Thanks for reading
As we journey into an unknown future for LWN, I wanted to take this
opportunity to say "Thank You" to everyone who has read the security
page in 2002.
It has been my pleasure to assemble information for you each week
that has, I sincerely hope, been of real value.
Safe Travels,
Dennis Tenney, LWN.net Security Page Editor
Comments (5 posted)
Security news
Security warning draws DMCA threat (News.com)
Here's
a News.com
article about a new attempt to use the DMCA to suppress security
vulnerability information. This time the DMCA is being wielded by HP.
"
In a letter sent on Monday, an HP vice president warned SnoSoft, a
loosely organized research collective, that its members 'could be fined up
to $500,000 and imprisoned for up to five years' for its role in publishing
information on a bug that lets an intruder take over a Tru64 Unix
system." (Thanks to Christof Damian).
Comments (6 posted)
Copyright as Cudgel (Chronicle)
The Chronicle of Higher Education
takes a look at the
DMCA. "
Since 1998, the DMCA has revealed itself to be a
failure. It has not been effective at preventing piracy in cyberspace, yet
it has managed to stifle harmless and even beneficial uses of material for
research and teaching."
Comments (1 posted)
Security reports
Firewall circumvention possible with Mozilla
This XWT Foundation Security Advisory warns that
a security flaw in JavaScript's
"Same Origin Policy" (SOP) allows
any JavaScript-enabled web
browser, including Mozilla, to be used by an attacker to
retrieve content from any server behind a firewall.
The exploit depends on getting a client browser behind the
firewall to visit a maliciously crafted web page.
Full Story (comments: none)
Slackware security updates
We don't have advisories from Slackware, but
the
latest changelog notice shows updates to mod_ssl, libmm, the DNS
resolver libraries, OpenSSL, and PHP.
Comments (2 posted)
Fake Identd - remote root exploit vulnerability
Tomi Ollila's Fake Identd is reported to have a remote root exploit vulnerability.
"Fake Identd is a small standalone ident server with static replies. It is
designed to be suitable for firewalls, IP masquerading hosts, etc."
Full Story (comments: none)
sendform.cgi Form Mailer v1.45 fixes directory traversal vulnerability
Version 1.45 of Rod Clark's
sendform.cgi Form Mailer fixes
this directory transversal vulnerability reported by Steve Christey
with credits to Brian Caswell and Erik Tayler.
Full Story (comments: none)
ezContents multiple vulnerabilities
Ulf Harnhammar reports multiple vulnerabilities in
ezContents.
ezContents is an Open-Source website content management system based on PHP and MySQL. Features include maintaining menus and sub-menus, adding authors that write contents, permissions, workflow, and layout possibilities for the entire look of the site by simple use of settings.
Full Story (comments: 1)
php dotProject by pass authentication vulnerability
dotProject Beta version 0.2.1.5 is reported to have a anthentication
bypass vulnerability which allows anyone to login as Admin.
dotproject is a PHP+MySQL beta level web based project management tool that dotmarketing started in Dec. 2000 then left fallow for about 10 months. It is about 50% there (there being a very high quality product, not some half-baked simple form-into-db pages). With a little open source love, dotproject could be an MS Project killer. While dotproject was specifically designed for dotmarketing's needs, it could probably be extremely useful for any sort of service agency that requires the ability to track a project to completion.
Full Story (comments: none)
Uninets StatsPlus 1.25 script injection vulnerabilities
Brain Rawt reports script injection vulnerabilities in
Uninets StatsPlus
version 1.25.
StatsPlus
"provides a convient way to get indepth statistics about
visitors to your site" which
doesn't appear to have been updated since 1998.
Full Story (comments: none)
(Proprietary product) W3Mail remote access and download vulnerabilities
Tim Brown reports a
"medium security hole"
in
W3Mail from
CascadeSoft.
Full Story (comments: none)
New vulnerabilities
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax |
CVE #(s): | CAN-2001-1034
|
| Created: | July 30, 2002 |
Updated: | October 9, 2002 |
| Description: |
The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
|
| Alerts: |
|
Comments (none posted)
OpenSSL remotely-exploitable buffer overflow vulnerabilities
| Package(s): | OpenSSL |
CVE #(s): | CAN-2002-0655
CAN-2002-0656
CAN-2002-0657
CAN-2002-0659
|
| Created: | July 30, 2002 |
Updated: | September 24, 2002 |
| Description: |
Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit.
Both client and server applications are affected.
The vulnerabilities are described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in
CERT Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing
to do today.
