MSIE:"SaveRef" turns Zone off
MSIE:"SaveRef" turns Zone off [digest] MSIE: you can execute jscript in any zone by saving the reference of "(NewWindow).location.assign". (content after the "[exp]" section is not directly related to the flaw, so skip it if you are in a hurry;) [tested]MSIEv6(CN version) {IEXPLORE.EXE file version: 6.0.2600.} {MSHTML.DLL file version: 6.00.2600.} Win98 [demo] at http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm or clik.to/liudieyu ==> SaveRef-MyPage section. [exp] javascript-protocol URL can cause CSS at client side, so microsoft blocked "(NewWindow).location.assign" method(there is no other explanation at all). but we can save the reference(mostly the same as 'pointer' in C) of "(NewWindow).location.assign" when we can access it, then we can access it forever -- regardless of NewWindow's zone, which means we can execute jscript in any zone. simple, that's all. [BTW] thanx to : 0. all knowledge bases 1."dror shalev", without his "Who Framed IE" demo at http://drorshalev.brinkster.net/dev/Search and his words, i wouldn't have discovered this flaw.(both "SaveRef" & "Who Framed IE" hurt microsoft's heart -- OOP/COM/DCOM ;) 2."the Pull", his words at http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt are inspiring&practical. [apology] i am always late for online issues because of everything around me( one example is my parents), but i've never been absent;) [contact] [EMAIL PROTECTED] or clik.to/liudieyu ===> "how to contact liu die yu" section
[security bulletin] SSRT2371 HP OpenVMS Potential POP server localvulnerability (fwd)
David Ahmad Symantec KeyID: 0x26005712 Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SECURITY BULLETIN REVISION: 0 Title: SSRT2371 HP OpenVMS Potential POP server local vulnerability NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. RELEASE DATE: September 2002 SEVERITY: High SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team REFERENCE: SSRT2371 PROBLEM SUMMARY This bulletin will be posted to the support website within 24 hours of release to - http://thenew.hp.com/country/us/eng/support.html Use the SEARCH IN feature box, enter SSRT2371 in the search window. SSRT2371 POP server potential vulnerability (Severity HIGH) A potential vulnerability has been reported where, under certain circumstances, a local authorized non-privileged user may gain unauthorized access to privileged files or unauthorized privileges. The report is of a potential locally exploitable file corruption issue with HP TCP/IP services for OpenVMS POP server. This problem does not exist if the POP server is disabled. VERSIONS IMPACTED HP TCP/IP services for OpenVMS version 5.3 HP TCP/IP services for OpenVMS version 5.1 HP TCP/IP services for OpenVMS version 5.0a HP TCP/IP services for OpenVMS version 4.2 RESOLUTION HP TCP/IP Services for OpenVMS V5.3 ALPHA (all supported versions of HP OpenVMS ALPHA): Install: HP TCP/IP Services for OpenVMS V5.3 ECO 1 Prerequisite : HP TCP/IP Services for OpenVMS V5.3 for HP OpenVMSALPHA Kit Name: DEC-AXPVMS-TCPIP_ECO-V0503-181-4 Kit Location: http://ftp1.support.compaq.com/patches/public/vms/axp/v7.3/tcpip/5.3/ HP TCP/IP Services for OpenVMS V5.3 VAX (all supported versions of HP OpenVMS VAX): Install:HP TCP/IP Services for OpenVMS V5.3 ECO 1 Prerequisite : HP TCP/IP Services for OpenVMS V5.3 for HP OpenVMS VAX Kit Name: DEC-VAXVMS-TCPIP_ECO-V0503-181-4 Kit Location: http://ftp1.support.compaq.com/patches/public/vms/vax/v7.3/tcpip/5.3/ Note: Please review the README file(s) for this patch prior to installation. HP TCP/IP services for OpenVMS 5.1 VAX & ALPHA*: Upgrade to HP TCP/IP Services for OpenVMS V5.3 and install ECO 1 listed above. * If you are unable to upgrade please contact your normal HP services OpenVMS support channel and request HP OpenVMS services elevate a case to TCP/IP Services for OpenVMS Support Engineering. HP TCP/IP services for OpenVMS 5.0a VAX & ALPHA: HP TCP/IP services for OpenVMS 4.2 VAX & ALPHA: Upgrade to HP TCP/IP Services for OpenVMS V5.3 and install ECO 1 listed above if possible. If upgrading is not possible, contact your normal HP services OpenVMS support channel and request HP OpenVMS services elevate a case to TCP/IP Services for OpenVMS Support Engineering. To determine if the service is enabled, execute the following command: $ tcpip show service pop Service Port ProtoProcess AddressState POP 110 TCP TCPIP$POP 0.0.0.0Enabled After completing the update, HP strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the update