerned that
the keys might be used to set up a parallel set of root servers that
remake the Internet into something more in line with the Bush administration's
vision of what the Internet should look like. By co-opting or otherwise
manipulating Internet routing, the DHS, some fear, could stage a complete takeover via this
alternate sanitized hierarchy. No matter what the reason, it certainly stirs
up people who feel that Internet governance should be handled by
international organizations and not by the US government.
The problems that Gadi Evron brought to the attention of Bugtraq readers
are independent of the DNS vs. DNSSEC debate as neither address the issues
that he is trying to solve. A great deal of Internet malware, botnets,
spyware, viruses, phishing, etc. relies on name resolution in order to do
its work. They typically use nameservers and IP mappings with
very short TTL values which allows them to be highly mobile, rapidly
changing nameservers and IP addresses as they get detected and shut down in
the whack-a-mole game that gets played continuously on the Internet.
The white hats simply cannot move fast enough even if they do not run
up against slow moving or hostile ISP administrators.
The easiest place to handle this kind of domain is with its registrar, who
can completely shut it down by routing its nameservers to nonexistent hosts.
This ability to essentially remove a domain's existence can be abused
(as GoDaddy proved with
seclists.org earlier this year) and there need to be some strict policies and
procedures in place to govern how that power is to be used. In addition,
there are so-called black hat registrars that do not care and perhaps
encourage malicious behavior from some of their registrants. Evron
was reporting on a message he sent to the registrar operations mailing
list highlighting the problem and looking for solutions. His message to
Bugtraq reported on the progress and asked for further ideas.
DNS is a critical piece of Internet infrastructure and anything that impacts
it will be felt by a lot of people; anything that breaks it will break the
net. All of the services that we use rely, at least to a limited
extent, on DNS and any serious outage would make the Internet completely
unusable. Because of that, a conservative approach is required. Threats can
come from both criminals and governments (though some would claim that is
redundant) and we need to protect the net from both. Perhaps DNSSEC tips
things too far one way and another approach is needed. It will be interesting
to see how it plays out.
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service.
A buffer overflow has been discovered in the man command that could allow an
attacker to execute code as the man user by providing specially crafted
arguments to the -H flag. This is likely to be an issue only on machines
with the man and mandb programs installed setuid.
Adobes acrobat reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross site scripting vulnerability that
can be triggered by processes malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities,
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code.
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack.
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service.
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers.
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address.
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges.
The "file" utility incorrectly checks the allocated heap memory size.
If a remote attacker can trick a user into looking at specially crafted
files with file, arbitrary code can be executed with the user's privileges.
According to this
advisory, the FTP protocol includes the PASV (passive) command which is
used by Firefox to request an alternate data port. The specification of the
FTP protocol allows the server response to include an alternate server
address as well, although this is rarely used in practice.
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user).
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667.
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges.
Inkscape has a format string vulnerability in its URI handling, possibly
allowing an attacker to execute code with user privileges via a specially
crafted file.
Format string vulnerability in the whiteboard Jabber protocol in Inkscape
before 0.45.1 allows user-assisted remote attackers to execute arbitrary
code via unspecified vectors.
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files.
The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to
force the client to connect to other servers, perform a proxied port scan,
or obtain sensitive information by specifying an alternate server address
in a FTP PASV command.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478.
The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution or arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in
net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference.
Local users can use this to crash the kernel or to disclose kernel
memory.
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued.
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer.
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")."
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures.
The kdamind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory
2007-002
Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
iDefense reported several overflow bugs in libwpd. An attacker could
create a carefully crafted Word Perfect file that could cause an
application linked with libwpd, such as OpenOffice, to crash or possibly
execute arbitrary code if the file was opened by a victim.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Tatsuya Kinoshita discovered that Lookup, a search interface to electronic
dictionaries on emacsen, creates a temporary file in an insecure fashion
when the ndeb-binary feature is used, which allows a local attacker to
craft a symlink attack to overwrite arbitrary files.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
A stack overflow flaw was found in the URI handler of mod_jk. A remote
attacker could visit a carefully crafted URL being handled by mod_jk and
trigger this flaw, which could lead to the execution of arbitrary code as the
'apache' user.
