Caldera OpenLinux StartKDE Script LD_LIBRARY_PATH Vulnerability
BugTraq ID: 4400
Remote: No
Date Published: Apr 01 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4400
Summary:
OpenLinux is a freely available, open source implementation of the Linux operating system. It is maintained and distributed by Caldera. A problem with the OpenLinux startkde script could lead to arbitrary library attacks. The problem is in the initialization of an environment variable. The startkde script insecurely initializes the LD_LIBRARY_PATH environment variable. When the script is executed, it by default searches the current working directory. Any libraries needed by KDE that are found in the current working directory will be loaded. This vulnerability requires that a user start KDE with the startkde script outside of his or her home directory. Additionally, it requires that the directory the script is executed in be write accessible to other system users.

OpenBSD PF TTL Fingerprinting Vulnerability
BugTraq ID: 4401
Remote: Yes
Date Published: Mar 31 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4401
Summary:
PF is a packet filter implementation, available for OpenBSD. It is developed and maintained by the OpenBSD Project. A problem with PF could allow remote users to gain information about open ports on a system. The problem is in the response to some types of traffic. Under some circumstances, PF sends responses that can allow an attacker to gain information about the firewall ruleset. When an attempt is made to connect to a system via TCP on a port that is filtered by PF, and PF returns an RST, it is possible to differentiate between filtered and unfiltered ports. A port that is filtered will return an RST with a TTL field set to 128, whereas the operating system returns a value of 64 by default. In the event that a system is filtering certain ports, analysis of the TTL values returned by the system could lead to accurately predicting ports that are open but have no services running on them, as would be indicated by a TTL of 64.
For ports filtered by PF, the returned TTL of 128 would give information about a port that can't be accessed due to PF. This vulnerability can only be exploited in rulesets which return RST values for unauthorized connection attempts. Rulesets that do not return RSTs but simply drop the incoming packet are not affected.

IPFilter TTL Fingerprinting Vulnerability
BugTraq ID: 4403
Remote: Yes
Date Published: Mar 31 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4403
Summary:
IPFilter is a freely available, open source firewall package written by Darren Reed. It is available for multiple platforms, including Unix and Linux operating systems. A problem with IPFilter could allow remote users to gain information about open ports on a system. The problem is in the response to some types of traffic. Under some circumstances, IPFilter sends responses that can allow an attacker to gain information about the firewall ruleset. When an attempt is made to connect to a system via TCP on a port that is filtered by IPFilter, and IPFilter returns an RST, it is possible to differentiate between filtered and unfiltered ports. A port that is filtered by IPFilter will return an RST with a TTL field set to 60, whereas the operating system will return its default TTL value for an RST. In the event that a system is filtering certain ports, analysis of the TTL values returned by the system could lead to accurately predicting ports that are open but have no services running on them, as would be indicated by a TTL characteristic of the default operating system. For ports filtered by IPFilter, the returned TTL of 60 would give information about a port that can't be accessed due to filtering by IPFilter. This vulnerability can only be exploited in rulesets which return RST values for unauthorized connection attempts. Rulesets that do not return RSTs but simply drop the incoming packet are not affected. Firewalls that filter all ports by default will not exhibit this behavior.
Cyrus SASL LDAP+MySQL Authentication Patch SQL Command Execution Vulnerability
BugTraq ID: 4409
Remote: Yes
Date Published: Apr 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4409
Summary:
The Cyrus SASL LDAP+MySQL patch is a freely available, open source enhancement patch. It is designed for use on the Unix and Linux operating systems. A problem with the patch could make it possible for remote users to gain access to the mail account of any user. The problem is in the handling of user input. The Cyrus SASL LDAP+MySQL patch is designed to integrate LDAP and MySQL authentication with Cyrus SASL. This makes it possible to centralize authentication data. Due to a design problem in the patch, users may gain access to the mail accounts of others. By passing a specially crafted SQL command to the password challenge, it is possible to provoke a successful authentication response from the MySQL server. This would give access to the mail of the user specified in the login challenge. Exploitation of this vulnerability may offer intermittent success through the use of a string such as ') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1. If the attacker has knowledge of database layout via another vulnerability that allows SQL command stuffing, the probability of exploitation increases significantly. This problem may allow a remote user to gain access to the mail spool of the desired user.

[ stuff with Oracle and Lotus too ]
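As an added illustration of the Cyrus SASL LDAP+MySQL entry above (this is not code from the patch or from Cyrus; the table and column names are assumptions, SQLite stands in for MySQL, and the tautology used below is a deterministic stand-in for the advisory's RAND()-based string), here is the flawed pattern, a password challenge pasted into the statement text, beside the parameterised lookup that defeats it:

```python
import hmac
import sqlite3

# Constructed sample data standing in for the central auth store.
# Table and column names are assumptions, not the patch's schema.
SAMPLE_USERS = [("alice", "correct horse battery staple")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def auth_vulnerable(conn, username, password):
    # The flaw from the advisory: the challenge text is concatenated into
    # the statement, so quotes and operators in it become SQL. A row count
    # of "anything > 0" is then taken as a successful login.
    sql = ("SELECT COUNT(*) FROM users WHERE (username = '%s' "
           "AND password = '%s')" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def auth_fixed(conn, username, password):
    # Hardened form: the user name is a bound parameter, so it can never
    # change the statement, and the secret is compared in the application
    # (constant-time) against the single row for that user only.
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    crafted = "') OR 1=1 AND ('1'='1"   # deterministic variant of the shape above
    print("vulnerable, crafted challenge:", auth_vulnerable(db, "alice", crafted))
    print("fixed, crafted challenge:     ", auth_fixed(db, "alice", crafted))
```

In a real deployment the stored value would be a password hash rather than the clear text shown here; the point of the block is that bound parameters remove the injected clause regardless of how the secret is stored.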
