Summary of Security Items from August 4 through August 17, 2004

Released
Aug 17, 2004
Document ID
SB04-231

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

This bulletin provides a summary of
new or updated vulnerabilities, exploits, trends and viruses identified between
August 4 and August 17, 2004.

Bugs, Holes, & Patches



  • Windows Operating Systems
  • UNIX / Linux Operating Systems
  • Multiple Operating Systems

Recent Exploit Scripts/Techniques

Trends

Viruses/Trojans



Bugs, Holes, & Patches

The table below summarizes vulnerabilities
that have been identified, even if they are not being exploited. Updates to
items appearing in previous bulletins are listed in bold.
Complete details about patches or workarounds are available from the source of
the information or from the URL provided in the section. CVE numbers are listed
where applicable. Vulnerabilities that affect both Windows and
Unix Operating Systems are included in the Multiple Operating
Systems
section.

Note: All the information included in the
following tables has been discussed in newsgroups and on web sites.

Windows Operating Systems Only

UNIX / Linux Operating Systems Only

Multiple Operating Systems - Windows / UNIX / Linux / Other


Risk is defined as
follows:



  • High - A high-risk
    vulnerability is defined as one that will allow an intruder to immediately
    gain privileged access (e.g., sysadmin or root) to the system or allow an
    intruder to execute code or alter arbitrary system files. An example of a
    high-risk vulnerability is one that allows an unauthorized user to send a
    sequence of instructions to a machine and the machine responds with a command
    prompt with administrator privileges.

  • Medium - A medium-risk
    vulnerability is defined as one that will allow an intruder immediate access
    to a system with less than privileged access. Such a vulnerability will allow
    the intruder the opportunity to continue the attempt to gain privileged
    access. An example of a medium-risk vulnerability is a server configuration
    error that allows an intruder to capture the password file.

  • Low - A low-risk
    vulnerability is defined as one that will provide information to an intruder
    that could lead to further compromise attempts or a Denial of Service (DoS)
    attack. It should be noted that while the DoS attack is deemed low from a
    threat potential, the frequency of this type of attack is very high. DoS
    attacks against mission-critical nodes are not included in this rating and any
    attack of this nature should instead be considered to be a "High"
    threat.


Windows Operating
Systems Only


Vendor & Software Name

Vulnerability - Impact / Patches - Workarounds / Attack Scripts

Common Name

Risk

Source

Adobe Systems


Adobe Acrobat 5.0.5 and prior, possibly 6.0.2


A buffer overflow vulnerability exists in Acrobat/Acrobat Reader due to
a boundary error within the "pdf.ocx" ActiveX component supplied with
Adobe Acrobat Reader. A remote malicious user can exploit this
vulnerability via a malicious website using a specially crafted URL to
potentially execute arbitrary code. Successful exploitation allows remote
malicious users to utilize the arbitrary word overwrite to redirect the
flow of control and eventually take control of the affected system. Code
execution will occur under the context of the user that instantiated the
vulnerable version of Adobe Acrobat.


No solution is available at this time.


Vendor asserts this vulnerability is fixed in version 6.0.2. However,
proof of concept code exists that causes a Denial of Service.


Adobe Acrobat/Acrobat Reader ActiveX Control Buffer
Overflow Vulnerability


CVE Name:
CAN-2004-0629


High
iDEFENSE Security Advisory 08.13.04

Acme Laboratories


thttpd 2.07 beta 0.4 10dec99


An input validation vulnerability exists in the Windows
port of thttpd. A remote user can view files on the target system that are
located outside of the web document directory. thttpd does not properly
validate user-supplied requests. A remote user can submit a request
containing directory traversal characters or a direct path to view files
on the system.


No solution is available at this time.


A Proof of Concept exploit has been published.


thttpd Input Validation Error
Discloses Files to Remote Users

Medium
SecurityTracker, 1010850,
August 4, 2004

Clearswift


MAILsweeper prior to 4.3.15


Several vulnerabilities exist in MAILsweeper in the processing of
encoded or compressed files. A remote user may be able to send a MIME
attachment that will not be properly scanned by MAILsweeper. MAILsweeper
fails to properly detect several common compression formats, including ZIP
6.0, RAR, and HQX. A remote malicious user can create a malicious
attachment in certain formats and have the attachment pass through
MAILsweeper without detection.


A Denial of Service vulnerability also exists due to an error when
processing malformed PowerPoint files which may cause the service to enter
an endless loop and exhaust all CPU resources.


Update to version 4.3.15 available at: http://download.mimesweeper.com/www/Patches/MAILsweeper_Patches_495ReadMe.htm


We are not aware of any exploits for this vulnerability.


MAILsweeper Fails to Detect and Analyze Some Attachment
Formats


CVE Names:
CAN-2003-0928
CAN-2003-0929
CAN-2003-0930


Medium

Secunia, SA12301, August 13, 2004


SecurityTracker, 1010953, August 13, 2004


MAILsweeper for SMTP 4.3.15 Release Notes, July 28, 2004


Clearswift


MIMEsweeper for Web prior to 5.0.4


An input validation vulnerability exists in MIMEsweeper for Web, which
can be exploited by a malicious user to retrieve arbitrary files outside
the web root via directory traversal attacks using the "..\", "..\\",
"../\", and "../" character sequences.


Update to version 5.0.4 or later available at: http://download.mimesweeper.com/www/Patches/MSW4WEB504_ReadMe.htm


A Proof of Concept exploit has been published.


MIMEsweeper for Web Directory Traversal Vulnerability

Medium

MIMEsweeper for Web Version 5.0.4 Release Notes


IceWarp


IceWarp Web Mail prior to 5.2.8


Multiple vulnerabilities exist in IceWarp Web Mail,
which could allow a malicious user to conduct cross-site scripting and SQL
injection attacks, access sensitive information, and manipulate the file
system.


Update to version 5.2.8 available at: http://www.icewarp.com/Download/


We are not aware of any exploits for this
vulnerability.


IceWarp Web Mail Multiple
Unspecified Vulnerabilities

High

Secunia, SA12269, August 11, 2004


IceWarp Web Mail Release Notes, 5.2.8, August 10,
2004


Keene Software


Keene Digital Media Server 1.0.2


Multiple vulnerabilities exist in Keene Digital Media Server, which can
be exploited by a malicious user to retrieve sensitive information such as
passwords and perform administrative tasks. 1) Keene Digital Media Server
stores passwords in clear text in the file "dmscore.db" in the
installation directory. This may disclose sensitive information to
malicious local users. 2) An input validation error within the processing
of HTTP requests can be exploited to retrieve arbitrary files via
directory traversal attacks. It is possible to bypass the user
authentication and perform administrative tasks by accessing the script
"/dms/adminusers.kspx" directly.


No solution is available at this time. The vendor has stated that the
vulnerabilities will be fixed in version 1.0.4.


A Proof of Concept exploit has been published.


Keene Digital Media (KDM) Server
Multiple Vulnerabilities

Medium

SecurityTracker: 1010928, August 11, 2004


Secunia, SA12272, August 12, 2004

Microsoft

MS Windows 2000 SP
2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1

A remote code execution vulnerability exists in the Task
Scheduler because of an unchecked buffer during application name
validation. A malicious user who successfully exploited this vulnerability
could take complete control of an affected system.

Updates
available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx


Exploit script has been published.


Microsoft Windows Task Scheduler Vulnerability


CVE Name:
CAN-2004-0212

High

Microsoft Security Bulletin MS04-022, July 13,
2004


PacketStorm, August 5, 2004


Microsoft


INTERIX 2.2

This security bulletin was
updated to include the INTERIX product. A privilege elevation
vulnerability exists in the POSIX operating system component (subsystem)
due to an unchecked buffer. This vulnerability could allow remote code
execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

Currently,
we are not aware of any exploits for this vulnerability.

POSIX Vulnerability Could Allow Code
Execution


CVE Name:
CAN-2004-0210



High
Microsoft Security Bulletin MS04-020, Updated:
August 10, 2004

Microsoft


Microsoft Exchange Server 5.5 SP4

An input validation vulnerability exists in
Microsoft Outlook Web Access in which a malicious user could conduct
cross-site scripting attacks. A remote user can access the target user's
cookies (including authentication cookies), if any, associated with the
site running the Outlook Web Access software, access data recently
submitted by the target user via web form to the site, or take actions on
the site acting as the target user.

Update available at: http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displaylang=en


The update does not require a restart, but it will
restart Microsoft Internet Information Services (IIS), the Exchange Store,
and the Exchange System Attendant Services. Customers that have customized
certain ASP pages should check the advisory for some important caveats: http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx


Currently, we are not aware of any exploits for
this vulnerability.


