Summary of Security Items from January 5 through January 11, 2005
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attacks Scripts | Common Name | Risk | Source |
3CDaemon 2.0 revision 10 | Multiple vulnerabilities exist: a buffer overflow vulnerability exists when a remote malicious user submits a specially crafted FTP username, which could lead to the execution of arbitrary code; a buffer overflow vulnerability exists in several FTP commands, including cd, send, ls, put, delete, rename, rmdir, literal, stat, and cwd, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user submits an FTP user command with format string characters; a format string vulnerability exists in the cd, delete, rename, rmdir, literal, stat, and cwd [and others] commands, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user connects to the TFTP service and requests an MS-DOS device name; a vulnerability exists when the directory to an MS-DOS device name or a filename is changed, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | 3Com 3CDaemon Multiple Remote Vulnerabilities | Low/Medium/ High (Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed) | [I.T.S] Security Research Team Advisory, January 4, 2005 |
Amp II 3D Game Engine | A remote Denial of Service vulnerability exists due to a failure to handle exceptional conditions. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Amp II 3D Game Engine Remote Denial of Service | Low | Secunia Advisory, SA13754, January 7, 2005 |
Jeuce Personal Web Server 2.13 | Multiple vulnerabilities exist: a Directory Traversal vulnerability exists due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when handling certain URLs. No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | Jeuce Personal Web Server Directory Traversal & Denial of Service | Low/Medium (Medium if sensitive information can be obtained) | GSSIT - Global Security Solution IT Advisory, January 6, 2005 |
Soldner Secret Wars 30830 | Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user submits a UDP packet that contains 1402 or more bytes; a format string vulnerability exists which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a Cross-Site Scripting vulnerability exists in the administrative web interface log display, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. An exploit script has been published. | Soldner Secret Wars Multiple Remote Vulnerabilities | Low/High (High if arbitrary code can be executed) | SecurityTracker Alert ID, 1012790, January 6, 2005 |
FrontPage 2000 | A vulnerability exists in the DATA Access Internet Publishing Service Provider Distributed Versioning and Authoring (DAV) functionality, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Microsoft FrontPage 2000 DAV File Upload | High | SecurityFocus, December 31, 2004 |
Internet Explorer 6.0, SP1&SP2 | A vulnerability exists in the DHTML Edit ActiveX control, which could let a remote malicious user inject arbitrary scripting code into a different window on the target user's system. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Microsoft Internet Explorer DHTML Edit Control Script CVE Name: | High | Bugtraq, December 15, 2004 US-CERT Vulnerability Note, VU#356600, January 6, 2005 |
Windows (XP SP2 is not affected) | A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example. Updates available at: http://www.microsoft.com/technet/security/bulletin/ A Proof of Concept exploit has been published. | Microsoft Windows ANI File Parsing Errors CVE Name: | Low | VENUSTECH Security Lab, December 23, 2004 Microsoft Security Bulletin MS05-002, January 11, 2005 US-CERT Vulnerability Notes, VU#177584 & VU#697136, January 11, 2005 |
Windows (XP SP2 is not affected) | An integer overflow vulnerability was reported in the LoadImage API. A remote user can execute arbitrary code. A remote user can create a specially crafted image file that, when processed by the target user, will trigger an overflow in the USER32 library LoadImage API and execute arbitrary code. The code will run with the privileges of the target user. Updates available at: http://www.microsoft.com/technet/security/bulletin/ A Proof of Concept exploit has been published. | Microsoft Windows LoadImage API Buffer Overflow CVE Names: | High | VENUSTECH Security Lab, December 23, 2004 Microsoft Security Bulletin MS05-002, January 11, 2005 US-CERT Vulnerability Note, VU#625856, January 11, 2005 |
WindowsXP SP1 & prior service packs, 2003 | A buffer overflow vulnerability exists in the Indexing Service due to the way query validation is handled, which could let a remote malicious user cause a Denial of Service or execute arbitrary code. Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-003.mspx Currently we are not aware of any exploits for this vulnerability. | Microsoft Windows Indexing Service Buffer Overflow CVE Name: | Low/High (High if arbitrary code can be executed) | Microsoft Security Bulletin MS05-003, January 11, 2005 |
Windows 2000 SP3 & SP4, XP SP1 & SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME | A cross-domain vulnerability exists in the HTML Help ActiveX control, which could let a remote malicious user execute arbitrary code. Updates available at: http://www.microsoft.com/technet/security/bulletin/ Exploits have been published. | Microsoft Windows HTML Help ActiveX Control CVE Name: | High | Microsoft Security Bulletin MS05-001, January 11, 2005 |
Norton AntiVirus 2004, 2004 Professional Edition | A remote Denial of Service vulnerability exists due to a buffer overflow in the 'CcErrDsp.ErrorDisplay.1' ActiveX object. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow | Low | Bugtraq, January 6, 2005 |
Winace 2.5, 2.6 Beta 4 | A Directory Traversal vulnerability exists due to an input validation error when No workaround or patch available at time of publishing. Proofs of Concept exploit scripts have been published. | Winace Remote Directory Traversal | Medium | Secunia Advisory, SA13734, January 6, 2005 |
WinHKI 1.4 d | Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user creates a BH compressed file with a specially crafted header; a remote Denial of Service vulnerability exists when processing LHA files; and a Directory Traversal vulnerability exists when the application processes malformed BH, CAB, and ZIP compressed files, which could let a remote malicious user modify information. No workaround or patch available at time of publishing. There is no exploit required; however, Proofs of Concept exploits have been published. | WinHKI Multiple Remote Vulnerabilities | Low/Medium (Medium if information can be modified) | SecurityTracker Alert ID, 1012798, January 6, 2005 |