after a future restore operation. Also, if at some future time you upgrade your system to a later patch version, you may need to reapply the appropriate update. SUPPORT: For further information, contact HP Services. SUBSCRIBE: To subscribe to automatically receive future Security Advisories from the Software Security Response Team (SSRT) via electronic mail: http://www.support.compaq.com/patches/mailing-list.shtml REPORT: To report a potential security vulnerability with any HP or Compaq supported product, send email to: [EMAIL PROTECTED] HP and Compaq appreciate your cooperation and patience. As always, HP and Compaq urge you to periodically review your system management and security procedures. HP and Compaq will continue to review and enhance the security features of its products and work with our customers to maintain and improve the security and integrity of their systems. "HP and Compaq are broadly distributing this Security Bulletin in order to bring to the attention of users of the affected Compaq products the important security information contained in this Bulletin. HP and Compaq recommend that all users det
[BUGZILLA] Security Advisory
Bugzilla Security Advisory October 1st, 2002 All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of varying importance have been fixed in both. These vulnerabilities affect all previous 2.14 and 2.16 releases. 2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as possible, as the 2.14 branch will no longer be maintained by the Bugzilla team beyond the end of this year. Individual patches to upgrade Bugzilla are available at http://ftp.mozilla.org/pub/webtools/ (however these patches are only valid for 2.14.3 and 2.16 users). Full release downloads and CVS upgrade instructions are available at http://www.bugzilla.org/download.html Complete bug reports for all the following bugs may be obtained at http://bugzilla.mozilla.org/ The following security issues were fixed in both 2.14.4 and 2.16.1: - Permissions leak when using "usebuggroups" and more than 47 groups; permissions are granted to users in higher groups when they shouldn't be. (bug 167485; comment 12 has additional detection/recovery information) http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12 - bugzilla_email_append.pl calls processmail insecurely; command injection possible. (bug 163024) The following additional security issue was fixed in 2.16.1: - Apostrophes are not properly handled during account creation; SQL injection possible. (bug 165221) General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums. -- Dave Miller Project Leader, Bugzilla Bug Tracking System Lead Software Engineer/System Administrator, Syndicomm Online http://www.syndicomm.com/http://www.bugzilla.org/
XSS bug in Compaq Insight Manager Http server
Advisory name: XSS bug in Compaq Insight Manager Http server Application: Compaq Insight Manager Http server Date: 01.10.2002 Impact: XSS code execution [DESCRIPTION] XSS bug in Compaq Insight Manager Http server [ISSUE] The Compaq Insight Manager Http server is vulnerable to the Cross Site Scripting (XSS) vulnerability. This vulnerability is caused by the results returned to a user when a non-existing file is requested. The vulnerability would allow an attacker to make the server present another user with malicious JavaScript/HTML code that is interpreted and executed without the users knowledge (e.g. the result contains the JavaScript provided in the request). This vulnerability was identified with a popular open-source vulnerability assessment tool and confirmed using the following XSS test. [XSS TEST] http://:2301/alert('Test') [VERSIONS TESTED] CompaqHTTPServer/4.2 CompaqHTTPServer/4.37 [SUPPORTING INFO] http://www.cert.org/advisories/CA-2000-02.html [VENDOR RESPONSE] There is a 3rd party software tool that can be used for security assessments that flags any web server as potentially having this problem. Our web servers do not, to our knowledge, have this vulnerability. We have investigated it but it is a non-issue for us. This issue is just a 'potential vulnerability' rather than a 'for sure' problem. In other words, the tool is guessing that all web servers can have this problem. Thank You, HP E-Services
