Summary of Security Items from September 15 through September 21

Released
Sep 21, 2017
Document ID
SB04-266

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

Vulnerability Severity:

type=text/css rel=stylesheet>




This bulletin
provides a summary of new or updated vulnerabilities, exploits, trends, viruses,
and trojans identified between September 13 and September 20, 2004. class=style50>Updates to items appearing in previous bulletins are listed in
bold text. The text in the Risk column appears in red for vulnerabilities
ranking High. The risks levels applied to
vulnerabilities in the Cyber Security Bulletin are based on how the "system" may
be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch
Available" column that indicates whether a workaround or patch has been
published for the vulnerability which the script exploits.
















href="#bugs">Bugs, Holes, & Patches



href="#exploits">
Recent Exploit Scripts/Techniques

href="#trends">Trends

href="#viruses">Viruses/Trojans

name=bugs>Bugs, Holes,
& Patches

face="Arial, Helvetica, sans-serif">The table below summarizes vulnerabilities
that have been identified, even if they are not being exploited. Complete
details about patches or workarounds are available from the source of the
information or from the URL provided in the section. CVE numbers are listed
where applicable. Vulnerabilities that affect both Windows and
Unix Operating Systems are included in the Multiple Operating
Systems section.

Note: All the information included in the following tables
has been discussed in newsgroups and on web sites.


The Risk levels
defined below are based on how the system may be impacted:



  • High - A
    high-risk vulnerability is defined as one that will allow an intruder to
    immediately gain privileged access (e.g., sysadmin or root) to the system or
    allow an intruder to execute code or alter arbitrary system files. An example
    of a high-risk vulnerability is one that allows an unauthorized user to send a
    sequence of instructions to a machine and the machine responds with a command
    prompt with administrator privileges.
  • Medium - A
    medium-risk vulnerability is defined as one that will allow an intruder
    immediate access to a system with less than privileged access. Such
    vulnerability will allow the intruder the opportunity to continue the attempt
    to gain privileged access. An example of medium-risk vulnerability is a server
    configuration error that allows an intruder to capture the password
    file.
  • Low - A
    low-risk vulnerability is defined as one that will provide information to an
    intruder that could lead to further compromise attempts or a Denial of Service
    (DoS) attack. It should be noted that while the DoS attack is deemed low from
    a threat potential, the frequency of this type of attack is very high. DoS
    attacks against mission-critical nodes are not included in this rating and any
    attack of this nature should instead be considered to be a "High"
    threat.













































































name=windows>Windows Operating Systems Only


Vendor &
Software Name

Vulnerability
- Impact
Patches - Workarounds
Attacks Scripts

Common
Name

face="Arial, Helvetica, sans-serif">Risk

face="Arial, Helvetica, sans-serif">Source

Google


Toolbar 1.1.41-1.1.49, 1.1.53-1.1.60, 2.0.114.1

An input validation vulnerability exists in the 'About' section of the
Google Toolbar due to insufficient filtering of HTML code, which could let
a remote malicious user execute arbitrary HTML and JavaScript code.

No workaround or patch available at time of
publishing.


A Proof of Concept exploit script has been published.



Google Toolbar Input Validation


High
Bugtraq, September 17, 2004

IBM


Microsoft Windows XP SP1 OEM Version,


Microsoft Windows XP OEM
Version

A vulnerability exists due to a default hidden administrative account
that fails to set a password, which could let a malicious user obtain
administrative access.

No workaround or patch available at time of
publishing.


There is no exploit code required; however, a Proof of Concept exploit
has been published.


IBM OEM Microsoft Windows Default Administrative
Account

High
SECNAP Advisory, September 15, 2004

McAfee


VirusScan 4.5, 4.5.1

A vulnerability exists in 'System Scan' via the system tray applet due
to the failure to drop privileges, which could let a malicious user
execute arbitrary code.

This issue has reportedly been addressed by the vendor in Patch 48,
which may be obtained by customers with a valid contract grant number
through McAfee Corporate Technical Support.


There is no exploit code required.


McAfee VirusScan Arbitrary Code Execution

High
iDEFENSE Security Advisory, September 15, 2004

Microsoft


Windows CE 2.0, 3.0, 4.2

A vulnerability exists in the kernel memory structure KDataStruct,
which could let a malicious user obtain sensitive information.

No workaround or patch available at time of
publishing.


This vulnerability is exploited by the virus WinCE.Duts.A.


Microsoft Windows CE KDatastruct Information
Disclosure

Medium
Airscanner Mobile Security Advisory, September 18, 2004

Microsoft


Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows
XP Professional SP1
Microsoft Windows XP Professional

A Denial of Service vulnerability exists in 'Explorer.exe' due to the
way certain TIFF format images are handled,

No workaround or patch available at time of
publishing.


A Proof of Concept exploit has been published.


 


Microsoft Windows XP Explorer.EXE TIFF Image Denial of
Service

Low
SecurityFocus, September 16, 2004

Microsoft


Internet Explorer 6.0 SP2


A vulnerability exists due to a design error, which could let a
malicious user bypass the user confirmation requirement.


No workaround or patch available at time of
publishing.


There is no exploit code required; however, a Proof of Concept exploit
has been published.


Microsoft Internet Explorer User Security Confirmation
Bypass

Medium
Bugtraq, September 15, 2004

Microsoft


Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image
Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office
2003 Professional Edition, 2003 Small Business Edition, 2003 Standard
Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003,
Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office
PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003,
Visual Studio .NET 2002, 2003, Word 2002;
Avaya DefinityOne
Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media
Servers

A buffer overflow vulnerability exists in the processing of JPEG image
formats, which could let a remote malicious user execute arbitrary code.

Frequently asked questions regarding this vulnerability and the patch
can be found at: href="http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx">http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx


Proofs of Concept exploit scripts have been
published



Microsoft JPEG Processing Buffer Overflow


CVE Name:

CAN-2004-0200


High

Microsoft Security Bulletin, MS04-028, September 14, 2004


US-CERT Vulnerability Note VU#297462, September 14, 2004


Technical Cyber Security Alert TA04-260A, September 16, 2004


SecurityFocus, September 17, 2004

RhinoSoft.com

DNS4Me 3.0 .0.4

Two vulnerabilities exist: a Denial of Service vulnerability exists
due to an error when processing incoming traffic; and a Cross-Site
Scripting vulnerability exists due to insufficient sanitization of
user-supplied URI input, which could let a remote malicious user execute
arbitrary HTML and script code.

No workaround or patch available at time of
publishing.


There is no exploit code required; however, a Proof of Concept exploit
has been published for the Cross-Site Scripting vulnerability.


DNS4Me Denial Of Service & Cross-Site Scripting
Vulnerabilities


Low/High


(High if arbitrary code can be executed)

GulfTech Security Research Advisory, September 16, 2004

Snitz Forums


2000 Snitz Forums 2000 3.0, 3.1, 3.3 .03, 3.3 .02, 3.3 .01, 3.3, 3.4
.04, 3.4.03, 3.4 .02


A vulnerability exists in the 'down.asp' script due to insufficient
sanitization of the 'location' parameter, which could let a remote
malicious user execute arbitrary code.


No workaround or patch available at time of
publishing.


A Proof of Concept exploit has been published.


Snitz Forums 'Down.ASP' Input Validation

High
Securiteam, September 19, 2004

Tech-Noel Inc.


Pigeon Server 3.2.143

A remote Denial of Service vulnerability exists when a malicious user
submits a login parameter value longer than 8180 characters to port 3103.

Upgrade available at:
href="ftp://ftp.tech-noel.com/PigeonServerUpd.exe">ftp://ftp.tech-noel.com/PigeonServerUpd.exe


There is no exploit code required.


Pigeon Server Remote Denial of Service

Low
Securiteam, September 19, 2004

Virtual Programming


VP-ASP 5.0

A remote Denial of Service vulnerability exists because a malicious
user can restore a previous order using 'shoprestoreorder.asp.'

Fix available at: href="http://www.vpasp.com/virtprog/info/faq_securityfixes.htm">http://www.vpasp.com/virtprog/info/faq_securityfixes.htm


We are not aware of any exploits for this vulnerability.


VP-ASP 'shoprestoreorder.asp' Remote Denial of Service

Low
SecurityTracker Alert ID, 1011359, September 19, 2004

[back to
top]



























































































































































































































































name=unix>UNIX / Linux Operating Systems Only

Vendor &
Software Name

Vulnerability
- Impact
Patches - Workarounds
Attacks Scripts

Common
Name

face="Arial, Helvetica, sans-serif">Risk

face="Arial, Helvetica, sans-serif">Source

Apache Software Foundation


Apache 2.0 a9, 2.0, 2.0.28 Beta, 2.0.28, 2.0.32, 2.0.35-2.0.50

A remote Denial of Service vulnerability exists in Apache 2 mod_ssl
during SSL connections.

Apache: href="http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964">http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964


RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-349.html">http://rhn.redhat.com/errata/RHSA-2004-349.html


SuSE: href="ftp://ftp.suse.com/pub/suse/i386/update/">ftp://ftp.suse.com/pub/suse/i386/update/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-21.xml">http://security.gentoo.org/glsa/glsa-200409-21.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Trustix: href="http://http.trustix.org/pub/trustix/updates/">http://http.trustix.org/pub/trustix/updates/


We are not aware of any exploits for this vulnerability.