UNIX / Linux Operating Systems Only | | | | |
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attacks Scripts | Common Name | Risk | Source |
Simple PHP Blog 0.3.7 c | A Directory Traversal vulnerability exists in the 'entry' parameter due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information. Patch available at: There is no exploit code required; however, a Proof of Concept exploit has been published. | Alexander Palmo Simple PHP Blog Remote Directory Traversal | Medium | Bugtraq, January 7, 2005 |
pcal 0.7.1 | Two vulnerabilities were reported in pcal. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted calendar file that, when processed by the target user with pcal, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the getline() function in 'pcalutil.c' and the get_holiday() function in 'readfile.c'. Debian: A Proof of Concept exploit script has been published. | Andrew W. Rogers CVE Name: | High | SecurityTracker Alert ID, 1012592, December 16, 2004 Debian Security Advisory, |
abctab2ps 1.6.3 | A vulnerability was reported in abctab2ps. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ABC file that, when processed by the target user with abctab2ps, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the write_heading() function in 'subs.cpp' and the trim_title() function in 'parse.cpp.' Upgrade available at: A Proof of Concept exploit script has been published. | Christoph Dalitz abctab2ps Buffer Overflows | High | SecurityTracker Alert ID, 1012578, December 16, 2004 SecurityFocus, January 5, 2005 |
Dillo 0.8.3a & prior | A format string vulnerability exists in 'capi.c' in the 'a_interface_msg()' function, which could let a remote malicious user execute arbitrary code. Update available at: http://www.dillo.org/ Gentoo: A Proof of Concept exploit has been published. | Dillo 'a_Interface_msg()' Format String | High | Gentoo Linux Security Advisory, GLSA 200501-11, January 9, 2005 |
CUPS 1.1.21, 1.1.22 rc1, 1.1.22 | A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted HTTP GET request. Upgrades available at: A Proof of Concept exploit has been published. | CUPS HTTP GET Denial of Service | Low | SecurityTracker Alert ID, 1012811, January 7, 2005 |
GNU / GPL Samba 3.0.0 - 3.0.4 and 2.2.9 and prior | Multiple buffer overflow vulnerabilities exist in Samba that could allow a remote user to execute arbitrary code on the target system. These are caused by boundary errors when decoding base64 data and when handling 'mangling method = hash.' Upgrade to version 3.0.5 or 2.2.10 available at: http://us2.samba.org/samba/ftp/ Conectiva: RedHat: RedHat Enterprise Linux AS 3, ES 3, WS 3: Gentoo: Mandrakesoft: Mandrake Multi Network Firewall 8.x, 9.x; Mandrake Corporate Server 2.x SuSE: SuSE Linux, Email, Database, and Enterprise Servers Trustix: Sun: http://sunsolve.sun.com/search/ Sun: A working exploit has been published. | Samba Buffer Overflow Vulnerabilities CVE Names: | High | Samba Release Notes 3.0.5, July 20, 2004 Gentoo, RedHat, Mandrakesoft, SuSE, Trustix, Conectiva Advisories Sun(sm) Alert Notification, 57664, October 25, 2004 Sun(sm) Alert Notification, 57664, January 26, 2005 updated |
a2ps 4.13b | Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script. Debian: Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | GNU a2ps Two Scripts Insecure Temporary File Creation | Medium | Secunia SA13641, December 27, 2004 Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005 |
a2ps 4.13 | A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process. A patch for FreeBSD is available at: Debian: Gentoo: A Proof of Concept exploit has been published. | GNU a2ps Filenames Shell Commands Execution | High | SecurityTracker Alert ID, 1012475, December 10, 2004 Debian Security Advisory Gentoo GLSA 200501-02, January 5, 2005 |
MPlayer 1.0pre5 | A vulnerability was reported in MPlayer in the processing of ASF streams. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ASF video stream that, when viewed by the target user with MPlayer, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. Gentoo: Conectiva: A Proof of Concept exploit script has been published. | GNU MPlayer ASF Streams Processing Buffer Overflow | High | SecurityTracker Alert ID, 1012562, December 16, 2004 Gentoo GLSA 200412-21 / MPlayer, December 12, 2004 Conectiva Advisory, CLSA-2005:910, January 5, 2005 |
Vim 6.x, GVim 6.x | Multiple vulnerabilities exist which can be exploited by local malicious users to gain escalated privileges. The vulnerabilities are caused due to some errors in the modelines options. This can be exploited to execute shell commands when a malicious file is opened. Successful exploitation can lead to escalated privileges but requires that modelines is enabled. Apply patch for vim 6.3: Gentoo: Red Hat: Mandrake: Currently we are not aware of any exploits for these vulnerabilities. | GNU Vim / Gvim Modelines Command Execution Vulnerabilities CVE Name: | Medium | Gentoo Linux Security Advisory, GLSA 200412-10 / vim, December 15, 2004 Red Hat Advisory RHSA-2005:010-05, January 5, 2005 Mandrakelinux Security Update Advisory, MDKSA-2005:003, January 6, 2005 |
xine prior to 0.99.3 | Multiple vulnerabilities exist that could allow a remote user to execute arbitrary code on the target user's system. There is a buffer overflow in pnm_get_chunk() in the processing of the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG, and CONT_TAG parameters. The vendor has issued a fixed version of xine-lib (1-rc8), available at: http://xinehq.de/index.php/releases A patch is also available at: Gentoo: A Proof of Concept exploit has been published. | GNU xine Buffer CVE Name: | High | iDEFENSE Security Advisory 12.21.04 Gentoo, GLSA 200501-07, January 6, 2005 |
xine-lib 1.x | Multiple vulnerabilities with unknown impacts exist due to errors in the PNM and Real RTSP clients. Update to version 1-rc8: Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | GNU xine-lib CVE Name: | Not Specified | Secunia Advisory, SA13496, December 16, 2004 Gentoo Linux Security Advisory, GLSA 200501-07, January 6, 2005 |