Exchange Server 5.5 Outlook Web Access
Could Allow Cross-Site Scripting and Spoofing Attacks


CVE Name:
CAN-2004-0203


High

Microsoft Security Bulletin MS04-026, August 10,
2004




US-CERT Vulnerability Note VU#948750, August 11, 2004


Microsoft


Microsoft Internet Explorer 5.01, 5.5, 6


A vulnerability exists in Internet Explorer, which potentially can be
exploited by a malicious user to conduct phishing attacks against a
user. The vulnerability is caused by Internet Explorer failing to
update the address bar after a sequence of actions has been performed on a
named window. This can be exploited to display content from a malicious
site while displaying the URL of a trusted site in the address bar.


Workaround: Disable Active Scripting. Currently known attack vectors do
not work on Windows XP systems with SP2 applied.


A Proof of Concept exploit has been published.


Internet Explorer Address Bar
Spoofing Vulnerability

Medium
Secunia, SA12304, August 16, 2004

Next Generation Security


StackDefender 1.10 and 2.0


Multiple input validation vulnerabilities exist in
StackDefender in the processing of certain hooked kernel function
parameters which could allow a local or remote malicious user to cause the
target system to crash. StackDefender fails to validate the
'ObjectAttributes' parameter supplied to the ZwOpenFile() and
ZwCreateFile() kernel API functions. Also, the 'BaseAddress' parameter
supplied to the ZwAllocateVirtualMemory() and ZwProtectVirtualMemory()
kernel API functions is not properly validated and can be exploited in a
similar fashion.


Upgrade to StackDefender 2.10 available at: http://ngsec.com/ngproducts/stackdefender/download.php


We are not aware of any exploits for this
vulnerability.


NGSEC StackDefender 1.10 Invalid
Pointer Dereference Vulnerability

CVE Names:
CAN-2004-0767
CAN-2004-0766


Low
iDEFENSE Security Advisory, August 3, 2004

Rhinosoft


Serv-U FTP Server 4.x through 5.1.0.0 inclusive


A default login vulnerability exists in Serv-U that
could allow a local unprivileged user to execute commands with SYSTEM
privileges due to a problem with Serv-U administration.
The Serv-U
FTP server on all its platforms has a local administration account that
can be used to configure the server. This account has default login and
password credentials and is only available through the loopback interface.
An unprivileged user can connect to the server with the default login
information and use the "SITE EXEC" command to execute arbitrary commands.
The commands are run with SYSTEM privileges, turning Serv-U into a
conduit through which administrative commands can be run.


No solution is available at this time.


A Proof of Concept exploit has been published.


Serv-U Local Privilege Escalation
Vulnerability

Medium
Securities, August 15, 2004

SapporoWorks


BlackJumboDog FTP Server 3.6.1

A buffer overflow vulnerability exists in BlackJumboDog through
which a remote malicious user can execute arbitrary code on the target
system. A remote user can send a specially crafted FTP command with a long
parameter string to trigger the flaw. The USER, PASS, RETR, CWD, XMKD,
XRMD, and other commands are affected. The software reportedly copies the
user-supplied parameter string to a 256 byte buffer.

Update to version 3.6.2, available at: http://homepage2.nifty.com/spw/software/bjd/


A Proof of Concept exploit has been
published.


BlackJumboDog Has Buffer
Overflow in the FTP Service


High

US-CERT VU#714584, August 3, 2004


SecuriTeam, August 4, 2004


Sun Microsystems


Java Runtime Environment (JRE)

A Denial of Service vulnerability exists in
Sun's Java Runtime Environment. A remote malicious user can create a Java
applet that triggers a native Win32 assertion and, when loaded
by the target user, causes the target user's system to crash.

No solution is available at this time.


A Proof of Concept exploit has been published.


Sun JRE Win32 Native Assertion
Error Lets malicious Applets Deny Service

Low
SecurityTracker, 1010846, August 3,
2004

Sygate


Sygate Secure Enterprise prior to 3.5MR3 and Sygate
Enforcer 4.0 and later


Multiple vulnerabilities exist in Sygate Secure
Enterprise (SSE) in the processing of client logging messages which could
allow a remote malicious user to cause a Denial of Service or bypass
security restrictions. A remote user can cause the service to consume all
available resources on the target system by continually replaying HTTP
messages and discovery datagrams (UDP). The system does not provide replay
protection for messages sent from Sygate Security Agent clients. An
optional component, Sygate Enforcer, does not correctly filter broadcast
traffic sent prior to authentication, allowing malicious users to bypass
the authentication.


Update to SSE version 3.5MR3 and a Sygate Enforcer
version later than 4.0 available at: http://www.sygate.com/products/sygate-secure-enterprise.htm


We are not aware of any exploits for this
vulnerability.


Sygate Secure Enterprise Multiple
Vulnerabilities


CVE Name:
CAN-2004-0163


Low

SecurityTracker, 1010919, August 10, 2004


Corsaire Security Advisories c031120-001 - 3, August
8-10, 2004


Symantec


Symantec Clientless VPN Gateway 4400 Series


Multiple vulnerabilities exist in Symantec Clientless
VPN Gateway 4400 Series, where some have an unknown impact and others can
be exploited to conduct cross-site scripting attacks or manipulate users'
signon information. Various unspecified vulnerabilities affect the ActiveX
and HTML file browsers; input validation errors within the end user UI can
be exploited to conduct cross-site scripting attacks; an error within the
end user UI can be exploited by a malicious user to manipulate other
users' signon information (including username and password).


A hotfix is available at: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz


We are not aware of any exploits for this
vulnerability.


Symantec Clientless VPN Gateway
4400 Series Multiple Vulnerabilities

High
Symantec, Hotfix: SCVG5-20040806-00, August 2004

Venta Association


VentaFax 5.4




A vulnerability exists in VentaFax that could allow a
local malicious user to obtain elevated privileges. A local malicious user
can access the application via the system tray and can execute commands
with Local System privileges.


No solution is available at this time.


A Proof of Concept exploit has been published.


VentaFax Command Execution Lets
Local Users Gain Elevated Privileges

Medium
SecurityTracker, 1010902, August 9,
2004

WIDCOMM


WIDCOMM Bluetooth Connectivity Software versions prior to 3.0 on the
BTW and BT-CE/PPC platforms


BTStackServer 1.3.2.7 and 1.4.2.10 on both Windows XP and Windows
98


HP IPAQ 5450 running WinCE 3.0 with Bluetooth software version
1.4.1.03.


Multiple buffer overflow vulnerabilities exist in WIDCOMM Bluetooth
Connectivity Software which a malicious user can use to execute arbitrary
code. The vulnerabilities are caused due to boundary errors when handling
various malformed service requests. These can be exploited by sending
specially crafted service requests through a wireless Bluetooth connection
to a vulnerable system.


No solution is available at this time. The vendor reports that issues
will be fixed in version 3.


A Proof of Concept exploit has been written.


WIDCOMM Bluetooth Connectivity Software Buffer Overflow
Vulnerabilities


CVE Name:
CAN-2004-0775



High

Secunia, SA12275, August 12, 2004


Pentest Limited Security Advisory, ptl-2004-03, August 11, 2004


UNIX / Linux Operating Systems Only

Vendor & Software Name

Vulnerability - Impact / Patches - Workarounds / Attack Scripts

Common Name

Risk

Source

Adobe Systems


Adobe Acrobat Reader 5.05 and 5.06


An input validation and boundary error vulnerability exists in the
uudecoding feature of Adobe Acrobat Reader, which can be exploited by a
malicious user to compromise a user's system. The input validation error
can be exploited to inject arbitrary shell commands. The boundary error can be
exploited to cause a buffer overflow via a malicious PDF document with an
overly long filename. Successful exploitation may allow execution of
arbitrary code, but requires that a user is tricked into opening a
malicious document.


Update to version 5.09 for UNIX available at: http://www.adobe.com/products/acrobat/readstep2.html


We are not aware of any exploits for this vulnerability.


Adobe Acrobat Reader Shell Command Injection and Buffer
Overflow Vulnerability


CVE Names:
CAN-2004-0630
CAN-2004-0631


High

Secunia, SA12285, August 13, 2004


iDEFENSE Advisories 08.12.04

Apache Software Foundation

Apache 2.0.49
(Win32) with PHP 5.0.0 RC2

A Denial of Service vulnerability exists in the Apache
web server when running with PHP due to a flaw when invoking certain
functions such as fopen and fsockopen in an endless loop.


Hewlett-Packard: Install updated version of
Apache from Software Depot. http://software.hp.com


Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000857


A Proof of Concept exploit has been published.