Mitel Networks has an update available which
closes this vulnerabilty for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL |
| Alerts: |
|
Comments (none posted)
Local root vulnerability in chfn
| Package(s): | util-linux |
CVE #(s): | CAN-2002-0638
|
| Created: | July 29, 2002 |
Updated: | October 30, 2002 |
| Description: |
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility |
| Alerts: |
|
Comments (none posted)
Temporary file vulnerability in mm library
| Package(s): | mm |
CVE #(s): | CAN-2002-0658
|
| Created: | July 30, 2002 |
Updated: | August 14, 2002 |
| Description: |
The OSSP mm library (libmm) is frequently used in Apache
setups using mod_ssl and/or mod_php.
A temporary file vulnerabiity in OSSP mm library (libmm) before
version 1.2.0
permits a local Apache user to gain privileges.
It can be exploited to obtain root privilege in some circumstances.
Upgrading sooner, rather than later, is recommended.
|
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
CVE #(s): | CAN-2002-0400
|
| Created: | June 5, 2002 |
Updated: | August 19, 2002 |
| Description: |
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
News articles on the vulnerability appear in the
Register
and
Network World Fusion News. |
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
CAN-2002-0353
CAN-2002-0401
CAN-2002-0402
CAN-2002-0403
CAN-2002-0404
|
| Created: | June 12, 2002 |
Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 20, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl |
CVE #(s): | CAN-2002-0653
|
| Created: | July 2, 2002 |
Updated: | August 14, 2002 |
| Description: |
Mod-ssl provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL).
A maliciously-crafted .htaccess file, may
be used by an attacker to execute arbitrary
commands as the httpd user or launch a denial of service attack.
The problem is fixed in mod_ssl 2.8.10 which is available
from here.
For more information see the announcement. |
| Alerts: |
|
Comments (none posted)
libpng buffer overflow vulnerability
| Package(s): | libpng libpng2 libpng3 |
CVE #(s): | |
| Created: | July 17, 2002 |
Updated: | August 19, 2002 |
| Description: |
Versions of libpng prior to
1.2.4 and 1.0.14 have a buffer
overflow vulnerability that could lead to remote code execution.
Since libpng is used by programs that talk to the outside
world (i.e. mozilla), it is worth upgrading.
libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
|
| Alerts: |
|
Comments (2 posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
CVE #(s): | CAN-2002-0378
|
| Created: | June 12, 2002 |
Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators
with systems exposed to the general public.
|
| Alerts: |
|
Comments (none posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
CVE #(s): | CAN-2002-0388
|
| Created: | June 5, 2002 |
Updated: | August 28, 2002 |
| Description: |
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
|
| Alerts: |
|
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
CVE #(s): | |
| Created: | July 22, 2002 |
Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: |
|
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
CVE #(s): | CAN-2002-0354
|
| Created: | May 20, 2002 |
Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0374
|
| Created: | June 5, 2002 |
Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 20, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 20, 2002 |
Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
CVE #(s): | |
| Created: | July 8, 2002 |
Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following
changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML
- FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
|
| Alerts: |
|
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
CVE #(s): | CAN-2002-0380
|
| Created: | June 5, 2002 |
Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
|
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
|
| Created: | May 20, 2002 |
Updated: | September 17, 2002 |
| Description: |
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
|
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
xchat IC server based dns query vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2002-0382
|
| Created: | June 5, 2002 |
Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Resources
Linux Security Week and Advisory Watch
The
July 29nd Linux Security Week and
July 26th Linux Advisory Watch newsletters
from LinuxSecurity.com are available.
Comments (none posted)
LinuxSecurity Magazine Online - First Edition
Readers fluent in Portuguese are encouraged to check out the
first issue of Linux Security Magazine from the Brazilian free project
LinuxSecurity Brasil.
Full Story (comments: none)
Testing Safety-Critical Software with AdaTEST (Linux Journal)
The Linux Journal
looks at the
AdaTEST utility.
"
But how does Ada mix with Linux? In fact, it mixes quite well. The GNU Ada tool
chain (GNAT) is an Ada front-end to gcc, tying Ada closely with the
operating system. With standard facilities to import C
functions, Ada allows for metal-near programming by importing any C
functions, including system calls if need be."
Comments (none posted)
Events
Upcoming Security Events
| Date | Event | Location |
| August 1, 2002 | Black Hat Briefings 2002 | (Caesars Palace Hotel and Resort)Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | (Alexis Park Hotel and Resort)Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference(CSICON) | (Hyatt Regency)Calgary, Alberta Canada |
| August 28 - 30, 2002 | Workshop on Information Security Applications(WISA 2002) | Jeju Island, Korea |
| September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002(SECI'02) | Tunis, Tunisia |
| September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | (The Chamberlain Hotel)Hampton, Virginia, USA |
| September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | (University of Idaho)Moscow, Idaho, USA |
| September 26 - 27, 2002 | HiverCon 2002 | (Hilton Hotel)Dublin, Ireland |
| September 27 - 29, 2002 | ToorCon 2002 | (San Diego Concourse)San Diego, CA, USA |
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Next page: Kernel development>>