Xpdf prior to 3.00pl2 | A buffer overflow vulnerability exists that could allow a remote user to execute arbitrary code on the target user's system. A remote user can create a specially crafted PDF file that, when viewed by the target user, will trigger an overflow and execute arbitrary code with the privileges of the target user. A fixed version (3.00pl2) is available at: http://www.foolabs.com/xpdf/download.html A patch is available: KDE: Gentoo: Fedora: Ubuntu: Mandrakesoft (update for koffice): Mandrakesoft (update for kdegraphics): http://www.mandrakesoft.com/security/ Mandrakesoft (update for gpdf): Mandrakesoft (update for xpdf): Mandrakesoft (update for tetex): Debian: Fedora (update for tetex): Fedora: http://download.fedora.redhat.com/pub/ Gentoo: Currently we are not aware of any exploits for this vulnerability. | GNU Xpdf Buffer Overflow in doImage() CVE Name: | High | iDEFENSE Security Advisory 12.21.04 KDE Security Advisory, December 23, 2004 Mandrakesoft, MDKSA-2004:161,162,163,165, 166, December 29, 2004 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200501-13, January 10, 2005 |
Zip 2.3 | A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code. Ubuntu: Fedora: Gentoo: Mandrake: http://www.mandrakesecure.net/en/ftp.php SUSE: Red Hat: Debian: Currently we are not aware of any exploits for this vulnerability. | Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow CVE Name: | High | Bugtraq, November 3, 2004 Ubuntu Security Notice, USN-18-1, November 5, 2004 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004 SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004 Red Hat Advisory, RHSA-2004:634-08, December 16, 2004 Debian DSA-624-1, January 5, 2005 |
HTGET 0.93 | A buffer overflow vulnerability was reported in HTGET. A remote malicious user can cause arbitrary code to be executed. A remote user can create a specially crafted URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code. Debian: An exploit script has been published. | J Whitham HTGET CVE Name: | High | Debian Security Advisory PacketStorm, January 6, 2005 |
KDE 3.x, 2.x | A vulnerability exists in kio_ftp, which can be exploited by malicious people to conduct FTP command injection attacks. The vulnerability has been fixed in the CVS repository. Mandrakesoft: Debian: Currently we are not aware of any exploits for this vulnerability. | KDE kio_ftp FTP Command Injection Vulnerability CVE Name: | Medium | KDE Advisory Bug 95825, December 26, 2004 Debian Security Advisory, DSA 631-1, January 10, 2005 |
Konqueror prior to 3.32 | Two vulnerabilities exist in KDE Konqueror, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to some errors in the restriction of certain Java classes accessible via applets and Javascript. This can be exploited by a malicious applet to bypass the sandbox restriction and read or write arbitrary files. Update to version 3.3.2: Apply patch for 3.2.3: Mandrakesoft: Currently we are not aware of any exploits for these vulnerabilities. | KDE Konqueror CVE Name: | High | KDE Security Advisory, December 20, 2004 Mandrakesoft MDKSA-2004:154, December 22, 2004 US-CERT Vulnerability Note, VU#420222, January 5, 2005 |
Perl 5.8.3 | A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files. Trustix: Ubuntu: Gentoo: Debian: There is no exploit code required. | Perl CVE Name: | Medium | Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004 Ubuntu Security Notice, USN-16-1, November 3, 2004 Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004 Debian Security Advisory, DSA 620-1, December 30, 2004 |
NASM 0.98.38 | A vulnerability was reported in NASM. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted asm file that, when processed by the target user with NASM, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the error() function in 'preproc.c.' Gentoo: Debian: Mandrake: A Proof of Concept exploit script has been published. | LGPL NASM error() Buffer Overflow CVE Name: | High | Secunia Advisory ID, SA13523, December 17, 2004 Debian Security Advisory Mandrakelinux Security Update Advisory, MDKSA-2005:004, January 6, 2005 |
LibTIFF 3.6.1 Avaya MN100 (All versions), Avaya Intuity LX (version 1.1-5.x), Avaya Modular Messaging MSS (All versions) | Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code. Debian: Gentoo: Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ OpenPKG: Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Mandrake: SuSE: ftp://ftp.suse.com/pub/suse/ RedHat: http://rhn.redhat.com/errata/RHSA-2004-577.html Slackware: Conectiva: KDE: Update to version 3.3.2: Apple Mac OS X: Gentoo: KDE kfax: Avaya: No solution but workarounds available at: http://support.avaya.com/elmodocs2/security/ASA-2005-002_RHSA-2004-577.pdf Proofs of Concept exploits have been published. | LibTIFF Buffer CVE Name: | Low/High (High if arbitrary code can be executed) | Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004 Fedora Update Notification, OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004 Debian Security Advisory, DSA 567-1, October 15, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004 SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004 RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004 Slackware Security Advisory, SSA:2004-305-02, November 1, 2004 Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004 US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004 Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004 KDE Security Advisory, December 9, 2004 Apple Security Update SA-2004-12-02 Gentoo Security Advisory, GLSA 200412-17 / kfax, December 19, 2004 Avaya Advisory ASA-2005-002, January 5, 2005 Conectiva Linux Security Announcement, CLA-2005:914, January 6, 2005 |
LinPopUp 1.2.0 | A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can send a specially crafted message to LinPopUp to trigger a buffer overflow in strexpand() in 'string.c' and execute arbitrary code. The code will run with the privileges of the LinPopUp process. Debian: Gentoo: A Proof of Concept exploit script has been published. | Little Igloo LinPopUp strexpand() Buffer Overflow | High | SecurityTracker Alert ID, 1012542, December 16, 2004 Gentoo GLSA 200501-01, January 5, 2005 Debian Security Advisory, DSA 632-1, January 10, 2005 |
Kerberos 5 krb5-1.3.5 and prior | A buffer overflow exists in the libkadm5srv administration library. A remote malicious user may be able to execute arbitrary code on an affected Key Distribution Center (KDC) host. There is a heap overflow in the password history handling code. A patch is available at: Gentoo: Currently we are not aware of any exploits for this vulnerability. | Kerberos CVE Name: | High | SecurityTracker Alert ID, 1012640, December 20, 2004 Gentoo GLSA 200501-05, January 5, 2005 |
Mozilla Browser 1.7, rc1-rc3, beta, alpha, 1.7.1-1.7.3, 1.8 Alpha 1-4, Firefox Preview Release | A vulnerability exists in the 'Open with' option because the software saves the file in the '/tmp' directory with world-readable permissions, which could let a malicious user obtain sensitive information. Fixes are available in the CVS repository. Gentoo: There is no exploit code required. | Mozilla Temporary File Insecure Permissions Information Disclosure | Medium | Secunia Advisory, Gentoo Linux Security Advisory, GLSA 200501-03, January 5, 2005 |