iDEFENSE Security Advisory 10.01.02: Sendmail smrsh bypass vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 iDEFENSE Security Advisory 10.01.02 Sendmail smrsh bypass vulnerabilities DESCRIPTION It is possible for an attacker to bypass the restrictions imposed by The Sendmail Consortiums Restricted Shell (SMRSH) and execute a binary of his choosing by inserting a special character sequence into his .forward file. SMRSH is an application intended as a replacement for sh for use in Sendmail. There are two attack methods both of which are detailed below. METHOD ONE This method takes advantage of the application's implementation of the '||' command. The process is best explained with an example: $ echo "echo unauthorized execute" > /tmp/unauth $ smrsh -c ". || . /tmp/unauth || ." /bin/sh: /etc/smrsh/.: is a directory unauthorized execute /tmp/unauth is executed despite the fact that it is not located in the SMRSH restricted directory /etc/smrsh. This happens because SMRSH first checks for '.', which exists, and does no further verification on the files listed after '||'. The same attack would look like the following in the attackers .forward file: "| . \|| . /tmp/unauth \|| ." METHOD TWO This method takes advantage of the following routine from smrsh.c: /* search backwards for last / (allow for 0200 bit) */ while (cmd > q) { if ((*--cmd & 0177) == '/') { cmd++; break; } } It is possible to feed SMRSH a command line that will be internally converted to a space thereby bypassing all filters, yet will still execute. Examples of these include: smrsh -c "/ command" smrsh -c "../ command" smrsh -c "./ command" smrsh -c "././ command" The listed routine will convert any of the above examples to a space. However, when the following execle() call is reached: (void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf, NULL, newenv); SMRSH will execute: /bin/sh -c command Notice that despite the double space command will still execute. The .forward variation of this attack works the same way. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1165 to this issue. ANALYSIS The following are required conditions for successful and meaningful exploitation of this vulnerability: - - - The target system must be utilizing SMRSH. - - - The attacker must have a valid local account on the system. - - - In method one the attacker must be able to create files. While this exploit obviously removes the restrictions imposed by SMRSH it also allows users to execute programs on systems that they do not have shell access to. Utilizing either of the above-described methods, an attacker who can modify his own .forward file can execute arbitrary commands on the target system with the privileges of his own account. Systems that forbid shell access generally do not have tightened local security, the ability to execute arbitrary commands through the SMRSH vulnerablity opens the target system to local privilege escalation attacks that otherwise would not be possible. DETECTION The latest versions of SMRSH are vulnerable. Including the version packaged with Sendmail 8.12.6 and Sendmail 8.11.6-15 (default install of Redhat 7.3). Older versions of SMRSH do not appear to be vulnerable (8.11 5/19/1998). The version of SMRSH available at ftp://ftp.uu.net/pub/security/smrsh is also not vulnerable. WORKAROUND Sendmail.org has provided a patch addressing the above-described issues. The patch is available for download at http://www.sendmail.org/patches/smrsh-20020924.patch. VENDOR FIX/RESPONSE Sendmail.org's official comment: "We would like to thank iDEFENSE, zen-parse, and Pedram Amini for bringing these problems to our attention. If you actually use a vulnerable smrsh version (which can be tested according to the descriptions given before), please apply the patch that has been made available. To figure out whether your configuration uses smrsh, check your sendmail.mc file, i.e., look for FEATURE(`smrsh') and check your sendmail.cf file (usually located in /etc/mail or /etc): grep '^Mprog.*smrsh' sendmail.cf Also consider whether you actually need this feature, e.g., if you make procmail available to your users then smrsh is basically useless." DISCLOSURE TIMELINE 9/1/2002 Disclosed to iDEFENSE 9/24/2002 Disclosed to [EMAIL PROTECTED] 9/24/2002 Disclosed to iDEFENSE clients 9/24/2002 Response from Greg Shapiro [EMAIL PROTECTED] 9/25/2002 Coordination from Claus Assmann [EMAIL PROTECTED] 10/1/2002 Public Coordinated Disclosure CREDIT Method One was exclusively disclosed to iDEFENSE by zen-parse ([EMAIL PROTECTED]) Method Two was discovered during the verification process by Pedram Amini ([EMAIL PROTECTED]) Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to [EMAIL PROTECTED], subject line: "subscribe" - -dave David Endler, CISSP Director,
Re: Another possible RFC 2046 vulnerability.
