BSD ftpd Single Byte Buffer Overflow Vulnerability
BugTraq ID: 2124
Remote: Yes
Date Published: 2000-12-18
Relevant URL:
http://www.securityfocus.com/bid/2124
Summary:

The ftp daemon derived from 4.x BSD source contains a serious
vulnerability that may compromise root access.

There exists a one byte overflow in the replydirname() function. The
overflow condition is due to an off-by-one bug that allows an attacker to
write a null byte beyond the boundaries of a local buffer and over the
lowest byte of the saved base pointer.

As a result, the numerical value of the saved base pointer decreases, so it
points higher up the stack (that is, to a lower address) than it should.
When replydirname() returns, the modified saved base pointer is loaded into
the base pointer register. When the calling function then returns, it reads
its return address at a fixed offset from the base pointer; with the last
byte of the base pointer zeroed, this is a location other than the one it
should be.

If this region of the stack is under the control of the attacker, such as
the local variable which contained the extra byte in the first place, an
arbitrary address can be placed there that will be used as the saved
return address by the function.

This is the case in ftpd. It is possible for an attacker to force the ftp
daemon to look in user-supplied data for a return address and then execute
instructions at the location as root.

This vulnerability can be exploited on systems supporting anonymous ftp if
a writeable directory exists (such as an "incoming" directory). This is
rarely in place by default.

It should be noted that OpenBSD ships with ftp disabled, though it is an
extremely commonly used service.
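The off-by-one described above, shown as an added example (not the ftpd replydirname() source): a buggy copy that leaves no room for the terminating NUL beside a corrected one, plus a probe that detects the out-of-bounds byte. The function names and the 8-byte window are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the bug class, not the ftpd replydirname() source:
 * copy a directory name into a fixed buffer for a 257 "PATHNAME" reply,
 * doubling embedded '"' characters as the FTP reply syntax requires. */

/* Buggy: the loop bounds only the bytes it copies, so p can reach
 * dst + dstsize and the terminating NUL lands one byte past the buffer. */
int quote_dirname_buggy(char *dst, size_t dstsize, const char *src)
{
    char *p = dst, *end = dst + dstsize;
    for (; *src != '\0'; src++) {
        if (*src == '"') {
            if (p + 1 >= end) break;
            *p++ = '"';
        }
        if (p >= end) break;
        *p++ = *src;                /* p may now equal end */
    }
    *p = '\0';                      /* off-by-one: hits dst[dstsize] when full */
    return (int)(p - dst);
}

/* Fixed: reserve the NUL's byte up front and check the full cost of each
 * input character (2 for a quote) before copying it; truncates if needed. */
int quote_dirname_fixed(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return -1;
    char *p = dst, *end = dst + dstsize - 1;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '"') ? 2 : 1;
        if ((size_t)(end - p) < need) break;
        if (*src == '"') *p++ = '"';
        *p++ = *src;
    }
    *p = '\0';                      /* always within dst[0..dstsize-1] */
    return (int)(p - dst);
}

/* Probe: copy into an 8-byte window backed by a larger array with a sentinel
 * right after it (defined behaviour). Returns 1 if the NUL went out of bounds. */
#define WINDOW 8
int sentinel_clobbered(int (*fn)(char *, size_t, const char *), const char *src)
{
    char backing[WINDOW + 1];
    memset(backing, 'S', sizeof backing);
    fn(backing, WINDOW, src);
    return backing[WINDOW] != 'S';
}
```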

Stunnel Local Arbitrary Command Execution Vulnerability
BugTraq ID: 2128
Remote: No
Date Published: 2000-12-18
Relevant URL:
http://www.securityfocus.com/bid/2128
Summary:

Stunnel is an SSL encryption wrapper by Michal Trojnara. It is available
for a number of platforms including FreeBSD, Debian Linux and RedHat
Linux.

Insecurely-structured calls to syslog() found in certain versions of
Stunnel (prior to version 3.9) pass user-supplied data to the syslog()
function in such a way that maliciously embedded format specifiers in this
data can cause the process to overwrite sections of its own memory with
arbitrary data.

This user-supplied data is obtained from an identd server of a connecting
host. If an attacker controls an ident server, an arbitrary username value
containing malicious format specifiers can be sent to Stunnel.

This string would then be passed as part of the format string for the
syslog() function, where the format specifiers would be interpreted.

This can lead to the attacker gaining remote access to the target host with
the privileges of the Stunnel process, which may be required to run as root.
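The ident path described above, as an added example (not Stunnel's code): a parser for an RFC 1413 reply that rejects ERROR and malformed responses, and the corrected logging pattern in which the user id is only ever an argument to a constant "%s" format. The sample reply lines and function names are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Stunnel's code. Parses an RFC 1413 ident reply such as
 * "6193, 23 : USERID : UNIX : stjohns" (a constructed sample) and then logs
 * the user id through a fixed format string, so that '%' sequences in the
 * attacker-controlled field are treated as data, never as directives. */

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Returns 1 and fills user on a USERID reply; 0 for ERROR replies,
 * malformed lines, and over-long or non-printable user ids. */
int parse_ident_reply(const char *line, char *user, size_t usersz)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL) return 0;
    if (strncmp(skip_ws(c1 + 1), "USERID", 6) != 0) return 0;
    const char *c2 = strchr(c1 + 1, ':');
    const char *c3 = c2 ? strchr(c2 + 1, ':') : NULL;
    if (c3 == NULL) return 0;
    const char *u = skip_ws(c3 + 1);
    size_t len = strcspn(u, "\r\n");               /* strip the CRLF terminator */
    while (len > 0 && (u[len - 1] == ' ' || u[len - 1] == '\t')) len--;
    if (len == 0 || len >= usersz) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)u[i])) return 0; /* no control bytes in logs */
    memcpy(user, u, len);
    user[len] = '\0';
    return 1;
}

/* The corrected pattern: the untrusted string is an argument to a constant
 * "%s" format. The vulnerable shape was the equivalent of
 * syslog(LOG_INFO, user), which lets the string itself be parsed as a format. */
int format_log_line(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "ident lookup returned user %s", user);
}
```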

Stunnel Weak Encryption Vulnerability
BugTraq ID: 2137
Remote: Yes
Date Published: 2000-12-19
Relevant URL:
http://www.securityfocus.com/bid/2137
Summary:

Stunnel is an SSL encryption wrapper by Michal Trojnara. It is available
for a number of platforms including Windows, Solaris, FreeBSD, Debian
Linux and RedHat Linux.

Due to inadequate seeding of the pseudorandom number generator, affected
versions (3.8 and earlier) may provide insufficiently robust encryption.
The vendor's advisory notes that this only affects versions which run on
systems lacking /dev/urandom, including Solaris and Windows.

This weakness could allow an attacker to more readily read protected
information, which could in turn lead to further compromises of system
security.

GnuPG Detached Signature Verification False-Positive Vulnerability
BugTraq ID: 2141
Remote: No
Date Published: 2000-12-20
Relevant URL:
http://www.securityfocus.com/bid/2141
Summary:

All versions of Gnu Privacy Guard (GnuPG) have a security flaw relating to
the proper checking of detached signatures.

In certain situations, signed text that is detached from its signature file
could be modified by an attacker without the change being reported.  This
is due to a bug in GnuPG's command-line semantics.  When verifying the
integrity of a signed document which has its signature in a separate file,
GnuPG can be executed from the command line in the following manner:

gpg --verify signature.sig <signed-file.txt

The problem with this format, however, is that the GnuPG command-line
invocation used to verify "normal" signed documents is:

gpg --verify signed-file.txt

If the specified signature file is itself a valid signed document when
attempting to verify a document with a detached signature, GnuPG can
verify the "signature file" and will not report any errors.

Consequently, any modifications to the signed document (with the detached
signature) will not be reported because it is not checked as such.  For an
attacker to exploit this bug, write access to the document's signature
file (and signed document to be modified) is required.

Korn Shell Redirection Race Condition Vulnerability
BugTraq ID: 2148
Remote: No
Date Published: 2000-12-21
Relevant URL:
http://www.securityfocus.com/bid/2148
Summary:

Korn Shell is a widely used, versatile shell distributed with most
variants of the UNIX Operating System. A problem exists which could allow
local users to append to files owned by other users.

The problem occurs in redirection using the << operator. Scripts and
command line operations using the << operator insecurely create files in
the /tmp directory, creating files with the name tmp.<pid> where pid
indicates the process id of the shell. It is possible to create symbolic
links in the /tmp directory using the aforementioned file name, which will
append the contents of a << request to the file symbolically linked. This
design issue makes it possible for a user with malicious intent to corrupt
files owned by another user, or potentially append content to other
sensitive system files.
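The root cause described above, as an added example (not the ksh source): a temp file created under a predictable name with a plain create-or-truncate open follows a symlink planted by another local user, whereas an O_EXCL open refuses the planted name. The directory, the "victim" file and the tmp.1234 name are constructed for the example and stand in for the tmp.<pid> name from the advisory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not the ksh source: a temp file created under a predictable
 * name can be pre-linked by another local user. The scenario is built inside
 * a private mkdtemp() directory; "victim" and "tmp.1234" are stand-ins. */

/* The pattern the advisory describes: create-or-truncate by name, which
 * silently follows a planted symlink. Returns 1 if the data was written. */
int write_predictable(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data);
}

/* Hardened: O_EXCL makes open() fail when the name already exists (a symlink
 * included), so a planted link is refused rather than followed. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return 0;                    /* EEXIST: the name was planted */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data);
}

/* Plant dir/tmp.1234 -> dir/victim, run the writer against the temp name and
 * report how many bytes ended up in victim (0 means it was left untouched). */
long run_scenario(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/heredoc.XXXXXX", victim[64], tmpname[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/tmp.1234", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));   /* empty target file */
    if (symlink(victim, tmpname) != 0) return -1;
    writer(tmpname, "injected\n");
    if (stat(victim, &st) != 0) return -1;
    unlink(tmpname); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
```

The mitigation that a shell (or any program) should apply is the second form: a unique name from mkstemp()-style generation combined with O_EXCL, so an existing link at the chosen name is an error rather than a target.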
