id Software Quake II Server Remote Information Disclosure Vulnerability
BugTraq ID: 4744
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4744
Summary:
Quake II is a multiplayer game released by id Software. The source code has been made publicly available, and versions are available for Windows and Linux. A vulnerability has been reported in some versions of the Quake II server. Quake II allows variable expansion in commands. For example, the $rcon_password variable will be automatically expanded to the system password. Under normal usage, these variables are expanded on the client side before being transmitted to the server. However, it has been reported that a modified or artificially constructed client may fail to expand this variable. When the server then processes the command, it will expand the variable within its own local context. As a result, a number of system parameters may be disclosed to a remote attacker, including the server password. An attacker may exploit this vulnerability to gain administrative rights to the vulnerable server.

SonicWall SOHO3 Content Blocking Script Injection Vulnerability
BugTraq ID: 4755
Remote: No
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4755
Summary:
The Sonicwall SOHO3 is an Internet security appliance that provides firewall security solutions. Reportedly, a vulnerability exists in the product that allows a script injection attack to be launched by a malicious user within the internal LAN. The vulnerability has been reported in Sonicwall SOHO3 firmware revision 6.3.0.0 and ROM version 5.0.1.0. It is possible to configure Sonicwall to block domains from a list of user-entered domains. Sonicwall will deny local users access to the websites that have been blocked. A malicious user may be able to inject script code as part of the URL of a blocked domain. Attempts to access blocked domains will be entered into the log files of Sonicwall. An administrator viewing the log files will automatically cause the malicious script code to execute. Sonicwall will log attempts to access banned domain names.
Injected script code within the URL of a banned domain will automatically execute when the log files are viewed. It is reported that any script code will be able to execute. This may lead to a denial of service attack by a malicious user. It should be noted that an attacker must be aware of a domain that is already on the blocked list of the SOHO3 appliance. If the attacker's script code is injected into the logfile, the administrator will not be able to access the log normally. To regain access to the logs the appliance will need to be rebooted. It should be noted that rebooting the appliance will cause the logs to be cleared and will effectively eliminate any indication in the logs of which user initiated the attack.

[ hardware ]

GNU SharUtils UUDecode Symbolic Link Attack Vulnerability
BugTraq ID: 4742
Remote: No
Date Published: May 14 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4742
Summary:
Sharutils is a freely available, open source suite of tools maintained by GNU. It is designed for use on Unix and Linux operating systems. A problem with sharutils may make it possible to exploit symbolic link attacks. The problem is in the uudecode program. Prior to decoding a uuencoded file, uudecode does not check for the existence of the file to be created from the decoded archive. As a result, a decoded file may overwrite another file in the temporary directory, provided the user of uudecode has write permission to the file. This problem is further compounded by the fact that uudecode does not check whether or not the file is a symbolic link. In the event of the temporary file being a symbolic link, the file at the end of the symbolic link would be overwritten. This could result in a corruption or loss of data. This problem makes it possible to exploit a symbolic link attack, and potentially overwrite files. It could additionally lead to elevated privileges.
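The Quake II entry (BID 4744) above turns on the server expanding $-variables it received unexpanded from the network. As an added example (not id Software's code), this expander refuses to expand cvars flagged private when the text came from a client, leaving the literal token and counting the refusal so the server can log it; the cvar table, the CVAR_PRIVATE flag and the placeholder password are assumptions for illustration.

```c
/* Added example (not id Software's code): server-side command expansion
 * that refuses to expand server-private cvars in network-sourced text.
 * The cvar table, flag name and values are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CVAR_PRIVATE 1   /* hypothetical flag: never expand for remote input */

struct cvar { const char *name; const char *value; int flags; };

/* Constructed sample cvar table; "hunter2" is a placeholder password. */
static const struct cvar cvars[] = {
    { "rcon_password", "hunter2",  CVAR_PRIVATE },
    { "hostname",      "demo srv", 0 },
    { "version",       "3.20",     0 },
};

static const struct cvar *find_cvar(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == len && !strncmp(cvars[i].name, name, len))
            return &cvars[i];
    return NULL;
}

/* Expand "$name" tokens from src into dst. When from_network is set, private
 * cvars (and unknown names) stay as the literal "$name"; the return value is
 * the number of private cvars a remote sender asked for, or -1 on overflow. */
int expand_cvars(const char *src, int from_network, char *dst, size_t dstsz) {
    size_t o = 0;
    int refused = 0;
    while (*src) {
        if (*src == '$' && (isalnum((unsigned char)src[1]) || src[1] == '_')) {
            const char *start = ++src;
            while (isalnum((unsigned char)*src) || *src == '_') src++;
            size_t len = (size_t)(src - start);
            const struct cvar *cv = find_cvar(start, len);
            char literal[64];
            const char *rep;
            if (cv && !(from_network && (cv->flags & CVAR_PRIVATE))) {
                rep = cv->value;                    /* trusted or public: expand */
            } else {
                if (cv) refused++;                  /* private cvar requested remotely */
                snprintf(literal, sizeof literal, "$%.*s", (int)len, start);
                rep = literal;
            }
            size_t rl = strlen(rep);
            if (o + rl >= dstsz) return -1;
            memcpy(dst + o, rep, rl);
            o += rl;
        } else {
            if (o + 1 >= dstsz) return -1;
            dst[o++] = *src++;
        }
    }
    dst[o] = '\0';
    return refused;
}
```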
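For the uudecode entry (BID 4742), the defect is creating the output file without checking that the path already exists or is a symbolic link. This added example (not GNU sharutils code) shows the standard fix: open the target with O_CREAT|O_EXCL (plus O_NOFOLLOW where available), which fails on any existing path, symlink included, even if the link is planted between the check and the open; the function names are assumptions.

```c
/* Added example (not GNU sharutils code): create a decoder's output file
 * without following symlinks or clobbering an existing file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open fd, or -1 with errno set. The lstat() is only for a useful
 * diagnostic; the real guarantee comes from O_CREAT|O_EXCL, which POSIX
 * requires to fail with EEXIST when the path is a symlink, dangling or not. */
int open_decode_target(const char *path, mode_t mode) {
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;              /* belt and braces on systems that have it */
#endif
    struct stat st;
    if (lstat(path, &st) == 0) {
        fprintf(stderr, "%s: refusing to overwrite existing %s\n", path,
                S_ISLNK(st.st_mode) ? "symbolic link" : "file");
        errno = EEXIST;
        return -1;
    }
    if (errno != ENOENT) return -1;   /* permission problem etc.: report it */
    return open(path, flags, mode);
}

/* Write decoded bytes to a freshly created path; 0 on success, -1 otherwise. */
int write_decoded(const char *path, const unsigned char *buf, size_t len) {
    int fd = open_decode_target(path, 0644);
    if (fd < 0) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return -1;
        }
        done += (size_t)n;
    }
    return close(fd);
}
```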
SuSE AAA_Base_Clean_Core Script RM Race Condition Vulnerability
BugTraq ID: 4758
Remote: No
Date Published: May 16 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4758
Summary:
SuSE Linux is a freely available, open source operating system. It is maintained by SuSE. A problem in the operating system could result in a denial of service. The problem is in the creation of temporary directories. A user could create a deeply nested directory structure that would be descended by the recursive rm command, executed daily by the aaa_base_clean_core script. Upon descent into this directory tree, a user could move the current working directory of the process higher in the directory structure, causing the rm process to ascend higher than intended and remove system files, including the root directory. This problem could make it possible for a local user to deny service to legitimate users of the system. This vulnerability is based on the problem described in Bugtraq ID 4266, though the problem in this case is insecure creation of a temporary directory by the aaa_base_clean_core script.

tinyproxy HTTP Proxy Memory Corruption Vulnerability
BugTraq ID: 4731
Remote: Yes
Date Published: May 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4731
Summary:
tinyproxy HTTP Proxy is a small HTTP proxy. A vulnerability has been reported in the handling of some invalid proxy requests by TinyProxy. Under some circumstances, an invalid request may result in allocated memory being freed twice. It may be possible for an attacker to manipulate data layout in memory so that an arbitrary word in memory is overwritten with a custom value when 'free()' is called for the second time. Arbitrary code may be executed if critical values such as function return addresses, GOT entries, etc., are overwritten.
SuSE Shadow File Truncation Vulnerability
BugTraq ID: 4757
Remote: No
Date Published: May 16 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4757
Summary:
SuSE Linux is a freely available, open source distribution of the Linux operating system. It is maintained by SuSE. shadow is a set of utilities for maintaining entries in the /etc/passwd and /etc/shadow files. A vulnerability has been discovered in the shadow package that ships with SuSE Linux. It has been reported that a local attacker may be able to cause data in /etc/passwd and /etc/shadow to be truncated or possibly even appended to with attacker-supplied data. This can occur if the attacker sets filesize limitations prior to invoking the shadow utilities that operate on these files. At the very least, local users can corrupt vital files. This may result in a denial of service. Under some circumstances successful exploitation of this vulnerability may enable a local attacker to elevate privileges, possibly even gaining root privileges. SuSE has stated that it is not possible for local attackers to obtain root privileges with the default configuration of SuSE Linux.

Swatch Throttled Event Reporting Vulnerability
BugTraq ID: 4746
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4746
Summary:
Swatch is a freely available, open source log watching utility. It is available for the Unix and Linux platforms. Swatch may fail to report activities. The problem is in the design of the program. Under some circumstances, a message may not be reported by swatch. When an event occurs on a system numerous times, and swatch has placed a throttle on the event to prevent multiple alerts, swatch does not sufficiently handle events of the same type afterwards. When an event has occurred and alerts for the event are throttled, a bug in the swatch throttle code prevents swatch from reporting the event if it occurs a month later.
This problem could allow an attacker with knowledge of an event that has previously occurred and been throttled on a system to reproduce the event without being noticed by swatch.

Xerox DocuTech Printer Weak Default Configuration Vulnerability
BugTraq ID: 4765
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4765
Summary:
DocuTech is a printer and scanner combination system distributed and maintained by Xerox. A problem with the printer could make it possible for a user to gain arbitrary access to the system. The problem is in the default configuration. The printer portion of the DocuTech system is a Sun system running Solaris 8. By default, the Solaris 8 system is implemented insecurely, running numerous services and using a known root password. In a default implementation, Solaris 8 runs the services enabled in a default install of the operating system. Additionally, the system is deployed using the same root password ("service!") on all systems. The default deployment is further insecure by exporting numerous directories via NFS as world-writeable. This problem could make the compromise of an affected system trivial, and lead to a remote attacker gaining local administrative privileges on a vulnerable system.

[ kind of hardware ]

Xerox DocuTech Scanner Insecure Default Configuration Vulnerability
BugTraq ID: 4766
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4766
Summary:
DocuTech is a printer and scanner combination system distributed and maintained by Xerox. A problem with the scanner could make it possible for a user to gain access to the system. The problem is in the default configuration. The scanner portion of the DocuTech system is a Microsoft Windows system running Windows NT. By default, the Windows NT system is implemented insecurely, with the entire C drive shared and copies of all jobs run on the system archived and available via a web interface.
The archived copies of jobs on the system could allow a remote user to view all previously run jobs on the system, and the names of the users that have run them. This problem is further complicated by the fact that Xerox uses the same password for all NT scanner stations ("administ"), and makes a web interface available for remote users to anonymously submit jobs. This configuration could make it possible for a remote attacker to gain local access, and administrative privileges, on a vulnerable system.

[ kind of hardware ]

GRSecurity Linux Kernel Memory Protection Weakness
BugTraq ID: 4762
Remote: No
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4762
Summary:
The grsecurity Linux Kernel patch is a source-code patch developed and maintained by the grsecurity development team. A design error may allow attackers to bypass the protection of the patch. The patch operates by redirecting the write() system call when it is being used to write to a memory device. Unfortunately, there are other methods that can be used to write to system memory (such as mapping the device into memory using mmap()). Local attackers with root access may exploit this weakness to modify kernel data structures or inject backdoor code, evading the protection of the patch.

[ some CISCO bugs too, and the usual problems with PHP ]

- To post an announcement: [EMAIL PROTECTED]