On September 27, 2002 at 13:01, Jose Marcio Martins da Cruz wrote: > What's interesting is that in this case the message and the malicious > code passes through two different network paths : messages is sent by > mail and the malicious code will be get by receiver by anonymous ftp. > > In the case of previous vulnerability (fragmented message), message and > malicious code uses the same network path. > > Classical mail server virus scanners will never see the malicious code > pass through it, as they will never have available entire malicious > code. Since the external-body type uses other standard network protocols, then the security policies of a company for other protocols (like ftp) would take effect. It is no different than if someone sends a message to someone saying "go download ftp://";. > I can't say anything about others mail clients, as I'm sick at home and > I have no access to other MUAs. The venerable MH, and its successor nmh, support the message/external-body type. The only real security risk is if a badly designed MUA automatically retrieves the data specified in a message/external-body (and RFC 2046 gives a warning about this). Otherwise, it poses the same security problems as someone including a URL in a regular mail message (which many MUAs automatically convert into a hyperlink). --ewh P.S. You may be interested in RFC 2017 that defines the URL access type for message/external-body.
GLSA: unzip
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE :unzip SUMMARY :directory-traversal vulnerability DATE :2002-10-01 10:30 UTC - - OVERVIEW Archive extraction is usually treated by users as a safe operation. There are few problems with files extraction though. DETAIL Among them: huge files with high compression ratio are able to fill memory/disk (see "Antivirus scanner DoS with zip archives" thread on Vuln-Dev), special device names and special characters in file names, directory traversal (dot-dot bug). Probably, directory traversal is most dangerous among this bugs, because it allows to craft archive which will trojan system on extraction. This problem is known for software developers, and newer archivers usually have some kind of protection. But in some cases this protection is weak and can be bypassed. I did very quick (approx. 30 minutes, so may be I've missed something) researches on few popular archivers. Results are below. Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running app-arch/unzip-5.42-r1 and earlier update their systems as follows: emerge rsync emerge unzip emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU u5jofs44arhh9ZKkAmPxv2A= =myfe -END PGP SIGNATURE-
PPTP
For those of you who have a desire to crash Microsoft's PPTP stack, I have a pptp .spk script linked off of http://www.immunitysec.com/spike.html. It would probably be good to run against other PPTP stacks as well. (Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks just as fast as it takes down the non-free stacks.) It's not a bad demonstration of how to use SPIKE scripts either, if you're inclined to learn. Finding this bug took less than thirty minutes...() To run it: # first enable the shared library fun bash$ . ./ls.sh # now run the script against 192.168.1.100 after setting up PPTP on that machine. It's a good idea to set up SoftIce as well. bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0 #wait for crash. It's in the second packet, I believe. Dave Aitel Immunity, Inc. References - [1] phion Information Technologies http://www.phion.com/ Exploit - phion Information Technologies will not provide an exploit for this issue. :> signature.asc Description: This is a digitally signed message part
Postnuke XSS patch
[For Immediate Release] The PostNuke Security Officer has updated the CVS version of Postnuke and a patch will be made available today to fix the outstanding issue shown here http://marc.theaimsgroup.com/?l=bugtraq&m=103306696427569&w=2 It is apparent that the Postnuke developers reviewed the material suggested vulnerable and deemed it worthy of a patch. Please refer to their website for patch availability, as I was not provided a specific URL to point you to. -- Mark Grimes <[EMAIL PROTECTED]> Stateful Labs