Linux kernel 2.6.10, 2.6.9 | A Denial of Service vulnerability exists in the 'mlockall()' system call due to a failure to properly enforce defined limits. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial of Service | Low | Bugtraq, January 7, 2005 |
Exim 4.43 & prior | Multiple vulnerabilities exist that could allow a local user to obtain elevated privileges. There are buffer overflows in the host_aton() function and the spa_base64_to_bits() functions. It may be possible to execute arbitrary code with the privileges of the Exim process. The vendor has issued a fix in the latest snapshot: ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/ Also, patches for 4.43 are available at: Fedora: Ubuntu: Currently we are not aware of any exploits for these vulnerabilities. | GNU Exim Buffer Overflows CVE Names: | High | SecurityTracker Alert ID: 1012771, January 5, 2005 |
Linux kernel 2.6 -test9-CVS, -test1-test11, | A vulnerability exists which could let a malicious user obtain sensitive information. Upgrades available at: Fedora: Currently we are not aware of any exploits for this vulnerability. | Linux Kernel | Medium | Fedora Update Notifications FEDORA-2004-581 & 582, January 3, 2005 |
Linux kernel 2.6 -test9-CVS, -test1-test11, | A vulnerability exists in the SCM system due to a failure to properly call defined security module functions, which could let a malicious user bypass security measures. Upgrades available at: Fedora: Currently we are not aware of any exploits for this vulnerability. | Linux Kernel Local | Medium | Fedora Update Notifications FEDORA-2004-581 & 582, January 3, 2005 |
Perl | A race condition vulnerability was reported in the 'File::Path::rmtree()' function. A remote user may be able to obtain potentially sensitive information or modify files. The vendor has released Perl version 5.8.4-5 to address this vulnerability. Customers are advised to contact the vendor for information regarding update availability. Debian: Ubuntu: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendors Perl File::Path::rmtree() Permission CVE Name: | Medium | Ubuntu Security Notice, USN-44-1, December 21, 2004 Debian Security Advisory, DSA 620-1, December 30, 2004 |
Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; | A vulnerability exists in the tiffdump utility, which could let a remote malicious user execute arbitrary code. Debian: Fedora: Gentoo: Mandrake: SuSE: Ubuntu: Currently we are not aware of any exploits for this vulnerability. | LibTIFF TIFFDUMP Heap Corruption CVE Name: | High | SecurityTracker Alert ID, 1012785, January 6, 2005 |
Linux Kernel | A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'. Red Hat: Fedora: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendors Linux Kernel CVE Name: | Low/Medium (Medium if elevated privileges can be obtained) | SecurityTracker Alert ID: 1012477, December 10, 2004 Fedora Update Notifications, |
Linux kernel 2.2-2.2.25, 2.3, 2.3.99, pre1-pre7, 2.4.0, test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.5.0-2.5.65 | Multiple buffer overflow vulnerabilities exist in the 'drivers/char/moxa.c' file due to insufficient bounds checks prior to copying user-supplied data to fixed-size memory buffers, which could let a malicious user execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for these vulnerabilities. | Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflows | High | Bugtraq, January 7, 2005 |
Linux kernel 2.4.0-test1-test12, 2.4-2.4.27 | A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code. Upgrades available at: SUSE: Ubuntu: Red Hat: Fedora: Currently we are not aware of any exploits for this vulnerability. | | Medium/High (High if arbitrary code can be executed) | Bugtraq, November 19, 2004 SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004 SecurityFocus, December 14, 2004 Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Linux kernel 2.4, 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.6.10, 2.6, test1-test11, 2.6.1-2.6.10, 2.6.10 rc2 | An integer overflow vulnerability exists in the 'random.c' kernel driver due to insufficient sanitization of the 'poolsize_strategy' function, which could let a malicious user cause a Denial of Service or execute arbitrary code. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Linux Kernel Random Poolsize SysCTL Handler Integer Overflow | Low/High (High if arbitrary code can be executed) | Bugtraq, January 7, 2005 |
Linux Kernel 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.6, test1-test11, 2.6.1, rc1-rc2, 2.6.2-2.6.9, 2.6.10 rc2 | A vulnerability exists in the 'load_elf_library()' function in 'binfmt_elf.c' because memory segments are not properly processed, which could let a remote malicious user execute arbitrary code with root privileges. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Linux Kernel uselib() Root Privileges CVE Name: | High | iSEC Security Research Advisory, January 7, 2005 |
Linux Kernel 2.6 - 2.6.10 rc2 | The Linux kernel is prone to a local Denial of Service vulnerability. This vulnerability is reported to exist when 'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options are set in the Linux kernel. A local attacker may exploit this vulnerability to trigger a kernel panic and effectively deny service to legitimate users. Ubuntu: Fedora: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendors Linux Kernel Sock_DGram_SendMsg Local Denial of Service CVE Name: | Low | Ubuntu Security Notice USN-38-1 December 14, 2004 Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Linux Kernel 2.6 - 2.6.9, 2.4 - 2.4.28 | Integer overflow vulnerabilities exist that could allow a local user to cause Denial of Service conditions. These overflows exist in ip_options_get() and vc_resize() and a memory leak in ip_options_get(). The vendor has issued a fix in 2.6.10rc3bk5 and possibly also in the 2.4 release candidate. Ubuntu: Fedora: A Proof of Concept exploit has been published. | Multiple Vendors Linux Kernel ip_options_get() and vc_resize() Integer Overflows | Low | Georgi Guninski Security Advisory #72, December 15, 2004 Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Linux Kernel 2.6.10, 2.6, test1-test11, 2.6.1-2.6.10, 2.6.10 rc2 | An integer overflow vulnerability exists in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Linux Kernel SCSI IOCTL Integer Overflow | High | Bugtraq, January 7, 2005 |