Apache mod_ssl Denial of Service


CVE Name:

CAN-2004-0748



Low

SecurityFocus, September 6, 2004


Mandrakelinux Security Update Advisory, MDKSA-2004:096,
September 15, 2004


Gentoo Linux Security Advisory, GLSA 200409-21, September 16,
2004


Trustix Secure Linux Security Advisory,TSLSA-2004-0047,
September 16, 2004


Apache Software Foundation


Apache 2.0.50


A remote Denial of Service vulnerability exists in 'char_buffer_read()'
when using a RewriteRule to reverse proxy SSL connections.


Patch available at:
href="http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126">http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-463.html">http://rhn.redhat.com/errata/RHSA-2004-463.html


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-21.xml">http://security.gentoo.org/glsa/glsa-200409-21.xml


Trustix: href="http://www.trustix.org/errata/2004/0047/">http://www.trustix.org/errata/2004/0047/


There is no exploit code required; however, Proofs of Concept exploits
have been published.



Apache mod_ssl
Remote Denial of Service


CVE Name:
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751">CAN-2004-0751



Low

SecurityTracker Alert ID, 1011213, September 10, 2004


Mandrakelinux Security Update Advisory, MDKSA-2004:096,
September 15, 2004


RedHat Security Advisory, RHSA-2004:463-09, September 15, 2004


Gentoo Linux Security Advisory GLSA 200409-21, September 16,
2004


Trustix Secure Linux Security Advisory , TSLSA-2004-0047,
September 16, 2004


Apple


iChat 1.0.1, AV 2.0, 2.1

A vulnerability exists when a remote malicious iChat user submits a
specially crafted 'link' that, when activated by the target user, will
cause an application on the target user's system to run.

Patches available at: href="http://www.apple.com/support/downloads/">http://www.apple.com/support/downloads/


There is no exploit code required.



iChat Remote Link Application Execution


CVE Name:
CAN-2004-0873



High
Apple Security Advisory, APPLE-SA-2004-09-16, September 17, 2004

Apple


Mac OS X 10.2.8, 10.3.4, 10.3.5

A remote Denial of Service vulnerability exists in the QuickTime
Streaming Server when a malicious user submits a particular sequence of
operations.

Security update available at: href="http://www.apple.com/support/downloads/ ">http://www.apple.com/support/downloads/


We are not aware of any exploits for this vulnerability.



Apple QuickTime Streaming Server Remote Denial of Service


CVE Name:
CAN-2004-0825



Low

APPLE-SA-0024-09-07 Security Update, September 7, 2004


US-CERT Vulnerability Note VU#914870, September 15, 2004

Caolan McNamara and Dom Lachowicz

wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0

A buffer overflow vulnerability exists due to the insecure function
call strcat() without appropriate bounds checking, which could let a
remote malicious user execute arbitrary code.

Updates available at: href="http://www.abisource.com/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode =show&root=/cvsroot&subdir=wv&command=DIFF_FRAMESET&root=/cvsroot&file=field.c&rev1=1.19&rev2=1.20">http://www.abisource.com/bonsai/cvsview2.cgi?diff_
mode=context&whitespace_mode=show&root=/cvsroot&subdir=wv&command
=DIFF_FRAMESET&root=/cvsroot&file=field.c&rev1=1.19&rev2=1.20


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200407-11.xml">http://security.gentoo.org/glsa/glsa-200407-11.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Conectiva: href="ftp://atualizacoes.conectiva.com.br/">ftp://atualizacoes.conectiva.com.br/


Debian: href="http://security.debian.org/pool/updates/main/w/wv/">http://security.debian.org/pool/updates/main/w/wv/


A Proof of Concept exploit has been published.


wvWare Library
Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0645



High
Securiteam, July 11, 2004

iDEFENSE Security Advisory, July 9, 2004


Conectiva Linux Security Announcement, CLA-2004:863, September 10,
2004


Debian Security Advisory, DSA 550-1, September 20, 2004


GNU


a2ps 4.13


A vulnerability exists in filenames due to insufficient validation of
shell escape characters, which could let a malicious user execute
arbitrary commands.


FreeBSD:
href="http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain">http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/
ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


There is no exploit code required; however, a Proof of Concept exploit
has been published.


GNU a2ps Command Injection

High

Securiteam, August 29, 2004


SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004


GNU


Radius 0.92.1, 0.93-0.96, 1.1, 1.2


A remote Denial of Service vulnerability exists in the
'asn_decode_string()' function in 'snmplib/asn1.c' when a malicious user
submits a large unsigned integer in the SNMP parameter.


Update available at: href="ftp://alpha.gnu.org/gnu/radius/ ">ftp://alpha.gnu.org/gnu/radius/


We are not aware of any exploits for this vulnerability.



GNU Radius SNMP String Remote Denial of Service


CVE Name:
CAN-2004-0849



Low
iDEFENSE Security Advisory, September 15, 2004

GNU
Gentoo


Aspell 0.50.5; Gentoo Linux 1.4

A buffer overflow vulnerability exists in the 'word-list-compress'
utility due to insufficient bounds checking, which could let a malicious
user execute arbitrary code.

Gentoo: href="http://security.gentoo.org/glsa/glsa-200406-14.xml">http://security.gentoo.org/glsa/glsa-200406-14.xml


OpenPKG: href="ftp://ftp.openpkg.org/">ftp://ftp.openpkg.org/


Proofs of Concept exploits have been published.


GNU Aspell Stack Buffer Overflow

CVE Name:
CAN-2004-0548


High

Securiteam, June 14, 2004


Gentoo Linux Security Advisory, GLSA 200406-14, June 17, 2004


OpenPKG Security Advisory, OpenPKG-SA-2004.042, September 15,
2004


J. Schilling


CDRTools 2.0, 2.0.1 a18, 2.0.3.


A vulnerability exists in 'cdrecord,' which could let a malicious user
obtain root privileges.


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-18.xml">http://security.gentoo.org/glsa/glsa-200409-18.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php"
target=_blank>http://www.mandrakesecure.net/en/ftp.php


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/


Exploit scripts have been published.



CDRTools Unspecified Privilege Escalation


CVE Name:
CAN-2004-0806




High


SecurityFocus, August 31, 2004


US-CERT Vulnerability Note VU#700326, September 17, 2004


J.Schilling


Star Tape Archiver 1.5a09-1.5a45


A vulnerability exists in the setuid function due to a failure to
properly implement the function when ssh is used for remote tape access,
which could let a malicious user obtain superuser access.


Update available at: href=" http://ftp.berlios.de/pub/schily/star/alpha/">http://ftp.berlios.de/pub/schily/star/alpha/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-11.xml">http://security.gentoo.org/glsa/glsa-200409-11.xml


We are not aware of any exploits for this vulnerability.



Star Tape Archiver Superuser Access


CVE Name:
CAN-2004-0850



High

SecurityTracker Alert ID: 1011195, September 8, 2004


US-CERT Vulnerability Note VU#339089, September 17, 2004


Jamie Cameron


Usermin 1.0 80, 1.0 70, 1.0 60, 1.0 51, 1.0 40, 1.0 30, 1.0 20, 1.0 10,
1.0 00, Webmin1.0 90,
1.0 80, 1.0 70, 1.0 60, 1.0 50, 1.0 20, 1.0 00,
1.100, 1.110, 1.121, 1.130, 1.140, 1.150


A vulnerability exists due to the insecure creation of temporary files
during installation, which could let a malicious user obtain sensitive
information.


Usermin:
href="http://freshmeat.net/redir/usermin/28573/url_tgz/usermin-1.090.tar.gz">http://freshmeat.net/redir/usermin/28573/url_tgz/usermin-1.090.tar.gz href="#">


Webmin:
href="http://prdownloads.sourceforge.net/webadmin/webmin-1.160.tar.gz">http://prdownloads.sourceforge.net/webadmin/webmin-1.160.tar.gz


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-15.xml">http://security.gentoo.org/glsa/glsa-200409-15.xml


Debian: href="http://security.debian.org/pool/updates/main/w/webmin/">http://security.debian.org/pool/updates/main/w/webmin/


There is no exploit code required.



Webmin / Usermin Insecure Temporary File


CVE Name:
CAN-2004-0559



Medium

SecurityFocus, September 10, 2004


Debian Security Advisory, DSA 544-1, September 14, 2004


LOGICNOW


PerlDesk


A vulnerability exists in the 'pdesk.cgi' software due to insufficient
validation of the 'lang' parameter, which could let a malicious user
obtain sensitive information.


No workaround or patch available at time of
publishing.


There is no exploit code required; however, Proof of Concept exploit
has been published.


PerlDesk
'lang' Parameter Input Validation

Medium
SecurityTracker Alert ID, 1011276, September 15, 2004

MacOSXLabs


RsyncX 2.1

Two vulnerabilities exist: a vulnerability exists due to a failure to
drop 'wheel' group privileges, which could let a malicious user execute
arbitrary programs; and a vulnerability exists in '/tmp/cron_rsyncxtmp'
because the temporary file is created insecurely, which could let a
malicious user obtain elevated privileges.

