
SecurityFocus Newsletter #201

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jun 16 2003 - 11:35:53 EDT



This Issue is Sponsored by: Black Hat

Attend the Black Hat Briefings & Training, July 28-31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out.

Visit us at: http://www.securityfocus.com/BlackHat-sf-news


I. FRONT AND CENTER
  1. Penetration Test for Web Applications - Part One
  2. Honeypots: Are They Illegal?
  3. Bad Raps for Non-Hacks
II. BUGTRAQ SUMMARY
  1. Sun Microsystems Java Virtual Machine Insecure Temporary File...
  2. Microsoft Windows FIN-ACK Network Device Driver Frame Padding...
  3. Nokia GGSN Kernel Panic Denial of Service Vulnerability
  4. HPUX PCLToTIFF Command Line Argument Local Buffer Overflow...
  5. Spyke PHP Board Information Disclosure Vulnerability
  6. H-Sphere HTML Template Inclusion Cross-Site Scripting...
  7. FlashFXP PASV Response Buffer Overflow Vulnerability
  8. FlashFXP Client Request Hostname Buffer Overflow Vulnerability
  9. SmartFTP PWD Command Request Buffer Overflow Vulnerability
  10. SmartFTP File List Command Buffer Overflow Vulnerability
  11. LeapFTP Client PASV Response Buffer Overflow Vulnerability
  12. FTP Voyager Remote LIST Buffer Overrun Vulnerability
  13. Apple AFP Server Arbitrary File Corruption Vulnerability
  14. Nuca WebServer File Disclosure Vulnerability
  15. MNOGoSearch Search.CGI UL Buffer Overflow Vulnerability
  16. MNOGoSearch Search.CGI TMPLT Buffer Overflow Vulnerability
  17. Aiglon Web Server Installation Path Information Disclosure...
  18. SGI IRIX PIOCSWATCH Local Denial Of Service Vulnerability
  19. XMB Forum Member.PHP U2U Private Message HTML Injection...
  20. XMB Forum Member.PHP Location Field HTML Injection Vulnerability
  21. IBM AIX LSMCODE Environment Variable Local Buffer Overflow...
  22. GZip ZNew Insecure Temporary File Creation Symbolic Link...
  23. ArGoSoft Mail Server Multiple GET Requests Denial Of Service...
  24. RPM Package Manager FTP NLST Data Integer Overflow Remote...
  25. Gnome FTP NLST Data Integer Overflow Memory Corruption...
  26. SMC Wireless Router Malformed PPTP Packet Denial of Service...
  27. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
  28. Ethereal DCERPC Dissector Memory Allocation Vulnerability
  29. Ethereal SPNEGO Dissector Denial Of Service Vulnerability
  30. Ethereal OSI Dissector Buffer Overflow Vulnerability
  31. Ethereal Multiple Dissector String Handling Vulnerabilities
  32. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
  33. FakeBO Syslog Format String Vulnerability
  34. WebcamNow Plain Text Password Storage Weakness...
  35. Mollensoft Enceladus Server Suite Clear Text Password Storage...
  36. MySQL libmysqlclient Library mysql_real_connect() Buffer...
  37. Mollensoft Software Enceladus Server Suite Guestbook HTML...
  38. silentThought Simple Web Server Directory Traversal Vulnerability
  39. Mollensoft Enceladus Server Suite HTACCESS File Access...
  40. WebBBS Pro Malicious GET Request Denial Of Service Vulnerability
  41. Typespeed Remote Memory Corruption Vulnerability
  42. Lyskom Server Unauthenticated User Denial Of Service...
  43. Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory...
  44. Apple Mac OS X DSIMPORTEXPORT Information Disclosure Weakness...
  45. Sphera HostingDirector VDS Control Panel Multiple Buffer...
  46. Sphera HostingDirector VDS Control Panel Account Configuration...
III. SECURITYFOCUS NEWS ARTICLES
  1. Law Would Spy on Ashcroft
  2. Cracking Down on Cyberspace Land Grabs
  3. On MS, AV and Addictive Updates
  4. 802.11g is a standard (official)
IV. SECURITYFOCUS TOP 6 TOOLS
  1. LibTomCrypt v0.77
  2. PheTail v.01
  3. Firewall Builder for PIX v1.0
  4. LibTomMath v0.04
  5. Astaro Security Linux (Stable 4.x) v4.008
  6. DSPAM v2.6.0.68
V. SECURITYJOBS LIST SUMMARY
  1. Enterprise Security Architect--NJ/Full-time (Thread)
  2. Posting for another party - Director, Information Security NYC...
  3. NYC: Microsoft security expert (Thread)
  4. PEARL HARBOR SA POSITION - SECURITY RELATED (Thread)
  5. New York --- ethical hacker looking for a job (Thread)
  6. Yet again... More of the same (Thread)
  7. Control SA Technical Security Consultant in Saudi Arabia (Thread)
  8. Chicago Security Consulting and Testing Lab Manager Postions...
  9. Excellent Opportunity - Security Sales Account Executive (Thread)
  10. SR. IDS MANAGER - IMMEDIATE OPENING (Thread)
  11. Pre-Sales Engineer - New York (Thread)
  12. NE Regional Sales Manager (New York Metro) (Thread)
  13. Director of Biz Dev, New York (Thread)
  14. Information Assurance Engineers needed immediately!!! (Thread)
  15. AS400 Security Assessment in New Orleans area (Thread)
  16. Appliance Software Engineer for IDS Appliances in Colombia...
  17. Senior IDS/Secruity Research Analyst role in Colombia, MD...
  18. Herndon, VA, USA - Symantec hiring Sr. Software/Security...
  19. Vendor Security Assesment Coordinator - New York, NY (Thread)
  20. Territory Manager - New York, New Jersey & Conn. (Thread)
  21. Dallas/Fort Worth: All around Administration/Engineering guy...
  22. Senior security technical lead (Thread)
  23. Systems Engineer - Technical Pre-Sales - Toronto (Thread)
  24. Product Manger - Orange County, CA (Thread)
  25. Looking to get off sinking ship (Foundstone) - have skills...
  26. Global Cert Coordinator (Thread)
  27. West Coast Regional Sales Manager- Santa Clara, CA (Thread)
  28. Creative Senior Security Professional seeking a position (Thread)
  29. Application Security Architect - Chicago, IL (Thread)
  30. Internal Application Security Risk Consultant - New York, NY...
  31. Application Security Consultant - Dulles, VA (Thread)
  32. Director of Software Engineering - Dulles, VA (Thread)
  33. InfoSec Masters student w/ 8 years LAN/WAN seeks Security...
  34. IT Security Practice Manager Role in the UK (Thread)
VI. INCIDENTS LIST SUMMARY
  1. File on desktop called "~" (Thread)
  2. Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log...
  3. Windows 2k rootkit incident, files zipped for your pleasure...
  4. Help with identifying scan/attack (Thread)
  5. Windows 2k rootkit incident, files zipped for your pleasure...
  6. Windows 2k rootkit incident (Thread)
  7. Strange CONNECT entries in apache logs (Thread)
  8. Request for Raw Data (Thread)
  9. strange traffic on UDP port 53 (Thread)
  10. nscd poisoning? (Thread)
  11. Help with an odd log file... (Thread)
  12. Odd SYN packet spoofed sources (Thread)
  13. SecurityFocus Article Announcements (3) (Thread)
  14. Attack(s) caught by Okena (Thread)
  15. bad IP traffic (Thread)
  16. Odd windows ICMP... any ideas what this is? (Thread)
  17. IRC botnets (Thread)
  18. Re(2): Help with an odd log file... (Thread)
  19. Hmm....901 (Thread)
  20. AW: Strange CONNECT entries in apache logs (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
  1. shellcode with standard characters (Thread)
  2. Small buffer format string attack (Thread)
  3. Research on Source Code Review -C (Thread)
  4. 3com OfficeConnect Remote 812 ADSL Router - Possible bug ?...
  5. Linux 2.0 remote info leak from too big icmp citation (Thread)
  6. strcpy bug (Thread)
  7. PSOFT H-Sphere XSS Vulnerabilities (Thread)
  8. View and edit hidden HTML form fields (Thread)
  9. New Site. (Thread)
  10. Win32 Shellcode (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
  1. Local User Permissions in a Public, Domain Environment? (Thread)
  2. Question regarding su.exe (Thread)
  3. Windows 2000 Patch Order (Thread)
  4. FW: Windows 2000 Patch Order (Thread)
  5. Fwd: FW: Windows 2000 Patch Order (Thread)
  6. Article Announcement (Thread)
  7. SecurityFocus Microsoft Newsletter #140 (Thread)
IX. SUN FOCUS LIST SUMMARY
  1. NO NEW POSTS FOR THE WEEK ENDING 06.13.03
X. LINUX FOCUS LIST SUMMARY
  1. deny deleting a file for users (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Penetration Test for Web Applications - Part One
By Jody Melbourne

This is the first in a series of three articles on penetration testing for Web applications. The first installment provides the penetration tester with an overview of Web applications - how they work, how they interact with users, and most importantly how developers can expose data and systems with poorly written and secured Web application front-ends.

http://www.securityfocus.com/infocus/1704

2. Honeypots: Are They Illegal?
By Lance Spitzner

As honeypots and their concepts have grown more popular, people have begun to ask what legal issues could apply. The purpose of this paper is to address the most commonly asked issues.

http://www.securityfocus.com/infocus/1703

3. Bad Raps for Non-Hacks
By Mark Rasch

A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.

http://www.securityfocus.com/columnists/167

II. BUGTRAQ SUMMARY


1. Sun Microsystems Java Virtual Machine Insecure Temporary File Vulnerability BugTraq ID: 7848
Remote: No
Date Published: Jun 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7848
Summary:

The Java Virtual Machine is a component of the Java Runtime Environment, distributed by Sun Microsystems.

A problem has been reported that may make it possible for an attacker to gain unauthorized privileges.

It has been reported that the Java Virtual Machine distributed by Sun does not safely generate temporary files. Because of this, an attacker may be able to launch a symbolic link attack.

The problem is in the handling of temporary files. When the Java Virtual Machine is invoked, it creates a temporary file in the /tmp directory with the prefix jpsock.**_*, where the asterisks stand for varying characters. An attacker could create a range of symbolic links pointing to a specific file, attempting to predict the name of a temporary file the JVM will create. Upon a successful guess, the file at the end of the symbolic link would be overwritten.

2. Microsoft Windows FIN-ACK Network Device Driver Frame Padding Information Disclosure Vulnerability BugTraq ID: 7849
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7849
Summary:

Network device drivers for Microsoft Windows Server 2003 have been reported to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers do not do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across ethernet segments. As the ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

An attacker can trigger the leak by sending a TCP packet with the FIN and ACK flags set to a vulnerable machine. The response is shorter than the minimum frame size and is padded by the driver, and that padding may contain sensitive data taken from kernel memory. An attacker may use information obtained in this way to mount further attacks against the system.

The following drivers were reported to be vulnerable to this issue:

VIA Rhine II compatible network cards (some motherboards have this integrated)
AMD PCNet family network cards (used by some versions of VMware)

The affected drivers are signed by the vendor and are available on the Windows Server 2003 CD. Both drivers have been reported to disclose sensitive information, such as POP3 passwords, to attackers.

This vulnerability is similar to the issue described in BID 6535.
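The check a practitioner would run over captured traffic to confirm this class of leak is shown below. This is an added example in C, not code from the advisory or from any of the drivers named above: it parses an IPv4-over-Ethernet frame, treats every byte after the IP total length as driver padding, and counts the non-zero ones. A correct driver leaves that count at zero. The sample frame, its addresses and the six-byte stale remnant are constructed here; in practice the frames would come from a capture library such as libpcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800

/*
 * Count non-zero bytes in the padding that follows the IP datagram inside an
 * Ethernet frame.  Frames shorter than 60 bytes must be padded by the driver;
 * a correct driver zero-fills, a leaky one ships whatever the buffer held.
 * Returns -1 if the frame is not parseable IPv4, else the number of leaked bytes.
 */
int padding_leak_bytes(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20)
        return -1;
    unsigned ethertype = (unsigned)frame[12] << 8 | frame[13];
    if (ethertype != ETHERTYPE_IPV4)            /* only IPv4 handled here */
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    size_t ihl   = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = (size_t)ip[2] << 8 | ip[3];  /* IP total length field */
    if (ihl < 20 || total < ihl || ETH_HDR_LEN + total > len)
        return -1;
    int leaked = 0;
    for (size_t i = ETH_HDR_LEN + total; i < len; i++)   /* padding region */
        if (frame[i] != 0)
            leaked++;
    return leaked;
}

/*
 * Constructed sample: Ethernet header, IPv4 header with total length 40, a
 * 20-byte TCP header with FIN+ACK set, then `padlen` bytes of `pad` standing
 * in for the driver's padding.  Returns the frame length, 0 if `out` is too small.
 */
size_t build_frame(uint8_t *out, size_t cap, const uint8_t *pad, size_t padlen)
{
    static const uint8_t hdr[54] = {
        /* Ethernet: dst MAC, src MAC, type 0x0800 */
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl, proto TCP, csum, src, dst */
        0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
        192,0,2,10, 192,0,2,20,
        /* TCP: sport 110, dport 1025, seq, ack, offset 5, flags FIN|ACK, window, csum, urg */
        0x00,0x6e, 0x04,0x01, 0,0,0,1, 0,0,0,1, 0x50,0x11, 0x20,0x00, 0x00,0x00, 0x00,0x00
    };
    if (cap < sizeof hdr + padlen)
        return 0;
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + sizeof hdr, pad, padlen);
    return sizeof hdr + padlen;
}

/* Leaky driver: padding holds a constructed stale remnant (a password fragment). */
int demo_leaking_frame(void)
{
    uint8_t f[64];
    const uint8_t stale[6] = { 'h','u','n','t','e','r' };
    size_t n = build_frame(f, sizeof f, stale, sizeof stale);
    return n ? padding_leak_bytes(f, n) : -1;
}

/* Correct driver: padding is zero-filled. */
int demo_clean_frame(void)
{
    uint8_t f[64];
    const uint8_t zeros[6] = { 0, 0, 0, 0, 0, 0 };
    size_t n = build_frame(f, sizeof f, zeros, sizeof zeros);
    return n ? padding_leak_bytes(f, n) : -1;
}

/* A frame cut short of its own IP total length is not judged at all. */
int demo_truncated_frame(void)
{
    uint8_t f[64];
    const uint8_t zeros[6] = { 0, 0, 0, 0, 0, 0 };
    size_t n = build_frame(f, sizeof f, zeros, sizeof zeros);
    return padding_leak_bytes(f, n - 10);
}

int main(void)
{
    printf("leaky driver:   %d non-zero padding bytes\n", demo_leaking_frame());
    printf("correct driver: %d non-zero padding bytes\n", demo_clean_frame());
    printf("truncated:      %d (unparseable)\n", demo_truncated_frame());
    return 0;
}
```

Run against a capture, anything but 0 from padding_leak_bytes on a FIN-ACK reply is the signature described above; the frame length passed in must exclude the FCS, which most capture interfaces already strip.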

3. Nokia GGSN Kernel Panic Denial of Service Vulnerability BugTraq ID: 7854
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7854
Summary:

The Nokia GGSN (Gateway GPRS Support Node) is used to bridge Gn and Gi networks. GPRS can allow for web browsing and email connectivity for cellular phones.

The GGSN device is reported to be prone to a denial of service condition triggered by malformed IP packets.

When the device receives a malformed IP packet with a TCP option of 0xFF set, it will cause a kernel panic resulting in the device shutting down. This will cause a failure in all data connectivity on the GPRS (General Packet Radio Service) network.

4. HPUX PCLToTIFF Command Line Argument Local Buffer Overflow Vulnerability BugTraq ID: 7853
Remote: No
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7853
Summary:

HP-UX is the UNIX variant operating system distributed by Hewlett-Packard. It is designed for systems ranging from desktop servers to large enterprise systems.

HP-UX pcltotiff has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space.

Specifically, excessive data passed as the '-t' argument to the vulnerable pcltotiff executable, when copied into internal memory, may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling memory management or program execution flow. It may be possible for a local attacker to seize control of the vulnerable application and have malicious arbitrary code executed in the context of pcltotiff.

It should be noted that the affected binary is a setgid 'bin' utility.

This vulnerability may be similar to the issue described in BID 2646.

5. Spyke PHP Board Information Disclosure Vulnerability BugTraq ID: 7856
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7856
Summary:

Spyke PHP Board is a web-based Content Management System (CMS) implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Unix variant operating environments.

A vulnerability has been reported for Spyke's PHP Board that may result in an attacker obtaining access to sensitive information.

The vulnerability exists due to the way the CMS stores data. Specifically, the system uses plaintext files for the storage of sensitive information.

An attacker can exploit this vulnerability by requesting the 'info.dat' configuration file directly. The server returns it as a plaintext file whose contents include administrative authentication information.

User authentication information is stored under the 'user' directory with a .TXT extension.

Information obtained in this manner may allow an attacker to launch further destructive attacks against a vulnerable system.

This vulnerability was reported for Spyke PHP Board 2.1.

6. H-Sphere HTML Template Inclusion Cross-Site Scripting Vulnerabilities BugTraq ID: 7855
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7855
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere is available for Microsoft Windows, Linux, and Unix operating systems.

H-Sphere is prone to multiple cross-site scripting vulnerabilities via the HTML template feature in the Hosting Control Panel. HTML and script code will not be filtered from pages which are generated when a request for an invalid or unknown template is made.

This could be exploited if a web user follows a malicious link to a site hosting the vulnerable software that includes hostile HTML or script code. This code would be executed in the context of the site hosting the software. The link may also need to contain the username of a valid, logged in user.

Successful exploitation could permit theft of cookie-based authentication credentials from legitimate users of the Hosting Control Panel, which may in turn permit unauthorized access to resources that are managed by the software. Other attacks may also be possible.

7. FlashFXP PASV Response Buffer Overflow Vulnerability BugTraq ID: 7857
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7857
Summary:

FlashFXP is a FTP implementation that allows client-server file transfers in addition to site-to-site file transfers. It is available for Microsoft Windows.

FlashFXP is prone to a remotely exploitable buffer overflow when handling a server response to the PASV FTP command. The PASV command is issued to tell the server that the client wishes to transfer files in passive mode. FTP servers that support passive mode will respond to such a request with an IP address and port number. If an FTP server responds with an excessively long IP address, an internal buffer on the client system may be overrun with specific values supplied by the server.

A malicious FTP server could exploit this issue to execute code on the client system. This would occur in the security context of the user running the vulnerable client.

8. FlashFXP Client Request Hostname Buffer Overflow Vulnerability BugTraq ID: 7859
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7859
Summary:

FlashFXP is a FTP implementation that allows client-server file transfers in addition to site-to-site file transfers. It is available for Microsoft Windows.

FlashFXP is prone to a buffer overflow vulnerability. This is due to insufficient bounds checking of hostnames supplied in client requests.

Exploitation would require a client user to submit a malicious request for an FTP site. This could occur if the FTP user were enticed to follow a malicious link to an FTP site. If such a request were made by the vulnerable client, excessive data embedded in the request could overrun adjacent regions of memory on the client system. This could permit execution of malicious instructions in the context of the user running the client.

9. SmartFTP PWD Command Request Buffer Overflow Vulnerability BugTraq ID: 7858
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7858
Summary:

SmartFTP is a GUI FTP client available for most Microsoft Windows operating systems.

SmartFTP is reported to be prone to a boundary condition error. This is due to insufficient bounds checking in the 'PWD' command.

If an FTP server replies with an overly long string to a 'PWD' command, an internal buffer may be overrun. This results in corruption of stack-based memory. Arbitrary code execution in the security context of the user running the FTP client is reportedly possible.

This issue was reported to affect SmartFTP 1.0.973, however, other versions may also be vulnerable.

10. SmartFTP File List Command Buffer Overflow Vulnerability BugTraq ID: 7861
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7861
Summary:

SmartFTP is a GUI FTP client available for most Microsoft Windows operating systems.

SmartFTP is reported to be prone to a boundary condition error. This is due to insufficient bounds checking in the File List command.

If an FTP server replies with an overly long string to a File List command, an internal buffer may be overrun. This results in corruption of heap-based memory. Arbitrary code execution in the security context of the user running the FTP client is reportedly possible.

This issue was reported to affect SmartFTP 1.0.973, however, other versions may also be vulnerable.

11. LeapFTP Client PASV Response Buffer Overflow Vulnerability BugTraq ID: 7860
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7860
Summary:

LeapFTP is an FTP client for Microsoft Windows operating systems.

LeapFTP client has been reported prone to a remote buffer overflow vulnerability.

The issue is likely due to insufficient bounds checking and presents itself when the affected FTP client connects to a malicious server in passive mode. Reportedly, during an FTP session LeapFTP requests PASV mode. The PASV command is issued to tell the server that the client wishes to transfer files in passive mode. FTP servers that support passive mode will respond to such a request with an IP address and port number.

If the PASV-mode IP address data sent to the LeapFTP client is of excessive length, the bounds of a stack-based internal memory buffer are overrun, corrupting adjacent memory with attacker-supplied data. It has been reported that it is possible to supply sufficient data to corrupt an exception handler stored on the stack. Ultimately this condition may be exploited to execute arbitrary code in the context of the user running the LeapFTP client.
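The client-side fix is the same for both PASV reports above, and for the SmartFTP PWD and FTP Voyager LIST reports, which differ only in which reply gets copied: treat every server reply as attacker-controlled and parse it with explicit bounds. The C below is an added example, not code from FlashFXP, LeapFTP or any other product named in this issue. parse_pasv_unsafe shows the shape of the unbounded copy the advisories describe and is never called; parse_pasv_safe is a bounded replacement that accepts only six decimal fields of one to three digits each, each at most 255, inside a reply of sane length. All reply strings are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Contrast only: the shape of the bug behind BIDs 7857 and 7860.  The text
 * between the parentheses of the 227 reply is copied into a fixed stack
 * buffer with no length check, so a server that sends hundreds of bytes of
 * "address" overruns it.  Never call this with untrusted input.
 */
void parse_pasv_unsafe(const char *reply)
{
    char addr[32];
    const char *lp = strchr(reply, '(');
    if (!lp)
        return;
    strcpy(addr, lp + 1);                 /* unbounded copy: the vulnerability */
    /* ... sscanf(addr, "%u,%u,%u,%u,%u,%u", ...) would follow here ... */
    (void)addr;
}

/*
 * Bounded parser for "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * Returns 0 and fills host (dotted quad, at most 15 chars plus NUL) and port;
 * returns -1 for any reply that is too long, is not a 227, or whose six
 * fields are not 1..3 decimal digits each with a value of at most 255.
 */
int parse_pasv_safe(const char *reply, size_t reply_len, char host[16], uint16_t *port)
{
    if (reply_len > 512)                  /* FTP reply lines are short; refuse bulk */
        return -1;
    if (reply_len < 3 || memcmp(reply, "227", 3) != 0)
        return -1;
    const char *end = reply + reply_len;
    const char *p = memchr(reply, '(', reply_len);
    if (!p)
        return -1;
    p++;
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        while (p < end && digits < 3 && isdigit((unsigned char)*p)) {
            n = n * 10 + (unsigned)(*p - '0');
            p++;
            digits++;
        }
        if (digits == 0 || n > 255)
            return -1;
        v[i] = n;
        if (i < 5) {                      /* fields are comma separated */
            if (p >= end || *p != ',')
                return -1;
            p++;
        }
    }
    if (p >= end || *p != ')')
        return -1;
    unsigned prt = v[4] * 256 + v[5];
    if (prt == 0)
        return -1;
    snprintf(host, 16, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (uint16_t)prt;
    return 0;
}

/* Wrappers that return plain values for the checks in main. */
int pasv_port_of(const char *reply)
{
    char host[16];
    uint16_t port;
    if (parse_pasv_safe(reply, strlen(reply), host, &port) != 0)
        return -1;
    return port;
}

int pasv_host_is(const char *reply, const char *expected)
{
    char host[16];
    uint16_t port;
    if (parse_pasv_safe(reply, strlen(reply), host, &port) != 0)
        return 0;
    return strcmp(host, expected) == 0;
}

/* Constructed hostile reply: a 600-digit "address" of the kind the advisories describe. */
int pasv_oversized_rejected(void)
{
    char reply[700];
    int n = snprintf(reply, sizeof reply, "227 Entering Passive Mode (");
    memset(reply + n, '1', 600);
    n += 600;
    snprintf(reply + n, sizeof reply - (size_t)n, ",1,1,1,4,210)");
    return pasv_port_of(reply) == -1;
}

int main(void)
{
    const char *good = "227 Entering Passive Mode (192,168,1,10,4,210)";
    printf("good reply -> port %d\n", pasv_port_of(good));
    printf("oversized reply rejected: %d\n", pasv_oversized_rejected());
    printf("octet 256 rejected: %d\n",
           pasv_port_of("227 Entering Passive Mode (256,1,1,1,4,210)") == -1);
    return 0;
}
```

The length cap and the three-digit limit per field are what make the difference: the vulnerable clients had no upper bound on the text between the parentheses, so the server chose how much got written to the stack.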

12. FTP Voyager Remote LIST Buffer Overrun Vulnerability BugTraq ID: 7862
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7862
Summary:

FTP Voyager is an FTP client maintained by RhinoSoft and is available for the Microsoft Windows operating system.

A buffer overrun vulnerability has been discovered in FTP Voyager. It has been discovered that the client fails to perform sufficient bounds checking before processing server-supplied data returned from a LIST request. Specifically, a string containing approximately 624 bytes of data, returned in a response to a client LIST request, will result in the corruption of stack memory.

Exploitation of this vulnerability could ultimately result in the execution of arbitrary instructions with the privileges of the user invoking the affected client.

This issue is said to affect FTP Voyager 9.1.0.3 and 10.0.0.0, however earlier versions may also be vulnerable.

13. Apple AFP Server Arbitrary File Corruption Vulnerability BugTraq ID: 7863
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7863
Summary:

A vulnerability has been discovered in Apple AFP Server. The problem presents itself when the application is configured to serve files from a UFS or re-shared NFS filesystem.

Although the technical details regarding this issue are currently unknown, the vendor has confirmed that this issue can be exploited to corrupt arbitrary system files. This may allow a remote attacker to cause a target system to no longer function or behave unpredictably.

This BID will be updated as further technical details are made available.

14. Nuca WebServer File Disclosure Vulnerability BugTraq ID: 7864
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7864
Summary:

Nuca WebServer is a web server plug-in for Nuca Plug-in and IdRunner. It is implemented in Delphi and available for Microsoft Windows operating systems.

Nuca WebServer is prone to an issue that may allow remote attackers to gain access to sensitive files. This is due to insufficient filtering of directory traversal sequences from web requests. As a result, it is possible to escape the web root directory by submitting a request containing directory traversal sequences. This could be exploited to read the contents of arbitrary files that are readable by the web server.

This vulnerability could permit remote attackers to gain access to sensitive information that might be useful in mounting further attacks against the system hosting the software.
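As an added example (not Nuca code, and not a description of how Nuca filters requests), the C below performs the check a web server needs before mapping a request path onto the file system: percent-decode once, fold Windows backslashes to slashes since the product runs on Windows, then walk the segments and refuse any path whose '..' count would climb above the web root. Decoding before matching is what defeats encoded forms such as '..%2f' and '%2e%2e/'; a single decoding pass is assumed, so a server that decodes twice would have to apply the check again after the second pass. The request strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Return 1 if url_path, after one round of percent-decoding and '\'->'/'
 * folding, never rises above the web root; 0 if it does, or if it holds a
 * malformed escape, an embedded NUL, or is too long to decode safely.
 */
int request_path_is_safe(const char *url_path)
{
    char buf[1024];
    size_t n = 0, i = 0;

    /* pass 1: decode into a bounded buffer */
    for (; url_path[i] != '\0'; i++) {
        int c = (unsigned char)url_path[i];
        if (c == '%') {
            int hi = hexval((unsigned char)url_path[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)url_path[i + 2]);
            if (lo < 0)
                return 0;                 /* malformed %XX */
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\\')
            c = '/';                      /* Windows separator counts as '/' */
        if (c == '\0')
            return 0;                     /* %00 truncation attempt */
        if (n >= sizeof buf - 1)
            return 0;                     /* too long to reason about */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';

    /* pass 2: walk segments, tracking depth below the web root */
    int depth = 0;
    char *seg = buf;
    while (*seg != '\0') {
        while (*seg == '/')
            seg++;                        /* skip separators, doubled ones too */
        if (*seg == '\0')
            break;
        char *e = strchr(seg, '/');
        size_t slen = e ? (size_t)(e - seg) : strlen(seg);
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 0;                 /* climbed above the web root */
        } else if (!(slen == 1 && seg[0] == '.')) {
            depth++;                      /* ordinary segment goes one level down */
        }
        seg += slen;
    }
    return 1;
}

int main(void)
{
    const char *samples[] = {
        "/index.html",                    /* plain: allowed */
        "/docs/../index.html",            /* stays inside root: allowed */
        "/../boot.ini",                   /* literal traversal: refused */
        "/docs/..%2f..%2fwinnt/win.ini",  /* encoded slash: refused */
        "/..%5c..%5cboot.ini",            /* encoded backslash: refused */
        "/a/%2e%2e/%2e%2e/x",             /* encoded dots: refused */
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-34s -> %s\n", samples[k],
               request_path_is_safe(samples[k]) ? "serve" : "refuse");
    return 0;
}
```

The depth counter is the whole check: a segment-by-segment walk cannot be fooled by the order or encoding of the dots, where a substring search for "../" can.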

15. MNOGoSearch Search.CGI UL Buffer Overflow Vulnerability BugTraq ID: 7865
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7865
Summary:

mnoGoSearch is multi-platform web search engine software for Intranet and Internet servers.

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on a user-supplied URI parameter that is passed to the 'search.cgi' application.

Reportedly, if a 'ul' URI parameter containing excessive data is passed in a HTTP request for 'search.cgi', the bounds of an internal memory buffer will be overrun. Memory adjacent to the affected buffer will be corrupted with attacker-supplied values.

It has been reported that adjacent memory space contains values that are crucial to the control of program execution flow. It is therefore possible for the attacker to seize control of the 'search.cgi' application, and have arbitrary code executed in the context of the web-server process.

This vulnerability was reported to exist in mnoGoSearch 3.1.20.

16. MNOGoSearch Search.CGI TMPLT Buffer Overflow Vulnerability BugTraq ID: 7866
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7866
Summary:

mnoGoSearch is multi-platform web search engine software for Intranet and Internet servers.

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on a user-supplied URI parameter that is passed to the 'search.cgi' application.

Reportedly, if a 'tmplt' URI parameter containing excessive data is passed in a HTTP request for 'search.cgi', the bounds of an internal memory buffer will be overrun. Memory adjacent to the affected buffer will be corrupted with attacker-supplied values.

It has been reported that adjacent memory space contains values that are crucial to the control of program execution flow. It is therefore possible for the attacker to seize control of the 'search.cgi' application, and have arbitrary code executed in the context of the web-server process.

This vulnerability was reported to exist in mnoGoSearch 3.2.10.

17. Aiglon Web Server Installation Path Information Disclosure Weakness BugTraq ID: 7867
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7867
Summary:

Aiglon Web Server is an HTTP server for Windows 9x, NT, 2000 and XP.

A weakness has been discovered in Aiglon Web Server, which may provide for the disclosure of sensitive information to remote attackers.

It has been reported that a remote attacker may cause the web server to disclose information by making a malformed HTTP request. The resulting error message will likely contain installation path details.

The remote attacker may potentially use the disclosed information to aid in further "intelligent" attacks against the host running the affected software.

This issue was reported to affect Aiglon Web Server 2.0, however, other versions may also be affected.

18. SGI IRIX PIOCSWATCH Local Denial Of Service Vulnerability BugTraq ID: 7868
Remote: No
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7868
Summary:

IRIX is the UNIX variant operating system distributed and maintained by SGI. A problem with IRIX may make it possible for a local user to deny service to legitimate users.

It has been reported that SGI IRIX does not properly handle the PIOCSWATCH option of the ioctl system call. Because of this, an attacker with local access to the system may crash the system, constituting a local denial of service.

Few technical details are available about this vulnerability. PIOCSWATCH is used to establish or clear watched areas in memory of a traced process. The invocation of this option from a user space program in a specific way could cause a kernel panic, requiring the manual restart of the system to resume normal functionality.

19. XMB Forum Member.PHP U2U Private Message HTML Injection Vulnerability BugTraq ID: 7869
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7869
Summary:

XMB Forum 1.8 is a web-based discussion forum.

A vulnerability has been reported for XMB Forum 1.8 which may make it prone to HTML injection attacks. The problem is said to occur while viewing U2U private messages.

Specifically, U2U private messages may not be sufficiently sanitized of malicious content. This may make it possible for an attacker to place HTML or script code within the message body of a private U2U message for another user. When the legitimate forum user attempts to view the message the malicious code will be interpreted by their browser in the security context of the forum website.

Attackers may potentially exploit this issue to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

20. XMB Forum Member.PHP Location Field HTML Injection Vulnerability BugTraq ID: 7870
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7870
Summary:

XMB Forum is a web-based discussion forum.

A vulnerability has been reported in XMB Forum that may result in HTML injection. The vulnerability occurs because XMB Forum fails to sufficiently sanitize user-supplied input that is used for the 'Location' field in a registered user's personal information page. Other fields may also be similarly affected.

Due to this condition, a malicious user may be able to submit arbitrary HTML code, as 'Location' field data. The arbitrary code will then be displayed to unsuspecting users who view the XMB Forum member's profile information. Any attacker-supplied code will be interpreted in a victim user's web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks may also be possible.

21. IBM AIX LSMCODE Environment Variable Local Buffer Overflow Vulnerability BugTraq ID: 7871
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7871
Summary:

The IBM AIX lsmcode command is prone to a locally exploitable buffer overflow condition. The command is provided with the operating system to display microcode and firmware levels of the adapters and devices of the system.

Insufficient bounds checking in the /usr/sbin/lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges.

An attacker can exploit this vulnerability by setting a DIAGNOSTICS environment variable of excessive size containing attacker-supplied address data. The attacker then invokes the vulnerable lsmcode utility. A buffer overflow condition will likely be triggered when data contained in the DIAGNOSTICS environment variable is copied into an internal memory buffer, without sufficient bounds checking. Excessive data will corrupt adjacent memory, possibly overwriting values that are crucial to the control of program execution flow. Ultimately an attacker may seize control of lsmcode and have arbitrary operation codes executed in the context of the affected utility.

This vulnerability was reported to affect IBM AIX 4.3.3 although it is likely that other versions are also vulnerable.

22. GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability BugTraq ID: 7872
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7872
Summary:

gzip is a freely available, open source file compression utility. It is developed as part of the GNU project and is available for Unix, Linux and Microsoft Windows operating systems.

A problem with the utility may make the local destruction of data possible.

It has been reported that gzip does not securely handle temporary files in the znew script. Because of this, a local attacker may be able to launch a symbolic link attack against sensitive files.

The problem lies in how znew checks for existing files before writing. When the znew script executes, it does not sufficiently validate the result of its check for the existence of a file in the temporary directory. Because of this, znew could potentially write through a symbolic link, destroying the data in the file at the other end of the link, provided the user running znew has sufficient privileges to write to that file. This may also potentially lead to elevated privileges, though this is unconfirmed.
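An added C example, not gzip's znew script (which is shell): the check-then-write pattern the summary describes, beside the atomic O_CREAT|O_EXCL create that removes the window. The function names and the scratch directory layout are assumptions; the demo plants a dangling symbolic link in a private directory and shows that the check-then-open path writes through it while the exclusive open refuses.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The shape the summary describes: test whether the file exists, then create it.
 * access() follows symbolic links, so a dangling link reads as "no such file";
 * open(O_CREAT) follows the same link and creates (or truncates) its target.
 * A link planted between the two calls is followed the same way. */
int create_check_then_open(const char *path) {
    if (access(path, F_OK) == 0)
        return -1;                               /* the "already exists" branch */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: the kernel does the existence check and the create as one step,
 * and O_EXCL fails with EEXIST when `path` is a symlink, dangling or not. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a dangling symlink out.gz -> attacker-chosen in a fresh private
 * directory and tries both creators on it. Returns a bitmask: 1 = the
 * check-then-open path created the link target, 2 = the exclusive open
 * refused; 3 is the expected result. Returns -1 if no scratch dir could be made. */
int demo_dangling_symlink(void) {
    char tmpl_tmp[] = "/tmp/znew-demo-XXXXXX";
    char tmpl_cwd[] = "./znew-demo-XXXXXX";
    char target[300], lnk[300];
    struct stat st;
    int fd, result = 0;
    char *dir = mkdtemp(tmpl_tmp);
    if (dir == NULL)
        dir = mkdtemp(tmpl_cwd);
    if (dir == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/attacker-chosen", dir);
    snprintf(lnk, sizeof lnk, "%s/out.gz", dir);
    if (symlink(target, lnk) != 0) {             /* constructed attacker action */
        rmdir(dir);
        return -1;
    }

    fd = create_check_then_open(lnk);            /* vulnerable path */
    if (fd >= 0) {
        close(fd);
        if (stat(target, &st) == 0)              /* the link target now exists */
            result |= 1;
    }
    unlink(target);

    errno = 0;
    fd = create_exclusive(lnk);                  /* hardened path */
    if (fd == -1 && errno == EEXIST)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(lnk);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = demo_dangling_symlink();
    printf("check-then-open wrote through the link: %s\n", (r & 1) ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the link:        %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

In a shell script the equivalent fix is mktemp(1) (which creates the file with O_EXCL) rather than testing with `-e` or `-f` and then redirecting into the name.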

23. ArGoSoft Mail Server Multiple GET Requests Denial Of Service Vulnerability BugTraq ID: 7873
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7873
Summary:

ArGoSoft Mail Server is an SMTP, POP3 and Finger server for Microsoft Windows environments. ArGoSoft has a built-in web server to enable remote access to mail.

ArGoSoft Mail Server has been reported prone to a denial of service condition when handling multiple GET requests, in rapid succession. When many GET requests are processed in a small time frame, the ArGoSoft Mail server will reportedly throw an exception and likely crash. This will effectively deny service to legitimate ArGoSoft Mail server users until the service is restarted.

It should be noted that while ArGoSoft Mail Server version 1.8 (1.8.3.5) has been reported vulnerable, previous versions might also be vulnerable.

24. RPM Package Manager FTP NLST Data Integer Overflow Remote Memory Corruption Vulnerability BugTraq ID: 7874
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7874
Summary:

The RPM Package Manager is a command line utility for creating, installing and managing RPM packages. It is available for a wide range of Linux distributions.

A vulnerability has been reported for the RPM Package Manager. The problem occurs when the application is used to access FTP listings on a remote server. Specifically, RPM fails to sufficiently sanity check the size of the data returned by an FTP NLST listing. The size value is shifted 2 bits to the left, multiplying it by four, and is then passed to malloc(). The NLST data is then copied into the buffer returned by malloc().

An attacker could exploit this issue by controlling a malicious FTP server configured to transmit NLST data in excess of 1 gigabyte. When RPM carried out the shift, the size value would wrap around, and an insufficient memory buffer would be allocated to store the data.

Exploiting this vulnerability to execute code is highly implausible, as copying data of this size will typically run past mapped memory and crash the process. However, this issue could result in the exhaustion of available system resources and would ultimately cause the RPM utility to crash.

25. Gnome FTP NLST Data Integer Overflow Memory Corruption Vulnerability BugTraq ID: 7875
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7875
Summary:

A vulnerability has been reported for Gnome. It has been reported that when processing NLST data from an FTP server, various Gnome functions or utilities may fail to sufficiently handle the size of data returned. Due to subsequent calculations, insufficient data may be allocated for storage of the NLST data. This may result in excessive data being copied into insufficient memory, effectively causing a denial of service.

It should be noted that this issue presents itself only when a large amount of NLST data, in excess of 1 gigabyte, is received. As such, exploitation of this issue will inevitably result in the exhaustion of available resources, followed by a segmentation violation. Also, due to the excessive amount of data copied to memory, exploiting this issue to execute code may not be plausible. Furthermore, it has been reported that exploitation may only be possible on architectures with specific variable width characteristics, typically 64-bit systems.

It should be noted that the precise details regarding this vulnerability are currently unknown. The problem may lie in specific Gnome utilities or possibly in Gnome library string parsing functions linked to by other applications.
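An added example covering both the RPM (item 24) and Gnome (item 25) summaries above; it is not code from either project. It models the sizing step the summaries describe (listing length shifted left by 2, i.e. multiplied by four, before malloc()) with a 32-bit unsigned type so the wrap-around shows on any host, then the overflow check and policy cap a hardened caller applies before allocating. The helper names, the 4-bytes-per-unit scale and the 64 MiB cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable sizing as the summaries describe: the listing length is shifted
 * left by two (x4) with no overflow check. Modelled with uint32_t, i.e. a
 * 32-bit size_t: any length of 1 GiB (2^30) or more wraps, and malloc()
 * receives a value far smaller than the data about to be copied into it. */
uint32_t nlst_alloc_size_unchecked(uint32_t nlst_len) {
    return nlst_len << 2;                        /* wraps silently */
}

/* Hardened: detect the wrap before it happens. Returns -1 and leaves *out
 * untouched when nlst_len * 4 is not representable in size_t. */
int nlst_alloc_size_checked(size_t nlst_len, size_t *out) {
    if (nlst_len > SIZE_MAX / 4)
        return -1;
    *out = nlst_len * 4;
    return 0;
}

/* A directory listing from an untrusted server also deserves a policy limit,
 * independent of the arithmetic check: assumed 64 MiB here. */
#define NLST_MAX_BYTES ((size_t)64 * 1024 * 1024)

/* Allocates the listing buffer or returns NULL when the request is unsafe. */
void *alloc_nlst_buffer(size_t nlst_len) {
    size_t need;
    if (nlst_alloc_size_checked(nlst_len, &need) != 0)
        return NULL;                             /* arithmetic would wrap */
    if (need > NLST_MAX_BYTES)
        return NULL;                             /* policy: refuse giant listings */
    return malloc(need);
}

/* Copies the listing into a buffer sized by alloc_nlst_buffer(); the copy
 * length (data_len) is always <= the allocation (4 * data_len), so the copy
 * can never outrun the buffer. Returns bytes copied, 0 if allocation was refused. */
size_t store_nlst(const char *data, size_t data_len, char **out) {
    char *buf = alloc_nlst_buffer(data_len);
    if (buf == NULL) {
        *out = NULL;
        return 0;
    }
    memcpy(buf, data, data_len);
    *out = buf;
    return data_len;
}
```

The overflow check and the policy cap are deliberately separate: the first makes the arithmetic correct on every word size, the second keeps a hostile server from making the client allocate hundreds of megabytes even when the arithmetic is sound.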

26. SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability BugTraq ID: 7876
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7876
Summary:

SMC SMC7004VWBR is a wireless Cable/DSL broadband router with integrated wireless access point and SPI firewall.

It has been discovered this device is prone to a denial of service attack. The problem occurs when processing a sequence of malformed PPTP packets transmitted to the router's internal interface.

The successful exploitation of this vulnerability will result in the router no longer responding to internal wireless traffic. This will effectively deny legitimate wireless users further network services.

It should be noted that the device would need to be physically reset to restore typical functionality.

This vulnerability affects firmware versions earlier than 1.23.

27. Multiple Gnocatan Server Buffer Overflow Vulnerabilities BugTraq ID: 7877
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7877
Summary:

Gnocatan is a multiplayer game. It is available for Microsoft Windows and Linux operating systems.

The Gnocatan game server is prone to multiple remotely exploitable buffer overflow vulnerabilities. The vulnerabilities are due to insufficient bounds checking of data supplied to the server, which could result in corruption of memory with attacker-supplied values. These conditions could potentially be exploited to execute malicious code in the context of the server or to launch denial of service attacks.

Specific technical details regarding these vulnerabilities are not available at this time. This BID will be updated as more details become available.

28. Ethereal DCERPC Dissector Memory Allocation Vulnerability BugTraq ID: 7878
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7878
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The DCERPC dissector of Ethereal is prone to a condition whereby too much memory may be allocated when decoding certain NDR strings.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the vulnerable dissector or by convincing a victim user to use Ethereal to read a malformed packet trace file.

This may result in the vulnerable Ethereal process allocating too much memory. Repeated decoding of malformed NDR packets may result in the consumption of all available memory resources which may lead to a denial of service condition.

This vulnerability affects Ethereal 0.9.12 and earlier.

29. Ethereal SPNEGO Dissector Denial Of Service Vulnerability BugTraq ID: 7879
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7879
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The SPNEGO dissector of Ethereal may cause a segmentation fault when parsing certain ASN.1 values.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a specially formed packet with an invalid ASN.1 value and sending it to a system using the vulnerable dissector.

Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful this may allow for the execution of arbitrary code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

30. Ethereal OSI Dissector Buffer Overflow Vulnerability BugTraq ID: 7880
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7880
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

The OSI dissector is prone to a buffer overflow condition when handling bad IPv4 or IPv6 prefix lengths. This is likely due to insufficient bounds checking.

It may be possible to construct an IPv4 or IPv6 packet that will, when decoded by Ethereal, trigger the overflow condition. Successful exploitation of this vulnerability may result in the attacker gaining access to the Ethereal host via execution of attacker-supplied instructions.

This BID will be updated when further technical details are disclosed.

This vulnerability affects Ethereal 0.9.12 and earlier.

31. Ethereal Multiple Dissector String Handling Vulnerabilities BugTraq ID: 7881
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7881
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal do not properly handle strings. Exploitation of this issue may allow an attacker to cause Ethereal to behave in an unpredictable manner. The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the vulnerable dissectors or by convincing a victim user to use Ethereal to read a malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful this may allow for the execution of arbitrary code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

32. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability BugTraq ID: 7883
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7883
Summary:

Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.

An Ethereal routine, tvb_get_nstringz0(), has been reported prone to a memory handling vulnerability. Reportedly tvb_get_nstringz0() incorrectly handles a zero-length buffer size. Although unconfirmed, it has been conjectured that the issue stems from the use of an unsigned integer when calculating the amount of memory to allocate, so that a length of zero is mishandled.
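An added example, not Ethereal's tvb_get_nstringz0() (whose actual flaw the summary says is unconfirmed): a bounded NUL-terminated string reader of the kind a dissector uses, showing how a zero buffer length handled in unsigned arithmetic turns into an unbounded copy, beside a version that handles zero explicitly and never writes past either the packet or the destination. The function names and the constructed packet bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The flawed shape the summary conjectures: the copy limit is derived as
 * bufsize - 1 in unsigned arithmetic. For bufsize == 0 that is SIZE_MAX, so a
 * copy bounded by it is effectively unbounded and runs until it happens to
 * find a NUL somewhere past the packet. Only the limit computation is shown. */
size_t flawed_copy_limit(size_t bufsize) {
    return bufsize - 1;                          /* underflows when bufsize == 0 */
}

/* Hardened reader: copies a NUL-terminated string out of a packet buffer of
 * srclen bytes into dst (bufsize bytes), never writing past either end.
 * Returns 0 if a terminating NUL was found, 1 if the result was truncated
 * (no NUL within the space available), -1 if bufsize is 0.
 * *copied receives the number of string bytes stored (excluding the NUL). */
int get_nstringz_checked(const uint8_t *src, size_t srclen,
                         char *dst, size_t bufsize, size_t *copied) {
    size_t i;
    if (bufsize == 0) {                          /* the zero case, handled up front */
        *copied = 0;
        return -1;
    }
    for (i = 0; i + 1 < bufsize && i < srclen; i++) {
        if (src[i] == 0) {
            dst[i] = '\0';
            *copied = i;
            return 0;
        }
        dst[i] = (char)src[i];
    }
    dst[i] = '\0';                               /* i <= bufsize - 1: always in bounds */
    *copied = i;
    if (i < srclen && src[i] == 0)               /* string fit exactly */
        return 0;
    return 1;
}
```

The reader takes the packet length as well as the destination size: a dissector has to bound the read against the captured frame just as strictly as it bounds the write, since a malformed trace file can end mid-string.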

Exploitation of this issue may allow an attacker to cause Ethereal to behave in an unpredictable manner.

Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful this may allow for either a remotely triggered denial of service condition or ultimately in the execution of arbitrary code with the privileges of the Ethereal process.

The precise technical details of this vulnerability are currently unknown. This BID will be updated, as further information is available.

This vulnerability affects Ethereal 0.9.12 and earlier.

33. FakeBO Syslog Format String Vulnerability BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7882
Summary:

FakeBO is a utility that emulates common trojan servers such as Back Orifice and logs connection attempts to them. It may also be used in a honeypot setup to facilitate security monitoring. It is available for Microsoft Windows, Linux, and Unix variant operating systems.

A vulnerability has been reported for FakeBO that may result in an attacker obtaining elevated privileges on a target system.

Due to a programming error, it may be possible to exploit a format string vulnerability in the affected utility. Specifically, a logging function in FakeBO contains insecure syslog() calls. This could result in the execution of attacker-supplied code.

The vulnerability occurs when FakeBO resolves a carefully constructed hostname that includes malicious format string specifiers. If this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with elevated privileges.
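An added example, not FakeBO's code: the syslog() call shape the summary describes beside the fixed form, plus the same two shapes rendered through snprintf() so the difference can be observed without writing to the system log (syslog() applies the same printf formatting rules to its message). The function names and the constructed hostnames are assumptions; the demo uses a "%%" directive so that it stays well defined, whereas a real attacker's "%n" would write to memory.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape: the hostname resolved for the peer becomes the format
 * string, so '%' directives it contains are interpreted, and %n writes to
 * memory. Compilers flag this (-Wformat-security); the pragma only keeps the
 * example compiling so the shape can be shown. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_host_unsafe(const char *hostname) {
    syslog(LOG_INFO, hostname);
}
int render_unsafe(char *out, size_t n, const char *hostname) {
    return snprintf(out, n, hostname);           /* same flaw, rendered into a buffer */
}
#pragma GCC diagnostic pop

/* Fixed shape: the format is a literal and the hostname is passed as data. */
void log_host_safe(const char *hostname) {
    syslog(LOG_INFO, "connection from %s", hostname);
}
int render_safe(char *out, size_t n, const char *hostname) {
    return snprintf(out, n, "connection from %s", hostname);
}

/* Counts printf directives in a string about to be logged: a cheap detection
 * check for reverse-DNS names and other peer-supplied text. "%%" is a literal. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void) {
    const char *host = "100%%.example";          /* constructed hostname */
    char a[64], b[64];
    render_unsafe(a, sizeof a, host);
    render_safe(b, sizeof b, host);
    printf("unsafe: \"%s\"\n", a);               /* the %% was consumed as a directive */
    printf("safe:   \"%s\"\n", b);               /* the hostname survives verbatim */
    printf("directives in \"evil%%n.example\": %d\n",
           count_format_directives("evil%n.example"));
    return 0;
}
```

Reverse DNS is the attacker's delivery channel here: a PTR record is attacker-controlled text, and any logger that feeds it straight into a format argument is exploitable from the network.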

This vulnerability was reported for FakeBO 0.4.1.

34. WebcamNow Plain Text Password Storage Weakness BugTraq ID: 7884
Remote: No
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7884
Summary:

WebcamNow is a streaming image service available for Microsoft Windows operating systems.

WebcamNow stores usernames and associated passwords using plaintext format, in the Windows registry. Specifically, WebcamNow stores authentication credentials in the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Password

As a result, these credentials could be exposed to other local users who have the permissions to access the registry.

35. Mollensoft E