Apache
Can Be Crashed By PHP Code

Low

SecurityTracker, 1010674, July 9, 2004


US-CERT Cyber Security Bulletin SB04-203, http://www.uscert.gov/cas/bulletins/SB04-203.html


HP SSRT4777 rev. 0 HP-UX Apache, PHP, August 2,
2004


Secunia, SA12243, August 9, 2004


Benchmark Design


WHM Autopilot 2.4.5 and prior


A login vulnerability exists due to a bug in client
login code and the built-in login backdoor. It is possible to generate the
hash required to get a user's username and plain-text password.


No solution is available at this time.


We are not aware of any exploits for this
vulnerability.


Benchmark Designs' WHM Autopilot
Backdoor Allows Plaintext Credential
Leakage

Medium
SecuriTeam, August 3, 2004

cvstrac.org


CVSTrac 1.1.3


An input validation vulnerability exists in CVSTrac due
to insufficient sanitization of input passed to 'filediff,' which could
allow a malicious user to execute arbitrary code.


Fix available in the CVS repository at: http://www.cvstrac.org/cvstrac/wiki?p=DownloadCvstrac


A Proof of Concept exploit has been published.


CVSTrac "filediff" Arbitrary
Command Execution Vulnerability

High
Bugtraq, August 5, 2004

Ethereal


Ethereal 0.x

Multiple Denial of Service and buffer overflow
vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors
which may allow a malicious user to run arbitrary code or crash the
program.

Updates available at: http://www.ethereal.com/download.html
or disable the affected protocol dissectors.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Debian:
http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00129.html


Exploit script has been published.


Ethereal: Multiple security
problems

CVE
Names:
CAN-2004-0633
CAN-2004-0634
CAN-2004-0635


High

Ethereal Advisory, enpa-sa-00015, July 6, 2004


Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July
9, 2004


Secunia Advisory, 12034 & 12035, July 12, 2004


SecurityFocus, August 5, 2004


Gaim


  Gentoo


Multiple vulnerabilities were reported in Gaim in the
processing of the MSN protocol. A remote user may be able to execute
arbitrary code on the target system. Several remotely exploitable buffer
overflows were reported in the MSN protocol parsing functions.


Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml


SuSE: http://www.suse.de/de/security/2004_25_gaim.html


We are not aware of any exploits for this
vulnerability.


Gaim Buffer Overflows in Processing MSN
Protocol



CVE Name:
CAN-2004-0500


High
SecurityTracker, 1010872, August 5,
2004

Geeklog.net


Geeklog 1.39


A configuration vulnerability exists in Geeklog. The installation
software leaves the 'install' file in the 'admin' directory, which is
accessible to remote users. A remote malicious user can invoke the
installation script with specially crafted URLs.


No solution is available at this time.


We are not aware of any exploits for this vulnerability.


Geeklog Default Installation Lets Remote Users Access
the Installation Script

Low
SecurityTracker 1010948, August 13, 2004

Gentoo Linux 1.x


versions prior to "www-servers/tomcat-5.0.27-r3"


A privilege escalation vulnerability exists in the tomcat package for
Gentoo, which can be exploited by a local malicious user to escalate their
privileges. tomcat initialization scripts are owned by the "tomcat" user
and group, but are run with "root" privileges during system startup. This
can be exploited by users in the "tomcat" group to execute commands as
root.


Update to "www-servers/tomcat-5.0.27-r3" or later. http://security.gentoo.org/glsa/glsa-200408-15.xml


We are not aware of any exploits for this vulnerability.


Gentoo Tomcat Privilege Escalation Vulnerability

Medium
Gentoo Security Advisory, GLSA 200408-15 / tomcat, August 15,
2004

gv Postscript and PDF viewer 3.5.8
and prior


Gentoo


A buffer overflow vulnerability exists in gv that could
allow a local malicious user to execute arbitrary code. To exploit this
vulnerability, a malicious user would have to trick a user into viewing a
malformed PDF or PostScript file from the command.


Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-10.xml


A Proof of Concept exploit script has been
published.


gv Local Buffer
Overflow

High
SecuriTeam, August 4, 2004

Hewlett-Packard


HP-UX Process Resource Manager C.02.01[.01] and
prior


HP-UX Workload Manager


A vulnerability was reported in the HP-UX Process
Resource Manager that could allow non-root local malicious users to
corrupt data files on a system that has the Process Resource Manager
installed. Workload Manager (version A.02.01 and prior) includes the
Process Resource Manager and, therefore, is also affected.


For Proc-Resrc-Mgr.PRM-RUN (PRM-Sw-Lib.PRM-LIB),
install revision C.02.02 or subsequent. For WLM-Monitor (Workload-Mgr),
install revision A.02.02 or subsequent. Update information and patch
matrix is available at: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBUX01065


We are not aware of any exploits for this
vulnerability.


HP-UX Process
Resource Manager Bug Lets Local Users Corrupt Files

Medium

HP SSRT4785 rev. 0 HP-UX Process Resource Manager (PRM)
potential data corruption, August 5, 2004


SecurityTracker: 1010914, August 10, 2004


Hewlett-Packard


HP-UX release B.11.04 with VirtualVault A.04.50 -
A.04.70 or Webproxy A.02.00 - A.02.10


Multiple vulnerabilities exist in Apache affecting HP
VirtualVault and HP Webproxy, which can be exploited by a malicious user
to cause a DoS (Denial of Service), bypass security restrictions, or
compromise a vulnerable system.


Install patches available at: http://itrc.hp.com


We are not aware of any exploits for this
vulnerability.


HP VirtualVault / Webproxy
Multiple Vulnerabilities in Apache

High

Secunia, SA12246, August 10, 2004


SSRT4788 rev. 0 HP-UX Apache, August 8, 2004


SSRT4789 rev. 0 HP-UX Apache, August 8, 2004

KDE 3.2.3 and prior

Two vulnerabilities exist in KDE which a local malicious user can
exploit to gain escalated privileges and unauthorized access to files on
the system. 1) Certain directories and files are created insecurely when a
user runs a KDE application outside the KDE environment or as another
user. This can be exploited via symlink attacks to overwrite or truncate
arbitrary files or prevent KDE applications from accessing certain
directories. 2) The DCOPServer creates temporary files, which are used for
authentication related purposes, insecurely. This can be exploited to
potentially gain the privileges of any user running a KDE application.


Apply patches available at: ftp://ftp.kde.org/pub/kde/security_patches/


Gentoo: http://security.gentoo.org/glsa/glsa-200408-13.xml


We are not aware of any exploits for this vulnerability.


KDE Insecure Temporary File Creation Vulnerability


CVE Name:
CAN-2004-0690


Medium

KDE Security Advisories 20040811-1 and 20040811-2, August 11,
2004

KDE 3.2.3 and prior

A frame injection vulnerability exists in the Konqueror web browser
that allows websites to load web pages into a frame of any other
frame-based web page that the user may have open. A malicious website
could abuse Konqueror to insert its own frames into the page of an
otherwise trusted website. As a result the user may unknowingly send
confidential information intended for the trusted website to the malicious
website.


Source code patches have been made available which fix these
vulnerabilities. Refer to advisory: http://www.kde.org/info/security/advisory-20040811-3.txt


A Proof of Concept exploit has been published.


Konqueror Frame Injection Vulnerability


CVE Name:
CAN-2004-0721


Low
KDE Security Advisory 20040811-3, August 11, 2004
Linux 2.4.27

A permissions vulnerability exists in the sys_chown() function of the
Linux kernel. Because sys_chown() is missing a check for fsuid, a remote
authenticated user can modify the group ID of arbitrary files on the
target system. In particular, an NFS client may be able to make
unauthorized changes to the group ownership of files on a remote
system.


Upgrade to Linux 2.4.27 RC5.


We are not aware of any exploits for this
vulnerability.


Linux Kernel sys_chown() Bug May Let
Remote NFS Users Modify Group Permissions on Files


CVE Name:
CAN-2004-0497


Medium
SecurityTracker, 1010859,
August 4, 2004

Linux
  Fedora
  RedHat
  SuSE


Linux kernel 2.4 through 2.4.26, 2.6 through
2.6.7

A vulnerability exists in the Linux kernel in
the processing of 64-bit file offset pointers thus allowing a local
malicious user to view kernel memory. The kernel's file handling API does
not properly convert 64-bit file offsets to 32-bit file offsets. In
addition, the kernel provides insecure access to the file offset member
variable. As a result, a local user can gain read access to large portions
of kernel memory.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


RedHat:
http://rhn.redhat.com/


SuSE:
http://www.suse.de/de/security/2004_24_kernel.html


A Proof of Concept exploit has been published.