No workaround or patch available at time of
publishing.


Proofs of Concept exploits have been published.


RsyncX Local Vulnerabilities


Medium/ High


(High if arbitrary code can be executed)

SecurityTracker
Alert ID, 1011352, September 17, 2004
MIT
Debian
Fedora
Gentoo

Immunix
Mandrake
OpenBSD
RedHat
SGI
Sun
Tinysofa

Trustix

Kerberos 5 1.0, 1.0.6, 1.0.8, 1.1, 1.1.1, 1.2.1-1.2.7, 1.3 -alpha1, 5.0
-1.3.3, 5.0 -1.2beta1&2, 5.0 -1.1.1, 5.0 -1.1, 5.0 -1.0.x;
tinysofa
enterprise server 1.0 -U1, 1.0

Multiple buffer overflow vulnerabilities exist due to boundary errors
in the ‘krb5_aname_to_localname()’ library function during conversion
of
Kerberos principal names into local account names, which could let a
remote malicious user execute arbitrary code with root privileges.

Patch available at: href="http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt">http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt


Mandrake: href="http://www.mandrakesoft.com/security/advisories">http://www.mandrakesoft.com/security/advisories


Tinysofa: href="http://www.tinysofa.org/support/errata/2004/009.html">http://www.tinysofa.org/support/errata/2004/009.html


Trustix: href="http://http.trustix.org/pub/trustix/updates/ ">http://http.trustix.org/pub/trustix/updates/


Debian: href="http://security.debian.org/pool/updates/main/k/krb5/">http://security.debian.org/pool/updates/main/k/krb5/


Fedora: href="http://securityfocus.com/advisories/6817">http://securityfocus.com/advisories/6817


RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-236.html">http://rhn.redhat.com/errata/RHSA-2004-236.html


SGI: href="ftp://patches.sgi.com/support/free/security/patches/ProPack/3/">ftp://patches.sgi.com/support/free/security/patches/ProPack/3/


Sun: href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57580">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57580


Gentoo: href="http://security.gentoo.org/glsa/glsa-200406-21.xml">http://security.gentoo.org/glsa/glsa-200406-21.xml


Apple: href="http://www.apple.com/support/downloads/ ">http://www.apple.com/support/downloads/


Conectiva: href="http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860">http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860


Currently we are not aware of any exploits for this vulnerability.


Kerberos 5 ‘krb5_aname_to_
localname'
Multiple
Buffer Overflows

CVE Name:
CAN-2004-0523


High

MIT krb5 Security Advisory 2004-001, June 3, 2004


TA04-147A, href="http://www.kb.cert.org /vuls/id/686862">http://www.kb.cert.org
/vuls/id/686862tp


Apple Security Update, APPLE-SA-2004-09-07, September 7, 2004


Conectiva Security Advisory, CLSA-2004:860, September 10, 2004


Mozilla.org


Mozilla Browser 1.7, rc3, 1.7.1, 1.7.2; Firefox 0.9 rc,
0.9-0.9.3

A vulnerability exists due to improper file permissions, which could
let a remote malicious user execute arbitrary code.

Firefox
 href="http://www.mozilla.org/products/firefox/releases/0.10.html">http://www.mozilla.org/products/firefox/releases/0.10.html


Mozilla Browser:
href="http://www.mozilla.org/releases">http://www.mozilla.org/releases href="http://www.mozilla.org/releases/" target=_blank>/


There is no exploit code required.



Mozilla Firefox Default Installation File Permission


High

Bugtraq, September 13, 2004


US-CERT Vulnerability Note VU#653160, September 17, 2004


mpg123.de


mpg123 0.x


 


A buffer overflow vulnerability exists in the 'do_layer2()' function,
which could let a remote malicious user execute arbitrary code.


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-20.xml">http://security.gentoo.org/glsa/glsa-200409-20.xml


We are not aware of any exploits for this vulnerability.


mpg123 'do_layer2() Function' Remote Buffer Overflow

High

Securiteam, September 7, 2004


Gentoo Linux Security Advisory, GLSA 200409-20, September 16,
2004


Multiple Vendors


Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;

RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3;
Trustix
Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1

A remote Denial of Service vulnerability exists in the Apache mod_dav
module when an authorized malicious user submits a specific sequence of
LOCK requests.

Update available at: href=" http://httpd.apache.org/">http://httpd.apache.org/


Gentoo: href="http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml">http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml


RedHat: href=" ftp://updates.redhat.com/enterprise">ftp://updates.redhat.com/enterprise


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/


There is no exploit code required; however, Proof of Concept exploit
has been published.



Apache mod_dav Remote Denial of Service


CVE Name:
CAN-2004-0809




Low

SecurityTracker Alert ID, 1011248, September 14, 2004

Multiple Vendors


Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;
MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64;
RedHat Desktop
3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core1&2;
Trustix
Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1; Turbolinux Turbolinux
Desktop 10.0

A buffer overflow vulnerability exists in the apr-util library's IPv6
URI
parsing functionality due to insufficient validation, which could
let a remote malicious user execute arbitrary code. Note: On Linux
based Unix variants this issue can only be exploited to trigger a Denial
of Service condition.

Patch available at:
href="http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch ">http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch


Gentoo: href="http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml">http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Redhat: href="http://rhn.redhat.com/errata/RHSA-2004-463.html">http://rhn.redhat.com/errata/RHSA-2004-463.html

href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


SuSE: href="ftp://ftp.suse.com/pub/suse">ftp://ftp.suse.com/pub/suse


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/


TurboLinxux:
href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates


We are not aware of any exploits for this vulnerability.



Apache Web Server Remote IPv6 Buffer Overflow


CVE Name:
CAN-2004-0786




Low/High


(High if arbitrary code can be executed)

SecurityFocus, September 16, 2004

Multiple Vendors


Apache Software Foundation Apache 2.0, 2.0.28, 2.0.32,
2.0.35-2.0.50;
Gentoo Linux 1.4;
MandrakeSoft Linux Mandrake 9.2,
amd64,10.0, AMD64;
RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS
3;
Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0,
2.1;
Turbolinux Turbolinux Desktop 10.0


A buffer overflow vulnerability exists in the 'ap_resolve_env()'
function in 'server/util.c'.due to insufficient validation, which could
let a remote malicious user execute arbitrary code.


Apache:
Upgrade available at: href="http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz ">http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz

Patch available at:
href="http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch ">http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-21.xml">http://security.gentoo.org/glsa/glsa-200409-21.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


RedHat: href=" ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm">ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-40.ent.src.rpm


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


We are not aware of any exploits for this vulnerability.


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/


TurboLinxux:
href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/


We are not aware of any exploits for this vulnerability.



Apache Web Server Configuration File Buffer Overflow


CVE Name:
CAN-2004-0747



High

SITIC Vulnerability Advisory, September 15, 2004


US-CERT Vulnerability Note VU#481998, September 17, 2004


Multiple Vendors


Cisco VPN 3000 Concentrator 4.0 .x, 4.0, 4.0.1, 4.1 .x; Debian Linux
3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm,
alpha; Gentoo Linux 1.4 _rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1,
x86_64, Linux Mandrake 9.1, ppc,
9.2, amd64, 10.0, AMD64,

MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.0, 1.0.6,
1.0.8, 1.1, 1.1.1, 1.2-1.2.8, 1.3 -1.3.4; RedHat Desktop 3.0, Enterprise
Linux WS 3, ES 3, AS 3, Fedora Core2, Core1;
Sun SEAM 1.0.2

Multiple double-free vulnerabilities exist due to inconsistent memory
handling routines in the krb5 library: various double-free errors exist in
the KDC (Key Distribution Center) cleanup code and in client libraries,
which could let a remote malicious user execute arbitrary code; various
double-free errors exist in the 'krb5_rd_cred()' function, which could let
a remote malicious user execute arbitrary code; a double-free
vulnerability exists in krb524d, which could let a remote malicious user
execute arbitrary code; and a vulnerability exists in ASN.1 decoder when
handling indefinite length BER encodings, which could let a remote
malicious user cause a Denial of Service.

MIT Kerberos: href="http://web.mit.edu/kerberos/advisories/">http://web.mit.edu/kerberos/advisories/


Cisco: href="http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml


Debian: href="http://security.debian.org/pool/updates/main/k/krb5/ ">http://security.debian.org/pool/updates/main/k/krb5/


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-09.xml">http://security.gentoo.org/glsa/glsa-200409-09.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Sun: href="http://sunsolve.sun.com/search/document.do?assetkey=1-21-112908-15-1">http://sunsolve.sun.com/search/document.do?assetkey=1-21-112908-15-1


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/ ">ftp://ftp.trustix.org/pub/trustix/updates/


Conectiva: href="http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860">http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860


OpenPKG: href="ftp://ftp.openpkg.org/release/">ftp://ftp.openpkg.org/release/


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/


We are not aware of any exploits for this vulnerability.



