eSecurityOnline Security Advisories notes

2002-04-30 Thread researchteam5


Hello,

To help clear up any confusion about the Discovery Dates associated 
with the group of advisories that we are publishing today, I should
explain the situation.

We are publishing our advisories in groups after each group is approved
internally.  With the exception of the Microsoft issues, none of the 
vulnerabilities have been posted or discussed in public forums or lists.

The discovery date that we list in the advisories refers to the date on
which we discovered the advisory, rather than the date that we made the
information public.  Since none of these vulnerabilities (except for the 
Solaris CACHEFSD) have been actively exploited / seen in the wild, we have
been patient in working with and waiting for vendors to complete
vulnerability validation, and for patches to be developed and posted to
vendor sites.

We plan to publish more advisories in the near future, and hopefully in a
much more timely fashion.

Regards,
Ken Williams
eSecurityOnline Research and Development Team

Ken Williams ; CISSP ; Technical Lead ; [EMAIL PROTECTED] 
eSecurityOnline - an eSecurity Venture of Ernst & Young
[EMAIL PROTECTED] ; www.esecurityonline.com ; 1-877-eSecurity 



eSecurityOnline Security Advisory 2397 - Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities

2002-04-29 Thread researchteam5


eSO Security Advisory:  2397  
Discovery Date: March 28, 2000 
ID: eSO:2397
Title:  Sun Solaris admintool -d and PRODVERS buffer
overflow vulnerabilities 
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
Vendor Status:  Patches are available
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
CVE Reference:  CAN-2002-0089 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2397.asp 

Description:
The Sun Solaris admintool utility is vulnerable to multiple buffer
overflow conditions that allow a local attacker to gain root access.
The problems are due to insufficient bounds checking on command line
options and on a configuration file variable. An attacker can use a 
carefully constructed string with the -d command line option or with
the PRODVERS .cdtoc file variable to gain root privileges.

The first buffer overflow is related to command line execution of
admintool with the -d switch, when a long string is used with 
/Solaris present.

The second buffer overflow occurs due to a lack of bounds checking 
for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used
to specify variables for installation media. Through the
software/edit/add feature, a local directory can be specified that
contains a .cdtoc file. The file can contain a string of data for
the PRODVERS variable that will cause the program to crash or execute
code when processed.  

Technical Recommendation:
Apply the following patches.

Solaris 2.5: 
103247-16

Solaris 2.5_x86:
103245-16

Solaris 2.5.1:
103558-16

Solaris 2.5.1_x86: 
103559-16

Solaris 2.6: 
105800-07

Solaris 2.6_x86: 
105801-07

Solaris 7: 
108721-02

Solaris 7_x86: 
108722-02

Solaris 8: 
110453-01

Solaris 8_x86:
110454-01

As a workaround solution, remove the setuid permissions with the following:
chmod -s /usr/bin/admintool  

Vendor site:
http://sunsolve.sun.com  

Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun security
team for their cooperation in resolving the issue.  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY 
ESECURITYONLINE LLC AS IS, WHERE IS, WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF 
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.



eSecurityOnline Security Advisory 2408 - CIDER SHADOW CGI

2002-04-29 Thread researchteam5


eSO Security Advisory:  2408  
Discovery Date: April 3, 2000 
ID: eSO:2408
Title:  CIDER SHADOW CGI arbitrary command execution
vulnerabilities 
Impact: Remote attackers can execute commands with the
privileges of the running web server process
Affected Technology: CIDER SHADOW 1.5, 1.6
Vendor Status:  Vendor informed
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
CVE Reference:  CAN-2002-0091 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2408.asp 

Description:
The CIDER Project's SHADOW intrusion detection utility is vulnerable to
CGI implementation flaws that allow a remote attacker to run arbitrary
commands on the analyzer. The problem occurs due to insufficient
character verification of sent variables. For multiple CGI scripts, an
attacker can send a specially crafted URL and execute commands with
the privileges of the running server.  

Technical Recommendation:
By design, the analyzer web interface should only be reachable through
an internal network and with password authentication. Since the
possibility remains that an attacker can reach the analyzer, disable
network access to the web interface and only view the web pages
locally.  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  

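The flaw class this advisory describes (a CGI variable reaching a shell without character verification) in working form, as an added illustration that is not SHADOW's own code. The variable name, the command being built, and the query-string values are assumptions made for the example; the vulnerable function and the hardened function sit side by side so the difference is visible when run.

```sh
#!/bin/sh
# Added illustration of the bug class in eSO:2408, not SHADOW's code:
# a CGI variable reaches a shell without character checks, so URL
# metacharacters become command separators. The variable name and the
# command being built are assumptions for the example.

# Constructed values as a CGI sees them after URL-decoding. The second is
# what an attacker would put in the query string; a harmless marker
# command stands in for the real payload.
GOOD_DATE='2002-04-29'
EVIL_DATE='2002-04-29;echo INJECTED'

# Vulnerable pattern: the value is spliced into text that a shell re-parses.
# (Perl's system("cmd $v") and backticks behave the same way.)
vulnerable_listing() {
    eval "echo listing for $1"        # stands in for: ls $LOGDIR/$1
}

# Hardened pattern, step 1: an explicit allow-list of characters. Anything
# else, an empty value, or a leading dot (blocks "..") is rejected before
# the value is used anywhere.
is_safe_value() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        .*)                 return 1 ;;
        *)                  return 0 ;;
    esac
}

# Step 2: no eval and no string-built command; the value is one quoted
# argument, so even a value that slipped past the check cannot be parsed
# as shell syntax.
safe_listing() {
    is_safe_value "$1" || { echo "rejected: bad characters in value" >&2; return 1; }
    echo "listing for $1"             # stands in for: ls -- "$LOGDIR/$1"
}

# Stand-alone demonstration.
echo "--- vulnerable ---"
vulnerable_listing "$EVIL_DATE"       # prints the listing line, then INJECTED
echo "--- hardened ---"
safe_listing "$GOOD_DATE"
safe_listing "$EVIL_DATE" || true
```

The allow-list is the part that matters: a deny-list of "dangerous" characters is the approach that historically missed cases such as newline or backtick, whereas an allow-list only ever admits what the application actually needs.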



eSecurityOnline Security Advisory 4197 - Sun Solaris cachefsd denial of service vulnerability

2002-04-29 Thread researchteam5


eSO Security Advisory:  4197  
Discovery Date: October 29, 2001 
ID: eSO:4197 
Title:  Sun Solaris cachefsd denial of service
vulnerability 
Impact: Remote attackers can cause a denial of service
condition 
Affected Technology: Solaris 2.6, 7, 8 SPARC and x86
Vendor Status:  Vendor notified 
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
Technical Contributor:  Richard Johnson of the eSecurityOnline
Research and Development Team 
CVE Reference:  CAN-2002-0085 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO4197.asp 

Description:
Sun Solaris cachefsd is vulnerable to a flaw that allows remote 
attackers to cause a denial of service condition. The problem is due
to the way the program handles RPC requests that contain an invalid
procedure call. An attacker can send a call that will cause cachefsd
to crash.  

Technical Recommendation:
As a workaround solution, ensure RPC services are blocked at the 
firewall. Otherwise, disable cachefsd.

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  




eSecurityOnline Security Advisory 4198 - Sun Solaris cachefsd mount file buffer overflow vulnerability

2002-04-29 Thread researchteam5


eSO Security Advisory:  4198  
Discovery Date: October 29, 2001 
ID: eSO:4198 
Title:  Sun Solaris cachefsd mount file buffer
overflow vulnerability 
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.6, 7, 8 SPARC and x86
Vendor Status:  Vendor notified 
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
Technical Contributor:  Richard Johnson of the eSecurityOnline
Research and Development Team 
CVE Reference:  CAN-2002-0084 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO4198.asp 

Description:
Sun Solaris cachefsd is vulnerable to a flaw that can allow attackers
to execute arbitrary code. The problem is due to insufficient bounds
checking on mounts that are supplied by a user. An attacker can create
a file and have cachefsd process it to gain root privileges.  

Technical Recommendation:
As a workaround solution, ensure RPC services are blocked at the 
firewall. Otherwise, disable cachefsd.  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  

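A helper for the workaround shared by the two cachefsd advisories above (eSO:4197 and eSO:4198), added here as an example; it is not Sun's or eSecurityOnline's code. It answers the two questions the recommendation raises: is cachefsd reachable, judged from what `rpcinfo -p` shows, and has it been disabled in inetd.conf. The RPC program number 100235 (cachefsd's entry in /etc/rpc) and the shape of the inetd.conf line are assumptions of the example; the sample outputs are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added helper for eSO:4197 and eSO:4198; not Sun's or eSecurityOnline's
# code. Assumptions: cachefsd's RPC program number is 100235 (its /etc/rpc
# entry) and it is started from inetd.conf by a line beginning "100235/1".

CACHEFSD_PROG=100235

# Constructed `rpcinfo -p host` output, as an attacker probing from outside
# the firewall would see it (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100235    1   tcp  32771  cachefsd
    100235    1   udp  32771  cachefsd
    100005    1   udp  32772  mountd'

# Constructed fragment of /etc/inet/inetd.conf.
SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
100235/1        tli     rpc/ticotsord   wait    root    /usr/lib/fs/cachefs/cachefsd    cachefsd
100232/10       tli     rpc/udp wait    root    /usr/sbin/sadmind       sadmind'

# cachefsd_transports -- reads rpcinfo -p text on stdin and prints one
# "proto/port" per registration of cachefsd; exit status 1 if none.
# A registration visible from outside the firewall means the RPC block
# the advisory asks for is not in place.
cachefsd_transports() {
    awk -v prog="$CACHEFSD_PROG" '
        $1 == prog { print $3 "/" $4; n++ }
        END        { exit (n > 0) ? 0 : 1 }'
}

# disable_cachefsd_line -- reads inetd.conf text on stdin and writes it
# back with the cachefsd entry commented out. On a live host this is
# followed by `pkill -HUP inetd` so inetd re-reads the file.
disable_cachefsd_line() {
    sed "s|^${CACHEFSD_PROG}/|#&|"
}

# cachefsd_enabled_in -- exit 0 if inetd.conf text on stdin still carries
# an active (uncommented) cachefsd entry.
cachefsd_enabled_in() {
    grep -q "^${CACHEFSD_PROG}/"
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE_RPCINFO" | cachefsd_transports && echo "cachefsd is registered"
printf '%s\n' "$SAMPLE_INETD" | disable_cachefsd_line
```

Run `rpcinfo -p` from a host on the far side of the firewall, not from the target itself: the point of the check is whether the RPC block holds for outsiders, and a local query will always see the registration.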



eSecurityOnline Security Advisory 4123 - Sun Solaris admintool media installation path buffer overflow vulnerability

2002-04-29 Thread researchteam5


eSO Security Advisory:  4123  
Discovery Date: October 15, 2001 
ID: eSO:4123
Title:  Sun Solaris admintool media installation path
buffer overflow vulnerability 
Impact: Local attackers can gain root privileges
Affected Technology: Sun Solaris 2.6, 7, 8 SPARC and x86
Vendor Status:  Vendor notified
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
CVE Reference:  CAN-2002-0088 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO4123.asp 

Description:
Sun Solaris admintool is vulnerable to a buffer overflow condition
that allows a local attacker to gain root privileges. The problem is
due to insufficient bounds checking on the installation path. An
attacker can create a path, supply it to admintool, and execute 
arbitrary code.  

Technical Recommendation:
As a workaround solution, remove the setuid bit from the binary.

chmod -s /usr/bin/admintool  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  




eSecurityOnline Security Advisory 2406 - CDE dtprintinfo Help search buffer overflow vulnerability

2002-04-29 Thread researchteam5


eSO Security Advisory:  2406  
Discovery Date: March 31, 2000 
ID: eSO:2406
Title:  CDE dtprintinfo Help search buffer overflow
vulnerability 
Impact: Local attackers can gain root level access
Affected Technology: Solaris 2.4, 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11
IBM AIX 4.3, 4.3.1, 4.3.2, 4.3.3
Compaq Tru64 5.1A, 5.1, 5.0A, 4.0G, 4.0F
CDE  
Vendor Status:  Patches are available
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
CVE Reference:  CAN-2001-0551

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2406.asp 

Description:
The CDE dtprintinfo program is vulnerable to a buffer overflow
condition that allows a local attacker to gain root access. The
problem occurs due to insufficient bounds checking in the Volume
search field from the Help section. An attacker can insert a specially
crafted string for the search parameter and gain root privileges.

In the dtprintinfo Help, an Index search function permits querying by
keyword. If a string of appropriate length is inserted into the 
'Entries with' field and a single Help Volume is selected for the
search, an exploitable buffer overflow will occur.  

Technical Recommendation:
Upgrade with the following patches.

Solaris 2.4, 2.5, 2.5.1 SPARC:
105076-04

Solaris 2.4, 2.5, 2.5.1 x86:
105354-04

Solaris 2.6 SPARC:
106242-03

Solaris 2.6 x86:
106243-03

Solaris 7 SPARC:
107178-02

Solaris 7 x86:
107179-02

Solaris 8 SPARC:
108949-04

Solaris 8 x86:
108950-04

IBM AIX:

AIX 4.3.x:
APAR #IY21539

AIX 5.1:
APAR #IY20917

Compaq:
SSRT1-78U
SSRT0788U
SSRT0757U
SSRT-541

HP-UX:
10.10:   PHSS_23355 
10.20:   PHSS_23796 
10.24:   PHSS_24097 
11.00:   PHSS_23797 
11.04:   PHSS_24098 
11.11:   PHSS_24087, PHSS_24091 

Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun 
security team for their cooperation in resolving the issue.  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  




eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability

2002-04-29 Thread researchteam5


eSO Security Advisory:  3761  
Discovery Date: July 5, 2001 
ID: eSO:3761
Title:  Sun Solaris lbxproxy display name buffer
overflow vulnerability 
Impact: Local attackers can gain group root privileges 
Affected Technology: Sun Solaris 8 x86
Vendor Status:  Vendor notified
Discovered By:  Kevin Kotas of the eSecurityOnline Research
and Development Team 
CVE Reference:  CAN-2002-0090 

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO3761.asp 

Description:
Sun Solaris lbxproxy is vulnerable to a buffer overflow condition that
can allow an attacker to execute arbitrary code. The overflow occurs
due to insufficient bounds checking on the display command line
option. A display name can be given that, when processed, will alter
program execution.  

Technical Recommendation:
As a workaround solution, remove the setgid bit from the program.

chmod -s /usr/openwin/bin/lbxproxy  

Copyright 2002 eSecurityOnline LLC.  All rights reserved.  

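An audit helper for the Solaris advisories above, added as an example and not part of any of them: it checks `showrev -p` output against the patch lists in eSO:2397 and eSO:2406, and reads `ls -l` modes to tell whether the `chmod -s` workaround from eSO:2397, eSO:4123 and eSO:3761 has been applied. The required-patch list is copied from the advisories for Solaris 7 SPARC; the showrev and ls output below is constructed for the example, not captured from a real system. The revision comparison assumes Sun's convention that a later revision of the same patch ID supersedes earlier ones.

```sh
#!/bin/sh
# Added audit helper, not from the advisories. Input on a real host comes
# from `showrev -p` and `ls -l`; the samples below are constructed.

# Required revisions for Solaris 7 SPARC, copied from eSO:2397 and eSO:2406.
# Format: "<patch-id> <what it fixes>".
REQUIRED_SOL7_SPARC='108721-02 admintool (eSO:2397)
107178-02 dtprintinfo (eSO:2406)'

# Constructed `showrev -p` output: admintool patched beyond the required
# revision, dtprintinfo patched but at an older revision than required.
SAMPLE_SHOWREV='Patch: 106980-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108721-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWadmap
Patch: 107178-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas'

# patch_status PATCH-ID  -- reads showrev -p text on stdin and prints
# "ok", "old" or "missing". Revisions of one patch ID are cumulative, so
# any installed revision >= the required one satisfies it.
patch_status() {
    awk -v base="${1%-*}" -v need="${1#*-}" '
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base) { found = 1; if (id[2] + 0 > best + 0) best = id[2] }
        }
        END {
            if (!found)                    print "missing"
            else if (best + 0 >= need + 0) print "ok"
            else                           print "old"
        }'
}

# audit_patches REQUIRED-LIST  -- reads showrev -p text on stdin and prints
# one status line per required patch.
audit_patches() {
    showrev=$(cat)
    printf '%s\n' "$1" | while read -r id what; do
        printf '%-10s %-8s %s\n' "$id" \
            "$(printf '%s\n' "$showrev" | patch_status "$id")" "$what"
    done
}

# mode_has_setid MODE  -- MODE is the first column of `ls -l` output.
# Exit 0 when the setuid (4th char) or setgid (7th char) slot shows s/S,
# i.e. `chmod -s` has not yet been applied to that binary.
mode_has_setid() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE_SHOWREV" | audit_patches "$REQUIRED_SOL7_SPARC"
for line in '-r-sr-xr-x 1 root sys 123456 /usr/bin/admintool' \
            '-r-xr-sr-x 1 root root 65432 /usr/openwin/bin/lbxproxy' \
            '-r-xr-xr-x 1 root sys 123456 /usr/bin/admintool'; do
    set -- $line
    if mode_has_setid "$1"; then echo "set-id bit still on: $6"; else echo "ok: $6"; fi
done
```

On a live system the two pipelines become `showrev -p | audit_patches "$REQUIRED_SOL7_SPARC"` and `ls -l /usr/bin/admintool /usr/openwin/bin/lbxproxy`, with the first column of each ls line handed to mode_has_setid. Removing the set-id bit disables the privileged function of the tool for non-root users, so it is a stopgap until the listed patch is on.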