Linux Kernel 64-bit to 32-bit File Offset
Conversion Errors Disclose Kernel Memory to Local Users


CVE Name:
CAN-2004-0415


High

ISEC Security Research, August 4, 2004




Paul L Daniels


ripMIME 1.3.2.2 and prior


An input validation vulnerability exists in ripMIME,
which may allow a virus to avoid detection and compromise the system.
Certain virus attachments may not be properly decoded. Some viruses use
encoded attachments that may contain blank lines or other invalid
characters to cause the Base64 decoding process to terminate prematurely.
As a result, an anti-virus system using this decoding method may fail to
detect a virus.


Update to version 1.3.2.3, available at: http://www.pldaniels.com/ripmime/downloads.php


We are not aware of any exploits for this
vulnerability.


ripMIME Base64 Decoding May
Terminate Prematurely When Decoding Virus Attachments

Medium
SecurityTracker, 1010858, August 4,
2004

Peter F. Brown


Simple Form prior to 2.2


An input validation vulnerability exists in Simple Form, which can be
exploited by a malicious user to use it as an open mail relay. Input
passed to the parameters "admin_email_to" and "admin_email_from" isn't
properly verified before being used in mails.


Update to version 2.2 available at: http://worldcommunity.com/opensource/utilities/simple_form.html


We are not aware of any exploits for this vulnerability.


Simple Form Open Mail Relay Vulnerability

Low
Secunia, SA12297, August 16, 2004

phpMyWebhosting version 0.3.4


Multiple input validation vulnerabilities exist in phpMyWebhosting that
allow malicious users to gain elevated privileges as well as enter the
product's management system without knowing the administrative password.
phpMyWebhosting does not verify incoming user input for arbitrary SQL
statements. If magic_quotes_gpc is disabled in the PHP settings, a remote
malicious user can exploit an SQL injection vulnerability in
phpMyWebhosting.


No solution is available at this time.


We are not aware of any exploits for this vulnerability.


phpMyWebhosting SQL Injection Vulnerabilities

High
SecuriTeam, August 16, 2004

Redhat


GNOME VFS


Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64;
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64


Multiple vulnerabilities exist in several of the GNOME
VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable
scripts, but they are not used by default. A malicious user who is able to
influence a user to open a specially-crafted URI using gnome-vfs could
perform actions as that user. Users of Red Hat Enterprise Linux should
upgrade to these updated packages, which remove these unused scripts.


Before applying this update, make sure that all
previously-released errata relevant to your system have been applied. Use
Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command: up2date


For information on how to install packages manually,
refer to the following Web page for the System Administration or
Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/


We are not aware of any exploits for this
vulnerability.


GNOME VFS updates address extfs
vulnerability


CVE Name:
CAN-2004-0494


High
Red Hat Security Advisory ID: RHSA-2004:373-01,
August 4, 2004
Shorewall 1.4.x, 2.0.x

A privilege escalation vulnerability exists because the
"shorewall" script creates temporary files insecurely. This can be
exploited via symlink attacks to overwrite arbitrary files with the
privileges of the user invoking the script (usually root).


Update available at:
http://shorewall.net/download.htm


Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:080


Currently, we are not aware of any exploits for this
vulnerability.


Shorewall Insecure Temporary File Creation
Vulnerability


CVE Name:
CAN-2004-0647


Medium
Shorewall Security Vulnerability, June 28, 2004

rsync 2.6.2 and prior
  Debian
  SuSE
  Trustix


A vulnerability exists in rsync when running in daemon mode with chroot
disabled. A remote user may be able to read or write files on the target
system that are located outside of the module's path. A remote user can
supply a specially crafted path to cause the path cleaning function to
generate an absolute filename instead of a relative one. The flaw resides
in the sanitize_path() function.


Updates and patches are available at: http://rsync.samba.org/


SuSE: http://www.suse.de/de/security/2004_26_rsync.html


Debian: http://www.debian.org/security/2004/dsa-538


Trustix: http://www.trustix.net/errata/2004/0042/


We are not aware of any exploits for this vulnerability.


Rsync Input Validation Error in sanitize_path() May Let
Remote Users Read or Write Arbitrary Files

High

SecurityTracker 1010940, August 12, 2004


rsync August 2004 Security Advisory


Silicon Graphics


SGI IRIX 6.5.x, CDE 5.3.4


A buffer overflow vulnerability exists in the libDtHelp
module and a double-free vulnerability exists in the dtlogin module, which
a malicious user can use to gain root access.


Upgrade to CDE 5.3.4 available at: ftp://patches.sgi.com/support/free/security/patches/6.5.25/


We are not aware of any exploits for this
vulnerability.


SGI IRIX CDE Multiple Vulnerabilities


CVE Names:
CAN-2003-0834
CAN-2004-0368


Medium
SGI Security Advisory, 20040801-01-P, August 3,
2004
Sourceforge.net
Gentoo Linux
Pavuk 0.x

Multiple vulnerabilities exist which could allow a malicious
user to run arbitrary code. The vulnerabilities are caused due to boundary
errors within the handling of digest authentication.


Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml


An exploit script has been published.


Pavuk Digest Authentication
Buffer Overflow Vulnerabilities

High

Gentoo Security Advisory, GLSA 200407-19 / Pavuk, Release Date July 26, 2004


SecurityFocus, August 7,
2004


sox.sourceforge.net
  Fedora

  Mandrakesoft
  Gentoo
  Conectiva
  RedHat

SoX 12.17.4, 12.17.3,
and 12.17.2

Multiple vulnerabilities exist that could allow a remote
malicious user to execute arbitrary code. This is due to boundary errors
within the "st_wavstartread()" function when processing ".WAV" file
headers and can be exploited to cause stack-based buffer overflows.
Successful exploitation requires that a user is tricked into playing a
malicious ".WAV" file with a large value in a length field.


Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076


Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml


Conectiva: ftp://atualizacoes.conectiva.com.br


RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html

An exploit script has been published.


SoX ".WAV" File Processing Buffer Overflow
Vulnerabilities


CVE Name:
CAN-2004-0557


High

Secunia, SA12175, 12176, 12180, July 29, 2004


SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004


Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004


PacketStorm, August 5, 2004

SpamAssassin prior to 2.64

A Denial of Service vulnerability exists in
SpamAssassin. A remote user can send an e-mail message with specially
crafted headers to cause a Denial of Service against the
SpamAssassin service.


Update to version 2.64, available at: http://old.spamassassin.org/released/


Gentoo: http://security.gentoo.org/glsa/glsa-200408-06.xml


We are not aware of any exploits for this
vulnerability.


SpamAssassin Lets Remote Users Deny Service By Sending Malformed
Messages

Low
SecurityTracker: 1010903,
August 10, 2004

Team OpenFTPD

OpenFTPD 0.30.2 prior to July 16, 2004, and prior versions

A vulnerability exists that could allow a remote malicious user
to execute arbitrary code on the target system. A remote authenticated
user can send a specially crafted message to another FTP user to trigger a
format string flaw and execute arbitrary code on the FTP server due to a
flaw in 'misc/msg.c'.


Update available at: http://www.openftpd.org:9673/openftpd/download_page.html

An exploit script has been published.

OpenFTPD Format String
Flaw Lets Remote Authenticated Users Execute Arbitrary Code

High

VSA0402 - openftpd - void.at security notice,
July 31, 2004


PacketStorm, August 5, 2004


xine-Project


xine 0.99.2

A buffer overflow vulnerability exists in xine
in the processing of 'vcd://' protocol identifiers. A remote malicious
user can execute arbitrary code on the target system. A remote malicious
user can trigger a stack overflow in xine-lib by embedding a specially
crafted source identifier within a playlist file, for example. When the
target user plays the file, arbitrary code can be executed with the
privileges of the target user.

A patch is available via CVS at: http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923


A Proof of Concept exploit has been published.



xine Buffer Overflow in Processing 'vcd' Identifiers
Lets Remote Users Execute Arbitrary Code

High

SecurityTracker: 1010895, August 8, 2004


Open security advisory #6, August 8, 2004


Multiple Operating Systems - Windows / UNIX / Linux / Other

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source

America Online


AOL Instant Messenger (AIM) 5.5


A buffer overflow vulnerability exists in America
Online's Instant Messenger (AIM) which can allow remote malicious users to
execute arbitrary code. The vulnerability specifically exists due to
insufficient bounds checking on user-supplied values passed to the
'goaway' function of the AOL Instant Messenger 'aim:' URI handler.


Upgrade to AIM beta version available at: http://www.aim.com


A Proof of Concept exploit script has been published.