Kerberos 5 Double-Free Vulnerabilities


CVE Names:
CAN-2004-0642, href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772">CAN-2004-0643,

href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772">CAN-2004-0772




Low/High


 


(High if arbitrary code can be executed)


MIT krb5 Security Advisory, MITKRB5-SA-2004-002, August 31, 2004


US-CERT Technical Cyber Security Alert TA04-247A, September 5, 2004


US-CERT Vulnerability Notes, VU#350792, VU#795632, VU#866472, September
3, 2004


Conectiva Security Advisory, CLSA-2004:860, September 9,
2004


OpenPKG Security Advisory , OpenPKG-SA-2004.039, September 13,
2004


Turbolinux Security Advisory TLSA-2004-22, September 15, 2004


Multiple Vendors


Cisco VPN 3000 Concentrator 4.0 .x, 4.0, 4.0.1, 4.1 .x; Debian Linux
3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm,
alpha; Gentoo Linux 1.4 _rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1,
x86_64, Linux Mandrake 9.1, ppc,
9.2, amd64, 10.0, AMD64,

MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.2.2-1.2.8,
1.3 -1.3.4; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora
Core2, Core1;
Sun Solaris 9.0, 9.0 _x86

A remote Denial of Service vulnerability exists in the ASN.1 decoder
when decoding a malformed ASN.1 buffer.

MIT Kerberos: href="http://web.mit.edu/kerberos/advisories/">http://web.mit.edu/kerberos/advisories/


Cisco: href="http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml


Debian: href="http://security.debian.org/pool/updates/main/k/krb5/ ">http://security.debian.org/pool/updates/main/k/krb5/


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-09.xml">http://security.gentoo.org/glsa/glsa-200409-09.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Sun: href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-57631-1&searchclause=">http://sunsolve.sun.com/search/document.do?assetkey=1-26-57631-1&searchclause=


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/ ">ftp://ftp.trustix.org/pub/trustix/updates/


Conectiva: href="http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860">http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860


OpenPKG: href="ftp://ftp.openpkg.org/release/">ftp://ftp.openpkg.org/release/


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/


We are not aware of any exploits for this vulnerability.



MIT Kerberos 5 ASN.1 Decoder Remote Denial of Service


CVE Name:
CAN-2004-0644



Low
MIT krb5 Security Advisory, MITKRB5-SA-2004-002, August 31, 2004

US-CERT Technical Cyber Security Alert TA04-247A, September 5, 2004


US-CERT Vulnerability Note VU#550464, September 3, 2004


Conectiva Security Advisory, CLSA-2004:860, September 9,
2004


OpenPKG Security Advisory , OpenPKG-SA-2004.039, September 13,
2004


Turbolinux Security Advisory TLSA-2004-22, September 15, 2004


Multiple Vendors


Easy Software Products CUPS 1.1.14-1.1.20; Trustix Secure Enterprise
Linux 2.0, Secure Linux 2.0, 2.1


 


A Denial of Service vulnerability exists in 'scheduler/dirsvc.c' due to
insufficient validation of UDP datagrams.


Update available at: href=" http://www.cups.org/software.php">http://www.cups.org/software.php


Debian: href=" http://security.debian.org/pool/updates/main/c/cupsys/">http://security.debian.org/pool/updates/main/c/cupsys/


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


RedHat: http://rhn.redhat.com/


SuSE: href=" ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/


A Proof of Concept exploit has been published.



CUPS Browsing Denial of Service


CVE Name:
CAN-2004-0558



Low
SecurityTracker Alert ID, 1011283, September 15, 2004

Multiple Vendors


Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1;
ImageMagick ImageMagick
5.4.3, 5.4.4 .5, 5.4.8 .2-1.1.0 , 5.5.3 .2-1.2.0, 5.5.6 .0- 2003040,
5.5.7,6.0.2;
Imlib Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Iimlib/Imlib2
libraries when handling malformed bitmap images, which could let a remote
malicious user cause a Denial of Service or execute arbitrary code.

lmlib: href="http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/">http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/


ImageMagick: href="http://www.imagemagick.org/www/download.html ">http://www.imagemagick.org/www/download.html


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-12.xml">http://security.gentoo.org/glsa/glsa-200409-12.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Debian: href="http://security.debian.org/pool/updates/main/i/imagemagick/">http://security.debian.org/pool/updates/main/i/imagemagick/


RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-465.html">http://rhn.redhat.com/errata/RHSA-2004-465.html


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/


We are not aware of any exploits for this vulnerability.


IMLib/IMLib2 Multiple BMP Image
Decoding Buffer
Overflows


 


CVE Names:
CAN-2004-0817,


CAN-2004-0802



Low/High


(High if arbitrary code can be executed)


SecurityFocus, September 1, 2004


Gentoo Linux Security Advisory, GLSA 200409-12, September 8, 2004


Mandrakelinux Security Update Advisory, MDKSA-2004:089, September 8,
2004


Fedora Update Notifications,
FEDORA-2004-300 &301, September 9,
2004


Turbolinux Security Advisory, TLSA-2004-27, September 15, 2004


RedHat Security Advisory, RHSA-2004:465-08, September 15,
2004


Debian Security Advisories, DSA 547-1 & 548-1, September
16, 2004


Multiple Vendors


Gentoo Linux 1.4;
KDE KDE 3.1.3, 3.2, 3.0- 3.0.3, 3.0.5b, 3.0.5,
3.1-3.1.3, 3.1.5, 3.2.1, 3.2.3;
MandrakeSoft Linux Mandrake 9.2,
amd64, 10.0, AMD64


A vulnerability exists while validating cookie domains, which could let
a remote malicious user hijack a target user's session.


KDE: href="ftp://ftp.kde.org/pub/kde/security_patches">ftp://ftp.kde.org/pub/kde/security_patches


Gentoo: href="http://security.gentoo.org/glsa/glsa-200408-23.xml">http://security.gentoo.org/glsa/glsa-200408-23.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php ">http://www.mandrakesecure.net/en/ftp.php


Conectiva: href="ftp://atualizacoes.conectiva.com.br/">ftp://atualizacoes.conectiva.com.br/


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


There is no exploit code required.



KDE Konqueror Cookie Domain Validation


CVE Name:
CAN-2004-0746



Medium

KDE Security Advisory, August 23, 2004


Fedora Update Notifications,
FEDORA-2004-290 & 291, September
8, 2004


Conectiva Linux Security Announcement, CLA-2004:864, September 13,
2004


SUSE Security Announcement, SUSE-SA:2004:026, September 16, 2004


Multiple Vendors


GNU Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64,
ia-32, hppa, arm, alpha;
GNOME gdk-pixbug 0.22 & prior; GTK GTK+
2.0.2, 2.0.6, 2.2.1, 2.2.3, 2.2.4;
MandrakeSoft Linux Mandrake 9.2,
amd64, 10.0, AMD64;
RedHat Advanced Workstation for the Itanium
Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS
2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1,
RedHat
Fedora Core1&2;
SuSE. Linux 8.1, 8.2, 9.0, x86_64, 9.1, Desktop
1.0, Enterprise Server 9, 8


Multiple vulnerabilities exist: a vulnerability exists when decoding
BMP images, which could let a remote malicious user cause a Denial of
Service; a vulnerability exists when decoding XPM images, which could let
a remote malicious user cause a Denial of Service or execute arbitrary
code; and a vulnerability exists when attempting to decode ICO images,
which could let a remote malicious user cause a Denial of Service.


Debian:
href="http://security.debian.org/pool/updates/main/g/gdk-pixbuf/">http://security.debian.org/pool/updates/main/g/gdk-pixbuf/


Fedora: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


RedHat: href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


SuSE: href=" ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


We are not aware of any exploits for this vulnerability.



gdk-pixbug BMP, ICO, and XPM Image Processing Errors


CVE Names:

CAN-2004-0753,
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782">CAN-2004-0782,
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783">CAN-2004-0783,
 href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788">CAN-2004-0788




Low/High


(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1011285, September 17, 2004

Multiple Vendors


LinuxPrinting.org Foomatic-Filters 3.03.0.2, 3.1;
Trustix Secure
Enterprise Linux 2.0, Secure Linux 2.0, 2.1

A vulnerability exists in the foomatic-rip print filter due to
insufficient validation of command-lines and environment variables, which
could let a remote malicious user execute arbitrary commands.

Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


SuSE: href="ftp://ftp.suse.com/pub/suse">ftp://ftp.suse.com/pub/suse


Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/


We are not aware of any exploits for this vulnerability.



LinuxPrinting.org Foomatic-Filter Arbitrary Code Execution


CVE Name:
CAN-2004-0801



High
Secunia Advisory, SA12557, September 16, 2004

Multiple Vendors


Luke Mewburn lukemftp 1.5, TNFTPD 20031217; NetBSD Current, 1.3-1.3.3,
1.4 x86, 1.4, SPARC, arm32, Alpha, 1.4.1 x86, 1.4.1, SPARC, sh3, arm32,
Alpha, 1.4.2 x86, 1,4.2, SPARC, arm32, Alpha, 1.4.3, 1.5 x86, 1.5, sh3,
1.5.1-1.5.3, 1.6, beta, 1.6-1.6.2, 2.0

Several vulnerabilities exist in the out-of-band signal handling code
due to race condition errors, which could let a remote malicious user
obtain superuser privileges.