Samba 2.2.9, 3.0.8 and prior | An integer overflow vulnerability in all versions of Samba's smbd 0.8 could allow a remote malicious user to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. Patches available at: Red Hat: Gentoo: Trustix: Red Hat (Updated): Fedora: SUSE: Mandrakesoft: Conectiva: RedHat: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendors Samba smbd Security CVE Name: | High | iDEFENSE Security Advisory 12.16.04 Red Hat Advisory, RHSA-2004:670-10, December 16, 2004 Gentoo Security Advisory, GLSA 200412-13 / Samba, December 17, 2004 US-CERT, Vulnerability Note VU#226184, December 17, 2004 Trustix Secure Linux Advisory #2004-0066, December 17, 2004 Red Hat, RHSA-2004:670-10, December 16, 2004 SUSE, SUSE-SA:2004:045, December 22, 2004 RedHat Security Advisory, RHSA-2005:020-04, January 5, 2005 Conectiva Linux Security Announcement, CLA-2005:913, January 6, 2005 |
Eventum 1.3.1 | Multiple vulnerabilities exist which can be exploited by malicious people to conduct Cross-Site Scripting and script insertion attacks and potentially bypass certain security restrictions. 1) Input passed to the 'email' parameter in 'index.php' and 'forgot_password.php,' and the 'title' and 'outgoing_sender_name' parameters in 'projects.php' is not properly sanitized before being returned to users. 2) Input passed to the 'full_name,' 'sms_email,' 'list_refresh_rate,' and 'emails_refresh_rate' parameters in 'preferences.php' is not properly sanitized. 3) Eventum has an undocumented default administrator account. Upgrades available at: Currently we are not aware of any exploits for these vulnerabilities. | MySQL Eventum Multiple Vulnerabilities | High | CIRT-200404 and CIRT-200405: December 28, 2004 SecurityFocus, January 5, 2005 |
Namazu 2.0.13 and prior | A vulnerability exists which can be exploited by malicious people to conduct Cross-Site Scripting attacks. Input passed to 'namazu.cgi' isn't properly sanitized before being returned to the user if the query begins from a tab ('%09'). This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. Update to version 2.0.14: Fedora: Debian: Currently we are not aware of any exploits for this vulnerability. | Namazu Cross-Site Scripting Vulnerability CVE Name: | High | Namazu Security Advisory, December 15, 2004 Debian Security Advisory, DSA 627-1, January 6, 2005 |
mod_dosevasive 1.9 and prior | A vulnerability exists in 'mod_dosevasive' for Apache that could allow a local user to obtain elevated privileges. The software creates unsafe temporary files. A local user can create a symbolic link (symlink) from a non-existent file on the system to a predictably named temporary file in the '/tmp' directory. When mod_dosevasive is run, the symlinked file will be created with the privileges of the web service. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Nuclear Elephant mod_dosevasive Symlink Flaw | Medium | LSS Security Advisory #LSS-2005-01-01, January 4, 2005 |
SHOUTcast 1.9.4 | A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. A remote user can supply a specially crafted request to the target server containing format string characters to cause the target service to crash or execute arbitrary code. Gentoo: Currently we are not aware of any exploits for this vulnerability. | Nullsoft SHOUTcast Format String Flaw | High | SecurityTracker Alert ID: 1012675, December 24, 2004 Gentoo GLSA 200501-04, January 5, 2005 |
Vilistextum 2.6.6 | A vulnerability was reported in Vilistextum that could allow a remote malicious user to cause arbitrary code to be executed by the target user. A remote user can create a specially crafted HTML file that, when processed by the target user with Vilistextum, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the get_attr() function in 'html.c.' Gentoo: A Proof of Concept exploit script has been published. | Patric Müller CVE Name: | High | SecurityTracker Alert ID, 1012558, December 16, 2004 Gentoo Linux Security Advisory, GLSA 200501-10, January 6, 2005 |
PHPGroupWare 0.9.16.03 | PHPGroupWare contains multiple input validation vulnerabilities; it is prone to multiple SQL injection and Cross-Site Scripting issues. These issues are all due to a failure of the application to properly sanitize user-supplied input. A malicious user could exploit these vulnerabilities to execute arbitrary code. Upgrade available at: http://download.phpgroupware.org/now A Proof of Concept exploit has been published. | PHPGroupWare Multiple Cross-Site Scripting and SQL Injection | High | GulfTech Security Research December 14th, 2004 SecurityFocus, January 6, 2005 |
GNOME VFS Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64; | Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts. Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/ SUSE: SGI: RedHat: We are not aware of any exploits for these vulnerabilities. | Red Hat GNOME VFS updates address CVE Name: | High | Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004 Fedora Update Notification SecurityFocus, Bugtraq ID: 10864, December 7, 2004 RedHat Security Advisory, RHSA-2004:464-09, January 5, 2005 |
LibTIFF 3.x | A vulnerability exists that potentially can be exploited by malicious people to execute arbitrary code on the target system. The vulnerability is caused due to an unspecified integer overflow in the tiffdump utility. Gentoo: Currently we are not aware of any exploits for this vulnerability. | Remote Sensing LibTIFF Integer Overflow Vulnerability in tiffdump | High | Secunia SA13728, January 6, 2005 |
zgv Image Viewer 5.5 | Several vulnerabilities exist due to various integer overflows when processing images, which could let a remote malicious user execute arbitrary code. Gentoo: Debian: The vendor has issued a patch, available at: Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | Russell Marks ZGV Image Viewer Multiple Remote Integer CVE Name: | High | Bugtraq, October 26, 2004 Gentoo Linux Security Advisory, GLSA 200411-12:01, November 7, 2004 Debian Security Advisory, DSA-608-1 zgv, December 14, 2004 SecurityTracker Alert ID: 1012546, December 16, 2004 Gentoo Linux Security Advisory, GLSA 200501-09, January 6, 2005 |
Squid 2.x | A remote Denial of Service vulnerability exists in the NTLM fakeauth_auth helper when running under a high load or for a long period of time, and a specially crafted NTLM type 3 message is submitted. Patch available at: Currently we are not aware of any exploits for this vulnerability. | Squid NTLM fakeauth_auth Helper Remote Denial of Service | Low | Secunia Advisory, SA13789, January 11, 2005 |
