Do not install software that tests for the BIND vulnerability; it is a
trojan (not BIND, the vulnerability test software -- this is not the
first time). See bug-traq.

From now on I am publishing all attacks against Open Source software
related to Linux or UNIX.

Icecast Buffer Overflow Vulnerability
BugTraq ID: 2264
Remote: Yes
Date Published: 2001-01-21
Relevant URL:
http://www.securityfocus.com/bid/2264
Summary:

Icecast is an open source streaming audio server.

Versions of icecast up to and including 1.3.8 beta2 exhibit a format
string vulnerability in the print_client() function of utility.c.

An insecurely-structured call to fd_write() directly passes user supplied
characters as part of the format string to a *printf function. As a
result, a malicious user can cause the *printf function to overwrite
memory at possibly arbitrary addresses.  This type of vulnerability can be
exploited by a remote attacker to execute arbitrary code on the victim
host.

bing gethostbyaddr Buffer Overflow Vulnerability
BugTraq ID: 2279
Remote: No
Date Published: 2001-01-19
Relevant URL:
http://www.securityfocus.com/bid/2279
Summary:

bing is a freely available, open source software package written by Pierre
Beyssac.  The package is designed to calculate the capacity between two
points by sending various sized ICMP packets and recording their return
times.

A problem in bing can allow a local user to gain administrative
privileges.  A static buffer used to store the name of the host using a
gethostbyaddr function is allocated a static 80 byte buffer in memory.
It is possible for a user with control of their own IN-ADDR.arpa zone to
create a custom crafted entry in their zone records, appended with shell
code.  Upon receiving the IN-ADDR entry, the buffer could overflow,
overwriting stack variables up through the return address, and therefore
executing the shellcode in the zone entry.  This problem makes it possible
for a user with malicious motives to gain elevated privileges on a
vulnerable system, including administrative access.

FreeBSD ipfw Filtering Evasion Vulnerability
BugTraq ID: 2293
Remote: Yes
Date Published: 2001-01-23
Relevant URL:
http://www.securityfocus.com/bid/2293
Summary:

FreeBSD, like many other modern operating systems, ships with a packet
filtering system built into the kernel.

A vulnerability in this system has been uncovered that may allow attackers
to evade certain rules. It has to do with FreeBSD's interpretation of the
ECE flag in the TCP header.

The ECE flag is an experimental extension to TCP, and is part of TCP's
reserved options.  Its purpose is for notification of network congestion.

When the packet filter examines TCP packets that have this ECE flag set,
it interprets them as being part of an established TCP connection.  Thus
if a filtering rule exists that permits packets belonging to an
established connection, these packets will qualify and be let through.

Attackers could use this vulnerability to circumvent firewall rules.
Packets could be constructed so that the ECE flag is set for outgoing
traffic and establish connections with services behind the firewall.
Under normal circumstances, packets would only be received by these
services if a TCP connection had already been established.

Vulnerable services to be protected by this rule will be exposed to
possibly hostile external networks.

Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability
BugTraq ID: 2296
Remote: Yes
Date Published: 2001-01-23
Relevant URL:
http://www.securityfocus.com/bid/2296
Summary:

Wu-ftpd is a widely used unix ftp server.  It contains a format string
vulnerability that may be exploitable under certain (perhaps even
'extreme') circumstances.

If wu-ftpd is running in debug mode (i.e., started by inetd with the -d or
-v flag) it may be possible for an attacker to exploit a format string
attack.  When in debug mode, Wu-ftpd logs user commands and server
responses via syslog() with 'DEBUG' designation.  When a passive file
transfer is initiated by the user (real or anonymous), this message is
written to syslog:

PASV port X assigned to HOSTNAME

The string containing this message is constructed before the call to
syslog().  The value of HOSTNAME within the string is resolved by the
server.

This string is then passed to syslog as its format string argument.  As a
result, any format specifiers that are within the string will be
interpreted and acted upon.  This could be exploited in the typical manner
format string vulnerabilities are exploited.

It is not known if any distributions of Wu-ftpd or distributions of
software including Wu-ftpd ship with debug mode on by default.

-
To post an announcement: [EMAIL PROTECTED]