Luke Mewburn Upgrade:
href="ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20040810.tar.gz ">ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20040810.tar.gz


Apple: href="http://wsidecar.apple.com/cgi-bin/ ">http://wsidecar.apple.com/cgi-bin/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-19.xml">http://security.gentoo.org/glsa/glsa-200409-19.xml


We are not aware of any exploits for this vulnerability.



TNFTPD Multiple Signal Handler Remote Privilege Escalation


CVE Name:
CAN-2004-0794



High

NetBSD Security Advisory 2004-009, August 17, 2004


Apple Security Update, APPLE-SA-2004-09-07, September 7, 2004


Gentoo Linux Security Advisory, GLSA 200409-19, September 16,
2004


Multiple Vendors


OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux
Enterprise Server 9, 8;
X.org X11R6 6.7.0, 6.8;
XFree86 X11R6
3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0,
4.2.1, Errata, 4.3.0


Multiple vulnerabilities exist: a stack overflow exists in
'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3
file is submitted, which could let a remote malicious user execute
arbitrary code; a stack overflow vulnerability exists in the
'ParseAndPutPixels()' function in -create.c' when reading pixel values,
which could let a remote malicious user execute arbitrary code; and an
integer overflow vulnerability exists in the colorTable allocation in
'xpmParseColors()' in 'parse.c,' which could let a remote malicious user
execute arbitrary code.


Debian: href="http://security.debian.org/pool/updates/main/i/imlib/">http://security.debian.org/pool/updates/main/i/imlib/


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php"
target=_blank>http://www.mandrakesecure.net/en/ftp.php


OpenBSD:
href="ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/">ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


X.org: http://x.org/X11R6.8.1/


Proofs of Concept exploits have been published.



LibXpm Image Decoding Multiple Remote Buffer Overflow


CVE Names:
CAN-2004-0687,

href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688">CAN-2004-0688



High
X.Org Foundation Security Advisory, September 16, 2004

Multiple Vendors


SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise
Server 9, 8;
Samba 3.0-3.0.6


A remote Denial of Service vulnerability exists in the
smbd and nmbd daemons.


Samba:
href="http://us3.samba.org/samba/ftp/samba-3.0.7.tar.gz ">http://us3.samba.org/samba/ftp/samba-3.0.7.tar.gz


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


We are not aware of any exploits for this
vulnerability.


Samba-VScan Remote Denial of
Service

Low
SUSE Security Announcement, SA:2004:034,
September 17, 2004

OpenOffice


OpenOffice 1.1.2,
Sun StarOffice 7.0


A vulnerability exists in the '/tmp' folder due to insecure
permissions, which could let a malicious user obtain sensitive
information.


Upgrades available at: href="http://sunsolve.sun.com/search/">http://sunsolve.sun.com/search/


RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-446.html">http://rhn.redhat.com/errata/RHSA-2004-446.html


There is no exploit code required.



OpenOffice/
StarOffice Insure Temporary File Permissions


CVE Name:
CAN-2004-0752



Medium

Secunia Advisory, SA12302, September 13, 2004


RedHat Security Bulletin, RHSA-2004:446-08, September 15, 2004


Peter D. Gray


SUS 2.0, 2.0.1


A format string vulnerability exists in the 'log()' function due to
insufficient sanitization, which could let a malicious user obtain root
access.


Upgrades available at: href="http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z">http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-17.xml">http://security.gentoo.org/glsa/glsa-200409-17.xml


A Proof of Concept exploit has been published.



SUS Format String


High

LSS Security Advisories, September 14, 2004


Gentoo Linux Security Advisory, GLSA 200409-17, September 14, 2004


PHP
Group
  Debian
  Slackware
  Fedora


pp 4.3.7 and prior


Updates to fix multiple vulnerabilities with php4 which
could allow remote code execution.


Debian:
Update to Debian GNU/Linux 3.0 alias woody
at
href="http://www.debian.org/releases/stable/">http://www.debian.org/releases/stable/

Slackware:
href="http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480">http://www.slackware.com/security/viewer.php?l=slackware-
security&y=2004&m=slackware-security.406480


Fedora:
href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/">http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/


We are not aware of any exploits for this
vulnerability.



PHP 'memory_limit' and strip_tags() Remote
Vulnerabilities

CVE Names:
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594">CAN-2004-0594,

href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595">CAN-2004-0595



High

Secunia, SA12113 and SA12116, July 21, 2004


Debian, Slackware, and Fedora Security Advisories


Turbolinux Security Advisory TLSA-2004-23,
September 15, 2004


Samba


Samba 2.2.11, 3.0.6; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1,
Enterprise Server 9, 8

A remote Denial of Service vulnerability exists due to the way print
change notify requests are processed.

Trustix: href="http://http.trustix.org/pub/trustix/updates/">http://http.trustix.org/pub/trustix/updates/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-14.xml">http://security.gentoo.org/glsa/glsa-200409-14.xml


Samba:
href="http://us4.samba.org/samba/ftp/samba-2.2.11.tar.gz">http://us4.samba.org/samba/ftp/samba-2.2.11.tar.gz


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


TurboLinux: href="ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32">ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32


We are not aware of any exploits for this vulnerability.



Samba Remote Print Change Notify Remote Denial of Service


CVE Name:
CAN-2004-0829



Low

Trustix Secure Linux Security Advisory, TSL-2004-0043, August 26, 2004


Gentoo Linux Security Advisory, [ERRATA UPDATE] GLSA
200409-14:02, September 9, 2004


Turbolinux Security Advisory, TLSA-2004-25, September 15, 2004


SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004



Samba.org


Samba version 3.0 - 3.0.6

Several vulnerabilities exist: a remote Denial of Service
vulnerability exists in the 'process_logon_packet()' function due to
insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote
Denial of Service vulnerability exists when a malicious user submits a
malformed packet to a target 'smbd' server.

Updates available at: href=" http://samba.org/samba/download/">http://samba.org/samba/download/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-16.xml">http://security.gentoo.org/glsa/glsa-200409-16.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


OpenPKG: href="ftp://ftp.openpkg.org/release/2.1/UPD/">ftp://ftp.openpkg.org/release/2.1/UPD/


SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/


Trustix: href="http://http.trustix.org/pub/trustix/updates/">http://http.trustix.org/pub/trustix/updates/


We are not aware of any exploits for this vulnerability.



Samba Remote Denials of Service


CVE Names:
CAN-2004-0807,

href="%20http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808%20">CAN-2004-0808


Low

Securiteam, September 14, 2004


Gentoo Linux Security Advisory, GLSA 200409-16, September 13,
2004


Mandrakelinux Security Update Advisory, MDKSA-2004:092,
September 13, 2004


Trustix Secure Linux Bugfix Advisory, TSL-2004-0046, September
14, 2004


OpenPKG Security Advisory, OpenPKG-SA-2004.040, September 15,
2004


SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004


SnipSnap


SnipSnap 0.5.2 a


A vulnerability exists in the 'referer' parameter due to the way POST
requests are handled, which could let a remote malicious user execute
arbitrary code.


Upgrade available at:
href="http://snipsnap.org/space/snipsnap-DOWNLOAD">http://snipsnap.org/space/snipsnap-DOWNLOAD


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-23.xml">http://security.gentoo.org/glsa/glsa-200409-23.xml


A Proof of Concept exploit has been published.


SnipSnap HTTP Response Splitting

Medium

Bugtraq, September, 14, 2004


Gentoo Linux Security Advisory, GLSA 200409-23, September 17, 2004


SpamAssassin.org


SpamAssassin prior to 2.64


A Denial of Service vulnerability exists in
SpamAssassin. A a remote user can send an e-mail message with specially
crafted headers to cause a Denial of Service attack against the
SpamAssassin service.


Update to version (2.64), available at: href="http://old.spamassassin.org/released/">http://old.spamassassin.org/released/


Gentoo: href="http://security.gentoo.org/glsa/glsa-200408-06.xml">http://security.gentoo.org/glsa/glsa-200408-06.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


OpenPKG: href="ftp://ftp.openpkg.org/release/">ftp://ftp.openpkg.org/release/


We are not aware of any exploits for this
vulnerability.


SpamAssassin Remote Denial of Service

Low

SecurityTracker: 1010903, August 10, 2004


Mandrake Security Advisory, MDKSA-2004:084, August 19,
2004


OpenPKG Security Advisory, OpenPKG-SA-2004.041,
September 15, 2004


Squid-cache.org


Squid Web Proxy Cache 2.0 PATCH2, 2.1 PATCH2, 2.3 STABLE5, 2.4,
STABLE7, 2.5 STABLE1-STABLE6, Squid Web Proxy Cache 3.0 PRE1-PRE3


A remote Denial of Service vulnerability exists in 'lib/ntlmauth.c' due
to insufficient validation of negative values in the 'function
"ntlm_fetch_string()' function.