Virtual Hosting Control System Virtual Hosting Control System 2.2 | A vulnerability exists due to a file include vulnerability, which could let a remote malicious user execute arbitrary PHP code. No workaround or patch available at time of publishing. There is no exploit code required. | Virtual Hosting Control System SQL.PHP Remote File Include | High | SecurityFocus, January 6, 2005 |
Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
PhotoPost PHP Pro 4.x | Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 1) Input passed to the "page", "cat", and "si" parameters in "showgallery.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" and "ppuser" parameters in "showgallery.php" isn't sanitized properly before being used in a SQL query. Update to version 4.86: An exploit script has been published. | All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection | High | GulfTech Security Research Team, January 3, 2005 PacketStorm, January 5, 2005 |
ReviewPost PHP Pro 2.x | Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 1) Input passed to the "si" parameter in "showcat.php", "cat" and "page" parameters in "showproduct.php", and "report" parameter in "reportproduct.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" parameter in "showcat.php" and "product" parameter in "addfav.php" isn't properly sanitized before being used in a SQL query. 3) An error in the handling of file uploads for filenames with multiple extensions (e.g. "test.jpg.php.jpg.php") can be exploited. Update to version 2.84: An exploit script has been published. | All Enthusiast ReviewPost PHP Pro Multiple Vulnerabilities | High | GulfTech Security Research Team, January 3, 2005 PacketStorm, January 5, 2005 |
Tomcat 5.x | A Cross-Site Scripting vulnerability exists due to insufficient sanitization of various input passed to the 'Tomcat Manager,' which could let a remote malicious user execute arbitrary HTML and script code. Patch available at: Proofs of Concept exploits have been published. | Apache Tomcat 'Tomcat Manager' Cross-Site Scripting | High | Secunia Advisory, SA13737, January 6, 2005 |
AirPort Express Firmware 6.1, AirPort Extreme Firmware 5.5 | A remote Denial of Service vulnerability exists when used in the Wireless Distribution System (WDS) mode. This issue could allow a remote attacker to cause the base station to stop processing traffic. Upgrades available at: There is no exploit code required. | Apple AirPort Wireless Distribution System Remote Denial of Service | Low | SecurityFocus January 3, 2004 |
b2evolution 0.8.2.2, 0.8.2, 0.8.6.2, 0.8.6.1, 0.8.6, 0.8.7, 0.8.9, 0.9.0.11, 0.9.0.10, 0.9.0.09, 0.9.0.0, 0.9.0.05, 0.9.0.03 | A vulnerability exists in the '_class_itemlist.php' script due to insufficient sanitization of the 'title' parameter, which could let a remote malicious user execute arbitrary code. Workaround available at: There is no exploit code required. | b2evolution '_class_itemlist.php' Script Input Validation | High | Securiteam, January 9, 2005 |
2Bgal 2.4 and 2.5.1 | A vulnerability exists that can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id_album" parameter is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Upgrade available at: A Proof of Concept exploit has been published. | Ben3W 2Bgal "id_album" SQL Injection Vulnerability | High | Secunia SA13620, December 23, 2004 Packetstorm, December 31, 2004 SecurityFocus, January 7, 2005 |
IOS 12.2 ZA, SY, SXB, SXA, (17a) SXA, (14)ZA2, (14)ZA, (14)SY | A remote Denial of Service vulnerability exists when processing Internet Key Exchange (IKE) packets. Revision 1.2: Updated the 12.2(14)SY03 Release Notes URL in the Software Fixes and Versions section. Updates available at: Currently we are not aware of any exploits for this vulnerability. | Cisco IOS Malformed IKE Packet Remote Denial of Service | Low | Cisco Security Advisory 50430, April 8, 2004 Cisco Security Advisory 50430 Rev. 1.2, January 5, 2005 |
IOS R12.x, 12.x | A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port. Revision 2.4: Updated availability information for IOS releases. Corrected fixed software version for 12.1E Maintenance release. Potential workarounds available at: http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml Currently we are not aware of any exploits for this vulnerability. | Cisco IOS Telnet Service Remote Denial of Service | Low | Cisco Security Advisory, cisco-sa-20040827, August 27, 2004 US-CERT Vulnerability Note VU#384230 Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004 Cisco Security Advisory, 61671 Rev 2.3, October 31, 2004 Cisco Security Advisory, 61671 Rev 2.4, December 31, 2004 |
QwikiWiki 1.4.1 | A Directory Traversal vulnerability exists due to insufficient validation of the 'page' parameter, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | David Barrett QwikiWiki Remote Directory Traversal | Medium | Securiteam, January 5, 2005 |
DB2 Universal Database for AIX 7.0-7.2, 8.0, 8.1, DB2 Universal Database for HP-UX 7.0-7.2, 8.0, 8.1, DB2 Universal Database for Linux 7.0-7.2, 8.0, 8.1, DB2 Universal Database for Solaris 7.0-7.2, 8.0, 8.1, IBM DB2 Universal Database for Windows 7.0-7.2, 8.0, 8.1 | A vulnerability exists in the XMLVarcharFromFile and XMLClobFromFile functions, which could let a remote malicious user corrupt data, obtain sensitive information, and ultimately execute arbitrary code. Patches available at: Currently we are not aware of any exploits for this vulnerability. | IBM DB2 XML Function | Medium/ High (High if arbitrary code can be executed) | NGSSoftware Insight Security Research Advisory, NISR05012005I, January 5, 2005 |
Invision Community Blog 1.0 | A vulnerability exists in the 'eid' parameter due to insufficient input validation, which could let a remote malicious user inject SQL commands. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | Invision Community Blog Input Validation | Medium | Bugtraq, January 9, 2005 |
Firefox 0.8, 0.9-0.9.3, 0.10, 0.10.1 | Multiple vulnerabilities exist: a vulnerability exists because web sites may include images from local resources, which could let a malicious user obtain sensitive information, cause a Denial of Service, and potentially steal passwords from Windows systems; a vulnerability exists in the file download dialog box because filenames are truncated, which could let a malicious user spoof downloaded file names; and a vulnerability exists on Mac OS X because Firefox is installed with world-writable permissions, which could let a malicious user obtain elevated privileges. Upgrades available at: Gentoo: An exploit script is not required. | Mozilla Firefox Multiple Vulnerabilities | Low/ Medium (Low if a DoS) | Secunia Advisory, Gentoo Linux Security Advisory, GLSA 200501-03, January 5, 2005 |