AOL Instant Messenger aim:goaway
URI Handler Buffer Overflow Vulnerability

High

iDEFENSE Security Advisory 08.09.04


Secunia, SA12198, August 9, 2004




US-CERT Vulnerability Note VU#735966, August 10, 2004

Apache Software Foundation

Apple
Mandrake
Trustix

Apache 2.0.47 - 2.0.49

A remote Denial of Service vulnerability exists in the
‘ap_get_mime_headers_core()’ function due to a failure to handle
excessively long HTTP header strings.

Patches available at: http://www.apache.org/dist/httpd/patches/apply_to_2.0.49/CAN-2004-0493.patch


Mandrake: http://www.mandrakesecure.net/en/ftp.php


Trustix: ftp://ftp.trustix.org/pub/trustix/updates/


Exploit scripts have been
published.



Apache ap_escape_html Remote
Denial of Service

CVE Name:
CAN-2004-0493


Low

Mandrakelinux Security Update Advisory,
MDKSA-2004:064, June 29, 2004


Trustix Security Advisory, TSL-2004-0038, June 29,
2004


SecurityFocus, August 6, 2004


Apple


Apple Macintosh OS X


Safari 1.x


 


 


Apple has issued a security update for Mac OS X, which
fixes various vulnerabilities: multiple vulnerabilities in libpng that can
be exploited to cause a Denial of Service or compromise a user's system; a
vulnerability in the Safari browser that can be used to steal sensitive
information from forms; and a vulnerability in the processing of network
traffic that can be used to cause a DoS. The attack known as the "Rose
Attack" causes the system to consume excessive system resources, resulting
in a DoS.


Apply Security Update 2004-08-09.


Mac OS X 10.3.5: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04216&platform=osx&method=sa/SecUpd2004-08-09Pan.dmg


Mac OS X 10.2.8: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04285&platform=osx&method=sa/SecUpd2004-08-09Jag.dmg


We are not aware of any exploits for this
vulnerability.


See also Multiple Vulnerabilities in
libpng.


Mac OS X Security Update Fixes
Multiple Vulnerabilities

High
Secunia, SA12249, August 10, 2004
CuteNews 1.3.1

An input validation vulnerability exists in CuteNews, which can be
exploited by a remote malicious user to conduct cross-site scripting
attacks. Input passed to the "archive" parameter in "show_archives.php" is
not sanitized properly before being returned to users. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of an affected website by tricking the user into
visiting a malicious website or following a specially crafted link.


No solution is available at this time.


A Proof of Concept exploit has been published.


CuteNews "archive" Parameter Cross-Site Scripting
Vulnerability

High
Secunia, SA12260, August 16, 2004

Concurrent Versions Systems (CVS) 1.11


A vulnerability exists in Concurrent Versions System (CVS) which a
malicious user can exploit to determine the existence and permissions of
arbitrary files and directories. The problem is caused by an
undocumented switch to the "history" command implemented in
"src/history.c". Using the "-X" switch and supplying an arbitrary
filename, CVS will try to access the specified file and return various
information depending on whether the file exists and can be accessed.


Upgrade to version 1.11.17 or 1.12.9 available at: https://www.cvshome.org/


A Proof of Concept exploit has been published.


CVS Undocumented Flag Information Disclosure
Vulnerability


CVE Name:
CAN-2004-0778

Low

iDEFENSE Security Advisory 08.16.04


Endonesia.Com


eNdonesia 8.3


Input verification vulnerabilities exist that could
allow a remote malicious user to conduct cross-site scripting attacks or
determine the installation path. The software does not properly filter
HTML code from user-supplied input in the "query" parameter. A remote user
can submit a request with certain invalid parameters to cause the system
to display the installation path.


No solution is available at this time.


A Proof of Concept exploit has been published.


eNdonesia
'mod.php' Input Validation Vulnerability in Search 'query' Parameter
Permits Cross-Site Scripting Attacks

High
SecurityTracker: 1010865, August 4,
2004
GoScript 2.0

An input validation vulnerability exists in
GoScript that could allow a remote user to execute arbitrary commands on
the target system. The 'go.cgi' script does not validate user-supplied
input. A remote user can supply a specially crafted URL to execute
operating system commands on the target system with the privileges of the
target web service.

No solution is available at this time.


A Proof of Concept exploit has been published.


GoScript Input
Validation Hole Lets Remote Users Execute Arbitrary
Commands

High
SecurityTracker 1010865, August
4, 2004

IBM


IBM Tivoli Access Manager for e-business 3.x, 4.x,
5.x


An input validation vulnerability exists in IBM Tivoli
Access Manager for e-business, which could allow a remote malicious user
to conduct cross-site scripting attacks and gain control over an affected
system.


Patch as appropriate at: http://www.ibm.com/support/us/


We are not aware of any exploits for this
vulnerability.


IBM Tivoli Access Manager HTTP
Response Splitting Vulnerability

High
Secunia, SA12093, August 9, 2004

Juniper


Juniper Networks NetScreen firewalls with SSHv1 enabled - ScreenOS
prior to 5.0.0r8

A vulnerability exists in ScreenOS in the processing of SSHv1
management connections that could allow a remote malicious user to cause
the device to crash. If SSH version 1 is enabled on the target device, a
remote user can connect to the management port and cause the device to
hang or to crash and reboot. Authentication is not required.

Updates available at: http://www.juniper.net/support/


We are not aware of any exploits for this vulnerability.


NetScreen Firewalls ScreenOS Can Be Crashed By Remote
Users Due to an SSHv1 Implementation Bug

Low

Juniper Networks NetScreen Advisory 59147, August 3, 2004


SecurityTracker 1010848, August 3, 2004


US-CERT Vulnerability Note VU#749870, August 13, 2004


Mark Burgess


Cfengine 2.0.0 to 2.1.7p1.


Input validation and buffer overflow vulnerabilities
exist in Cfengine which could allow a remote malicious user to execute
arbitrary code or cause a DoS (Denial of Service). The vulnerabilities are
caused by insufficient input validation and a boundary error in the
cfservd daemon when processing authentication requests. The problem lies
in the "AuthenticationDialogue()" function, which is responsible for
performing RSA authentication and key agreement.


Update to version 2.1.8 available at: http://www.cfengine.org/mirrors.html


Gentoo: http://security.gentoo.org/glsa/glsa-200408-08.xml


We are not aware of any exploits for this
vulnerability.


Cfengine RSA Authentication Heap
Corruption


High

Core Security Technologies Advisory, Advisory ID:
CORE-2004-0714, August 9, 2004


Matt Johnston

Dropbear
SSH Server 0.42

A vulnerability exists that could allow a remote malicious user
to execute arbitrary code. This vulnerability is caused due to freeing of
uninitialized variables in the DSS verification code.


Update to version 0.43 available at: http://matt.ucc.asn.au/dropbear/


Exploit scripts have been published.


Dropbear SSH Server DSS Verification
Vulnerability

High

Secunia, SA12153, July 26, 2004


Dropbear Security Update


Packetstorm, August 4, 2004


moodle.org


Moodle versions prior to 1.3


An input validation vulnerability was reported in
Moodle in 'post.php' in which a remote malicious user can conduct
cross-site scripting attacks. 'post.php' does not properly filter HTML
code from user-supplied input in the reply variable. A remote user can
access the target user's cookies (including authentication cookies), if
any, associated with the site running the Moodle software, access data
recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.


Update to version 1.3 or above available at: http://moodle.org/mod/resource/view.php?id=8


A Proof of Concept exploit has been published.


Moodle Input Validation Flaw in
'post.php' in reply Variable Permits Cross-Site Scripting
Attacks

High
SecurityTracker, 1010893, August 7,
2004

Mozilla
Organization
  Mandrakesoft
  Slackware


Mozilla 1.7 and prior;
Firefox 0.9 and prior;

Thunderbird 0.7 and prior


Multiple vulnerabilities exist in Mozilla, Firefox, and
Thunderbird that could allow a malicious user to conduct spoofing attacks,
compromise a vulnerable system, or cause a Denial of Service. These
vulnerabilities include buffer overflow, input verification, insecure
certificate name matching, and out-of-bounds reads.


Upgrade to the latest version of Mozilla, Firefox, or
Thunderbird available at: http://www.mozilla.org/download.html


Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659


Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082


We are not aware of any exploits for this
vulnerability.


Mozilla Multiple
Vulnerabilities

High
Secunia, SA10856, August 4, 2004

Nokia


Nokia IPSO 3.5, 3.5.1, 3.6, 3.7, 3.7.1, 3.8


A vulnerability exists in Nokia IPSO, which can be exploited by a
malicious user to cause a Denial of Service.


Update to the latest builds.


We are not aware of any exploits for this vulnerability.