NETGEAR FVS318 Information Disclosure
Hi All.. I'm resending this..*without* the failure notice ;) Attached is an Advisory concerning Netgear's FVS318 Firewall/VPN/Router, and the fact that it stores Usernames and Passwords in plain text if the config is backed up. Thanks, [EMAIL PROTECTED] http://www.aisec.net Information Security Team. -=-=-=-=-=-=-=-=-=-=-=-=-=- === AIS advisory # 0006 NETGEAR FVS318 Firewall Router Firmware 1.1 Username/Password Disclosure ==Summary Netgear's FVS318 Firewall/VPN/Router stores Usernames and Passwords in plain text when a backup of the configuration is made. ==Software Affected== Netgear FVS318 firmware 1.1 and every firmware version before it. ===Vendor http://www.netgear.com =Product Description= Taken from their site : http://www.netgear.com "Want the utmost in network security for your office? NETGEAR's FVS318 ProSafe VPN Firewall provides business-class protection at a NAT router price. This completely equipped, broadband-capable Virtual Private Network (VPN) firewall is a true firewall and provides it all - Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, \reporting, and real-time alerts. It initiates up to 8 IPSec VPN tunnels simultaneously, reducing your operating costs and maximizing the security of your network. With 8 auto-sensing, Auto UplinkT switched LAN ports and Network Address Translation (NAT) routing, up to 253 users can access your broadband connection at the same time." Vulnerability The web interface includes a backup option to store your current config just in case anything happens For the most part, the file isn't readable except for a few words, in particular, your Username to your ISP internet connection, and the password to the web admin interface which listens on port 80 by default. This port can be changed to whatever you like, but probably not many people do that. I would consider this a local threat because you can only get to the web interface from inside the local LAN. Unless you enable Remote Management, which listens on port 8080 by default. The default username for the web interface can't be changed, it's always "admin"... Any good admin makes a backup of their working configs ;) FIX (if any) Use PGP to encrypt your files, if Netgear doesn't encrypt them for you. Discovered by [EMAIL PROTECTED] http://www.aisec.net Information Security Team
[CLA-2002:527] Conectiva Linux Security Announcement - python
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -- PACKAGE : python SUMMARY : os.execvpe() vulnerability DATE : 2002-10-01 11:48:00 ID: CLA-2002:527 RELEVANT RELEASES : 6.0, 7.0, 8 - - DESCRIPTION Python is an interpreted, interactive, object-oriented programming language. Zack Weinberg found[1] a vulnerability in the way the exevpe() method from the os.py module uses a temporary file name. A file which supposedly should not exist is created in a unsafe way and the method tries to execute it. The objective of such code is to discover what error the operating system returns in a portable way. This vulnerability affects all python versions and is fixed[2,3] in the python CVS repository (using a better approach). By exploiting this vulnerability a local attacker can execute arbitrary code with the privileges of the user running python code which uses the execvpe() method. SOLUTION All python users should upgrade. REFERENCES: 1.http://mail.python.org/pipermail/python-dev/2002-August/027223.html 2.http://python.org/sf/590294 3.http://python.org/sf/601077 4.http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=6595&idioma=en DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-devel-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-doc-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-idle-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tkinter-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/python-1.5.2-14U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-devel-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-doc-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-freeze-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-idle-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-tkinter-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/python-2.1-15U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-devel-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-doc-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-freeze-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-idle-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-tkinter-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/python-2.2-10U80_1cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - - All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - - All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - - subscribe: [EMAIL PROTECTED] unsubscribe: [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9mbaw42jd0JmAcZARAhb6AJ9Uk2m4U9DW1SV/Ed4hMsj1Gge+SwCfevxF C8XCFcdvnkSvmNyxRSI88FU= =J9Ma -END PGP SIGNATURE-
GLSA: fetchmail
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE:fetchmail SUMMARY:remote vulnerabilities DATE :2002-10-01 09:30 UTC - - OVERVIEW Stefan Esser from e-matters has discovered several buffer overflows and a broken boundary check within Fetchmail. DETAIL If Fetchmail is running in multidrop mode these flaws can be used by remote attackers to crash it or to execute arbitrary code with the permissions of the user running fetchmail. Depending on the configuration this allows a remote root compromise. Read the full advisory at http://security.e-matters.de/advisories/032002.html SOLUTION It is recommended that all Gentoo Linux users who are running net-mail/fetchmai-0.59.14 and earlier update their systems as follows: emerge rsync emerge fetchmail emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mW3bfT7nyhUpoZMRAj24AJ4v6eTU4W0kFymRqxVhVm+pzLzqvACcCLP0 X1kl66YrBuEJozTTNzpwhAg= =9mUU -END PGP SIGNATURE-
Insecure XML-RPC handling in Zope reveals the distribution physic al location.
Zope versions pre 2.5.1b2 do not handle correct some XML-RPC request. 1. Summary: Zope (www.zope.org) will reveal the complete physical location where the server and its components are installed if it receives "incorrect" XML-RPC requests. In some cases it will reveal also information about the serves in the protected LAN (10.x.x.x for example) on which current server is relaying. 2. Details: A request like the quoted below will cause Zope to produce stack traces in the response that will reveal the information mentioned above. See http://collector.zope.org/Zope/359 for more details. Ironically the quoted request was an example how to use XML-RPC. Note that starting Zope without -D option won't stop the exposure. telnet localhost 8080 POST /Documentation/comp_tut HTTP/1.0 Host: localhost Content-Type: text/xml Content-length: 93 objectIds 3. Vulnerable versions: Zope 2.3.2 - Yes (earlier versions ware not tested) Zope 2.4.1 (Stable) - Yes Zope 2.5.0 (Stable) - Yes Zope 2.5.1 (Stable) - Yes Zope 2.5.1b2 (Development) - Not Zope 2.6.0b1 (Development) - Not 4. Solution: Upgrade to 2.6.0b1 (Development) if possible. 5. Vendor information Notification was send to the vendor on March 22, 2002 The issue was officially resolved on Aug 29, 2002 but only in v2.6.0. Regards, Rossen Raykov --- Rossen Raykov COGNICASE U.S.A. Inc. (908) 860-1100 Ext. 1140 [EMAIL PROTECTED]
ASA-0000: GV Execution of Arbitrary Shell Commands
"After" Security Advisory Title: GV Execution of Arbitrary Shell Commands Affects: gv-3.5.8 and probably older versions Advisory ID: ASA- Release Date: 2002-10-01 Author: Marc Bevand URL: http://www.epita.fr/~bevand_m/asa/asa- --oOo-- 0. Table of Contents 0. Table of Contents 1. Introduction 2. Problem 3. Solution 4. Conclusion 5. References 6. Attached files --oOo-- 1. Introduction GV [0] is a PostScript and PDF previewer available on many unix systems and even on some non-unix systems. Technically, it is a user interface for Ghostscript [1], which is a PostScript and PDF language interpreter. GV is also able to automatically decompress GZip'ed [2] files on-the-fly before reading them. When GV detects that the document is either a PDF file or a GZip compressed file, it executes some commands with the help of the system() function. Unfortunately, these commands contain the filename, which can be considered as untrusted user input. It is then possible to distribute a file (with a meticulously choosed filename, that