Patches available at:
href="http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/squid-2.5.STABLE6-ntlm_fetch_string.patch">http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/squid-2.5.STABLE6-ntlm_fetch_string.patch


Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-04.xml">http://security.gentoo.org/glsa/glsa-200409-04.xml


Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php


Trustix: href="http://http.trustix.org/pub/trustix/updates/">http://http.trustix.org/pub/trustix/updates/


We are not aware of any exploits for this vulnerability.



Squid Proxy NTLM Authentication Remote Denial of Service


CVE Name:
CAN-2004-0832



Low

Secunia Advisory, SA12444, September 3, 2004


Mandrakelinux Security Update Advisory, MDKSA-2004:093,
September 15, 2004


Trustix Secure Linux Security Advisory, TSLSA-2004-0047,
September 16, 2004


Todd Miller


Sudo 1.6.8


 


A vulnerability exists due to insufficient validation of
symbolic
links when sudoedit ("sudo -u" option) copies temporary files,
which could let a malicious user access the contents of arbitrary files
with superuser privileges.


Upgrade available at:
href="ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.8p1.tar.gz">ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.8p1.tar.gz


There is no exploit code required; however, a Proof of Concept exploit
script has been published.




Sudo Information Disclosure


High
Secunia Advisory, SA12596, September 20, 2004

VBulletin


VBulletin 3.0, Gamma, beta 2-beta7, 3.0.1-3.0.3

A vulnerability exists in the 'x_invoice_num' parameter due to
insufficient validation, which could let a remote malicious user execute
arbitrary code.

No workaround or patch available at time of
publishing.


There is no exploit code required.


vBulletin SQL Injection

High
Securiteam, September 14, 2004

xinehq.de


xine 0.5.2 - 0.5.x; 0.9.x; 1-alpha.x; 1-beta.x; 1-rc - 1-rc5


Multiple vulnerabilities exist: a buffer overflow in the DVD subpicture
component, which could let a remote malicious user execute arbitrary code;
a buffer overflow vulnerability exists in the VideoCD functionality when
reading ISO disk labels, which could let a remote malicious user execute
arbitrary code; and a buffer overflow vulnerability exists when handling
text subtitles, which could let a remote malicious user execute arbitrary
code.


Upgrades available at:
href="http://prdownloads.sourceforge.net/xine/xine-lib-1-rc6a.tar.gz?download">http://prdownloads.sourceforge.net/xine/xine-lib-1-rc6a.tar.gz?download


We are not aware of any exploits for this vulnerability.



Xine-lib
Multiple Buffer Overflows

High
Secunia Advisory, SA12602 September 20, 2004

[back to
top] size=-2> 


























































































name=other>Multiple Operating Systems - Windows / UNIX / Linux / Other

Vendor &
Software Name

Vulnerability
- Impact
Patches - Workarounds
Attacks Scripts

Common
Name

face="Arial, Helvetica, sans-serif">Risk

face="Arial, Helvetica, sans-serif">Source

Business Objects


InfoView 5.1.4-5.1.8,
WebIntelligence 2.7-2.7.4


Two vulnerabilities exist: a vulnerability exists because some security
checks are performed on the client-side and not on the server-side, which
could let an authenticated remote malicious user delete arbitrary
documents; and a Cross-Site Scripting vulnerability exists due to
insufficient sanitization of user-supplied input when uploading documents,
which could let a remote malicious user execute arbitrary HTML and script
code.


The vendor has released patches dealing with this issue. Users are
recommended to contact the vendor for patch and update availability.


There is no exploit code required.



WebIntelligence Access Control Bypass &
Cross-Site Scripting


CVE Names:
CAN-2004-0533,
 href="CAN-2004-0534">CAN-2004-0534



Medium/ High


(High if arbitrary code can be executed)

Corsaire Security Advisory, September 17, 2004

Hewlett Packard Company


Web Jetadmin 7.5, 7.5.2456


An unspecified vulnerability exists which could let a remote malicious
user execute arbitrary code.


Upgrades available at: href="http://www.hp.com/go/webjetadmin">http://www.hp.com/go/webjetadmin


We are not aware of any exploits for this vulnerability.



HP Web Jetadmin Unspecified Arbitrary Command
Execution

High
HP Security Advisory, SSRT4739, September 15, 2004

Inkra Networks Corporation


1504GX VSM 2.1.4.b003


A remote Denial of Service vulnerability exists due to insufficient
validation of IP
options.


No workaround or patch available at time of
publishing.


There is no exploit code required; however, Proof of Concept exploit
has been published.


Inkra 1504GX Remote Denial of Service

Low
Secunia Advisory, SA12538, September 17, 2004

Matt Smith


ReMOSitory


An input validation vulnerability exists in the ReMOSitory add-on for
Mambo Open Server due to insufficient validation, which could let a remote
malicious user execute arbitrary code.


The vendor indicates that ReMOSitory is no longer supported; however,
Arthur Konze from mamboportal.com has provided a patch, available at: href="http://www.mamboportal.com/uploadfiles/remository_fix.zip">http://www.mamboportal.com/uploadfiles/remository_fix.zip


A Proof of Concept exploit has been published.


ReMOSitory SQL Injection

High
Bugtraq, September 18, 2004

Mozill.org


Mozilla 0.x, 1.0-1.7.x, Firefox 0.x, Thunderbird 0.x; Netscape
Navigator 7.0, 7.0.2, 7.1, 7.2


Multiple vulnerabilities exist: buffer overflow vulnerabilities exist
in 'nsMsgCompUtils.cpp' when a specially crafted e-mail is forwarded,
which could let a remote malicious user execute arbitrary code; a
vulnerability exists due to insufficient restrictions on script generated
events, which could let a remote malicious user obtain sensitive
information; a buffer overflow vulnerability exists in the
'nsVCardObj.cpp' file due to insufficient boundary checks, which could let
a remote malicious user execute arbitrary code; a buffer overflow
vulnerability exists in 'nsPop3Protocol.cpp' due to boundary errors, which
could let a remote malicious user execute arbitrary code; a heap overflow
vulnerability exists when handling non-ASCII characters in URLs, which
could let a remote malicious user execute arbitrary code; multiple integer
overflow vulnerabilities exist in the image parsing routines due to
insufficient boundary checks, which could let a remote malicious user
execute arbitrary code; a cross-domain scripting vulnerability exists
because URI links dragged from one browser window and dropped into another
browser window will bypass same-origin policy security checks, which could
let a remote malicious user execute arbitrary code; and a vulnerability
exists because unsafe scripting operations are permitted, which could let
a remote malicious user manipulate information displayed in the security
dialog.


Updates available at: link="#999999"> href=" http://www.mozilla.org/">http://www.mozilla.org/


Proofs of Concept exploits have been published.


Mozilla Multiple Vulnerabilities


Medium/ High


(High if arbitrary code can be executed)


Technical Cyber Security Alert TA04-261A, September 17, 2004


US-CERT Vulnerability Notes VU#414240, VU#847200, VU#808216, VU#125776,
VU#327560, VU#651928, VU#460528, VU#113192, September 17, 2004


Multiple Vendors


Microsoft Internet Explorer 6.0, SP1&SP2; Mozilla Firefox 0.9.2


A vulnerability exists while validating cookie domains, which could
let a remote malicious user hijack a target user's session.

No workaround or patch available at time of
publishing.


There is no exploit code required.



Multiple Browser Cookie Domain Validation


CVE Names:
CAN-2004-0866,

 href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0867">CAN-2004-0867



Medium
Westpoint Security Advisory, September 15, 2004

Multiple Vendors


HP HP-UX B.11.23, 11.11, 11.00;
Mozilla Network Security Services
(NSS) 3.2, 3.2.1, 3.3-3.3.2, 3.4-3.4.2, 3.5, 3.6, 3.6.1, 3.7-3.7.3, 3.7.5,
3.7.7, 3.8, 3.9; Netscape Certificate Server 1.0 P1, 4.2, Directory Server
1.3, P1&P5, 3.12, 4.1, 4.11-.4.13, Enterprise Server 2.0 a, 2.0, 2.0.1
C, 3.0 L, 3.0, 3.0.1 B, 3.0.1, 3.1, 3.2, 3.5, 3.6, SP1-SP3, 3.51, 4.0,
4.1, SP3-SP8, Enterprise Server for NetWare 4/5 3.0.7 a, 4/5 4.1.1, 4/5
5.0, Enterprise Server for Solaris 3.5, 3.6,
Netscape Personalization
Engine; Sun ONE Application Server 6.0, SP1-SP4, 6.5, SP1 MU1&MU2, 6.5
SP1, 6.5 MU1-MU3, 7.0 UR2 Upgrade Standard, 7.0 UR2 Upgrade Platform,
Standard Edition, Platform Edition, 7.0 UR1 Standard Edition, Platform
Edition, 7.0 Standard Edition, Platform Edition, Certificate Server 4.1,
Directory Server 4.16, SP1, 5.0, SP1&SP2, 5.1 x86
SP3 x86, 5.1,
SP1-SP3, 5.2, Web Server 4.1, SP1-SP14, 6.0, SP1-SP7, 6.1

A buffer overflow vulnerability exists in the Netscape Network
Security Services (NSS) library suite due to insufficient boundary checks,
which could let a remote malicious user which may result in remote execute
arbitrary code.