Nokia IPSO Denial of Service Vulnerability

Low

Secunia, SA12280, August 12, 2004


Nokia Knowledge Base, Resolution 21008

Opera
Software

Opera 7.53

A spoofing vulnerability exists that could be
exploited by a malicious user to conduct phishing attacks against a user.
Opera fails to update the address bar if a web page is opened using the
"window.open" function and then "replaced" using the "location.replace"
function. This causes Opera to display the URL of the first website while
loading the content of the second website.


Update to 7.54 available at: http://www.opera.com/download/


Gentoo:
http://security.gentoo.org/glsa/glsa-200408-05.xml


A Proof of Concept exploit has been published.


Opera Browser Spoofing
Vulnerability


High

Secunia, SA12162, July 27, 2004


Gentoo SA, GLSA 200408-05 / Opera, August 05, 2004


GreyMagic Security Advisory GM#008-OP, August 5,
2004


PHP Foundry


Jetbox One 2.0.8


An input validation vulnerability exists in Jetbox One
that could allow users with "Author" privileges in "IMAGES" to upload
arbitrary files, including PHP code. The vulnerability exists because the
type of file being uploaded is not verified as a valid image file (e.g.
GIF, JPEG). Once uploaded, the malicious user is then able to request the
file, which will be interpreted by the JetboxOne application.


Also, JetboxOne does not encrypt information in the
account information database. Any user with the ability to query the
database may be able to view confidential account information.


No vendor solution is available.


A Proof of Concept exploit has been published.


JetBoxOne CMS Arbitrary File Upload
Vulnerability


JetBoxOne Leaves Account Database
Unencrypted


High

Secunia, SA12230, August 5, 2004


US-CERT Vulnerability Note #417408, August 13, 2004


US-CERT Vulnerability Note #58670, August 13, 2004


Phpnuke.org


PHP-Nuke 7.x


An input verification vulnerability exists in PHP-Nuke
which a malicious user can exploit to conduct cross-site scripting
attacks. User input passed to the search box in the following modules is
not sanitized before being returned to users: Web_Links, Journal, Stories
Archive, Topics Archive.


No vendor solution is available.


A Proof of Concept exploit has been published.


PHP-Nuke Search Box Cross-Site
Scripting Vulnerabilities

High

Secunia, SA12271, August 11, 2004


SystemSecure.org, Advisory SS#23072004


PluggedOut


Blog 1.6 alpha and prior


An input validation vulnerability exists that could
allow a remote malicious user to conduct cross-site scripting attacks. The
software does not filter HTML code from user-supplied input in the
'blogid' variable. The malicious user can access the target user's cookies
(including authentication cookies), if any, associated with the site,
access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.


No vendor solution is available.


A Proof of Concept exploit has been published.


PluggedOut Blog Input Validation
Hole in 'blogid'

High
VulnWatch, August 7, 2004

PNG Development Group
  Conectiva
  Debian
  Fedora
  Gentoo
  Mandrakesoft
  RedHat
  SuSE
  Sun Solaris
  HP-UX
  GraphicsMagick
  ImageMagick
  Slackware


libpng 1.2.5 and 1.0.15


Multiple vulnerabilities exist in the libpng library
which could allow a remote malicious user to crash or execute arbitrary
code on an affected system. These vulnerabilities include:



  • libpng fails to properly check length of transparency chunk (tRNS)
    data,
  • libpng png_handle_iCCP() NULL pointer dereference,
  • libpng integer overflow in image height processing,
  • libpng png_handle_sPLT() integer overflow,
  • libpng png_handle_sBIT() performs insufficient bounds checking,
  • libpng contains integer overflows in progressive display image
    reading.

If using the original library, update to libpng version 1.2.6rc1
(release candidate 1) available at: http://www.libpng.org/pub/png/libpng.html


Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000856


Debian: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html


Gentoo: http://security.gentoo.org/glsa/glsa-200408-03.xml


Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079


RedHat: http://rhn.redhat.com/


SuSE: http://www.suse.de/de/security/2004_23_libpng.html


Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


Sun Solaris: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617


HP-UX: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01065


GraphicsMagick: http://www.graphicsmagick.org/www/download.html


ImageMagick: http://www.imagemagick.org/www/download.html


Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243


Yahoo: http://messenger.yahoo.com/


A Proof of Concept exploit has been published.


Multiple Vulnerabilities in libpng


CVE Names:
CAN-2004-0597
CAN-2004-0598
CAN-2004-0599


High

US-CERT Technical Cyber Security Alert TA04-217A,
August 4, 2004




US-CERT Vulnerability Notes VU#160448, VU#388984,
VU#817368, VU#236656, VU#477512, VU#286464, August 4, 2004.

QuiXplorer - Quick (PHP) Explorer 2.3 and prior

A directory traversal vulnerability was reported in QuiXplorer. A
remote user can view files on the target system. QuiXplorer does not
properly filter user-supplied input in the 'item' parameter. A remote user
can submit a specially crafted request to view files located anywhere on
the target system.


Update to 2.3.1, available at: http://sourceforge.net/project/showfiles.php?group_id=72517


A Proof of Concept exploit has been published.


QuiXplorer Input Validation Hole in 'item' Parameter
Discloses Files to Remote Users

Medium
SecurityTracker 1010954, August 15, 2004

Simon Tatham
  Gentoo


PuTTY 0.54 and previous


Input validation and buffer overflow vulnerabilities
exist in PuTTY that could allow a remote malicious user to execute
arbitrary code. By sending specially crafted packets to the client during
the authentication process, a malicious user is able to compromise the
machine running PuTTY or PSCP and execute arbitrary code on it.


Update to version 0.55 available at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-04.xml


A Proof of Concept exploit has been published.


PuTTY System Compromise
Vulnerability

High
Core Security Technologies Advisory number CORE-2004-0705 (http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10)

Sun Microsystems


Sun Solaris 7, 8, 9


A vulnerability has been reported in Solaris, which can
be exploited by malicious people to cause a Denial of Service. The
vulnerability is caused due to an unspecified error within the processing
of XDMCP requests. Successful exploitation crashes the X Display Manager
(xdm).


Apply patches or vendor workaround available at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57619


We are not aware of any exploits for this
vulnerability.


Sun Solaris XDMCP Parsing
Vulnerability

Low

Sun Alert ID: 57619, August 9, 2004


US-CERT Vulnerability Note VU#139504, August 11, 2004


The Webmaster Guide, Inc.


Board Power v2.04 PF


An input validation vulnerability exists in the Board Power
forum that could allow a remote malicious user to conduct cross-site scripting
attacks and execute arbitrary code. Board Power fails to filter malicious
content passed into the "action" parameter of icq.cgi. This could be used
to "sniff" sensitive data from within the web page, including passwords,
credit card numbers, and any arbitrary information the user inputs.
Likewise, information stored in cookies can be stolen or corrupted.


No solution is available at this time.


A Proof of Concept exploit has been published.


Board Power forum contains
cross-site scripting vulnerability

High
US-CERT Vulnerability Note VU#744590, August 5,
2004

Thomson


SpeedTouch Home ADSL Modem firmware version GV8BAA3.270
(1003825) and earlier


A design error vulnerability exists in Thomson's
SpeedTouch Home ADSL modem that could allow a malicious user to spoof TCP
traffic on behalf of the device. The problem specifically exists due to
the predictable nature of the TCP Initial Sequence Number (ISN) generator
on the device.


No vendor solution is available at this time.


We are not aware of any exploits for this
vulnerability.


Thomson SpeedTouch Home ADSL Modem
Predictable TCP ISN Generation


CVE Name: CAN-2004-0641


Medium

iDEFENSE Security Advisory, August 5, 2004


SecuriTeam, August 9, 2004


Volker
Rattel


phpBB Fetch All 2.0.10 and 2.0.11


An input verification vulnerability exists in phpBB
Fetch All that could allow a malicious user to pass malicious SQL
statements to the underlying function. Successful exploitation could
result in compromise of the application, disclosure or modification of
data, or may permit a malicious user to exploit vulnerabilities in the
underlying database implementation.


Upgrade to 2.0.12 available at: http://prdownloads.sourceforge.net/phpbbfetchall/phpbb_fetch_all-2.0.12.zip?download


No exploit code required.


phpBB Fetch All SQL Injection
Vulnerability

High
SecurityFocus, August 4, 2004

vRating 4.0, 4.01

A disclosure vulnerability exists in vRating. A remote malicious user
can view and edit the 'settings.php' file with a specially crafted URL. A
malicious user can also access the 'admin' directory to gain access to the
administrative interface.


No solution is available at this time.


