MDKSA-2002:032 - tcpdump update

2002-05-16 Thread Mandrake Linux Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:       tcpdump
Advisory ID:        MDKSA-2002:032
Date:               May 16th, 2002
Affected versions:  7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1,
                    Single Network Firewall 7.2


Problem Description:

 Several buffer overflows were found in the tcpdump package by FreeBSD
 developers during a code audit, in versions prior to 3.5.  However, 
 newer versions of tcpdump, including 3.6.2, are also vulnerable to
 another buffer overflow in the AFS RPC decoding functions, which was
 discovered by Nick Cleaton.  These vulnerabilities could be used by
 a remote attacker to crash the tcpdump process or possibly even
 be exploited to execute arbitrary code as the user running tcpdump,
 which is usually root.

 The newer libpcap 0.6 has also been audited to make it more safe by
 implementing better buffer boundary checks in several functions.


References:

 http://www.ciac.org/ciac/bulletins/l-015.shtml
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc


Updated Packages:

 Linux-Mandrake 7.1:
 a17ec464d576bdbd870dc6a5d25fc59d  7.1/RPMS/libpcap-0.6.2-3.2mdk.i586.rpm
 ed780612ab8620e84e8310432a5df0b9  7.1/RPMS/libpcap-devel-0.6.2-3.2mdk.i586.rpm
 a186519910760e36b7e50456412ab20e  7.1/RPMS/tcpdump-3.6.2-2.2mdk.i586.rpm
 5e6091d2f916b180ffc80d60e2005a49  7.1/SRPMS/libpcap-0.6.2-3.2mdk.src.rpm
 a997724147a333e27e72670bff28e5ee  7.1/SRPMS/tcpdump-3.6.2-2.2mdk.src.rpm

 Linux-Mandrake 7.2:
 e39a58560c3ec60a574c63dd9e383fda  7.2/RPMS/libpcap-0.6.2-3.2mdk.i586.rpm
 4600b4d1a435d17a77560a36e28ddc70  7.2/RPMS/libpcap-devel-0.6.2-3.2mdk.i586.rpm
 fc014253b27e44c8a230f936d7eadf9e  7.2/RPMS/tcpdump-3.6.2-2.2mdk.i586.rpm
 5e6091d2f916b180ffc80d60e2005a49  7.2/SRPMS/libpcap-0.6.2-3.2mdk.src.rpm
 a997724147a333e27e72670bff28e5ee  7.2/SRPMS/tcpdump-3.6.2-2.2mdk.src.rpm

 Mandrake Linux 8.0:
 d8deeabab302271054ecad942a14013e  8.0/RPMS/libpcap0-0.6.2-3.1mdk.i586.rpm
 b2aa6d27578b8699640b6ed2e76ba228  8.0/RPMS/libpcap0-devel-0.6.2-3.1mdk.i586.rpm
 16eac5435d8b8e1075c10d393a2914a5  8.0/RPMS/tcpdump-3.6.2-2.1mdk.i586.rpm
 4b1956a781b1185e693a26037d4804a5  8.0/SRPMS/libpcap-0.6.2-3.1mdk.src.rpm
 683c3b6f0ae7754090cbcf480cd731b0  8.0/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Mandrake Linux 8.0/ppc:
 4a4f5cca7fc50d1616b857b89afe3ae3  ppc/8.0/RPMS/libpcap0-0.6.2-3.1mdk.ppc.rpm
 11be44f15a54a9654cd48b5b8aed04ba  ppc/8.0/RPMS/libpcap0-devel-0.6.2-3.1mdk.ppc.rpm
 68255f8f80d88b91fd488d6379db81df  ppc/8.0/RPMS/tcpdump-3.6.2-2.1mdk.ppc.rpm
 4b1956a781b1185e693a26037d4804a5  ppc/8.0/SRPMS/libpcap-0.6.2-3.1mdk.src.rpm
 683c3b6f0ae7754090cbcf480cd731b0  ppc/8.0/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Mandrake Linux 8.1:
 39715d1c613144e859f0386ee583377a  8.1/RPMS/tcpdump-3.6.2-2.1mdk.i586.rpm
 683c3b6f0ae7754090cbcf480cd731b0  8.1/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Mandrake Linux 8.1/ia64:
 6331901e596e243099aa6474481ea88a  ia64/8.1/RPMS/tcpdump-3.6.2-2.1mdk.ia64.rpm
 683c3b6f0ae7754090cbcf480cd731b0  ia64/8.1/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Mandrake Linux 8.2:
 8c36a78c9a086c2d582d70d431533650  8.2/RPMS/tcpdump-3.6.2-2.1mdk.i586.rpm
 683c3b6f0ae7754090cbcf480cd731b0  8.2/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Mandrake Linux 8.2/ppc:
 081041c2713a9c76c5bf2fc727a03c45  ppc/8.2/RPMS/tcpdump-3.6.2-2.1mdk.ppc.rpm
 683c3b6f0ae7754090cbcf480cd731b0  ppc/8.2/SRPMS/tcpdump-3.6.2-2.1mdk.src.rpm

 Corporate Server 1.0.1:
 a17ec464d576bdbd870dc6a5d25fc59d  1.0.1/RPMS/libpcap-0.6.2-3.2mdk.i586.rpm
 ed780612ab8620e84e8310432a5df0b9  1.0.1/RPMS/libpcap-devel-0.6.2-3.2mdk.i586.rpm
 a186519910760e36b7e50456412ab20e  1.0.1/RPMS/tcpdump-3.6.2-2.2mdk.i586.rpm
 5e6091d2f916b180ffc80d60e2005a49  1.0.1/SRPMS/libpcap-0.6.2-3.2mdk.src.rpm
 a997724147a333e27e72670bff28e5ee  1.0.1/SRPMS/tcpdump-3.6.2-2.2mdk.src.rpm

 Single Network Firewall 7.2:
 e39a58560c3ec60a574c63dd9e383fda  snf7.2/RPMS/libpcap-0.6.2-3.2mdk.i586.rpm
 4600b4d1a435d17a77560a36e28ddc70  snf7.2/RPMS/libpcap-devel-0.6.2-3.2mdk.i586.rpm
 fc014253b27e44c8a230f936d7eadf9e  snf7.2/RPMS/tcpdump-3.6.2-2.2mdk.i586.rpm
 5e6091d2f916b180ffc80d60e2005a49  snf7.2/SRPMS/libpcap-0.6.2-3.2mdk.src.rpm
 a997724147a333e27e72670bff28e5ee  snf7.2/SRPMS/tcpdump-3.6.2-2.2mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):



To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG

RE: MS02-023 does not patch actual issue!

2002-05-16 Thread David McKenzie

In addition - this patch introduces a lack of functionality in one of our
apps:

Scenario:

Non-administrative user with a SSL session runs a JavaScript popup.
When the popup window is closed, the user must reauthenticate.

Behavior introduced within one of the patches in the security rollup

Tested Windows 2000 IE6 and IE 5.5.

PHOOEY

-Original Message-
From: GreyMagic Software [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 3:56 AM
To: NTBugtraq; Bugtraq; [EMAIL PROTECTED]
Subject: MS02-023 does not patch actual issue!


Hello,

Microsoft released a cumulative patch yesterday, which, among other issues,
allegedly patches the dialogArguments vulnerability
(http://jscript.dk/adv/TL002/).

In their bulletin Microsoft makes several severe errors:

1. "A cross-site scripting vulnerability in a Local HTML Resource..."

No, Microsoft, the problem is not plain cross site scripting, the problem is
that dialogArguments' security restrictions are bypassed and it is passed to
the dialog even though it shouldn't. Please re-read the advisories.

2. "A successful attack requires that a user first click on a hyperlink. There
is no way to automate an attack using this vulnerability."

This is simply wrong, the user doesn't have to click anything for this issue to
be exploited, it can run automatically.

3. Microsoft also claims that this issue only exists in IE6.

Microsoft obviously doesn't follow Bugtraq. This issue also exists in IE5 and
IE5.5, as we demonstrated in our GM#001-AX advisory.


In conclusion, Microsoft did not understand the problem. They only patched a
symptom of this vulnerability, not its root cause.

As a result of that incomplete "patch" IE5 and IE5.5 are still very much
vulnerable to this attack in other resources. For a demonstration see
http://sec.greymagic.com/adv/gm001-ax/.

We hope that Microsoft fixes the actual issue this time, and not just the
resource file.

Regards,
- GMS.



GNU rm fileutils race condition problems on SuSE

2002-05-16 Thread Paul Starzetz

Hi,

the following issue has been reported to SuSE about 2 months ago:


1. Problem description
--

There is an exploitable call to the vulnerable rm -rf command in 
/etc/cron.daily/aaa_base_clean_core as follows:

#
# paranoia settings
#
umask 022

PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
TMPDIR=/var/tmp/cron.daily.$$
rm -rf $TMPDIR


This script is run every day as ROOT even if the user didn't set the 
DELETE_OLD_CORE variable in /etc/rc.config!


2. Details
--

As pointed out by Wojciech Purczynski 
<[EMAIL PROTECTED]> there is a race condition in the 
GNU 'rm' utility while removing directories recursively. In particular 
it is possible to create a deeply nested directory structure in /tmp, 
wait for removal of one of the leafs and quickly move the directory 
root 2 levels up. This will force rm to chdir("..") two levels more than 
intended, resulting in the removal of the complete file system.

An exploit code will not be released, but exploitation is very 
straightforward, since the race window can be made mostly as big as 
needed (it is even possible to exploit this vulnerability 'by hand'). 
One needs to create a directory structure like this:

/tmp/cron.daily.PID/root/1/2/3/4/5/6/7/8/.../N
/(N+1)/(N+2)/.../2*N
.

and wait for the removal of the 'N' leaf. This can be easily 
accomplished since the clean_core script is called at a very well defined 
time (between 0:15:00 and about 0:15:15 every day) - so we can create X 
of those nested directories, wait until 15:00, get the next pid and 
begin to move those directories to match the next X pids. Guessing the 
next pid can be done by reading /proc/stat and evaluating the 
'processes' entry (or less elegantly by continuous forking :-).


3. Impact
---

This vulnerability leads to a denial of service attack on SuSE Linux 
systems. As far as tested, SuSE Linux <= 7.3 seems to be vulnerable. The 
8.0 release has not been tested yet.


/ih
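The check that closes the race described above, as an added example written for this page: it is not the fileutils code, nor SuSE's or Mandrake's fix (the same race is the subject of the MDKSA-2002:031 fileutils advisory further down). Before descending into a directory the remover records the dev/ino pair of the current one, and after each chdir("..") it verifies that it is back there; a subtree that was renamed away in the meantime fails that comparison and the walk stops instead of continuing upward into the wrong tree. The demo function stands in for the race deterministically by performing the rename itself. Function names, the directory layout and the use of /tmp are this example's own assumptions.

```c
/* Added example (not the fileutils or SuSE code): a recursive remover that
 * confirms, after every chdir(".."), that it is back in the directory it
 * came from. If the subtree was renamed away while the remover was inside
 * it, the dev/ino pair of "." no longer matches the recorded parent and
 * the walk stops instead of continuing upward into the wrong tree. All
 * names here are this example's own. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct dir_id { dev_t dev; ino_t ino; };

static int id_of_cwd(struct dir_id *id) {
    struct stat st;
    if (stat(".", &st) < 0) return -1;
    id->dev = st.st_dev;
    id->ino = st.st_ino;
    return 0;
}

/* chdir("..") and verify we landed in `expected`. 0 if so, -1 (errno EXDEV)
 * if the parent has a different identity, i.e. the tree moved under us. */
int ascend_checked(const struct dir_id *expected) {
    struct dir_id now;
    if (chdir("..") < 0 || id_of_cwd(&now) < 0) return -1;
    if (now.dev != expected->dev || now.ino != expected->ino) {
        errno = EXDEV;
        return -1;
    }
    return 0;
}

/* Remove `name`, a single path component relative to the cwd, recursively.
 * Returns 0 on success; nothing more is unlinked once an identity check fails. */
int remove_tree_checked(const char *name) {
    struct stat st;
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    if (lstat(name, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(name);

    struct dir_id parent, here;
    if (id_of_cwd(&parent) < 0 || chdir(name) < 0) return -1;
    /* The directory we entered must be the one lstat() described (no swap). */
    if (id_of_cwd(&here) < 0 || here.dev != st.st_dev || here.ino != st.st_ino) {
        ascend_checked(&parent);
        return -1;
    }
    int rc = 0;
    DIR *d = opendir(".");
    if (d == NULL) { ascend_checked(&parent); return -1; }
    struct dirent *e;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        rc = remove_tree_checked(e->d_name);
    }
    closedir(d);
    if (ascend_checked(&parent) < 0 || rc != 0) return -1;
    return rmdir(name);
}

/* Deterministic stand-in for the race: create base/a/b and base/c under
 * `dir`, stand inside a/b, rename a/b to c/b (the move the post describes),
 * then ascend. Returns 1 if the check refused, 0 if it did not, -1 on a
 * setup or cleanup failure. */
int demo_relocation_detected(const char *dir) {
    char base[PATH_MAX], a[PATH_MAX], ab[PATH_MAX], c[PATH_MAX], cb[PATH_MAX];
    char saved[PATH_MAX];
    struct dir_id parent;
    snprintf(base, sizeof base, "%s/rmdemo.XXXXXX", dir);
    if (getcwd(saved, sizeof saved) == NULL || mkdtemp(base) == NULL) return -1;
    snprintf(a, sizeof a, "%s/a", base);
    snprintf(ab, sizeof ab, "%s/a/b", base);
    snprintf(c, sizeof c, "%s/c", base);
    snprintf(cb, sizeof cb, "%s/c/b", base);
    if (mkdir(a, 0700) || mkdir(ab, 0700) || mkdir(c, 0700)) return -1;

    if (chdir(a) || id_of_cwd(&parent) || chdir("b")) return -1;
    if (rename(ab, cb)) return -1;               /* tree moved while "rm" is inside it */
    int refused = ascend_checked(&parent) < 0;   /* ".." is now base/c, not base/a */

    /* Clean up with the checked remover (this also exercises the normal path). */
    if (chdir(saved) || chdir(dir) || remove_tree_checked(strrchr(base, '/') + 1)
        || chdir(saved)) return -1;
    return refused;
}
```

The remover deliberately accepts only a single path component: with a multi-component relative name, ".." after chdir would not lead back to the caller's cwd, which is the same confusion the race exploits.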





Re: [security-intern] [security@suse.de] FWD - GNU rm fileutils racecondition problems on SuSE

2002-05-16 Thread Thomas Biege

Hi Paul.

This bug was fixed on Mar 19th and new RPM packages are available since
Mar 20th. Therefore SuSE 8.0 should not be affected by this bug.
It was also mentioned in our ucdsnmpd advisory.
http://www.suse.de/de/support/security/2002_012_ucdsnmp_txt.html

Thank you and have a nice 'Pfingsten'. :)


Bye,
 Thomas
-- 
  Thomas Biege <[EMAIL PROTECTED]>
  SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg
  Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
  Key fingerprint = 51 AD B9 C7 34 FC F2 54  01 4A 1C D4 66 64 09 83
-- 
Enter through the form, and step out of the form.




MDKSA-2002:031 - fileutils update

2002-05-16 Thread Mandrake Linux Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:       fileutils
Advisory ID:        MDKSA-2002:032
Date:               May 16th, 2002
Affected versions:  8.1, 8.2


Problem Description:

 Wojciech Purczynski reported a race condition in some utilities in the
 GNU fileutils package that may cause root to delete the entire
 filesystem.  This only affects version 4.1 stable and 4.1.6 development
 versions, and the authors have fixed this in the latest development
 version.


References:

 http://isec.pl/vulnerabilities/0002.txt
 http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html


Updated Packages:

 Mandrake Linux 8.1:
 593e200c8b2f2c83e7a6bb90a54cd853  8.1/RPMS/fileutils-4.1-4.1mdk.i586.rpm
 77b378e3eb3a323033cdd3acfafac1cc  8.1/SRPMS/fileutils-4.1-4.1mdk.src.rpm

 Mandrake Linux 8.1/ia64:
 ae05f3577f84578b724d1afbeba157ce  ia64/8.1/RPMS/fileutils-4.1-4.1mdk.ia64.rpm
 77b378e3eb3a323033cdd3acfafac1cc  ia64/8.1/SRPMS/fileutils-4.1-4.1mdk.src.rpm

 Mandrake Linux 8.2:
 1e6190c59f161345caef5ea22680b820  8.2/RPMS/fileutils-4.1.5-4.1mdk.i586.rpm
 7b018b86d14fc646058ca3cabc395b84  8.2/SRPMS/fileutils-4.1.5-4.1mdk.src.rpm

 Mandrake Linux 8.2/ppc:
 b76265d9f7f096a43ee05bfca2615bcd  ppc/8.2/RPMS/fileutils-4.1.5-4.1mdk.ppc.rpm
 7b018b86d14fc646058ca3cabc395b84  ppc/8.2/SRPMS/fileutils-4.1.5-4.1mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):



To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one 
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig 

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to 
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  [EMAIL PROTECTED]


Type Bits/KeyID Date   User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <[EMAIL PROTECTED]>



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU

Re: MS02-023 does not patch actual issue!

2002-05-16 Thread Tom Gilder

On Thursday, May 16, 2002, 4:46:18 PM, you wrote:
> I was unable to run the demonstration code on
> http://sec.greymagic.com/adv/gm001-ax/.
> I get the following error:
> "An error has occurred in this dialog."
> ...
> I am running Windows XP Professional 32bit with the latest patches.

GreyMagic software stated that:

> As a result of that incomplete "patch" IE5 and IE5.5 are still very much
> vulnerable to this attack in other resources. For a demonstration see
> http://sec.greymagic.com/adv/gm001-ax/.

If you have Windows XP, you will have IE6.


-- 
Tom Gilder
[EMAIL PROTECTED]




SuSE Security Announcement: shadow (SuSE-SA:2002:017)

2002-05-16 Thread Sebastian Krahmer


-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:                shadow/pam-modules
Announcement-ID:        SuSE-SA:2002:017
Date:                   Thu May 16 12:00:00 MEST 2002
Affected products:      8.0
Vulnerability Type:     local privilege escalation
Severity (1-10):        5
SuSE default package:   yes
Other affected systems: No.

Content of this advisory:
1) security vulnerability resolved: write() disruption in shadow utils
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The shadow package contains several useful programs to maintain the
entries in the /etc/passwd and /etc/shadow files.
The SuSE Security Team discovered a vulnerability that allows local
attackers to destroy the contents of these files or to extend the group
privileges of certain users. This is possible by setting evil filesize
limits before invoking one of the programs modifying the system files.
Depending on the permissions of the system binaries this allows a local
attacker to gain root privileges in the worst case. This however is not
possible in a default installation.
The bug has been fixed by ensuring the integrity of the data written
to temporary files before moving them to the appropriate location of the
system. There is no workaround so we recommend an update in any case.
It is necessary to update the shadow package as well as the pam-modules
package in order to prevent the truncation attacks.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.


i386 Intel Platform:

SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/shadow-4.0.2-88.i386.rpm
  a4e0d03ecf7707eb7ca1f0422cae89f1
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/pam-modules-2002.3.9-31.i386.rpm
  70322584f014ac3e2dc2dad0beecdefb

source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/shadow-4.0.2-88.src.rpm
  33af2433d9a8822202e9f6ebdc6d3e2c
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pam-modules-2002.3.9-31.src.rpm
  1bc5bbd169ffe5c35caa0a4ce681dcc0

__

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

- leafnode
The permissions of "/etc/leafnode" have been corrected. Please update
to the newly available packages if you use leafnode.

- xf86, xmodules, xloader
Incorrect permission checks in certain X11 functions allow local attackers
to read or write shared memory segments they should not have access to.
Corrected packages will soon be available on our ftp-servers.

__

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum 
   after you downloaded the file from a SuSE ftp server or its mirrors.
   Then, compare the resulting md5sum with the one that is listed in the
   announcement. Since the announcement containing the checksums is
   cryptographically signed (usually using the key [EMAIL PROTECTED]),
   the checksums show proof of the authenticity of the package.
   We advise against subscribing to security lists that cause the
   email message containing the announcement to be modified so that
   the signature no longer matches after transport through the mailing
   list software.
   Downsides: You must be able to verify the authenticity of the
   announcement in the first place. If RPM packages ar
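An added example, not the shadow or pam-modules code, of the kind of check the fix in section 1) above describes: the new file is written to a temporary in the same directory, and it is renamed over the original only after every write() succeeded and fstat() confirms the on-disk size. The demo imposes a small RLIMIT_FSIZE (the "filesize limit" of the advisory), which turns the write into a short write followed by EFBIG, and shows that the original file survives untouched. Function names, the constructed passwd line and the use of /tmp are assumptions of this example.

```c
/* Added example (not the shadow or pam-modules code): replace a system file
 * via a temporary file and refuse to rename() it into place unless every
 * byte was confirmed written. A caller-imposed RLIMIT_FSIZE turns into a
 * short write plus EFBIG, which this writer treats as failure. Names and
 * the sample content are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer or fail: short writes are retried, errors returned. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;                /* EFBIG lands here when RLIMIT_FSIZE is hit */
        }
        if (n == 0) { errno = EIO; return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Atomically replace `path` with `content`. Returns 0 on success, -1 otherwise;
 * on failure the original file is untouched and the temp file is removed. */
int safe_replace_file(const char *path, const char *content, size_t len, mode_t mode) {
    char tmp[PATH_MAX];
    struct stat st;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    /* Exceeding RLIMIT_FSIZE raises SIGXFSZ, which kills the process by default;
     * ignoring it makes write() report EFBIG so the failure can be handled. */
    signal(SIGXFSZ, SIG_IGN);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write_all(fd, content, len) == 0
          && fsync(fd) == 0
          && fstat(fd, &st) == 0 && (size_t)st.st_size == len   /* on-disk size matches */
          && fchmod(fd, mode) == 0
          && rename(tmp, path) == 0;
    if (!ok) unlink(tmp);
    close(fd);
    return ok ? 0 : -1;
}

/* Demonstration: write a small constructed passwd-style file, then try to
 * replace it with a larger one under a 1 KiB RLIMIT_FSIZE. Returns 1 if the
 * original survived intact, 0 if it was replaced or damaged, -1 on setup error. */
int demo_truncation_refused(const char *dir) {
    char base[PATH_MAX], path[PATH_MAX];
    struct rlimit old, lim;
    struct stat st;
    const char *orig = "root:x:0:0:root:/root:/bin/sh\n";   /* constructed sample */
    snprintf(base, sizeof base, "%s/shadowdemo.XXXXXX", dir);
    if (mkdtemp(base) == NULL) return -1;
    snprintf(path, sizeof path, "%s/passwd", base);
    if (safe_replace_file(path, orig, strlen(orig), 0644) != 0) return -1;

    size_t big = 8192;
    char *buf = malloc(big);
    if (buf == NULL) return -1;
    memset(buf, 'A', big);
    if (getrlimit(RLIMIT_FSIZE, &old) != 0) { free(buf); return -1; }
    lim.rlim_cur = 1024;
    lim.rlim_max = old.rlim_max;
    if (setrlimit(RLIMIT_FSIZE, &lim) != 0) { free(buf); return -1; }
    int rc = safe_replace_file(path, buf, big, 0644);   /* must fail: only 1 KiB fits */
    setrlimit(RLIMIT_FSIZE, &old);
    free(buf);

    int preserved = rc != 0 && stat(path, &st) == 0 && (size_t)st.st_size == strlen(orig);
    unlink(path);
    rmdir(base);
    return preserved;
}
```

The size comparison after fsync() is what the advisory's "ensuring the integrity of the data written to temporary files before moving them" amounts to in practice; a writer that only checks the first write() return value would still rename a truncated file into place after a short write.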

Update and comments on the MS02-023 patch, holes still remain

2002-05-16 Thread Thor Larholm

The latest cumulative patch from Microsoft,
http://www.microsoft.com/technet/security/bulletin/MS02-023.asp , promises
to eliminate "six newly discovered vulnerabilities", but fails to do so.

First, we find what MS calls "A cross-site scripting vulnerability in a
Local HTML Resource". This is obviously a reference to the dialogArguments
vulnerability, and as such this mislabelled name does not bode well to
begin with. In fact, MS seems to have misunderstood quite a number of issues
surrounding this vulnerability. The first such is found in their list of
mitigating factors:

"A successful attack requires that a user first click on a hyperlink. There
is no way to automate an attack using this vulnerability. "

The above is blatantly untrue, and was repeatedly demonstrated to MS both in
the initial notification phase and when we worked together to reproduce the
issue. Nothing in the world stops this vulnerability from being
automatically exploited.
Another 'mitigating' factor:

"Outlook 98 and 2000 (after installing the Outlook Email Security Update),
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted
Sites Zone. As a result, customers using these products would not be at risk
from email-borne attacks. "

The above is merely misinformation on their parts. The Restricted Sites Zone
tries to disable scripting ( a requisite for the dialogArguments
vulnerability ), but many vulnerabilities allow you to circumvent this
setting ( one such listed on /unpatched/ ). As such, you can still script in
the Restricted Sites Zone, and as such "customers using these products" are
still at risk from email-borne attacks.

Aside from these misunderstandings it could appear as though Microsoft is
not actively keeping up with the security community and its publications.
The dialogArguments issue was originally demonstrated with a resource file
only found in Internet Explorer 6. Shortly after being disclosed GreyMagic
Software highlighted how another resource file was also vulnerable, which
existed from IE5 and onwards. Microsoft has fixed the vulnerability in IE6
_only_.

I repeat, IE5 and IE5.5 are still vulnerable.

The same severity rating (Critical) also applies to IE5 and IE5.5, with the
exception that they still remain unpatched. The demonstration was fixed
instead of the vulnerability. If you want to convince yourself about this
(and still use the apparently unsupported IE5 or IE5.5 browser), try the
examples in GreyMagic's appendix to my advisory at
http://sec.greymagic.com/adv/gm001-ax/ .

Next, we find that the cssText vulnerability should be patched. Most of my
systems behave properly and appear to have this vulnerability patched,
though some still allow local file reading. More testing needed, but likely
not a job full done. So far it appears patched.

The "Script within Cookies Reading Cookies" vulnerability also has the same
incorrect 'mitigating' factor as dialogArguments, and claims that

"An attacker would have to entice a user to first click on a hyperlink to
initiate an attempt to exploit this vulnerability. There is no way to
automate an attack that exploits this vulnerability."

Of course, this is also untrue since Internet Explorer comes equipped with a
nice click method on links that a programmer can execute, duplicating an
actual click (
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/click.asp
). As such, nothing stops anyone from exploiting this vulnerability
automatically.

The "zone spoofing" vulnerability sounds interesting, but I can find no
further details (MS is not exactly full disclosure).

And finally we have two variants of the "Content Disposition" vulnerability.
The first depends on an unknown third-party program (your guess is as good as
mine). The second depends on an executable being present, and has a
misinforming mitigating factor:

"Any attempt to exploit the vulnerability requires that the attacker host a
malicious executable on a server accessible to the intended victim. If the
hosting server is unreachable for any reason, such as DNS blocking or the
server being taken down, the attack would fail. "

The above seems to discuss an email-borne attack, and as such there is no
dependency on external servers. Outlook can easily parse attached
executables through CID: (Content-ID) and as such this mitigating factor is
quite minute since the email itself would act as the hosting server.

Yesterday I hosted a list of 14 publicly known unpatched vulnerabilities,
today I host a list of 12 such. It can still be found at
http://jscript.dk/unpatched/


Just my .02 kroner of comments :)


Regards
Thor Larholm
Jubii A/S - Internet Programmer



Re: MS02-023 does not patch actual issue!

2002-05-16 Thread .-=D3FC0N/=-.

Hello,

I was unable to run the demonstration code on 
http://sec.greymagic.com/adv/gm001-ax/.

I get the following error:

"An error has occurred in this dialog."

"Error: 23
`window.dialogArguments.document' is null or not an object.

I am running Windows XP Professional 32bit with the latest patches.

Regards,

L







MS02-023 does not patch actual issue!

2002-05-16 Thread GreyMagic Software

Hello,

Microsoft released a cumulative patch yesterday, which, among other issues,
allegedly patches the dialogArguments vulnerability
(http://jscript.dk/adv/TL002/).

In their bulletin Microsoft makes several severe errors:

1. "A cross-site scripting vulnerability in a Local HTML Resource..."

No, Microsoft, the problem is not plain cross site scripting, the problem is
that dialogArguments' security restrictions are bypassed and it is passed to
the dialog even though it shouldn't. Please re-read the advisories.

2. "A successful attack requires that a user first click on a hyperlink. There
is no way to automate an attack using this vulnerability."

This is simply wrong, the user doesn't have to click anything for this issue to
be exploited, it can run automatically.

3. Microsoft also claims that this issue only exists in IE6.

Microsoft obviously doesn't follow Bugtraq. This issue also exists in IE5 and
IE5.5, as we demonstrated in our GM#001-AX advisory.


In conclusion, Microsoft did not understand the problem. They only patched a
symptom of this vulnerability, not its root cause.

As a result of that incomplete "patch" IE5 and IE5.5 are still very much
vulnerable to this attack in other resources. For a demonstration see
http://sec.greymagic.com/adv/gm001-ax/.

We hope that Microsoft fixes the actual issue this time, and not just the
resource file.

Regards,
- GMS.




SuSE Security Announcement: lukemftp, nkitb, nkitserv (SuSE-SA:2002:018)

2002-05-16 Thread Thomas Biege

-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:                lukemftp, nkitb, nkitserv
Announcement-ID:        SuSE-SA:2002:018
Date:                   Wednesday, May 15th 2002 12:30 MEST
Affected products:      6.4, 7.0, 7.1, 7.2, 7.3, 8.0
                        SuSE eMail Server III
                        SuSE Linux Database Server
                        SuSE Firewall Adminhost VPN
                        SuSE Linux Live-CD for Firewall
                        SuSE Linux Admin-CD for Firewall
                        SuSE Linux Connectivity Server
                        SuSE Linux Enterprise Server 7
                        SuSE Linux Enterprise Server for S/390
Vulnerability Type:     remote command execution
Severity (1-10):        3
SuSE default package:   yes
Other affected systems: all systems using lukemftp

Content of this advisory:
1) security vulnerability resolved: buffer overflow while parsing PASV command
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

Lukemftp (ftp(1), /usr/bin/ftp, /usr/bin/pftp) is a comfortable ftp
client from NetBSD.
A buffer overflow could be triggered by a malicious ftp server while the
client parses the PASV ftp command. An attacker who controls an ftp server
to which a client using lukemftp is connected can gain remote access to
the client's machine with the privileges of the user running lukemftp.

The lukemftp RPM package is installed by default.
You need to update the package, as no temporary workaround is possible.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.



i386 Intel Platform:

SuSE-8.0
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/lukemftp-1.5-249.i386.rpm
  0ae28f7ca49157bfa5783626d3e82cef
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/lukemftp-1.5-249.src.rpm
  d9fc530c338ea2de122b6a4a1f89a627

SuSE-7.3
  ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/lukemftp-1.5-256.i386.rpm
  aeb64a5ba64b5b334dfcf244423a9809
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/lukemftp-1.5-256.src.rpm
  cc94b939696c76cda0fec683d12ff384

SuSE-7.2
  ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/lukemftp-1.5-256.i386.rpm
  94812aeb3b164a67b0c85b0c9a61a450
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/lukemftp-1.5-256.src.rpm
  5cd6642505a68be70ce9eac3ba5dd311

SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/lukemftp-1.5-251.i386.rpm
  836df6046ce81fcc82e9939fde5003d1
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/lukemftp-1.5-251.src.rpm
  788bc38fed7b486e857b5d780451b7a7

SuSE-7.0
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/nkitb-2002.5.8-0.i386.rpm
  e6199c28c700461a7ae10c3f7fba73a8
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/nkitb-2002.5.8-0.src.rpm
  e1c6379846842ea62a5c484167102cae

SuSE-7.0
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/nkitserv-2002.5.8-0.i386.rpm
  50bb6a7ae3f450ad530ad92ae8dad3e1

SuSE-6.4
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/nkitb-2002.5.9-0.i386.rpm
  6950a272cf3a30a02860cf179387a9e8
source rpm:
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/nkitb-2002.5.9-0.src.rpm
  09d7ac9ba5e1420eeddb016a6d812067



Sparc Platform:

SuSE-7.3
  ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/lukemftp-1.5-77.sparc.rpm
  295d90e7bfeb94f27f542616e016bd65
source rpm:
  ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/lukemftp-1.5-77.src.rpm
  42e213cfc930e0a00aa871e9996d3cba

SuSE-7.1
  ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n1/lukemftp-1.5-76.sparc.rpm
  50fc0f99b42347aee746450624ed4817
source rpm:
  ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/lukemftp-1.5-76.src.rpm
  01cdff7ff9f908466b8d3269fe4529c5

SuSE-7.0
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/nkitb-2002.5.8-0.sparc.rpm
  210230a1a085af9f777f047a9edfa9f5
source rpm:
  ftp://ftp.suse.com/pub/sus
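An added example, not lukemftp's or NetBSD's code, of a PASV reply parser with the bounds checks whose absence the SuSE-SA:2002:018 advisory above describes: the reply length is capped before anything is inspected, each of the six fields must be a one-to-three digit octet, and an overlong or malformed reply is rejected without anything being copied into a fixed-size buffer. The sample replies (including the hostile 300-digit one) are constructed for the demo; function and type names are this example's own.

```c
/* Added example (not the lukemftp/NetBSD code): a bounds-checked parser for
 * the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. The
 * only fixed buffer written is the caller's struct, every field is
 * range-checked and an overlong reply is refused outright. Names are this
 * example's own. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASV_REPLY_MAX 128   /* a legitimate 227 reply is far shorter than this */

struct pasv_addr {
    char host[16];           /* dotted quad: at most 15 characters plus NUL */
    uint16_t port;
};

/* Returns 0 and fills *out on success, -1 on anything malformed or oversized. */
int parse_pasv_reply(const char *reply, struct pasv_addr *out) {
    if (reply == NULL || out == NULL) return -1;
    if (strnlen(reply, PASV_REPLY_MAX + 1) > PASV_REPLY_MAX) return -1;  /* too long: refuse */
    if (strncmp(reply, "227", 3) != 0) return -1;
    const char *p = strchr(reply, '(');
    if (p == NULL) return -1;
    p++;
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p)) return -1;      /* strtoul alone would accept "+", " " */
        char *end;
        unsigned long n = strtoul(p, &end, 10);
        if (end - p > 3 || n > 255) return -1;           /* each field is exactly one octet */
        v[i] = (unsigned)n;
        p = end;
        if (i < 5) {
            if (*p != ',') return -1;
            p++;
        }
    }
    if (*p != ')') return -1;
    int n = snprintf(out->host, sizeof out->host, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    if (n < 0 || (size_t)n >= sizeof out->host) return -1;
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Convenience: the data port, or -1 if the reply was rejected. */
int pasv_port_of(const char *reply) {
    struct pasv_addr a;
    return parse_pasv_reply(reply, &a) == 0 ? (int)a.port : -1;
}

/* True if `reply` parses and names `expected` as the host. */
int pasv_host_is(const char *reply, const char *expected) {
    struct pasv_addr a;
    return parse_pasv_reply(reply, &a) == 0 && strcmp(a.host, expected) == 0;
}

/* Constructed hostile reply: a 227 line whose first field is 300 digits. A
 * parser copying fields into a small fixed buffer would overflow here; this
 * one returns -1 without touching the output. Returns 1 if rejected cleanly. */
int demo_overlong_rejected(void) {
    char buf[400];
    size_t off = (size_t)snprintf(buf, sizeof buf, "227 Entering Passive Mode (");
    memset(buf + off, '1', 300);
    off += 300;
    snprintf(buf + off, sizeof buf - off, ",1,1,1,1,1)");
    struct pasv_addr a = { "unchanged", 0 };
    int rc = parse_pasv_reply(buf, &a);
    return rc == -1 && strcmp(a.host, "unchanged") == 0 && a.port == 0;
}
```

Rejecting the reply is the safe outcome for a client: a PASV reply it cannot parse means the data connection is simply not opened, whereas trusting the server's field lengths is what lets a hostile server drive the overflow the advisory describes.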

[SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically

2002-05-16 Thread [EMAIL PROTECTED]

--
SNS Advisory No.48
Microsoft Internet Explorer Still Download And Execute ANY Program Automatically

Problem first discovered: Wed, 13 Feb 2002
Published: Mon, 18 Mar 2002
Revised: Thu, 16 May 2002
--

Overview:
-
  Microsoft Internet Explorer contains a vulnerability which allows 
  for downloading of a file and its automatic execution under several 
  circumstances without the knowledge of the user.  If a malicious 
  webmaster creates a website containing malicious contents that can 
  exploit this problem, and if the user has access to these contents 
  using Internet Explorer under specific environments, then arbitrary 
  programs specified by the administrator will be automatically 
  downloaded and executed on the user's system.

Problem Description:

  A vulnerability exists in Microsoft Internet Explorer which could 
  lead to automatic downloading and execution of a file under several 
  environments.  This can be achieved when a user views contents 
  including the following header in HTTP responses:

  Content-Type: audio/x-ms-wma
  Content-disposition: inline; filename="foo.exe"
  
  It is important to note that the above-mentioned description is just 
  an example and that this vulnerability has been confirmed exploitable 
  using other Content-Type: headers, such as Content-Type: audio/midi. 

  This vulnerability affects the following environments: (our previous 
  advisory stated that only IE 6 was affected by this vulnerability, 
  however, it has been confirmed through further investigation that 
  IE 5.01 SP2 is also vulnerable to this issue)  

  (1) Windows NT 4.0 Workstation + SP6a
  + IE 6 + all available fixes [Japanese version]
 
  (2) Windows NT 4.0 Workstation + SP6a + Windows Media Player 6.4  
  + IE 6 + all available fixes [Japanese version]
   
  (3) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
  + IE 6 + all available fixes [Japanese version]

  (4) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
  + IE 5.01 SP2 + all available fixes [Japanese version]

  (5) Windows 98 +  Windows 98 System Update + Windows Media Player 6.4
  + IE 6 + all available fixes [Japanese version] 

  (6) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 7.1
  + IE 6 + Office 2000 SR-1 + all available fixes [Japanese version]

  Note: Windows Media Player 6.4 is installed by default on Windows 2000 
  and Windows 98.

Solution:
-
  This problem can be eliminated by applying a patch based on the 
  information provided by Microsoft Security Bulletin MS02-023.

  Microsoft Security Bulletin 02-023:
  
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp

Discovered by:
--
  Yuu Arai (LAC)  [EMAIL PROTECTED]

Acknowledgements:
- 
  Thanks to:
 
  Microsoft Security Response Center
  Japan PSS Security Response Team of Microsoft Asia Limited

Disclaimer:
---
All information in these advisories is subject to change without advance 
notice or mutual consensus, and each advisory is released as is. LAC 
Co., Ltd. is not responsible for any risks arising from applying this 
information. 

--
SecureNet Service(SNS) Security Advisory <[EMAIL PROTECTED]>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/