Mozilla: href="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/"
target=_blank>/ href="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/">ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/


Sun: href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-57643-1&searchclause=security">http://sunsolve.sun.com/search/document.do?
assetkey=1-26-57643-1&searchclause=security


We are not aware of any exploits for this vulnerability.


NSS Buffer Overflow

High

Internet Security Systems Advisory, August 23, 2004


Sun(sm) Alert Notification, 57643,
September 16, 2004


myserverproject.net


MyServer 0.7


 


A Directory Traversal vulnerability exists due to an input validation
error, which could let a remote malicious user obtain sensitive
information.


Update available at: href=" http://sourceforge.net/project/showfiles.php?group_id=63119"> class=bodytext>
href="http://sourceforge.net/projects/myserverweb/ ">http://sourceforge.net/projects/myserverweb/


There is no exploit code required; however, a Proof of Concept exploit
has been published.


MyServer Directory Traversal

class=style52>Medium
securiteinfo.com advisory, September 15, 2004

PHP Group


PHP 5.0 - 5.0.1


 


A vulnerability exists in the 'phpinfo()' function, which could let a
remote malicious user obtain sensitive information.


Update available at: link="#999999">
 href="http://chora.php.net/php-src/main/php_variables.c">http://chora.php.net/php-src/main/php_variables.c


A Proof of Concept exploit has been published.


PHP
'phpinfo()' Function Information Disclosure

class=style52>Medium
SecurityTracker Alert ID, 1011279, September 15, 2004

PHPGroupWare


PHPGroupWare 0.9.12-0.9.16

A Cross-Site Scripting vulnerability exists in 'transforms.php' due to
insufficient sanitization of user-supplied URI input, which could let a
remote malicious user execute arbitrary HTML and script code.

Upgrade available at:
href="http://downloads.phpgroupware.org/files/0.9.16-release/phpgroupware-0.9.16.003.tar.gz ">http://downloads.phpgroupware.org/files/0.9.16-release/phpgroupware-0.9.16.003.tar.gz


Gentoo:
http://security.gentoo.org/glsa/glsa-200409-22.xml


There is no exploit code required.


PHPGroupWare Cross-Site Scripting

High
SecurityTracker Alert ID, 1011339, September 17, 2004

SMC


SMC7004VWBR 1.21 a, 1.22, 1.23, SMC7008ABR 1.32

A vulnerability exists which due to the way users are validated in the
web administration software, which could let a remote malicious user
obtain administrative access.

No workaround or patch available at time of
publishing.


There is no exploit code required.



SMC7004VWBR & SMC7008ABR Authentication
Bypass

High
Secunia Advisory, SA12601, September 20, 2004

YaBBSE.org


YaBB 1 Gold Release, SP 1.3.1, SP 1.3, SP 1.2,
SP 1, YaBB 1.40,
1.41, 9.1.2000, 9.11.2000

Several vulnerabilities exist: a vulnerability exists due to a failure
to properly validate access to administrative commands, which could let a
remote malicious user execute arbitrary commands; and a Cross-Site
Scripting vulnerability exists in the 'YaBB.pl' script, which could let a
remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of
publishing.


Proofs of Concept exploits have been published.



YaBB
Administrator Command Execution & Cross-Site Scripting


High
Bugtraq, September 16, 2004

ZyXEL Communications Corp.


Prestige 681

An information disclosure vulnerability exists in ARP requests, which
could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of
publishing.


There is no exploit code required.



ZyXEL P681
ARP Request Information Disclosure


Medium
Bugtraq, September 13, 2004

 


Recent
Exploit Scripts/Techniques

The table below
contains a sample of exploit scripts and "how to" guides identified during this
period. The "Workaround or Patch Available" column indicates if vendors,
security vulnerability listservs, or Computer Emergency Response Teams (CERTs)
have published workarounds or patches.

Note: At times,
scripts/techniques may contain names or content that may be considered
offensive.

































































































































































































Date of
Exploit
(Reverse face="Arial, Helvetica, sans-serif"> Chronological
Order)


Script
or Exploit Name

Workaround or Patch Available

face="Arial, Helvetica, sans-serif">Description
September 21, 2004 advisory-05-glFTPd.txt
No
Proof of concept exploit for the local stack overflow vulnerability in
the dupescan binary from glFTPd versions 2.00RC3 and below.
September 21, 2004ettercap-NG-0.7.1.tar.gz
N/A
Ettercap NG is a network sniffer/interceptor/logger for switched LANs.
It uses ARP poisoning and the man-in-the-middle technique to sniff all the
connections between two hosts.
September 21, 2004mambo45.jose.txt
Yes
Mambo versions 4.5 and below are susceptible to cross site scripting
and remote command execution flaws.
September 21, 2004 mambo451.txt


Yes

Proof of concept exploit for Mambo versions 4.5.1 and below SQL
injection vulnerability.
September 21, 2004 pigeonx.zip
Yes
Remote denial of service exploit for Pigeon versions 3.02.0143 and
below.
September 21, 2004 rsynxOSX.txt
Yes
Proof of concept exploit for RsyncX version 2.1, the frontend for
rsync on OS X, arbitrary program execution vulnerability.
September 21, 2004 sudoedit.txt
Yes
Proof of concept exploit for sudo version 1.6.8p1 that makes use of a
flaw in sudoedit.
September 18, 2004 sudo-exploit.c

Yes
Proof of Concept exploit for the Sudo Information Disclosure
vulnerability.
September 17, 2004 CRASH-TEST.zip
crash-netscape.jpg
jpegcompoc.zip
Yes
Proof of concept exploit for the Microsoft (Graphics Device Interface)
GDI+ JPEG handler integer underflow vulnerability.
September 17, 2004 jpegcompoc.zip
Yes
Proof of concept exploit for the JPEG buffer overrun vulnerability in
Windows XP.
September 17, 2004 lovethisgame.html
No
Proof of concept exploit for a file inclusion vulnerability in
PerlDesk 1.x due to insufficient input validation.
September 17, 2004 None
No
Example exploit for the DNS4Me denial of service and cross-site
scripting vulnerabilities.
September 17, 2004 None
No
Example exploit for the cross-site scripting vulnerability in the YaBB
forum 'YaBB.pl' script.
September 17, 2004 None
No
Proof of concept exploit for the Google Toolbar HTML injection
vulnerability. It is reported that the Google Toolbar 'ABOUT.HTML' page
allows the injection of HTML and JavaScript code.
September 17, 2004 None
No
Example exploit for the YaBB administrator command execution
vulnerability.
September 17, 2004 None
Yes
Proof of concept exploit for the Mozilla and
Firefox cross-domain scripting vulnerability.
September 17, 2004 None
Yes
Proof of concept exploit for the SnipSnap HTTP
response splitting vulnerability.
September 16, 2004 None
Yes
Proof of concept exploit for the Snitz Forums HTTP response splitting
vulnerability.
September 16, 2004 Tx.exe
Yes
A small universal Windows backdoor for all versions of Windows
NT/2K/XP/2003 with any service pack.
September 15, 2004 bbsEMarket.txt
Yes
Proof of concept exploit for BBS E-Market Professional path
disclosure, file download, file disclosure, user authentication bypass,
and php source injection vulnerabilities. BBS E-Market patch level bf_130,
version 1.3.0, and below is affected.
September 15, 2004 cdr-exp.sh
cdrecord-suidshell.sh
readcd-exp.sh
Yes
CDRTools is reportedly vulnerable to an RSH environment variable
privilege escalation vulnerability. This issue is due to a failure of the
application to properly implement security controls when executing an
application specified by the RSH environment variable.
September 15, 2004 challenges.tgz
N/A
This package contains example vulnerable C programs. There are
examples of buffer overflows (stack and heap) and format string
vulnerabilities. All examples are exploitable with a standard linux/x86
environment.
September 15, 2004 fwknop-0.4.1.tar.gz
N/A
fwknop is a flexible port knocking implementation that is based around
iptables. Both shared knock sequences and encrypted knock sequences are
supported.
September 15, 2004 myServer07.txt
Yes
myServer version 0.7 is susceptible to a simple directory traversal
attack.
September 15, 2004 netw-ib-ox-ag-5.24.0.tgz
N/A
Netwox is a utility that supports various protocols (DNS, FTP, HTTP,
NNTP, SMTP, SNMP) and performs low level functions like sniffing, spoofing
traffic, and playing client/server roles. Both Windows and Unix versions
are included.
September 15, 2004 None
Yes
Proof of concept vulnerability for the vulnerability in the Mozilla
'enablePrivilege' method.
September 15, 2004 None
Yes
Proof of concept exploit for the vulnerability in Mozilla and Firefox
browsers that could permit a remote site to gain access to contents of the
client user's clipboard.
September 15, 2004 pizzaicmp.c
N/A
ICMP-based triggered Linux kernel module that executes a local binary
upon successful use.
September 15, 2004 Rx.exe
Yes
A small universal Windows reverse shell for all versions of Windows
NT/2K/XP/2003 with any service pack.
September 14, 2004 getinternet.txt
No
Proof of concept exploit for getInternet SQL injection and remote
command execution vulnerabilities
September 14, 2004 getintranet.txt
No
Proof of concept exploit for getIntranet 2.x cross site scripting, SQL
injection, script insertion, and multiple other attacks
vulnerabilities.
September 14, 2004 LSS-2004-09-01.html
Yes
Proof of concept exploit for the format string vulnerability in SuS
logging function.
September 14, 2004 regulus.htm
No
Proof of concept exploit for various vulnerabilities exist in Regulus
2.x that allow for an attacker to gain access to sensitive information and
to bypass certain security restrictions.
September 13, 2004 None
Yes
Proof of concept exploit for Webmin / Usermin command execution
vulnerability when rendering HTML email messages. This issue is reported
to affect Usermin versions 1.080 and prior.
September 13, 2004 None
Yes
Proof of concept exploit for the Pingtel Xpressa handset remote denial
of service vulnerability.
September 13, 2004 None
No
Proof of concept exploit for the QNX Photon
MicroGUI buffer overflow vulnerabilities in MicroGUI utilities.
September 11, 2004 None
No
Proof of concept vulnerability for the Serv-U FTP
Server denial of service vulnerability.