We are not aware of any exploits for this vulnerability.


vRating Discloses Sensitive Information and Grants
Administrative Access to Remote Users

Medium
SecurityTracker 1010951, August 13, 2004

WackoWiki 3.x


An input validation vulnerability exists in WackoWiki
that a malicious user can exploit to conduct cross-site scripting attacks
and execute arbitrary HTML and script code in a user's browser session in
the context of an affected website.


Upgrade to version R4 available at: http://wackowiki.com/WackoDownload/InEnglish


We are not aware of any exploits for this
vulnerability.


WackoWiki textsearch Cross-Site
Scripting Vulnerability

High
Secunia, SA12209, August 4, 2004

Xavier Cirac


Shuttle FTP Suite 3.2


An input verification vulnerability exists in Shuttle FTP Suite, which
can be exploited by a malicious user to read or place files in arbitrary
locations on a vulnerable system. Arguments passed to certain commands are
not properly verified. This can be exploited to access and write files
outside the FTP root using the classical directory traversal character
sequence "../" or absolute paths.


No solution is available at this time.


We are not aware of any exploits for this vulnerability.


Shuttle FTP Suite Directory Traversal Vulnerability

Medium
Secunia, SA12270, August 11, 2004

[back to top]


Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides
identified during this period. Items listed in boldface/red (if any) are
attack scripts/techniques for which vendors, security vulnerability
listservs, or Computer Emergency Response Teams (CERTs) have not published
workarounds or patches, or which represent scripts that malicious users are
utilizing.

Note: At times, scripts/techniques may contain names or content that may
be considered offensive.

Date of Script (Reverse Chronological Order) | Script name | Script Description
August 17, 2004 | SpecificMAIL.theft.txt | A freeware spam filter for Outlook and Outlook Express that is extremely intrusive and acts more as spyware than a useful utility to users.
August 16, 2004 | proc_kmem_dump.c | Script that exploits the Linux Kernel Proc_kmem_dump vulnerability.
August 14, 2004 | aimAway.c | Proof of Concept exploit for the AOL Instant Messenger aim:goaway URI Handler Buffer Overflow vulnerability.
August 13, 2004 | ethereal-0.10.6.tar.gz | A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.
August 13, 2004 | gv-exploit.c | Script that exploits the gv Local Buffer Overflow vulnerability.
August 13, 2004 | netgearDG834G.txt | The Netgear DG834G has a hardcoded root password of zebra and a debug mode that allows for an immediately available rootshell.
August 13, 2004 | priv8afp.pl | Remote root exploit for the Mac OS X Apple Filing Protocol Buffer Overflow vulnerability.
August 12, 2004 | aircrack-1.1.tgz | An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools.
August 12, 2004 | freedom.c | Remote CVS exploit for the Double free() Heap Overflow vulnerability.
August 12, 2004 | mercantec_softcart.pm | Exploit for the Mercantec Softcart CGI Buffer Overflow vulnerability.
August 12, 2004 | pngslap.c | Script that exploits the Libpng Buffer Offset Calculation Overflow vulnerability.
August 12, 2004 | rkhunter-1.1.5.tar.gz | Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers.
August 11, 2004 | 0x4553_Exorcist.tar.gz | A tool that can be considered an anti-anti-ptrace utility that unlocks the ptrace_traceme guard of a binary.
August 11, 2004 | 0x4553_Scorpion.tar.gz | Tool for infecting statically linked ELF binaries.
August 11, 2004 | 0x4553-Static_Infecting.html | White paper that discusses a method of infecting statically linked ELF binaries.
August 11, 2004 | c030224-001.txt | Detailed exploit information for the ServerMask Header Identification vulnerability.
August 11, 2004 | framework-2.2.tar.gz | The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads.
August 11, 2004 | OllyExp.c | Script that exploits the OllyDbg Debugger Messages Format String vulnerability.
August 10, 2004 | linuxKernelFileOffsetPointerHandlingExploit.c | Exploit for the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure vulnerability.
August 9, 2004 | Xines_Mine.c | Script that exploits the Xine Buffer Overflow vulnerability.
August 9, 2004 | yapig_script_injection.php | Exploit for the YaPiG Remote Server-Side Script Execution vulnerability.
August 8, 2004 | servulocal.c | Script that exploits the RhinoSoft Serv-U FTP Server Default Administration Account vulnerability.
August 7, 2004 | pavuk.c | Script that exploits the Pavuk Digest Authentication Buffer Overflow vulnerabilities.
August 7, 2004 | pavukWebSpider.c | Script that exploits the Pavuk Digest Authentication Buffer Overflow vulnerabilities.
August 6, 2004 | apache-dos.pl | Perl script that exploits the Apache ap_escape_html Remote Denial of Service vulnerability.
August 6, 2004 | apacheEscapeHeaderD0SExploit.c | Script that exploits the Apache ap_escape_html Remote Denial of Service vulnerability.
August 5, 2004 | aircrack-1.0.tgz | An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
August 5, 2004 | bjd361exp.cpp | Proof of Concept exploit for the BlackJumboDog FTP Buffer Overflow vulnerability.
August 5, 2004 | C-MD5.tar.bz2 | MD5 Brute Force Tool that tests the security of MD5 passwords by attempting to brute force them.
August 5, 2004 | evil_song.py | Exploit for the SoX ".WAV" File Processing Buffer Overflow vulnerability.
August 5, 2004 | hoagie_openftpd.c | Remote root exploit for the OpenFTPD Format String vulnerability.
August 5, 2004 | HOD-ms04022-task-expl.c | Exploit for the Microsoft Windows Task Scheduler Remote Buffer Overflow vulnerability.
August 5, 2004 | hydra-4.2-src.tar.gz | A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.
August 5, 2004 | isec-0016-procleaks.txt | Exploit for the Linux Kernel 64-bit to 32-bit File Offset Conversion vulnerability.
August 5, 2004 | mailEnable.txt | Exploit for the MailEnable Content-Length Denial of Service vulnerability.
August 5, 2004 | openf.c | Remote root exploit for the OpenFTPD Format String vulnerability.
August 5, 2004 | pocExploitEtherealiSNSProtocolVuln.c | Proof of Concept exploit for the Ethereal iSNS Protocol Denial of Service vulnerability.
August 4, 2004 | drop-root.c | Script that exploits the Dropbear SSH Server DSS Verification vulnerability.
August 4, 2004 | FreeWebChat[Mir]DoS-po.cc | Script that exploits the Free Web Chat Denial of Service vulnerabilities.
August 4, 2004 | FreeWebChat_ir_RC_poc.java | Exploit for the Free Web Chat Denial of Service vulnerabilities.
August 4, 2004 | libpng.c | Script that exploits the LibPNG Graphics Library Denial of Service vulnerability.
August 4, 2004 | linuxKernelFileOffsetPointerHandlingExploit.c | Script that exploits the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure vulnerability.
August 4, 2004 | soxWAVfilebufferoverflowexploit.c | Exploit for the SoX ".WAV" File Processing Buffer Overflow vulnerability.


[back to top]


Trends



  • Seven months since the W32/Bagle mass-mailing virus
    first appeared on the Internet, US-CERT continues to see new variants
    appearing and many variants (new and old) continuing to spread. Many variants
    of W32/Beagle are known to open a backdoor on an infected system which can
    lead to further exploitation by remote malicious users.



[back to top]


Viruses/Trojans


Top Ten Virus Threats


A list of high threat viruses, as reported to various
anti-virus vendors and virus incident reporting organizations, has been ranked
and categorized in the table below. For the purposes of collecting and collating
data, infections involving multiple systems at a single location are considered
a single infection. It is therefore possible that a virus has infected hundreds
of machines but has only been counted once. With the number of viruses that
appear each month, it is possible that a new virus will become widely
distributed before the next edition of this publication. To limit the
possibility of infection, readers are reminded to update their anti-virus
packages as soon as updates become available. The table lists the viruses by
ranking (number of sites affected), common virus name, type of virus code (i.e.,
boot, file, macro, multi-partite, script), trends (based on number of infections
reported during the latest three months), and approximate date first found.