can even seems innocent) that causes execution of arbitrary shell commands when it is read with GV. --oOo-- 2. Problem GV detects PDF files or GZip compressed files by reading the first bytes of datas: o when "%PDF-" is read, GV assumes it is a PDF file and call system() with the following argument (default value of the GV.gsCmdScanPDF X11 ressource): "gs -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s pdf2dsc.ps -c quit" The 1st "%s" corresponds to the PDF filename, and the 2nd to a temporary filename. o when "\037\235" or "\037\213" is read, GV assumes it is a GZip compressed file and call system() with the following argument (default value of the GV.uncompressCommand X11 ressource): "gzip -d -c %s > %s" The 1st "%s" corresponds to the GZip compressed filename, and the 2nd to a temporary filename. In these conditions, trying to open, for example, a PDF file named "xxx & echo hello & xxx" leads to execution of "gs -dNODISPLAY -dQUIET -sPDFname=xxx & echo hello & xxx ...". Thus, "echo hello" (a part of the filename) is executed: $ file "xxx & echo hello & xxx" xxx & echo hello & xxx: PDF document, version 1.2 $ gv "xxx & echo hello & xxx" --> hello sh: xxx: command not found GS>hello sh: xxx..tmp: command not found The error messages ("sh: xxx: command not found", etc) are just results of the garbage introduced in the system() argument by the unusual "xxx & echo hello & xxx" filename. Moreover, GV displays a dialog box explaining that execution of Ghostscript failed. But all these "inconvenients" (from the malicious user point-of- view) can be easily avoided. Imagine a site where each host access a file server through the mount point "/sgoinfre", and suppose that someone (Charly) creates 2 files in this directory: o a PDF file named 'Huhu_"`source evil`".pdf' (doublequotes and backquotes are part of the filename) o a shell script named 'evil' that contains: #!/bin/sh echo '"`source evil`"' touch _it_works_ Now, here is what happens if someone else (Alice) wants to read the PDF file: $ cd /sgoinfre $ gv 'Huhu_"`source evil`".pdf' All works fine for Alice (no error messages, no dialog box), except that she hasn't realized that 'evil' has been executed under her identity: $ ls -l _it_works_ -rw---1 alice users 0 Jul 30 05:56 _it_works_ Note: this example works only if the /bin/sh shell executed by system() supports the 'source' builtin; that's the case when /bin/sh is a link to bash. --oOo-- 3. Solution The GV maintainer, Johannes Plass , has been e-mailed twice about this problem. Unfortunately, no response has been received, it seems that he has stopped his work on GV since 1997. However, I propose a temporary fix: the attached patch ("asa-.gv-3.5.8.patch"), done against GV 3.5.8, checks if the filename contains only allowed characters (alphanumeric and ``+,-./:=@\^_''). If this is not the case, an error message is displayed and system() is not called. --oOo-- 4. Conclusion GV contains a security hole allowing execution of arbitrary shell commands. Since the author seems to have stopped his work on GV, a temporary fix has been developped: see the attached patch done against GV 3.5.8. --oOo-- 5. References [0] GV http://wwwthep.physik.uni-mainz.de/~plass/gv/ [1] Ghostscript http://www.cs.wisc.edu/~ghost/index.html [2] GNU Zip http://www.gzip.org --oOo-- 6. Attached files The following file is also available at: http://www.epita.fr/~bevand_m/asa/asa-.gv-3.5.8.patch ---8<-- asa-.gv-3.5.8.patch - diff -ur
GLSA: tar
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE :tar SUMMARY :directory-traversal vulnerability DATE :2002-10-01 12:30 UTC - - OVERVIEW The tar utility contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction. DETAIL During testing by Redhat of the fix to GNU tar from the advisory below, it was discovered that GNU tar 1.13.25 was still vulnerable to a modified version of the same problem. Read the full original advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running sys-apps/tar-1.13.25-r2 and earlier update their systems as follows: emerge rsync emerge tar emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mZcbfT7nyhUpoZMRAgTqAJ9TIgnwCf6vABCsQp7fZ/WpHUoCNACdGzJH 2yxb1ASJvjfl5ToRzzfJ8oM= =7aPP -END PGP SIGNATURE-