Mozilla 1.7.3 | A heap overflow vulnerability exists in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system. A remote user can create a specially crafted 'news://' URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The flaw resides in the *MSG_UnEscapeSearchUrl() function in 'nsNNTPProtocol.cpp'. The vendor has issued a fixed version (1.7.5), available at: http://www.mozilla.org/products/mozilla1.x/ Gentoo: A Proof of Concept exploit has been published. | Mozilla Buffer Overflow in Processing NNTP URLs | High | iSEC Security Research Advisory, December 29, 2004 Gentoo Linux Security Advisory, GLSA 200501-03, January 5, 2005 |
Ericsson T610; | A vulnerability exists in the application layer, and not in the actual Bluetooth protocol layer, which could let a remote malicious user utilize the mobile device to act as a modem. No workaround or patch available at time of publishing. There is no exploit code required. | Multiple Vendor Bluetooth Device Unauthorized Serial Command Access | Medium | SecurityFocus, January 4, 2005 |
Microsoft Internet Explorer 6.0, SP1&SP2; Mozilla Firefox 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1; | Multiple vulnerabilities exist in the image handling functionality through the <IMG> tag, which could let a remote malicious user cause a Denial of Service, and obtain sensitive information. Mozilla: Gentoo: A Proof of Concept exploit has been published. | Multiple Browser IMG Tag Multiple Vulnerabilities | Low/ Medium (Medium if sensitive information can be obtained) | SecurityFocus, November 10, 2004 Gentoo Linux Security Advisory, GLSA 200501-03, January 5, 2005 |
MyBulletinBoard RC4 | A vulnerability exists in the 'member.php' script due to insufficient validation of the 'uid' parameter, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | MyBulletinBoard MEMBER.PHP SQL Injection | High | Securiteam, January 5, 2005 |
Greymatter 1.1 b, 1.2, 1.3, 1.21 a-1.21d, 1.21 | A vulnerability exists in the 'gm-comments.cgi' script due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however a Proof of Concept exploit has been published. | Noah Grey Greymatter 'GM-Comments.CGI' HTML Injection | High | SecurityFocus, January 6, 2005 |
Greymatter 1.3 | Several vulnerabilities exist: a vulnerability exists in the main entry pages' section because a temporary file is created that contains the username and plaintext password when rebuilding the section, which could let a remote malicious user obtain sensitive information; and a vulnerability exists in 'GM-CPLog.CGI' due to insufficient sanitization of user-supplied input during login, which could let a malicious user execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published for the HTML injection vulnerability. | Noah Grey Greymatter Password Disclosure & HTML Injection | Medium/ High (High if arbitrary code can be executed) | SecurityFocus, January 6, 2005 |
Netware 5.1, SP4-SP6, 6.0, SP1-SP3 | A remote Denial of Service vulnerability exists in 'CIFS.NLM.' Patches available at: There is no exploit code required. | Novell Netware CIFS.NLM Remote Denial of Service | Low | Novell Technical Information Document, TID2970488, January 5, 2005 |
Zeroboard 4.x | A vulnerability exists in 'error.php' due to insufficient verification of the 'dir' parameter, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Zeroboard 'error.php' Include File | High | Secunia Advisory, SA13769, January 10, 2005 |
SugarCRM 1.0g, 1.0f, 1.0, 1.1a-1.1f, 1.1, 1.5d, 2.0.1a, 2.0.1, SugarSales 2.0.1c | A vulnerability exists in the 'moduleDefaultFile' array due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | SugarCRM/SugarSales 'moduleDefaultFile' array | High | Securiteam, January 9, 2005 |
Sun Java JRE 1.3.x, 1.4.x | A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets. Updates available at: Conectiva: Gentoo: Symantec: Currently we are not aware of any exploits for this vulnerability. | Sun Java Plug-in Sandbox Security Bypass CVE Name: | Medium | Sun(sm) Alert Notification, 57591, November 22, 2004 US-CERT Vulnerability Note, VU#760344, November 23, 2004 Conectiva Linux Security Announcement, CLA-2004:900, November 26, 2004 Gentoo Linux Security Advisory, GLSA 200411-38, November 29, 2004 HP Security Bulletin, Sun(sm) Alert Notification, 57591, January 6, 2005 (Updated) Symantec Security Response, SYM05-001, |
Brightmail Anti-Spam 6.0.1 | Two vulnerabilities exist: a remote Denial of Service vulnerability exists because the Sieve module fails to recognize malformed RFC 822 MIME attachment boundaries; and a remote Denial of Service vulnerability exists because Spamhunter fails to convert certain valid character encoding sets to UTF. Patch available at: Currently we are not aware of any exploits for these vulnerabilities. | Symantec Brightmail Remote Denials of Service | Low | SecurityTracker Alert ID, 1012612, December 17, 2004 US-CERT Vulnerability Note, VU#697598, January 6, 2005 |
Amphora Gate | A vulnerability exists in the 'free_loginpage.php' page because the '/validacion.php' page can be loaded using the previously assigned authentication credentials, which could let a remote malicious user obtain administrative access. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Vayris Amphora Gate Administrative Access | High | SecurityTracker Alert, 1012825, January 10, 2005 |
Burning Board Lite 1.0.0, 1.0.1 e | A Cross-Site Scripting vulnerability exists in 'formmail.php' due to insufficient sanitization of the 'userid' parameter, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | WoltLab Burning Board Lite Form Mail Script Cross-Site Scripting | High | Secunia Advisory, SA13782, January 11, 2005 |
PRADO Framework version 1.5 & prior | A vulnerability exists in the 'phonebook.php' script due to insufficient validation of the 'page' parameter, which could let a remote malicious user execute arbitrary code. Update available at: A Proof of Concept exploit has been published. | PRADO 'phonebook.php' Include File | High | Securiteam, January 9, 2005 |
YPOPs! 0.x | Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code. Upgrades available at: Proofs of Concept exploit scripts have been published. | YPOPs! Buffer Overflows | High | Hat-Squad Advisory, September 27, 2004 SecurityFocus, October 18, 2004 SecurityFocus, January 6, 2005 |
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
January 11, 2005 | tcpick-0.2.0.tar.gz | N/A | A textmode sniffer that can track TCP streams and save the captured data in files or display it in the terminal. |