Rank | Common Name | Type of Code | Trends | Date
1 | W32/Netsky-P | Win32 Worm | Stable | March 2004
2 | W32/Zafi-B | Win32 Worm | Stable | June 2004
3 | W32/Netsky-Q | Win32 Worm | Increase | March 2004
4 | W32/Netsky-D | Win32 Worm | Slight Increase | March 2004
5 | W32/Netsky-B | Win32 Worm | Slight Increase | February 2004
6 | W32/Netsky-Z | Win32 Worm | Decrease | April 2004
7 | W32/Bagle-AA | Win32 Worm | Decrease | April 2004
8 | W32/MyDoom-M | Win32 Worm | New to Table | July 2004
9 | W32/MyDoom-O | Win32 Worm | New to Table | July 2004
9 | I-Worm.Bagle.z | Win32 Worm | New to Table | April 2004
9 | I-Worm.Bagle.AI | Win32 Worm | New to Table | July 2004
10 | Worm_Sasser.B | Win32 Worm | Decrease | April 2004
10 | W32/Netsky-C | Win32 Worm | Return to Table | March 2004
10 | W32/Mydoom.s@MM | Win32 Worm | New to Table | August 2004
10 | W32/Mydoom.q | Win32 Worm | New to Table | August 2004



New Viruses / Trojans


Viruses or Trojans Considered to be a High Level of
Threat



  • Brador/Bardoor: These are the first
    known backdoor Trojans for Pocket PC hand-held devices. They send the IP
    address of the infected handheld to the malicious user and open various TCP
    ports. Brador only affects Windows Mobile 2003 (Pocket PC 2003 and Windows CE
    4.2) and ARM-based devices.

The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.


NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.

Name | Aliases | Type
Agobot-LT | WORM_AGOBOT.OC, W32/Agobot-LT | Win32 Worm
Amus.A | I-Worm.Amus.a, W32.Amus.A@mm, W32/Amus.A.worm, Win32.Amus.A, WORM_AMUS.A | Win32 Worm
Backdoor.Beasty.I | | Trojan
Backdoor-CFB | W32/Backdoor-CFB | Win32 Worm
Bardoor | Backdoor.Bardor.A | WinCE Trojan
Bck/Surila.B | Surila.B, W32/Mydoom.R | Trojan
Brador | Brador.A, Backdoor.WinCE.Brador.a, Backdoor.Brador.A, Bck/WinCE.Brador.A, Troj/Brador-A, WINCE_BRADOR.A, WinCE/BackDoor-CHK | WinCE Trojan
Cata-A | VBS/Cata-A | Visual Basic Script Virus
Daqa.B | BackDoor-BDI, Win32.Daqa.B, Win32/Daqa.B.Trojan | Win32 Worm
Daqa.C | BackDoor-BDI, Win32.Daqa.C, Win32/Daqa.C.Trojan | Win32 Worm
Doep-A | W32.Doep.A, W32/Doep-A, W32/Ourtime!p2p, Worm.P2P.Doep.a, WORM_DOEP.A | Win32 Worm
Downloader.Harnig | | Trojan
Downloader.OG | Trj/Downloader.OG | Trojan: Adware Downloader
Febelneck-A | W32/Febelneck-A, W32.Febelneck@mm, Febelneck trojan, I-Worm.Febelneck | Win32 Worm
Frear.A | Win32.Frear.A, Win32/FriTear.A, Worm.P2P.Delf.u, Win32/Frear.A.Worm | Win32 Worm
JS/Zerolin | | Java Script Trojan
Keylog-Melcarr | | Trojan
Lovgate.AN | W32.Lovgate.AN@mm | Win32 Worm
MyDoom.R | W32/MyDoom-R, W32/Mydoom.r@MM, WORM_MYDOOM.R, W32.Mydoom.P@mm | Win32 Worm
Myfip.A | W32.Myfip.A | Win32 Worm
Nachi.L | MS03-026, W32/Nachi.worm.m, Win32.Nachi.L, Win32/Nachi.L, Worm.Win32.Welchia.l, Worm/Nachi.S, WORM_NACHI.L | Win32 Worm
Nachi-K | W32/Nachi-K, W32/Nachi.worm.m, Worm.Win32.Welchia.l, W32.Welchia.gen | Win32 Worm
Padodor-L | Troj/Padodor-L | Trojan
PE_LOVGATE.E | Win32.Lovgate.AY | File Infector Virus
PWSteal.Perfectspy | | Trojan: Spyware Installer
Reign.V | TrojanProxy.Win32.Agent.ag, W32/Agent.T, Win32.Reign.V, Win32/Agent.T.DLL.Trojanbr, Win32.Reign.W, Win32/Reign.29227.Trojan, Win32/TrojanProxy.Agent.AG | Win32 Worm
Saros | I-Worm.Saros.a, Saros.A, W32.Saros@mm, W32/Saros@MM, Win32.Saros.A, WORM_SAROS.A, CRYPT.WIN32 virus, IW32/Saros-A | Win32 Worm
Sconato.A | Keylog-Sconato, Trj/Sconato.A, Troj/Sconato-A, Trojan.ScoNato.A, Trojan.Win32.Sconato.a | Trojan: Keylogger
Sdbot-LU | W32/Sdbot.worm.gen, Backdoor.SdBot.nv, BKDR_SDBOT.GEN, W32/Sdbot-LU | Win32 Worm
Sndc.A | W32.IRCBot, W32/Pcbot.A@p2p, W32/Sndc.worm!p2p, Win32.Sndc.A, Win32/P2P.Sndc.Worm, Worm.P2P.Krepper.c | Win32 Worm
Startpage.FZ | StartPage-DU, Trojan.Win32.StartPage.ix, Win32.Startpage.FZ, Win32/StartPage.IX | Win32 Worm
StartPage-EM | | Trojan
SYMBOS_QDIAL.A | Mquito, SymbOS/Mquito, Trojan.Mquito, SymbOS/QDial26 | Trojan
Trj/Leritand.A | Leritand.A | Trojan
Trj/Leritand.B | Leritand.B | Trojan
Trj/Leritand.C | Leritand.C | Trojan
Troj/Bdoor-CHR | BackDoor-CHR, BackDoor-CHR.sys | Trojan
Troj/CmjSpy-Z | | Trojan
Troj/Daemoni-G | | Trojan
Troj/Iefeat-K | | Trojan
Troj/Mosqit-A | | Trojan
Troj/Padodor-L | | Trojan
Troj/ProxDrop-A | | Trojan
TROJ_BAGLE.AC | | Trojan
Trojan.Boxed.E | | Trojan
Trojan.Cargao.B | | Trojan
Trojan.Nullpos | | Trojan
Trojan.StartPage.F | TROJ_STRTPAGE.CQ, Troj/CWS-C, StartPage-CQ.gen, TrojanDownloader.Win32.Small.lc | Trojan
Trojan.StartPage.G | | Trojan
VBS.Mywav@mm | | Visual Basic Script Worm
W32/Agobot-LX | Win32/Agobot.3.ZQ, W32/Gaobot.worm.pp | Win32 Worm
W32/Agobot-MA | | Win32 Worm
W32/Agobot-ZX | | Win32 Worm
W32/Annil-G | I-Worm.Annil.g | Win32 Worm
W32/Apribot-C | Backdoor.IRCBot.gen, W32/Sdbot.worm.gen.m virus | Win32 Worm
W32/Bagle.aq@MM | HTML_BAGLE.AC, I-Worm.Bagle.al, W32.Beagle.AO@mm, W32/Bagle-AQ, W32/Bagle.AJ@mm, W32/Bagle.AM.worm, WORM_BAGLE.AC, JS/IllWill, JS/Dword.dr, TR/RunMe.Dldr.1, W32/Bagle.aq@MM, Bagle.AG | Win32 Worm
W32/Cali-A | | Win32 Worm
W32/Gobot-C | Backdoor.IRC.Bot, Backdoor.Gobot.s | Win32 Worm
W32/Lovgate-F | | Win32 Worm
W32/MyDoom-Q | W32/Mydoom.q@MM, W32/Evaman.c@MM | Win32 Worm
W32/MyDoom-R | | Win32 Worm
W32/Neveg.b@MM | W32/Cali@MM | Win32 Worm
W32/Neveg.c@MM | | Win32 Worm
W32/Rbot-FQ | Backdoor.Rbot.gen, W32/Sdbot.worm.gen.g | Win32 Worm
W32/Rbot-FV | | Win32 Worm
W32/Rbot-FY | | Win32 Worm
W32/Rbot-GF | W32/Sdbot.worm.gen.k, Backdoor.Rbot.af | Win32 Worm
W32/Sdbot-MH | | Win32 Worm
Win32.Daqa.B | BackDoor-BDI, Win32/Daqa.B.Trojan, Win32/Daqa.C.Trojan, Win32.Daqa.C | Trojan
WORM_ATAK.C | | Internet Worm
WORM_LOVGATE.E | HLLM.Lovgate.18, I-Worm.Win32.Lovgate.171520, Worm/Lovgate.BJ, I-Worm.LovGate.ah, Win32/Lovgate.AS | Internet Worm
WORM_RATOS.A | W32.Mydoom.Q@mm, I-Worm.Win32.Ratos, W32/Mydoom.s@MM, W32/MyDoom-S, Win32.Mydoom.S, WORM_RATOS.A | Win32 Worm
WORM_SDBOT.LD | | Internet Worm


[back to top]