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
user-assisted remote attackers can use this to create a buffer overflow
and possibly execute arbitrary code.
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
The handling of setuid files in the OpenAFS filesystem is flawed in such a way that a sufficiently clever attacker could make an arbitrary executable file to appear to be setuid.
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN).
The StarCalc parser in OpenOffice.org suffers from an "easily exploitable" stack overflow which could be exploited (via a malicious document) to execute arbitrary code.
Additionally, there is a failure to escape shell metacharacters in URLs, exposing users to command execution by way of hostile links.
SUSE reported vulnerabilities due to unspecified errors in OpenPBS. An
attacker might be able execute arbitrary code with the privileges of the
user running openpbs, which might be the root user.
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort."
From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities."
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only be when UTF-8 is used)
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not
reject overlong sequences, which can cause "/../" injection or (in the case
of konqueror) a "<script>" tag injection.
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges.
Several flaws were found in the way SeaMonkey processed certain malformed
JavaScript code. A malicious web page could execute JavaScript code in such
a way that may result in SeaMonkey crashing or executing arbitrary code as
the user running SeaMonkey. (CVE-2007-0775, CVE-2007-0777)
Several cross-site scripting (XSS) flaws were found in the way SeaMonkey
processed certain malformed web pages. A malicious web page could display
misleading information which may result in a user unknowingly divulging
sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995,
CVE-2007-0996)
A flaw was found in the way SeaMonkey cached web pages on the local disk. A
malicious web page may be able to inject arbitrary HTML into a browsing
session if the user reloads a targeted site. (CVE-2007-0778)
A flaw was found in the way SeaMonkey displayed certain web content. A
malicious web page could generate content which could overlay user
interface elements such as the hostname and security indicators, tricking a
user into thinking they are visiting a different site. (CVE-2007-0779)
Two flaws were found in the way SeaMonkey displayed blocked popup windows.
If a user can be convinced to open a blocked popup, it is possible to read
arbitrary local files, or conduct an XSS attack against the user.
(CVE-2007-0780, CVE-2007-0800)
Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
SeaMonkey. (CVE-2007-0008, CVE-2007-0009)
A flaw was found in the way SeaMonkey handled the "location.hostname" value
during certain browser domain checks. This flaw could allow a malicious web
site to set domain cookies for an arbitrary site, or possibly perform an
XSS attack. (CVE-2007-0981)
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
The Snort intrusion detection system is vulnerable to a buffer overflow
in the DCE/RPC preprocessor code. Remote attackers can send
specially crafted fragmented SMB or DCE/RPC packets which can be used
to allow the the remote execution of arbitrary code.
Due to an internal error Squid-2.6 is vulnerable to a denial of service
attack when processing the TRACE request method. This problem allows any
client trusted to use the service to perform a denial of service attack on
the Squid service.
A anonymous researcher discovered that an error in the handling of a GIF
image with a zero width field block leads to a memory corruption flaw. An
attacker could entice a user to run a specially crafted Java applet or
application that would load a crafted GIF image, which could result in
escalation of privileges and unauthorized access to system resources.
Off-by-one buffer overflow in the parse_elements function in the 802.11
printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote
attackers to cause a denial of service (crash) via a crafted 802.11
frame. NOTE: this was originally referred to as heap-based, but it might be
stack-based.
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
Multiple format string vulnerabilities in (1) the cdio_log_handler function
in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and
the (2) cdio_log_handler and (3) vcd_log_handler functions in
modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in
VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to
execute arbitrary code via format string specifiers in an invalid URI, as
demonstrated by a udp://-- URI in an M3U file.
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked.
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine.
A cross-site scripting vulnerability in Zope, a web application server,
could allow an attacker to inject arbitrary HTML and/or JavaScript into the
victim's web browser by using unspecified vectors in a HTTP GET request.
This code would run within the security context of
the web browser, potentially allowing the attacker to access private data
such as authentication cookies, or to affect the rendering or behavior of
Zope web pages.
dmcox discovered a boundary error in the zzip_open_shared_io() function
from zzip/file.c . A remote attacker could entice a user to run a zziplib
function with an overly long string as an argument which would trigger the
buffer overflow and may lead to the execution of arbitrary code.
