Re: J2EE EJB privacy leak and DOS.

2002-10-16 Thread Ari Gordon-Schlosberg

[Alan Rouse <[EMAIL PROTECTED]>]
> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects.  If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
> 
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?
> 

The whole point of EJB application servers is to have pluggable
applications that can be bought and deployed.  This hole would allow my
code from, say, an email component to grab objects used by the credit-card
processing module.

-- 
Ari Gordon-Schlosberg http://www.nebcorp.com/~regs/pgp for PGP public key




Openwall GNU/*/Linux (Owl) 1.0 release

2002-10-16 Thread Solar Designer

Hi,

For those who don't know yet, Openwall GNU/*/Linux (or Owl) is a
security-enhanced operating system with Linux and GNU software as its
core, intended as a server platform.  And, of course, it's free.  More
detailed information is available on the web site:

http://www.openwall.com/Owl/

After over a year of development and many public Owl-current
snapshots, we're pleased to announce that Owl 1.0 is finally out.

The major changes made since 0.1-prerelease are documented:

http://www.openwall.com/Owl/CHANGES-1.0.shtml

The release may be freely downloaded from our FTP mirrors or ordered
on a CD.  Of course, we prefer the latter, but it's your choice.
Similarly, you may choose to pay just what it costs to get the CD to
you, or you may also support our project.

CDs (and ISO-9660 images available via the FTP mirrors) are bootable
on x86 and include a live system and x86 binary packages, as well as
full source code which may be rebuilt with one simple command ("make
buildworld").  Security tools such as John the Ripper are usable right
off the CD, without requiring a hard disk -- this way Owl may also be
considered an alternative to Trinux.

Currently available via the FTP mirrors only are the Owl 1.0 binary
packages for SPARC and Alpha architectures.

PGP-signed mtree(8) specifications for all of the above are available
via FTP and in the root directory of Owl CDs (such that you don't even
have to blindly trust CDs arriving via mail).

The 0.1-stable branch is now officially unsupported, in favor of the
1.0 release and its corresponding stable branch.  The change logs for
0.1-stable (which include security fix information) are no longer on
the web site, however 0.1-stable is still available on the FTP mirrors
(for reference only) and will of course remain available via anoncvs.

Owl 1.0-stable already exists in the CVS (in fact, it's been started
prior to the 1.0 release this time) and will also be made available
via FTP once the need arises (that is, a critical post-release fix is
applied).

Development will continue primarily in Owl-current, although we might
make another release based on 1.0-stable as well.

-- 
/sd



[GIS 2002021001] SkyStream EMR5000 DVB router DoS.

2002-10-16 Thread Global InterSec Research

Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002021001
Changed:         10/16/2002
Author:          [EMAIL PROTECTED]
Reference:       http://www.globalintersec.com/adv/skystream-2002021001.txt

Summary:

   SkyStream's Edge Media Router-5000 (EMR5000), a DVB-to-multicast
   router, suffers from a vulnerability in its modified Linux kernel.

Impact:

   A remote user may cause a denial of service attack against
   the device, causing it to crash (kernel panic).

Versions Tested:

   1.16
   1.17
   1.18

Description:

   The Linux based kernel, which the EMR5000 uses, has been modified
   to work with SkyStream's customized PCB. Modifications include
   proprietary DVB card drivers.

   A problem exists within the kernel code which could cause a kernel
   panic when the device is no longer able to process data being pushed
   into the ethernet ring buffers.

   Rather than dropping packets, or even temporarily disabling the
   interrupt address for the ethernet device, a null pointer exception
   will occur in the interrupt handler, leading to a kernel panic.

   Although the EMR5000 uses Intel's 82559ER ethernet controller, which
   is supported by the eepro100 driver (included in the 2.4.x tree),
   this condition could not be replicated on other systems, also with
   the 82559ER onboard and using the eepro100 drivers. This is almost
   certainly down to how SkyStream have implemented DMA, in order to
   work with their PCB configuration and is therefore a problem which
   is inherent to the EMR5000 and not necessarily other systems using
   the eepro100 kernel modules.


Scope for attack:

   Because this bug is directly connected to the EMR5000's network
   interface, the above bug may be exploited remotely. It may also
   be triggered fairly anonymously, with the use of spoofed SYN
   packets for example.

   In our early tests, the EMR5000 did not reboot on a kernel panic
   and required a manual (cold) reboot. The most recent boot version
   did handle the condition and reboot cleanly.


Work around:

   Firewall all inbound traffic to the EMR5000, other than IGMP(2).
   This is not a bulletproof work-around, as the bug may also be
   exploited through the use of IGMP.

Credit:

   The vulnerabilities disclosed in this advisory were discovered
   during routine penetration tests. They were further researched
   at Global InterSec's facility.

   The research division can be reached at [EMAIL PROTECTED]

Vendor Status:

   Ellie Abdollahi ("Director of Software") of SkyStream Inc. was
   notified of this problem on July 26, 2002. SkyStream has denied
   responsibility for this problem, given their use of the Intel
   ethernet controller and the eepro100 kernel module.

   Subsequently, no fix has been provided. SkyStream was given GIS's
   statutory 60-day advance warning of this problem, along with a
   copy of this advisory before its publication.


Proof of concept/Exploit:

   The following was the result of high volumes of IGMPv2 requests being
   sent to the ethernet interface.

   SkyStream Networks
   Edge Media Router
   Please login as 'emradmin' for Command-Line Interface
   emr5000 login: Oops: Exception in kernel mode, sig: 4
   NIP: C00FB4F4 XER:  LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700
   MSR: 9230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
   TASK = c01d6030[0] 'swapper' Last syscall: 120
   last math  last altivec
   GPR00: C00FB4F4 C01D79A0 C01D6030 001C 1230 0001 C022
   GPR08: C022 C01E 1236 C01D78E0 24004024 10068BC4 000C0A04
   GPR16:  FFFE2198  2FB6 1230 001D7A80  C01D82C8
   GPR24: 01C0 C022 C01ECF00 0007 C01D82C8 C01E  C45976E0
   Call backtrace:
   C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
   C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 2000
   C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
   C0004294 C00042BC C01ED8A0 C00023C4
   Kernel panic: Aiee, killing interrupt handler!
   In interrupt handler - not syncing
   Rebooting in 180 seconds..


Legal:

   This advisory is the intellectual property of Global InterSec LLC
   but may be freely distributed with the conditions that:

a) No fee is charged.
b) Appropriate credit is given.
c) Distribution of the advisory does not break NDAs issued by GIS.

(c) Global InterSec LLC 2002



[CLA-2002:532] Conectiva Linux Security Announcement - sendmail

2002-10-16 Thread secure

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : sendmail
SUMMARY   : Local vulnerability
DATE  : 2002-10-16 15:49:00
ID: CLA-2002:532
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -

DESCRIPTION
 Sendmail is a widely used Mail Transfer Agent (MTA). "smrsh" is an
 application intended as a replacement for the sh shell for use with
 Sendmail. It imposes some restrictions on what programs can be
 executed when parsing ~/.forward and system-wide mail aliases.
 
 Zen-parse and Pedram Amini found two ways[1] to exploit smrsh in
 order to make it execute any program on the system. The first one is
 by inserting specially formatted commands in the .forward file
 located in the user's home directory. The second one is by directly
 calling smrsh with special parameters.
 
 By exploiting this vulnerability, users who have no shell account or
 are not allowed to execute some programs can use smrsh to bypass such
 restrictions.
 
 The Common Vulnerabilities and Exposures project (cve.mitre.org) has
 assigned the name CAN-2002-1165 to this issue[2].


SOLUTION
 All sendmail users should upgrade.
 
 
 REFERENCES:
 1.http://www.sendmail.org/smrsh.adv.txt
 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1165


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9racN42jd0JmAcZARAktnAKDferWuXLqHuCmNNVcO4OOrBB3VoQCcDr8t
Al+K1yh074tp3SIMO0rl1xM=
=OS1v
-END PGP SIGNATURE-




Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

2002-10-16 Thread Mike Scher

In response to the below, we examined this issue on a Cajun P550 (not
550R) with software version 4.3.5.

We found:

1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'
2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save successfully across reloads.

We'd ask that others verify (for other software/hardware combinations)
whether they can change the account passwords ( 'username manuf password
foo' ), and save them ( 'copy running-config startup-config' ), reload,
and check whether the passwords changes have saved.

As an aside:

While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use.  That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version
software.

We'd ask others to check whether this (minor, but nevertheless real) issue
is present in newer revisions as well.

  -Mike

-- 
Michael Scher | Director, Neohapsis Labs
[EMAIL PROTECTED]  | General Counsel

On Tue, 15 Oct 2002, Jacek Lipkowski wrote:

> Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
>
> 1. Problem Description
>
> Two undocumented accounts with default passwords allow access via telnet
> and the web interface to Cajun P550R/P580/P880/P882 switches. Both
> accounts give developer access to the switch. The vulnerability can be
> avoided by upgrading to software version 5.3.0 or later and disabling the
> accounts.
>
> 2. Tested systems
>
> The following versions were tested and found vulnerable:
>
> Avaya Cajun P580 software version 5.2.14
>
> All previous software versions are assumed to be vulnerable. This
> problem is present in P550R,P580,P880 and P882.
>
> 3. Details
>
> The vulnerable firmware installs the following strings into the switch
> configuration by default:
>
> username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
> access-type admin
> username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
> access-type read-write
> username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
> access-type read-write
>
> The only documented password is for the root user. This user can't
> change the diag and manuf accounts.
>
> The un-documented passwords are:
>
> user   password
> -----  --------
> diag   danger
> manuf  xxyyzz
>
> Both of these accounts give developer access to the switch (read-write
> access-type), which is more privileged than normal administrative access
> (admin access-type).
>
> 4. Recommendations
>
> As always, it is good administrative practice to block access to
> administrative interfaces (telnet, web) at the firewall. Upgrading to
> software version 5.3.0 or later and disabling the accounts resolves this
> issue.
>
> As a temporary workaround download the configuration file via tftp, edit
> out these accounts, or change their password hashes, and upload it to the
> switch.
>
>
> 5. Vendor status
>
> AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
> responsive and worked promptly on the problem. I agreed to release the
> information after the release of the official AVAYA advisory. The official
> Avaya advisory was out on 11 Oct 2002. The fixed software is available from the
> Avaya support site http://support.avaya.com.
>
> Official AVAYA security advisories are located at
> http://support.avaya.com/security/
>
> 6. Disclaimer
>
> Neither I nor my employer is responsible for the use or misuse of
> information in this advisory.  The opinions expressed are my own and not
> of any company.  Any use of the information is at the user's own risk.
>
>
> Jacek Lipkowski [EMAIL PROTECTED]
>
> Andra Co. Ltd.
> ul Wynalazek 6
> 02-677 Warsaw, Poland
> http://www.andra.com.pl
>
>
>





MSN Monster Strikes Back?!

2002-10-16 Thread drorshalev

In-Reply-To: <[EMAIL PROTECTED]>

Is the MSN Monster striking back?!

Less than 10 hours after I posted this message on BugTraq,
Hotmail cancelled my Hotmail account (my primary email account).

So now I am a "Man Without Email Account".

You can check out the error message on my Security Workshop:

http://sec.drorshalev.com/dev/hotmail/AccessDenied.JPG


Is the Redmond Monster striking back at a security expert who finds bugs in
their software?

I think I should rather get thanks for my free QA.

My MSN Passport is still active (I hope it stays like this).

I can be found @ [EMAIL PROTECTED] or [EMAIL PROTECTED]

Dror Shalev
AKA "Man Without Email Account"


IE & MSN expose contact list & other info
--
By spoofing the IE security zone using Die Yu Liu's % encoding bug (IE 6);
this can lead to a privacy risk.
MSN status & Hotmail email notification are exposed by
other IE versions.

MSN Contact demo:

http://sec.drorshalev.com/dev/friends/

More demos are on http://sec.drorshalev.com 

Feel Free to contact me!
See my Security WorkShop
Dror Shalev

[EMAIL PROTECTED]
Are You Safe?

http://www.SafeCenter.NET



Apache 1.3.26

2002-10-16 Thread David Wagner

I recently did a very brief (and non-exhaustive) security audit of
Apache 1.3.26, and noticed some small potential bugs in some of the
helper programs that come with the distribution.

Apache maintainers have been notified, and the most serious of these
bugs have been fixed in 1.3.27.  I'm sending this primarily to document
for the record what vulnerabilities existed and were fixed.  This audit
can be found on Sardonix at https://sardonix.org/audit/apache-45.html

Also, I noticed a few suspicious code fragments, which weren't fixed
in 1.3.27.  For the most part, their security consequences looked
less dire, or minimal.  I'll describe these as well for completeness.
Can anyone else take a look at these and see if I overlooked anything?


1. Buffer overrun in support/ab.c:read_connection()
  char buffer[8192];
  char servername[1024];
  static void read_connection(struct connection * c) {
  ...
  r = ab_read(c->fd, buffer, sizeof(buffer));
  ...
char *p, *q;
p = strstr(c->cbuff, "Server:");
q = servername;
if (p) {
p += 8;
while (*p > 32)
*q++ = *p++;
}
*q = 0;
Impact: Anyone using ab to connect to a malicious server may be vulnerable
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

2. Race condition in support/htpasswd.c:main()
  tempfilename = tmpnam(tname_buf);
  ftemp = fopen(tempfilename, "w+");
  ...
  copy_file(ftemp, fpw);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htpasswd
Not fixed in 1.3.27

3. Race condition in support/htdigest.c:main()
  tn = tmpnam(NULL);
  if (!(tfp = fopen(tn, "w"))) ...
  ...
  sprintf(command, "cp %s %s", tn, argv[1]);
  system(command);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htdigest
Not fixed in 1.3.27

4. Also, totally bogus call to system() in support/htdigest.c:main()
  (see above)
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

5. Buffer overruns in support/htdigest.c:main()
There are many, but here's one:
  #define MAX_STRING_LEN 256
  int main(int argc, char *argv[]) {
  char user[MAX_STRING_LEN];
  strcpy(user, argv[3]);
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

6. strncat() used incorrectly in support/ab.c:main()
  char cookie[1024];
  int main(int argc, char **argv) {
while ((c = getopt(argc, argv, "..."))) {
switch (c) {
case 'C':
  strncat(cookie, "Cookie: ", sizeof(cookie));
  strncat(cookie, optarg, sizeof(cookie));
  strncat(cookie, "\r\n", sizeof(cookie));
  break;
Also, -A, -P, and -H are broken as well.
Impact: probably none, but ab shouldn't be called from CGI scripts, etc.
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13


Acknowledgements: This audit was aided by RATS.  Thanks to the RATS authors!
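Bounded versions of the two ab.c patterns above (items 1 and 6), as an added example that is not Apache's code nor part of the audit: the "Server:" header copy gets the length check its loop lacked, and the strncat() cookie assembly is replaced by an append that tracks the space actually left. The 1024-byte buffer sizes follow ab.c; the HTTP responses and cookie values fed to the demo functions are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Apache code: bounded replacements for the two ab.c
 * patterns in items 1 and 6 above. Buffer sizes follow ab.c 1.3.26. */
#define SERVERNAME_LEN 1024
#define COOKIE_LEN     1024

/* Copy the "Server:" header value from response into dst (capacity dstsz).
 * Like ab.c, stop at the first byte <= 32; unlike ab.c, never write past
 * dst[dstsz-1]: an over-long value is truncated instead of spilling onto
 * the stack. Returns bytes stored (excluding NUL), or -1 if no header. */
static int extract_server_name(const char *response, char *dst, size_t dstsz)
{
    const char *p;
    size_t n = 0;

    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    p = strstr(response, "Server:");
    if (p == NULL)
        return -1;
    p += strlen("Server:");
    while (*p == ' ' || *p == '\t')
        p++;
    while ((unsigned char)*p > 32 && n < dstsz - 1)   /* the bound ab.c lacked */
        dst[n++] = *p++;
    dst[n] = '\0';
    return (int)n;
}

/* Append src to NUL-terminated dst of total size dstsz. strncat()'s third
 * argument limits the bytes APPENDED, not the buffer, so ab.c's
 * strncat(cookie, optarg, sizeof(cookie)) could overflow by almost a full
 * buffer. Returns 0, or -1 (dst unchanged) if src does not fit. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t need = strlen(src);

    if (used >= dstsz || need > dstsz - used - 1)
        return -1;
    strncat(dst, src, dstsz - used - 1);
    return 0;
}

/* Build the "Cookie: <value>\r\n" line ab -C emits; on failure the buffer
 * is emptied rather than left half-filled. Returns 0 or -1. */
static int build_cookie_header(char *cookie, size_t cookiesz, const char *value)
{
    if (cookiesz == 0)
        return -1;
    cookie[0] = '\0';
    if (append_bounded(cookie, cookiesz, "Cookie: ") < 0 ||
        append_bounded(cookie, cookiesz, value) < 0 ||
        append_bounded(cookie, cookiesz, "\r\n") < 0) {
        cookie[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed inputs, not from the page. Benign response: the 13-byte
 * product token is copied intact. Returns 1 when so. */
static int demo_server_name_ok(void)
{
    char name[SERVERNAME_LEN];
    const char *resp = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.26\r\n\r\n";
    int n = extract_server_name(resp, name, sizeof(name));
    return n == 13 && strcmp(name, "Apache/1.3.26") == 0;
}

/* Hostile server: a 4000-byte Server: value. ab.c's loop would have written
 * about 3000 bytes past servername[1024]; here 1023 bytes are kept. */
static int demo_server_name_hostile(void)
{
    static char resp[4200];
    char name[SERVERNAME_LEN];
    size_t base;

    strcpy(resp, "HTTP/1.0 200 OK\r\nServer: ");
    base = strlen(resp);
    memset(resp + base, 'A', 4000);
    strcpy(resp + base + 4000, "\r\n\r\n");
    return extract_server_name(resp, name, sizeof(name));
}

/* A 1099-byte -C argument must be refused, and a normal one must produce
 * exactly the expected request line. Returns 1 when both hold. */
static int demo_cookie_bounds(void)
{
    char cookie[COOKIE_LEN];
    static char value[1100];

    memset(value, 'x', sizeof(value) - 1);
    value[sizeof(value) - 1] = '\0';
    if (build_cookie_header(cookie, sizeof(cookie), value) != -1)
        return 0;
    if (build_cookie_header(cookie, sizeof(cookie), "session=abc123") != 0)
        return 0;
    return strcmp(cookie, "Cookie: session=abc123\r\n") == 0;
}
```

The two demo functions are the whole usage: extract_server_name() on the hostile response returns 1023, the most that fits, and demo_cookie_bounds() shows the oversize argument refused and the normal one assembled exactly. The general rule behind both fixes is that the bound passed to a copying routine must be the space remaining in the destination, computed from its size and current fill, never the destination's size alone.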

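The race-free pattern for items 2 to 4 above, again as an added example rather than Apache's code: mkstemp() in place of tmpnam() plus fopen(), and rename() in place of system("cp ..."). The /tmp working directory, the file names and the password-file contents used by the demo functions are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not Apache code: race-free replacement for the
 * tmpnam()/fopen()/system("cp ...") sequence in items 2-4 above. tmpnam()
 * only returns a name; before fopen() creates it, a local user can plant a
 * symlink of that name at the real password file, so the administrator's
 * write lands where the attacker chose. mkstemp() creates the file itself
 * (O_CREAT|O_EXCL, mode 0600) and rename() swaps it into place atomically. */

/* Open a fresh private temp file next to target (same filesystem, so
 * rename() is atomic). Fills tmpname; returns the fd or -1. */
static int open_private_temp(const char *target, char *tmpname, size_t tmpsz)
{
    const char *slash = strrchr(target, '/');
    size_t dirlen = slash ? (size_t)(slash - target + 1) : 0;

    if (dirlen + sizeof("htXXXXXX") > tmpsz)
        return -1;
    memcpy(tmpname, target, dirlen);
    strcpy(tmpname + dirlen, "htXXXXXX");
    return mkstemp(tmpname);   /* O_EXCL: a planted link makes this fail */
}

/* Replace target's contents via temp file + rename. 0 on success, -1 on error. */
static int write_file_atomically(const char *target, const char *contents)
{
    char tmpname[4096];
    size_t len = strlen(contents), off = 0;
    int fd = open_private_temp(target, tmpname, sizeof(tmpname));

    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t w = write(fd, contents + off, len - off);
        if (w <= 0)
            goto fail;
        off += (size_t)w;
    }
    close(fd);
    fd = -1;
    if (rename(tmpname, target) == 0)
        return 0;
fail:
    if (fd >= 0)
        close(fd);
    unlink(tmpname);
    return -1;
}

/* Constructed demo in a fresh /tmp directory: update a password file twice;
 * the result must be the second write with mode 0600. Returns 0 on success. */
static int demo_atomic_update(void)
{
    char dir[] = "/tmp/htdemoXXXXXX", target[256], buf[64];
    struct stat st;
    FILE *f;
    int rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof(target), "%s/.htpasswd", dir);
    if (write_file_atomically(target, "alice:oldhash\n") == 0 &&
        write_file_atomically(target, "alice:newhash\n") == 0 &&
        stat(target, &st) == 0 && (st.st_mode & 0777) == 0600 &&
        (f = fopen(target, "r")) != NULL) {
        if (fgets(buf, sizeof(buf), f) && strcmp(buf, "alice:newhash\n") == 0)
            rc = 0;
        fclose(f);
    }
    unlink(target);
    rmdir(dir);
    return rc;
}

/* Why O_EXCL matters: a symlink planted at a predictable temp name is
 * followed by fopen(name, "w") but refused by O_CREAT|O_EXCL (EEXIST).
 * Returns 1 if refused, 0 if followed, -1 on setup error. */
static int demo_excl_refuses_planted_link(void)
{
    char dir[] = "/tmp/htdemoXXXXXX", victim[256], lnk[256];
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof(victim), "%s/real_passwd", dir);
    snprintf(lnk, sizeof(lnk), "%s/predictable_tmp", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) >= 0) {
        close(fd);
        if (symlink(victim, lnk) == 0) {              /* the attacker's move */
            fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
            rc = (fd < 0 && errno == EEXIST) ? 1 : 0;
            if (fd >= 0)
                close(fd);
        }
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return rc;
}
```

demo_atomic_update() is the htpasswd/htdigest write path done safely: the temp file is created in the password file's own directory (rename() across filesystems would fail, and a cross-directory copy would reopen the race), and nothing is ever passed through a shell. demo_excl_refuses_planted_link() reproduces the attacker's side of the original bug on a name the attacker can predict and shows that an exclusive create, which is what mkstemp() performs internally, refuses the planted link instead of following it.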


[CLA-2002:531] Conectiva Linux Security Announcement - fetchmail

2002-10-16 Thread secure

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : fetchmail
SUMMARY   : Multidrop mode vulnerabilities
DATE  : 2002-10-16 13:05:00
ID: CLA-2002:531
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -

DESCRIPTION
 Fetchmail is a popular mail retrieval and forwarding utility.
 
 Stefan Esser discovered[1] two vulnerabilities in fetchmail functions
 responsible for parsing message headers. These vulnerabilities are
 present in unpatched versions of fetchmail prior to 6.1.0 and can be
 exploited only if it is running in "multidrop" mode.
 
 The first one is a broken boundary check, which can be exploited by a
 remote attacker who is able to send a specially crafted DNS packet to
 the victim. This attack can crash fetchmail, thus causing a Denial of
 Service (DoS).
 
 The second one is a buffer overflow. A remote attacker can exploit it
 by sending a message with a specially crafted 'Received:' header
 inside it. By exploiting this the attacker can execute arbitrary code
 with the privileges of the user running fetchmail.


SOLUTION
 All fetchmail users should upgrade.
 
 IMPORTANT: if fetchmail is running as a daemon, it will have to be
 restarted in order to run the new version.
 
 
 REFERENCES:
 1.http://security.e-matters.de/advisories/032002.html


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-5.9.12-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmailconf-5.9.12-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-doc-5.9.12-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/fetchmail-5.9.12-1U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-5.9.12-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmailconf-5.9.12-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-doc-5.9.12-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/fetchmail-5.9.12-1U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-5.9.12-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmailconf-5.9.12-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-doc-5.9.12-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/fetchmail-5.9.12-1U80_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9rYBU42jd0JmAcZARAgfrAJ92iPXP2azx+np0zZNKjGgMnOy1XwCfTmy2
UW3BcaWlPVdObb1Wsyswg/Y=
=pyoh
-END PGP SIGNATURE-




[CLA-2002:533] Conectiva Linux Security Announcement - XFree86

2002-10-16 Thread secure

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : XFree86
SUMMARY   : Several vulnerabilities
DATE  : 2002-10-16 19:55:00
ID: CLA-2002:533
RELEVANT
RELEASES  : 6.0, 7.0

- -

DESCRIPTION
 XFree86 is a freely redistributable open-source implementation of the
 X Window System, which is a client/server interface between display
 hardware and the desktop environment.
 
 This advisory addresses several vulnerabilities[1] in XFree86-4.0.1
 in Conectiva Linux 6.0 and XFree86-4.0.3 in Conectiva Linux 7.0.
 Conectiva Linux 8 was previously updated[2] and already contains
 these fixes.
 
 It also fixes several vulnerabilities present in XFree86 version
 3.3.6a, which was distributed for compatibility reasons with
 Conectiva Linux 6.0 and 7.0.
 
 
 - MIT-SHM extension vulnerability
 
 Roberto Zunino discovered a vulnerability in the MIT-SHM extension of
 XFree86 prior to version 4.2.1. The vulnerability allows a local
 user who can run XFree86 to gain read/write access to any shared
 memory segment in the system. Although the use of shared memory
 segments to store trusted data is not a common practice, by exploiting
 this vulnerability the attacker potentially can get and/or change
 sensitive information.
 
 
 - Buffer overflow in glyph clipping for large origin.
 
 A buffer overflow vulnerability[3] was found in the glyph code when
 clipping large origins. A remote attacker could exploit this
 vulnerability to cause a denial of service and possibly run arbitrary
 code by, for example, using a large number of characters through web
 page search forms of some web browsers.
 
 The Common Vulnerabilities and Exposures project (cve.mitre.org) has
 assigned the name CAN-2001-0955 to this issue[4].
 
 
 Additional fixes from the XFree86 CVS tree are listed below and have
 also been applied to this update.
 
 
 - Check for negative reply length/overflow in _XAsyncReply().
 
 Mike A. Harris sent[5] a patch to the XFree86 3.3 source tree to fix
 an overflow vulnerability. The vulnerability is also present in
 XFree86 4.x versions, and the patch was adapted to fix it.
 
 
 - XDM restrictions bypassed by non existent directory
 
 If the xdm auth directory did not exist, any user could connect to
 the Xserver using xdm. This was reported by Galen Hancock and the fix
 was made[6] by setting the authComplain variable to true as default.
 This is the expected behavior and is specified in the manual page of
 the xdm configuration.
 
 
 - Authentication issues with mmap() on drm devices
 
 Jeff Hartmann sent a fix[7] for a vulnerability in the way the mmap()
 system call was being used on DRM devices.
 
 
 - Kernel security hole in Linux int10 module
 
 Marc La France committed[8] to the XFree86 CVS tree a fix for a
 vulnerability in the Linux int10 module.
 
 
 XFree86 3.3.6 compatibility packages are being upgraded with the
 latest branch patches available. The changelog[9] entries from the
 XFree86 source related to security fixes since our last update are
 below:
 
 - Avoid DoS attacks on xdm (Keith Packard).
 - Check for negative reply length/overflow in _XAsyncReply (Xlib)
   (#4601, Mike Harris).
 - Fix possible buffer overflow (NOT on stack) in xdm xdmcp code
   (patch69 from Red Hat SRPMS).
 - Pull in fixes from 4.0.2 for the following problems:
   . XlibInt buffer overflow
   . libICE denial of service
   . XOpenDisplay buffer overflow (#4450, Branden Robinson)
 - Fix temp file problem in Imake.rules, InstallManPageAliases
   (Matthieu Herrb)
 - Pull in fixes from the main branch:
   . xfs DoS (Paulo Cesar Pereira de Andrade and Keith Packard),
   . _XAsyncReply() Xlib stack corruption,
   . Xaw temp file handling (Branden Robinson).
 - Safe tempfile handling for imake's probing of glibc version (based
   on #4257, Colin Phipps).
 - Fix a 1-byte overflow in Xtrans.c (#4182, Aaron Campbell).
 - Back port fix for http://www.securityfocus.com/archive/1/139436
   from 4.0 (#4181, Matthieu Herrb).


SOLUTION
 All XFree86 users are advised to upgrade.
 
 
 REFERENCES:
 1.http://www.xfree86.org/security/
 2.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000529&idioma=en
 3.http://marc.theaimsgroup.com/?l=vuln-dev&m=100118958310463&w=2
 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0955
 5.http://www.xfree86.org/devel/archives/patch/2001-Apr/0069.shtml
 6.http://www.xfree86.org/pipermail/cvs-commit/2001-October/003140.html
 7.http://www.xfree86.org/pipermail/cvs-commit/2001-May/002350.html
 8.http://www.xfree86.org/pipermail/cvs-commit/2001-March/001633.html
 
9.http://cvsweb.xfree86.org/cvsweb/~checkout~/xc/programs/Xserver/hw/xfree86/CHANGELOG?rev=3.390.2.341


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.c

[SECURITY] [DSA 176-1] New gv packages fix buffer overflow

2002-10-16 Thread Martin Schulze

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 176-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 16th, 2002  http://www.debian.org/security/faq
- --

Package: gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2002-0838
BugTraq ID : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  This problem is triggered by scanning the PostScript
file and can be exploited by an attacker sending a malformed
PostScript or PDF file.  The attacker is able to cause arbitrary code
to be run with the privileges of the victim.

This problem has been fixed in version 3.5.8-26.1 for the current
stable distribution (woody), in version 3.5.8-17.1 for the old stable
distribution (potato) and version 3.5.8-27 for the unstable
distribution (sid).

We recommend that you upgrade your gv package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1.dsc
  Size/MD5 checksum:  555 3aa3cb663f578cbf02c09f370951a814
http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1.diff.gz
  Size/MD5 checksum:29382 2e9e7149b69bf36a80632c8b695b6495
http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8.orig.tar.gz
  Size/MD5 checksum:   369609 8f2f0bd97395d6cea52926ddee736da8

  Alpha architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_alpha.deb
  Size/MD5 checksum:   278646 b12dd5fef60ff840b3921a511eb28c74

  ARM architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_arm.deb
  Size/MD5 checksum:   238918 52892bea304128845836b4c9976d39a3

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_i386.deb
  Size/MD5 checksum:   226416 4f44d7df45cec7b132c1c7c9a6ba84ea

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_m68k.deb
  Size/MD5 checksum:   217712 2decb437f1a28beac92edb63f3d31444

  PowerPC architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_powerpc.deb
  Size/MD5 checksum:   244382 cb3bd27b214e391ada83ce0593e16715

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_sparc.deb
  Size/MD5 checksum:   237878 ba1bdf19f68f62d36c8f58c015867287


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1.dsc
  Size/MD5 checksum:  559 e7a2b5dfb91d7217d1b171b24682ea41
http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1.diff.gz
  Size/MD5 checksum:18453 f9910a58912e1a6fbaef33ff4fe27b94
http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8.orig.tar.gz
  Size/MD5 checksum:   369609 8f2f0bd97395d6cea52926ddee736da8

  Alpha architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_alpha.deb
  Size/MD5 checksum:   273262 6cb8adebf56cc25ef43d1358636dc9ca

  ARM architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_arm.deb
  Size/MD5 checksum:   243382 2707a8a87e133a45cc2a98dd223e7c8f

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_i386.deb
  Size/MD5 checksum:   226106 304f32b84e649761a26c9dc5c1fd

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_ia64.deb
  Size/MD5 checksum:   313888 522c58c4d2fecb99424533c4980d1409

  HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_hppa.deb
  Size/MD5 checksum:   252054 aa50a00ebb6d5c304ec94bbf1e65a2c9

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_m68k.deb
  Size/MD5 checksum:   216922 d11c3c10e70fb1593ce15c2b6c3863be

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_mips.deb
  Size/MD5 checksum:   252064 6b944b4c04f4488ea380063bdf3324ad

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_mipsel.deb
  Size/MD5 checksum:   250914 87afe

phptonuke allows Remote File Retrieving

2002-10-16 Thread Zero-X ScriptKiddy

The file "phptonuke.php" from myphpnuke allows Remote File Retrieving.

Exploit Example:
http://website.com/phptonuke.php?filnavn=/etc/passwd


Zero X, member of www.Lobnan.de



RE: Who Need Friends ? IE & MSN expose contact list & other info

2002-10-16 Thread Thor Larholm

This is not a vulnerability or even privacy exposure in MSN, but just a
demonstration of zone spoofing by using the %2F encoding bug.

All the exposed MSN contact list and information is intentionally, and
safely, exposed in the My Computer zone.


Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 15. oktober 2002 15:05
To: [EMAIL PROTECTED]
Subject: Who Need Friends ? IE & MSN expose contact list & other info




Designing Shellcode Demystified

2002-10-16 Thread Murat Balaban


Hi, 

Here is a paper about shellcode design fundamentals. Available 
both in English and Turkish:


http://www.enderunix.org/docs/en/sc-en.txt  [English]
http://www.enderunix.org/docs/sc-tr.txt [Turkish]


-- 

Murat Balaban
http://www.enderunix.org/



X Windows zlib/MIT-SHM/huge font DoS vulnerabilities

2002-10-16 Thread SGI Security Coordinator

-BEGIN PGP SIGNED MESSAGE-


__
  SGI Security Advisory

Title:   X Windows zlib/MIT-SHM/huge font DoS vulnerabilities
Number:  20021001-01-P
  Date:  October 15, 2002
References:  CVE CAN-2002-164
References:  CVE CVE-2002-0059
References:  CERT CA-2002-07

__

- ---
- --- Issue Specifics ---
- ---

This bulletin covers several graphics-related security issues:

  o  It's been reported that the zlib libraries that ship with x_eoe
 have a "double free" vulnerability.

 See: http://www.kb.cert.org/vuls/id/368819

  o  It's been reported that the IRIX X server has security vulnerabilities.

 1) Under certain conditions, Mozilla can cause the X server to crash.

 See:  http://web.lemuria.org/security/mozilla-dos.html for details.

 2) There is a vulnerability in the MIT-SHM code that can allow a local
user to read or write to any SHM segment.

 See: http://www.linuxsecurity.com/advisories/caldera_advisory-2006.html


SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in future releases of IRIX and with patches.


- --
- --- Impact ---
- --

The X server (/usr/bin/X11/Xsgi) is installed by default on IRIX 6.5 systems
as part of x_eoe.sw.Server.

To determine the version of IRIX you are running, execute the following
command:

  # uname -R

That will return a result similar to the following:

  # 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

Exploitation of these vulnerabilities can result in a root compromise or a
Denial of Service attack.  A local account is required to exploit these
vulnerabilities.

- 
- --- Temporary Workaround ---
- 

There is no good workaround available for these problems if running in
graphical mode is desired.  SGI recommends either upgrading to IRIX 6.5.18
when it is released, or installing the appropriate patch from the listing
below.

If running in graphical mode is not needed, you can execute the command
"/usr/gfx/stopgfx" and it will turn the windowsystem configuration flag off,
kill the X server, and keep it from being restarted on next boot.


- 
- --- Solution ---
- 

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.18 when available, or install the
appropriate patch.

   OS Version     Vulnerable?   Patch #   Other Actions
   ----------     -----------   -------   -------------
   IRIX 3.x       unknown                 Note 1
   IRIX 4.x       unknown                 Note 1
   IRIX 5.x       unknown                 Note 1
   IRIX 6.0.x     unknown                 Note 1
   IRIX 6.1       unknown                 Note 1
   IRIX 6.2       unknown                 Note 1
   IRIX 6.3       unknown                 Note 1
   IRIX 6.4       unknown                 Note 1
   IRIX 6.5       yes                     Notes 2 & 3
   IRIX 6.5.1     yes                     Notes 2 & 3
   IRIX 6.5.2     yes                     Notes 2 & 3
   IRIX 6.5.3     yes                     Notes 2 & 3
   IRIX 6.5.4     yes                     Notes 2 & 3
   IRIX 6.5.5     yes                     Notes 2 & 3
   IRIX 6.5.6     yes                     Notes 2 & 3
   IRIX 6.5.7     yes                     Notes 2 & 3
   IRIX 6.5.8     yes                     Notes 2 & 3
   IRIX 6.5.9     yes                     Notes 2 & 3
   IRIX 6.5.10    yes                     Notes 2 & 3
   IRIX 6.5.11    yes                     Notes 2 & 3
   IRIX 6.5.12    yes                     Notes 2 & 3
   IRIX 6.5.13m   yes           4709
   IRIX 6.5.13f   yes           4710
   IRIX 6.5.14m   yes           4648
   IRIX 6.5.14f   yes           4649
   IRIX 6.5.15m   yes           4648
   IRIX 6.5.15f   yes           4649
   IRIX 6.5.16m   yes           4663
   IRIX 6.5.16f   yes           4664
   IRIX 6.5.17m   yes           4757
   IRIX 6.5.17f   yes           4758


   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.  See
http://support.sgi.com/irix/news/index.html#policy for more
information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://

Cisco Security Advisory: Cisco CatOS Embedded HTTP Server Buffer Overflow

2002-10-16 Thread Cisco Systems Product Security Incident Response Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco CatOS Embedded HTTP Server Buffer Overflow

Revision 1.0 FINAL
==

For Public Release 2002 October 16 17:00 (UTC)

- --

Please provide your feedback on this document.

- --

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Security Procedures

- --

Summary
===

Cisco Catalyst switches running specific versions of Cisco CatOS software are
vulnerable to a buffer overflow in an embedded HTTP server. Only CatOS versions
from 5.4 up to and including 7.3 which contain a "cv" in the image name are
affected. If the HTTP server is enabled a buffer overflow can be remotely
exploited which will cause the switch to fail and reload. The vulnerability can
be exploited repeatedly and result in a denial of service.

Workarounds are available that limit the ability to exploit the vulnerability.
This advisory will be published at 
http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml.

Affected Products
=

This vulnerability is only present in Cisco Catalyst switches running Cisco
CatOS software versions 5.4 through 7.3 that contain an embedded HTTP server to
support CiscoView network management software. The affected software images
contain "cv" in the image name as seen here: cat6000-supcv.5-5-16.bin.

Details
===


If the HTTP server is enabled on a Cisco Catalyst switch running an affected
CiscoView image, an overly long HTTP query can be received by the embedded HTTP
server that will cause a buffer overflow and result in a software reset of the
switch. Once the switch has recovered and has resumed normal processing it is
vulnerable again. It remains vulnerable until the HTTP server is disabled, HTTP
queries to the switch management port are blocked, or the switch's software has
been upgraded to a fixed version.


The HTTP server is disabled by default. It is typically enabled to allow web
based management of the switch using CiscoView. Only a small subset of CatOS
images contain this embedded HTTP server.


This vulnerability is documented as DDTS:
CSCdy26428 - CatOS crash with web server enabled in http_get_token.

Impact
==

The exploitation of this issue can result in a software forced reset of this
device. Repeated exploitation may lead to a denial of service until the
workaround for this vulnerability has been implemented or a fixed version of
software has been loaded onto the device.

Software Versions and Fixes
===

All versions of CatOS software with the embedded HTTP server are vulnerable
prior to the fixed versions listed below. Each row of the table describes a
release train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible releases that
contain the fix and the anticipated date of availability for each are listed in
the Rebuild, Interim, and Maintenance columns. A device running any release in
the given train that is earlier than the release in a specific column (less
than the earliest fixed release) is known to be vulnerable, and it should be
upgraded at least to the indicated release or a later version (greater than the
earliest fixed release label).

When selecting a release, keep in mind the following definitions:

Maintenance
===

Most heavily tested and highly recommended release of any label in a given
row of the table.

Interim
===

Built at regular intervals between maintenance releases and receives less
testing. Interims should be selected only if there is no other suitable
release that addresses the vulnerability, and interim images should be
upgraded to the next available maintenance release as soon as possible.
Interim releases are not available via manufacturing, and usually they are
not available for customer download from CCO without prior arrangement with
the Cisco Technical Assistance Center (TAC).
   

+-----------+----------------+----------------+
|  Release  |    Interim     |  Maintenance   |
|-----------+----------------+----------------|
| 5.x       | 5.5(16.2)      | 5.5(17)        |
|-----------+----------------+----------------|
| 6.x       | 6.3(8.3)       | 6.3(9)         |
|-----------+----------------+----------------|
| 7.3       | not yet fixed  | not yet fixed  |
|-----------+----------------+----------------|
| 7.4       | 7.4(0.63)      | 7.4(1)         |
+-----------+----------------+----------------+

Obtaining F

Linux Security Protection System

2002-10-16 Thread Bosko Radivojevic

LinSec team is proud to announce the first stable release of LinSec.

LinSec, as the name says, is Linux Security Protection System. The main aim
of LinSec is to introduce Mandatory Access Control (MAC) mechanism into
Linux (as opposed to existing Discretionary Access Control mechanism).
LinSec model is based on:

* Capabilities
* Filesystem Access Domains
* IP Labeling Lists
* Socket Access Control

As for Capabilities, LinSec heavily extends the Linux native capability
model to allow fine grained delegation of individual capabilities to both
users and programs on the system. No more almighty root!

The Filesystem Access Domain subsystem allows restriction of accessible
filesystem parts for both individual users and programs. Now you can
restrict a user's activities to only their home, mailbox etc. Filesystem Access
Domains work on device, dir and individual file granularity.

IP Labeling lists enable restriction on allowed network connections on a per
program basis. From now on, you may configure your policy so that no one
except your favorite MTA can connect to remote port 25.

Socket Access Control model enables fine grained socket access control by
associating, with each socket, a set of capabilities required for a local
process to connect to the socket.

LinSec consists of two parts: kernel patch (currently for 2.4.18) and
userspace tools.

Detailed documentation, download & mailing list information -
http://www.linsec.org




Re: CoolForum v 0.5 beta shows content of PHP files

2002-10-16 Thread David Woods

If the webserver is not chrooted or otherwise protected from escaping a directory, all
files on the system will be potentially readable by an attacker (providing the user
the webserver runs as has read permissions).

i.e.
http://avatar.php?img=../../../../../etc/passwd

David Woods
Solidhouse
http://www.solidhouse.com

On Sat, 12 Oct 2002 15:29:48 +0200
scrap <[EMAIL PROTECTED]> wrote:

> CoolForum v 0.5 beta shows content of PHP files
> The original document can be found at
> http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
> 
> 
> .oO  Overview Oo.
> CoolForum v 0.5 beta shows PHP content files
> Discovered on 2002, September, 16th
> Vendor: http://www.coolforum.net
> 
> CoolForum v 0.5 is a PHP forum. This forum can show content of PHP files.
> 
> 
> .oO  Details Oo.
> This forum contains a file named "avatar.php". This file can show an
> image stored in the "logos" directory. Here is the source file of avatar.php :
> 
> <?php
> // $img is taken unvalidated from the query string (?img=...) and pasted
> // straight into the path; this is the flaw described below.
> if (ereg(".jpg",$img))
>     header("Content-Type: image/jpeg");
> else if (ereg(".gif",$img))
>     header("Content-Type: image/gif");
> header('Expires: 0');
> 
> $fichier="logos/$img";
> 
> $fp=fopen($fichier,"r");
> $image=fread($fp,filesize($fichier));
> fclose($fp);
> 
> echo($image);
> ?>
> 
> What does this file do? It's simple: it takes the name of the file as argument,
> reads it fully, and sends the content back to your browser.
> The security flaw is that *any* file, in or *out* of the logos directory, can be
> shown, bypassing *any* protected directories...
> 
> 
> .oO  Exploit Oo.
> The exploit is really easy. The aim is to read the "connect.php" file in the
> "secret" directory. "connect.php" contains the information about the
> database connection and the "secret" directory is protected by a .htaccess file.
> You can do the exploit with any browser by using this syntax:
> http://avatar.php?img=../secret/connect.php
> Of course, replace  by the vulnerable server.
> You will get a blank page. If you edit the source of this web page, you'll
> get the jackpot...
> 
> 
> .oO  Solution Oo.
> The vendor has been informed and has solved the problem.
> Download CoolForum 0.5.1 or newer at :
> http://www.coolforum.net/index.php?p=dlcoolforum
> 
> 
> 
> .oO  Discovered by Oo.
> Arnaud Jacques aka scrap
> [EMAIL PROTECTED]
> http://www.securiteinfo.com
> 
> 
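
The phptonuke report earlier in this digest (filnavn=/etc/passwd) and the avatar.php quoted in this thread share one defect: a file name taken from the query string is glued onto a directory prefix and opened, so "../" walks out of the intended directory. The following is an added example, not code from CoolForum, myphpnuke or the posters, showing how such an image-serving endpoint can be written so the supplied name cannot leave its directory. It assumes the images live in a logos/ directory beside the script and that the request arrives as ?img=<name>; the function names resolveAvatar and serveAvatar are mine.

```php
<?php
// Added example, not CoolForum's code: a hardened replacement for the
// avatar.php quoted above. Assumptions (mine, not from the advisory):
// avatars live in ./logos next to this script; the request is ?img=<name>.

declare(strict_types=1);

const LOGOS_DIR = __DIR__ . '/logos';

// Only these extensions are served, each with a fixed content type.
// The original matched ".jpg" anywhere in the name with ereg(), so a name
// like "x.jpg/../../etc/passwd" would have passed; here the extension must
// be the real suffix of the file name.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Resolve a user-supplied avatar name to an absolute path inside LOGOS_DIR.
 * Returns null if the name is empty, contains a path separator or NUL byte,
 * has an extension that is not allowed, or does not resolve to a regular
 * file strictly below LOGOS_DIR (symlinks included: realpath() follows them).
 */
function resolveAvatar(string $img): ?string
{
    // A valid avatar name is a bare file name, so basename() must be a no-op.
    // This alone rejects "../secret/connect.php" and "/etc/passwd".
    if ($img === '' || $img !== basename($img) || strpos($img, "\0") !== false) {
        return null;
    }

    $ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // Canonicalise both the directory and the candidate, then require the
    // candidate to sit below the directory. This catches anything the
    // basename() check missed, e.g. a symlink planted inside logos/.
    $base = realpath(LOGOS_DIR);
    $path = realpath(LOGOS_DIR . DIRECTORY_SEPARATOR . $img);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Send the avatar, or a plain 404 that does not reveal why the name failed. */
function serveAvatar(?string $img): void
{
    $path = ($img === null) ? null : resolveAvatar($img);
    if ($path === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "Not found\n";
        return;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('Expires: 0');
    readfile($path);
}

// Unlike the original, which used a bare $img populated from the request,
// the parameter is read explicitly and must be a string.
serveAvatar(isset($_GET['img']) && is_string($_GET['img']) ? $_GET['img'] : null);
```

Two layers are deliberate: the basename() comparison rejects traversal before any filesystem access, and the realpath() prefix check is what the filesystem actually sees, so it also covers symlinks or a misconfigured LOGOS_DIR. Either check alone is weaker than the pair. The same pattern applies to the phptonuke filnavn parameter: resolve against a fixed directory and refuse anything whose canonical path is not under it.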



NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability

2002-10-16 Thread Abraham Lincoln

NSSI Technologies Inc Research Labs Security Advisory 

http://www.nssolution.com (Philippines / .ph) 

"Maximum e-security" 

http://nssilabs.nssolution.com

ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: [EMAIL PROTECTED] / [EMAIL PROTECTED]

Advisory Code: NSSI-2002-zonealarm3 

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional 
/ WinNT 4.0 workstation 

Vendor Status:  Zone Labs was contacted 1 month ago and informed me that
they are going to release an update or new version to patch the problem. This
vulnerability is confirmed by the vendor.

Vendors website: http://www.zonelabs.com

Severity: High

Overview:

 New ZoneAlarm® Pro delivers twice the security—Zone Labs’ award-winning, personal 
firewall trusted by millions, plus advanced privacy features. the award-winning PC 
firewall that blocks intrusion attempts and protects against Internet-borne threats 
like worms, Trojan horses, and spyware.   

 ZoneAlarm Pro 3.1 and 3.0  doubles your protection with enhanced Ad Blocking and 
expanded Cookie Control to speed up your Internet experience and stop Web site spying. 
Get protected. Compatible with Microsoft® Windows® 98/Me/NT/2000 and XP.

ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that would let an attacker
consume all your CPU and memory, resulting in a Denial of Service attack,
by sending multiple SYN packets (SYN flooding).

Details:

Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that would let
an attacker consume all your CPU and memory, resulting in a Denial of
Service attack through SYN flooding that causes the machine to stop
responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 are also vulnerable to IP
spoofing. These vulnerabilities are confirmed by the vendor.

Test diagram:

   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch]===> [Host with
ZoneAlarm]

 1] Tested under a default install of the 2 versions: after sending a minimum of 300 SYN
packets to ports 1-1024, the machine will hang until the attack is stopped.

 2] We configured the ZoneAlarm firewall in both versions to the BLOCK ALL traffic
setting: after sending a minimum of 300 SYN packets to ports 1-1024, the machine will
hang until the attack is stopped.

Workaround:

Disable ZoneAlarm, harden the TCP/IP stack of your Windows system and install the
latest security patch.

Note: if you have problems reproducing the vulnerability, let me know :)

Any Questions? Suggestions? or Comments? let us know. 

e-mail: [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]

 

greetings:
   nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of NSSI 
good luck!. ([EMAIL PROTECTED] / [EMAIL PROTECTED]),  Lawless the saint ;), dig0, 
p1x3l, dc and most of all to my Lorie.  




iDEFENSE Security Advisory 10.16.02: Denial of Service in Sabre Desktop Reservation Client for Windows

2002-10-16 Thread David Endler

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

iDEFENSE Security Advisory 10.16.02:
http://www.idefense.com/advisory/10.16.02.txt
Denial of Service in Sabre Desktop Reservation Client for Windows
October 16, 2002

I. BACKGROUND

Sabre Inc.’s Desktop Reservation Software for Windows is a legacy
travel agency program that has since been replaced by Sabre eVoya
software. However, several travel agencies and major airline travel
call centers still use this software.

II. DESCRIPTION

Sabre Desktop Reservation Software for Windows has a component called
Sabserv (listening on TCP port 1001) that connects the client
application to the communication components and eventually to the
local Sabre gateway at the local site. If Sabserv is sent arbitrary
data on TCP port 1001 that it does not understand, it will stop
functioning within one minute, usually. The client application will
no longer have access to Sabre or the gateway. The gateway
application is unaffected by this vulnerability and all other users
on the local system will continue to have connectivity.

III. ANALYSIS

Local exploitation at an airline call center or travel agency could
potentially slow or halt production. Under heavy load, the client
will lock up, thereby forcing a reboot. This causes a loss of
productivity, particularly in a high-volume call center. Automated
ticketing systems running this client can be crashed as well. Since
some companies using this software may not regularly monitor such
events, they could miss ticketing deadlines, thereby having to pay
out of pocket for ticket price changes or penalties.

IV. DETECTION

This issue was tested on Sabre Desktop Reservation Software for
Windows 4.2, 4.3, and 4.4 on Windows 95 and 98SE, with all the latest
patches installed.

V. RECOVERY

Restarting the application should restore normal functionality.

VI. VENDOR FIX/RESPONSE

Sabre responded with the following statement:

"Sabserv will be updated to ignore data it does not understand as
part of the next maintenance upgrade to Sabre Desktop Reservation
Software for Windows. This will prevent the denial of service
condition within the client application when arbitrary data is sent
to port 1001."

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1191 to this issue.

VIII. DISCLOSURE TIMELINE

07/26/2002  Issue disclosed to iDEFENSE
08/26/2002  Disclosed to vendor via e-mail to [EMAIL PROTECTED]
08/26/2002  Disclosed to iDEFENSE clients
09/03/2002  Second attempt at e-mail contact
09/15/2002  Call to Sabre technical support rep N2H, referred to
customer support representative
09/20/2002  Fourth attempt at contact ([EMAIL PROTECTED])
09/23/2002  Response received from Leslie Price
09/23/2002  Response received from Jeff Harmon ([EMAIL PROTECTED])
10/10/2002  Coordinated public disclosure

IX. CREDIT

Altomo ([EMAIL PROTECTED]) is credited with discovering this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [EMAIL PROTECTED], subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence and
decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

[EMAIL PROTECTED]
www.idefense.com


-BEGIN PGP SIGNATURE-
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPa1yXUrdNYRLCswqEQITlwCfV3Ap77m8vUPKTYO1Yli3P2s+VTgAoOHK
J4ZiqHNEVt6Hsaz2SPlvCfFV
=8mlZ
-END PGP SIGNATURE-