January 7, 2005 | amp2zero.zip | No | Proof of Concept for the Amp II 3D game engine Remote Denial of Service vulnerability. |
January 7, 2005 | gr_poolsize.c | No | Proof of Concept Denial of Service exploit for the Linux Kernel Random Poolsize SysCTL Handler Integer Overflow vulnerability. |
January 7, 2005 | isec-0021-uselib.txt binfmt_elf.c | No | Exploits for the Linux Kernel uselib() Root Privileges vulnerability. |
January 7, 2005 | libvg-0.3.0.tar.gz | N/A | First public release of libvg, a runtime process manipulation library that was designed to provide a powerful and portable interface for writing non-complex programs that can get or change information of processes on the system. |
January 7, 2005 | mlock-dos.tgz | No | Proof of Concept exploit for the Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial of Service vulnerability. |
January 7, 2005 | phpbb.ssh.D.tx | N/A | New version of the phpBB worm with bot install that makes use of Altavista. |
January 6, 2005 | sql-injection.html | N/A | Whitepaper discussing SQL injection attacks that gives an illustrated overview showing the process of how these attacks are performed. |
January 6, 2005 | un-htget_0.9x.txt | Yes | Exploit for the J Whitham HTGET Buffer Overflow vulnerability. |
January 6, 2005 | WINACE-WINHKI ZIP TRANSVERSAL.zip winace gz file transversal.gz | No | Proof of Concept exploits for the Winace Remote Directory Traversal vulnerability. |
January 5, 2005 | firewallbypass.tgz | N/A | A generic problem of common personal firewall products is the allowance of shortcuts or interfaces for controlling traffic. Manipulation of these functions can allow for firewall bypass altogether. Various proof of concepts are included for products such as Zone Alarm, Kerio, Agnitium Outpost firewall, Kaspersky Anti-Hacker, Symantec's Norton Personal Firewall, and more. |
January 5, 2005 | hydra-4.5-src.tar.gz | N/A | A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. |
January 5, 2005 | mybbSQL.txt | No | Exploit for the MyBulletinBoard MEMBER.PHP SQL Injection vulnerability. |
January 5, 2005 | PhotoPost.txt | Yes | Exploit for the All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection vulnerabilities. |
January 5, 2005 | QWikiwiki.txt | No | Exploit for the QwikiWiki Remote Directory Traversal vulnerability. |
January 5, 2005 | ReviewPost.txt | Yes | Exploit for the All Enthusiast ReviewPost PHP Pro vulnerability. |
January 5, 2005 | scanner_ndde.c | N/A | NetDDE scanner that makes use of a remote code execution vulnerability due to an unchecked buffer. |
January 5, 2005 | thc-pptp-bruter-0.1.4.tar.gz | N/A | A brute force program that works against pptp vpn endpoints (tcp port 1723). It is fully standalone and supports the latest MSChapV2 authentication and exploits a weakness in Microsoft's anti-brute force implementation which makes it possible to try 300 passwords per second. |
January 5, 2005 | top_ex.pl | Yes | Proof of concept exploit for an old format string vulnerability in setuid versions of top. This vulnerability has popped back up in the Solaris 10 Companion CD. |
January 4, 2005 | SInAR-0.1.tar.gz | N/A | SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress. |
January 4, 2005 | soldnersock.tar soldnersock.zip | No | Script that exploits the Soldner Secret Wars Denial of Service vulnerability. |
December 31, 2004 | DAV1.1-PoC.pl | No | A Proof of Concept exploit for the Microsoft FrontPage 2000 Internet Publishing Service Provider DAV File Upload Vulnerability. |
Trends
- The US-CERT has received reports of new phishing scams targeting users sympathetic to the Tsunami tragedy that occurred in Southeast Asia. The US-CERT recommends using caution when reviewing solicitations for donations to help with the disaster and to only donate to reputable charities.
A list of reputable charities working to help the victims of the Tsunami can be found here: http://www.cnn.com/2004/WORLD/asiapcf/12/28/tsunami.aidsites/
- Cyota, the leading provider of anti-fraud solutions for financial institutions, announced some of the key findings from its second annual Financial Institution Online Fraud Survey, conducted in November 2004.
- 50% of Accountholders Have Received Phishing Emails;
- Over 40% of Online Bankers Share Passwords Between Banks
- 37% of online bankers use their online banking password at other, less secure sites
- 79% of accountholders check for the little lock on the bottom of a secure web page, however less than 40% actually click on the lock to view the security certificate
- 70% of accountholders are less likely to respond to an email from their bank, and more than half are less likely to sign-up or continue to use their bank’s online services due to phishing. For more information, see http://www.cyota.com/viewReleases.cfm?id=78
Viruses/Trojans
Top Ten Virus Threats
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trends | Date |
1 | Netsky-P | Win32 Worm | Stable | March 2004 |
2 | Zafi-B | Win32 Worm | Slight Increase | June 2004 |
3 | Bagle-AU | Win32 Worm | Slight Increase | October 2004 |
4 | Sober-I | Win32 Worm | Decrease | November 2004 |
5 | Bagle-AA | Win32 Worm | Stable | April 2004 |
6 | Bagle.AT | Win32 Worm | Increase | October 2004 |
7 | Netsky-D | Win32 Worm | Slight Decrease | March 2004 |
8 | Bagle.BB | Win32 Worm | Increase | September 2004 |
9 | Netsky-Q | Win32 Worm | Decrease | March 2004 |
10 | Netsky-B | Win32 Worm | Return to Table | February 2004 |
Table Updated January 11, 2005
Viruses or Trojans Considered to be a High Level of Threat
- LNK_ACESPADES.A: This is the first known .LNK file infector and is designed as a proof-of-concept virus. This file infector arrives as an .LNK file. Upon execution by a user, it overwrites all .LNK files in the folder where it is executed. These types of files are shortcut files, which are usually placed on the desktop for easy access to programs.
- Lasco.A spreads itself by searching for all SIS installation files on the infected device and inserting itself as an embedded SIS file into them. Therefore any SIS file on the device that gets copied to another phone, as frequently happens when people swap software, will also contain a copy of Lasco.A.
In addition to spreading in infected SIS files, Lasco.A will also spread by sending itself directly via Bluetooth, as Cabir worms do, and Lasco.A is able to spread from one device to another without a reboot.
The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.
NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.