Brief items
Here we go again... The Berkeley Internet Name Domain server (BIND),
versions 4 and 8, has a new set of remotely exploitable vulnerabilities.
They are well described in this ISS advisory; in short, the problems are:
- The really nasty one is a buffer overflow in the server's caching
code; this one could (and probably will) be used for remote root
exploits.
- The server can be made to terminate (with an assertion failure) when
fed a large OPT record with certain kinds of queries.
- BIND servers can also be made to crash (with a null pointer
dereference) when passed information with the right kind of bogus
expiration time.
The first vulnerability leaves much of the net open to root exploits,
worms, etc. There is no doubt that many servers will not be patched in
time, with the result that malware writers will find no shortage of fertile
ground for their unpleasant stuff. Business as usual, in other words.
The other result of this set of vulnerabilities is likely to be that many
sites are forced, at last, to upgrade to BIND version 9. That will reduce
the diversity of BIND implementations running on the net, thus ensuring
that the next vulnerability will affect even more systems. BIND 9 is
said to be more secure (having been rewritten with that goal in mind), but
there are, beyond doubt, more problems lurking in that body of code. Then
we'll get to go through this again.
Here we go again... the source distribution of a popular application has
been compromised by a trojan horse. This time around, the affected
application is tcpdump, which was compromised on November 11 and
remained available for download for two days. As with other trojans, this
one opens up a connection to a remote host, which can then execute shell
commands. The fact that tcpdump was compromised allowed an additional
twist, however: tcpdump will not show traffic to and from the hostile
remote system.
For more information, see this CERT advisory.
New vulnerabilities
BIND8: Multiple vulnerabilities
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
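To make the resolver bug concrete, here is an added example written for this page; it is not code from glibc, BIND or the advisory. It walks a DNS response bounded by the number of bytes actually received (`len`), and then shows what happens when a caller repeats the advisory's mistake and passes the receive buffer's capacity instead. The sample response and the function names are constructed for the example.

```c
/* Added example, not glibc or BIND code: walk a DNS response bounded by the
 * number of bytes actually received (len), never by the buffer capacity. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Skip one possibly-compressed name at *off. Every byte read is checked
 * against len. Returns 0 and advances *off, or -1 if the name would run
 * past the received data (or loops through compression pointers). */
static int dns_skip_name(const uint8_t *msg, size_t len, size_t *off)
{
    size_t pos = *off, end = 0, hops = 0;
    int jumped = 0;

    for (;;) {
        if (pos >= len)
            return -1;
        uint8_t lab = msg[pos];
        if (lab == 0) {                       /* root label ends the name */
            pos++;
            break;
        }
        if ((lab & 0xC0) == 0xC0) {           /* compression pointer */
            if (pos + 1 >= len || ++hops > 16)
                return -1;
            if (!jumped)
                end = pos + 2;                /* the name occupies 2 bytes here */
            jumped = 1;
            pos = ((lab & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if (lab > 63 || pos + 1 + lab > len)  /* reserved bits / overlong label */
            return -1;
        pos += 1 + lab;
    }
    *off = jumped ? end : pos;
    return 0;
}

/* Count A records in the answer section. Returns the count, or -1 if the
 * message is truncated or malformed relative to len. */
int dns_count_a_records(const uint8_t *msg, size_t len)
{
    if (len < 12)                             /* fixed header */
        return -1;
    size_t qd = (msg[4] << 8) | msg[5];
    size_t an = (msg[6] << 8) | msg[7];
    size_t off = 12;
    int count = 0;

    for (size_t i = 0; i < qd; i++) {         /* question: name + type/class */
        if (dns_skip_name(msg, len, &off) != 0 || len - off < 4)
            return -1;
        off += 4;
    }
    for (size_t i = 0; i < an; i++) {         /* answer RRs */
        if (dns_skip_name(msg, len, &off) != 0 || len - off < 10)
            return -1;
        unsigned type = (msg[off] << 8) | msg[off + 1];
        size_t rdlen = (msg[off + 8] << 8) | msg[off + 9];
        off += 10;
        if (rdlen > len - off)                /* RDATA would run past the response */
            return -1;
        if (type == 1 && rdlen == 4)
            count++;
        off += rdlen;
    }
    return count;
}

/* Constructed sample (not captured traffic): one A answer for
 * www.example.com, 49 bytes, with a compression pointer in the answer name. */
const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                                     /* A, IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    93, 184, 216, 34,
};

/* The advisory's mistake, reproduced: the caller passes the receive buffer's
 * capacity instead of the byte count returned by recv(), so whatever is
 * left in the buffer past the real response is parsed as if received. */
int count_with_buffer_capacity(size_t received)
{
    uint8_t buf[512];
    if (received > sizeof sample_response)
        received = sizeof sample_response;
    memset(buf, 0, sizeof buf);               /* stale bytes; zero in this demo */
    memcpy(buf, sample_response, received);
    return dns_count_a_records(buf, sizeof buf);   /* wrong bound */
}

int main(void)
{
    printf("full response, received length as bound: %d\n",
           dns_count_a_records(sample_response, sizeof sample_response));
    printf("40-byte truncation, received length as bound: %d\n",
           dns_count_a_records(sample_response, 40));
    printf("40-byte truncation, buffer capacity as bound: %d\n",
           count_with_buffer_capacity(40));
    return 0;
}
```

With the received length as the bound, a truncated response is rejected; with the buffer capacity as the bound, the same parser quietly accepts it and reports a wrong answer, and in a real resolver the reads would continue into whatever lies beyond the data, which is the crash the advisory describes.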
kdenetwork: buffer overflow
Package(s): kdenetwork
CVE #(s): CAN-2002-1247
Created: November 11, 2002
Updated: December 20, 2002
Description:
iDEFENSE reports a security vulnerability in the klisa package, which
provides a LAN information service similar to "Network Neighbourhood";
it was discovered by Texonet. It is possible for a local attacker
to exploit a buffer overflow condition in resLISa, a restricted
version of KLISa. The vulnerability exists in the parsing of the
LOGNAME environment variable; an overly long value will overwrite the
instruction pointer, thereby allowing an attacker to seize control of
the executable.
kgpg: keys generated in wizard have an empty passphrase
Package(s): kgpg
CVE #(s): (none)
Created: November 11, 2002
Updated: November 13, 2002
Description:
A bug in Kgpg's key generation affects all secret keys generated through
Kgpg's wizard. (The bug does not affect keys created in console/expert
mode.) All keys created through the wizard have an empty passphrase, which
means that if someone has access to your computer and can read your secret
key, he/she can decrypt your files without the need of a passphrase. See
the full report for details.
html2ps: arbitrary code execution
Package(s): html2ps
CVE #(s): (none)
Created: November 8, 2002
Updated: December 6, 2002
Description:
The SuSE Security Team found a vulnerability in html2ps, an HTML to
PostScript converter, which opens files named by unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as a filter within LPRng and the attacker has previously gained access
to the lp account.
masqmail: buffer overflow
Package(s): masqmail
CVE #(s): CAN-2002-1279
Created: November 12, 2002
Updated: November 13, 2002
Description:
A set of buffer overflows has been discovered in masqmail, a mail
transport agent for hosts without a permanent Internet connection. In
addition, privileges were dropped only after reading a user-supplied
configuration file. Together these could be exploited to gain unauthorized
root access to the machine on which masqmail is installed.
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the PHP mail() function. The first allows
the execution of any program/script, bypassing the safe_mode restriction;
the second can turn a script into an open mail relay if the mail() function
is not used carefully. See this Bugtraq report for more details. Note that
this is a different vulnerability from the previous PHP mail() problem,
which affected versions through 4.1.0.
traceroute-nanog: buffer overflow and root exploit
Package(s): traceroute-nanog/nkitb
CVE #(s): (none)
Created: November 12, 2002
Updated: February 27, 2003
Description:
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine their route or to find non-working routers.
Traceroute-nanog requires root privilege to open a raw socket, but it does
not relinquish that privilege after doing so. This allows a malicious user
to gain root access by exploiting a buffer overflow at a later point.
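Both the traceroute-nanog entry and the masqmail entry above come down to the same ordering mistake: privileges are still held while user-controlled input is processed. The following added example (written for this page, not code from either project) shows the pattern that avoids it: acquire the one resource that needs root, drop root permanently and verify the drop, and only then look at arguments or configuration. The `copy_target` helper is a stand-in for the rest of the program and is an assumption of the example.

```c
/* Added example, not traceroute-nanog or masqmail code: take the privileged
 * resource first, drop root permanently, and only then touch anything the
 * user controls (arguments, environment, configuration files). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>

extern int setresgid(gid_t, gid_t, gid_t);   /* glibc/BSD; repeated in case  */
extern int setresuid(uid_t, uid_t, uid_t);   /* _GNU_SOURCE was set too late */

/* Permanently become uid/gid. Groups and gid go first: once the uid is
 * unprivileged, setgroups() and setresgid() are no longer permitted.
 * Returns 0 only if all three uids and gids changed and root cannot be
 * regained; -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                       /* drop supplementary groups */
    if (setresgid(gid, gid, gid) != 0)   /* real, effective, saved gid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)   /* real, effective, saved uid */
        return -1;
    /* Paranoia check: with a saved uid of 0 this call would succeed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Stand-in for the rest of the program (target parsing, config reading).
 * It runs after the drop, so a bug here yields the invoking user's
 * privileges, not root. Refuses oversize input instead of overflowing. */
int copy_target(const char *arg, char *dst, size_t dstlen)
{
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

int main(int argc, char **argv)
{
    char target[64];

    /* 1. The only operation that needs root. */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (raw < 0)
        perror("socket(SOCK_RAW) (expected to fail when not root)");

    /* 2. Drop to the real (invoking) uid/gid before looking at argv. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }

    /* 3. Everything user-controlled is handled unprivileged. */
    if (argc > 1 && copy_target(argv[1], target, sizeof target) != 0) {
        fprintf(stderr, "target too long\n");
        return 1;
    }
    printf("running as uid %u, euid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    if (raw >= 0)
        close(raw);
    return 0;
}
```

In a setuid-root binary `getuid()` is the invoking user while `geteuid()` is 0, so `drop_privileges(getuid(), getgid())` returns to the invoker; the explicit `setuid(0)` probe afterwards catches the classic mistake of changing only the effective uid and leaving a saved uid of 0 behind.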
wmaker: buffer overflow in Window Maker image handling code
Package(s): wmaker windowmaker
CVE #(s): CAN-2002-1277
Created: November 7, 2002
Updated: February 6, 2003
Description:
Al Viro found a problem in the image handling code used in Window Maker,
a popular NEXTSTEP-like window manager. When creating an image it would
allocate a buffer by multiplying the image width and height, but did not
check that multiplication for integer overflow. A crafted header can make
the product wrap, so the buffer allocated is smaller than the image data
later written into it, and the buffer overflows. This could be exploited by
using specially crafted image files (for example when previewing themes).
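The arithmetic behind the Window Maker bug is worth seeing side by side with the check that prevents it. This is an added example written for this page, not Window Maker's code; the 256 MiB ceiling and the function names are assumptions of the example.

```c
/* Added example, not Window Maker code: sizing an image buffer from
 * width/height taken from an untrusted file, unchecked and checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the bug described above. Dimensions from image headers are
 * 32-bit fields; the product is computed in 32 bits and wraps, so the
 * allocation can be far smaller than the pixel data later copied into it. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;     /* wraps modulo 2^32, no error */
}

/* Largest single image we will allocate: an assumption for this example,
 * not a Window Maker limit. A product that fits in size_t is still useless
 * if it exhausts memory. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Checked version: 0 and *out = width*height*bpp, or -1 if any factor is
 * zero, the product would overflow size_t, or it exceeds MAX_IMAGE_BYTES. */
int checked_image_bytes(size_t width, size_t height, size_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > SIZE_MAX / height)   /* width*height would overflow */
        return -1;
    size_t pixels = width * height;
    if (pixels > SIZE_MAX / bpp)     /* pixels*bpp would overflow */
        return -1;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = bytes;
    return 0;
}

/* Allocate a zeroed pixel buffer for the header values, or NULL if the
 * dimensions are rejected. Callers must treat NULL as a malformed file. */
unsigned char *alloc_image(size_t width, size_t height, size_t bpp)
{
    size_t bytes;
    if (checked_image_bytes(width, height, bpp, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* A 65536x65536 header: naive 32-bit arithmetic asks for 0 bytes. */
    printf("naive: %u bytes\n", (unsigned)naive_image_bytes(65536u, 65536u, 1));
    unsigned char *p = alloc_image(65536, 65536, 1);
    printf("checked 65536x65536: %s\n", p ? "allocated" : "rejected");
    free(p);
    p = alloc_image(640, 480, 4);
    printf("checked 640x480x4: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The division-based test is portable C; on compilers that offer it, `__builtin_mul_overflow` expresses the same check in one call. Either way the decision has to happen before the allocation, since once the undersized buffer exists every later write into it trusts the wrong size.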
Resources
Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright
published a paper at LISA 2002 entitled "Timing the Application of Security
Patches for Optimal Uptime." It is now available for download in
PostScript format.
The LinuxSecurity.com Linux Advisory Watch newsletter for November 8
is available.
Events
MIS Training Institute has announced that the Conference on Mobile and
Wireless Security will be held in Scottsdale, Arizona on February 11 to 13,
2003.
Page editor: Jonathan Corbet