face="Arial, Helvetica, sans-serif">

[back to
top]

name=trends>Trends



  • Several
    vulnerabilities exist in the Mozilla web browser and derived products, the
    most serious of which could allow a remote attacker to execute arbitrary code
    on an affected system. Mozilla has released versions of the affected software
    that contain patches for these issues: Mozilla 1.7.3, Firefox Preview Release,
    Thunderbird 0.8. Users are strongly encouraged to upgrade to one of these
    versions: www.mozilla.org. For more
    information, see US-CERT Technical
    Cyber Security Alert TA04-261A: Multiple vulnerabilities in Mozilla products.
    Available at:     href="http://www.uscert.gov/cas/techalerts/TA04-261A.html">http://www.uscert.gov/cas/techalerts/TA04-261A.html

  • The volume of worms and viruses is increasing, but the rate
    of successful attacks has dropped, according to a new report from Symantec.
    The antivirus company's biannual Internet Security Threat Report found that
    4,496 new Windows viruses and worms were released between January and June, up
    more than 4.5 times from same period last year. But overall the daily volume
    of actual attacks decreased in the first six months of 2004. Alfred Huger, a
    senior director at Symantec's Security Response team said malicious code
    writers were increasingly going to spammers to sell them access to the
    computers that they hack, or break into. Spammers, after paying the hackers,
    then flood those hacked computers with unsolicited messages or spam. Symantec
    also said it expects more viruses and worms in the future to be written to
    attack systems that run on the Linux operating system and hand-held devices as
    they become more widely used. The report also noted that the rate at which
    personal computers are being hijacked by hackers rocketed in the first half of
    2004. An average of 30,000 computers per day were turned into enslaved
    “zombies”, compared with just 2000 per day in 2003. Report: href="http://enterprisesecurity.symantec.com/content.cfm?articleid=1539">http://enterprisesecurity.symantec.com/content.cfm?articleid
    =1539 ( href="http://news.com.com/Viruses+keep+on+growing/2100-7349_3-5374399.html?tag=nefd.top">CNET
    News.com, September 20, 2004)

href="#top">[back to top]


name=viruses>Viruses/Trojans


Top Ten Virus
Threats


A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported during the latest three months), and approximate
date first found.


 






































































face="Arial, Helvetica, sans-serif">Rank

Common
Name

Type
of Code

face="Arial, Helvetica, sans-serif">Trends

face="Arial, Helvetica, sans-serif">Date

1
Netsky-PWin32 WormStableMarch 2004

2
Zafi-BWin32 WormStableJune 2004

3
Netsky-ZWin32 WormStableApril 2004

4
Netsky-DWin32 WormStableMarch 2004

5
Netsky-BWin32 WormStableFebruary 2004

6
Mydoom.mWin32 WormIncreaseJuly 2004

7
Mydoom.qWin32 WormSlight Decrease August 2004

8
Bagle-AAWin32 WormSlight Decrease April 2004

9
Netsky-QWin32 WormStableMarch 2004

10
MyDoom-OWin32 WormDecreaseJuly 2004

Top Ten Table Updated September 17, 2004


Viruses or Trojans Considered to be a High Level of
Threat



  • href="#ibank">Troj/IBank-A: Sophos is warning computer users about a
    Trojan horse that helps hackers break into the bank accounts of customers of
    an Australian bank. The Troj/IBank-A Trojan horse is designed to steal
    information from Internet customers of the National Australia Bank, which
    could allow hackers to break into accounts and steal substantial amounts of
    money. Although this particular Trojan horses only targets users of an
    Australian bank, Sophos warns that others have been seen which affect banking
    customers in other parts of the world.

The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.


NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.










































































































































































































































































Name
face="Arial, Helvetica, sans-serif">Aliases
face="Arial, Helvetica, sans-serif">Type
Backdoor.Nemog.D Trojan
Backdoor.Sdbot.AA
 Trojan
Backdoor.Sdbot.AB Trojan
BackDoor-CIM Trojan
Bagle.BA W32/Bagle.BA.wormWin32 Worm
Downloader-OT Trojan
Downloader-PU Trojan
E2Give Trojan
Fightrub.A W32/Fightrub.A.worm
W32/Fightrub@MM
Win32 Worm
Hacktool.IPCscan Trojan
Java/Binny.A Trojan
JS/Zerolin.eml Trojan
Mitglieder.cc TrojanProxy.Win32.Mitglieder.ccTrojan
MyDoom.ABI-Worm.Mydoom.y
W32.Mydoom.AB@mm
W32/Mydoom.AB@mm
Win32.Mydoom.AA
Win32/Mydoom.AA.Worm		Win32 Worm
Troj/IBank-APWSteal.IbankTrojan: Password Stealer
Trojan.Anits Trojan
VBS.Vabi@mm Visual Basic Worm
W32.Mexer.E@mm Win32 Worm
W32.Sndog@mm Win32 VB Worm
W32.Spybot.CYM
 Win32 Worm
W32/Fightrub@MM Win32 Worm
W32/Forbot-AE
 Backdoor.Win32.Wootbot.gen
W32/Gaobot.worm.gen.f
Win32 Worm
W32/Forbot-Gen Win32 Worm
W32/Forbot-W Win32 Worm
W32/Mydoom.ab@MM Win32 Worm
W32/Mydoom-Y
 Win32.Evaman.D@mm
W32/Evaman.e@MM
I-Worm.Mydoom.w		Win32 Worm
W32/MyDoom-Z
I-Worm.Mydoom.yWin32 Worm
W32/Myfip-AW32/Myfip.wormWin32 Worm
W32/Pahac@MM Win32 Worm
W32/Rbot-JR Backdoor.Rbot.gen
WORM_RBOT.LU
Win32 Worm
W32/Rbot-KZ
 Backdoor.Rbot.gen Win32 Worm
W32/Sasser-GWorm.Win32.Sasser.gWin32 Worm
W32/Sdbot-PG
BKDR_SDBOT.GENWin32 Worm
W32/Sdbot-PITrojan.Win32.PakesWin32 Worm
W32/Sdbot-PJBackdoor.SdBot.genWin32 Worm
W32/Sdbot-PK Win32 Worm
W32/Squirrel-A Win32 Worm
Win32.Bagle.ALI-Worm.Bagle.ap
W32.Beagle.AQ@mm
W32/Bagle.aw
Win32/Bagle.AW.Worm		Win32 Worm
Win32.Daqa.DBackDoor-BDI
Backdoor.Win32.Agent.co
Win32.Daqa.D
Win32/Agent.CO.Trojan		Trojan
Win32.Evaman.DEvaman.D
I-Worm.MyDoom.gen
W32.Evaman.C@mm
W32/Evaman.D.worm
W32/Evaman.d@MM
Win32 Worm
Win32.Evaman.DEvaman.D
I-Worm.MyDoom.gen
W32.Evaman.C@mm
W32/Evaman.D.worm
W32/Evaman.d@MM		Win32 Worm
Win32.Evaman.EI-Worm.Mydoom.w
MyDoom.AC
W32/Evaman.e@MM
W32/Mydoom.AC@mm
Win32/Evaman.E.Worm
Win32 Worm
Win32.Mydoom.AAI-Worm.Mydoom.y
W32/Mydoom.ab@MM
Win32 Worm
Win32.Remadmin.A Win32 Worm
Win32.Slinbot.LYBackdoor.SdBot.gen
IRC/SdBot.BXT
W32/Sdbot.worm.gen.q
Win32/Slinbot.LY.Worm		Win32 Worm
Win32.Sokeven.D Win32/Sokeven.D.TrojanWin32 Worm
WM97/Bablas-FA MS Word Macro Virus
WORM_EVAMAN.C Win32 Worm
WORM_MEXER.E Win32 Worm
WORM_MYDOOM.UW32/Mydoom.u@MM
Win32 Worm
WORM_SDBOT.VQ Win32 Worm



[back to
top]


 


 

 


Last updated


Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.