SecurityFocus Newsletter #208

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Aug 04 2003 - 15:56:01 EDT


This Issue is Sponsored by: SPI Dynamics

NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.securityfocus.com/SPIDynamics-sf-news5


I. FRONT AND CENTER
  1. Maintaining System Integrity During Forensics
  2. Firewall Evolution - Deep Packet Inspection
  3. Betting on Malware
II. BUGTRAQ SUMMARY
  1. Multiple Novell iChain Buffer Overflow Vulnerabilities
  2. Microsoft Outlook Express Script Execution Weakness
  3. e107 Website System HTML Injection Vulnerability
  4. ManDB Utility Local Buffer Overflow Vulnerability
  5. FreeRadius Chap Remote Buffer Overflow Vulnerability
  6. University of Minnesota GopherD Do_Command Buffer Overflow...
  7. PBLang Bulletin Board System HTML Injection Vulnerability
  8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
  9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability
  10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service...
  11. Cisco Aironet Telnet Service User Account Enumeration Weakness
  12. Gallery Search Engine Cross-Site Scripting Vulnerability
  13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
  14. MacOS X Third Party Application Screen Effects Password...
  15. HP PHNE_27128 Denial Of Service Introduction Vulnerability
  16. HP PHNE_26413 Denial Of Service Introduction Vulnerability
  17. Softshoe Parse-file Cross-Site Scripting Vulnerability
  18. Mini SQL Remote Format String Vulnerability
  19. XBlast HOME Environment Variable Buffer Overflow Vulnerability
  20. KDE Konqueror HTTP REFERER Authentication Credential Leak...
  21. Valve Software Half-Life Client Connection Routine Buffer...
  22. Valve Software Half-Life Dedicated Server Malformed Parameter...
  23. Valve Software Half-Life Dedicated Server Multiplayer Request...
  24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of...
  25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service...
  26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
  27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow...
  28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation...
  29. Symantec Quarantine Server Disconnect Denial Of Service...
  30. XConq Multiple Environment Variable Buffer Overflow...
III. SECURITYFOCUS NEWS ARTICLES
  1. Fed: Cyberterror fears missed real threat
  2. Panel Probes the Half-life of Bugs
  3. UK e-voting pilots deeply flawed
  4. Yaha usurps Klez
IV. SECURITYFOCUS TOP 6 TOOLS
  1. PeerProtect v0.2
  2. DSPAM v2.6.3
  3. pkdump v0.96.2
  4. Dante v1.1.14
  5. System Rescue CD v0.2.0
  6. FSlint v2.0.2
V. SECURITYJOBS LIST SUMMARY
  1. Systems Security Engineer (Thread)
  2. Looking for a Software Developer or Researcher Position (Thread)
  3. Technical Operations Manager vacancy (Thread)
  4. Two security positions, one in PA and one in DC (Thread)
  5. Network Security Engineer relocating to PA (Thread)
  6. Security Engineer position - Montgomery, AL (Thread)
  7. Question about opportunities for Americans outside the US (Thread)
  8. Installation & Support Technician (Thread)
  9. Ethical Hacker Needed -- Chicago (Thread)
  10. Security Software Sales opportunity- Federal (Thread)
  11. Security Software Sales opportunities- Midwest, Southeast/west...
  12. Information Security Architect - Franklin Lakes, NJ, USA (Thread)
  13. Cisco is looking for a Sr. Microsoft security expert (Thread)
  14. Sr. IA Engineer to work on program in Wash., DC (Thread)
  15. IA Program Manager (Thread)
  16. Full time IT Auditor position in Pittsburgh PA (Thread)
  17. Seeking Information Security Position in the Washington, DC...
  18. Seattle - Security Sales (Thread)
  19. Google: Network Security Engineer (Thread)
  20. Fulltime Test positions -Northern Va (Thread)
  21. Symantec's MSS practice looking for security device expert...
  22. Senior Security Professional seeking post (Thread)
  23. Senior Security Analyst Opportunity - Alphatech Corporation...
  24. IMMEDIATE OPENING - Vulnerability Assessment, Reston, VA (Thread)
  25. IMMEDIATE OPENING - Sr. IDS Manager, Bethesda, MD (Thread)
  26. Senior IT Auditor (Thread)
  27. System Security Analyst (Thread)
  28. IT Security Auditor (Thread)
  29. Top Secret Cleared Security Professionals Wanted (Thread)
  30. Open Positions at LURHQ Corporation (Thread)
  31. Seeking Information Security Position in the SF Bay Area (Thread)
  32. Network Security Engineer - Washington, DC (Thread)
  33. Alexandria, VA - Sr Mgmt Systems Programmer wanted (Thread)
  34. Security Software Developer available (Thread)
VI. INCIDENTS LIST SUMMARY
  1. Command Line RPC vulnerability scanner? (Thread)
  2. Scan of TCP 552-554 (Thread)
  3. RPC DCOM exploit (Thread)
  4. Scans for 17300/tcp starting again (Thread)
  5. Exploit for Windows RPC may be in the wild! (Thread)
  6. new worm? or DDoS attack in progress (Thread)
  7. Importance of outbound traffic filtering (Thread)
  8. floods through our proxy (Thread)
  9. Anyone know this tool? (Thread)
  10. email worm? Newsletter, aaa.exe, caraoke ksp.exe (Thread)
  11. www.google.com reference in directory-traversal attack (Thread)
  12. New or old PHP worm? (Thread)
  13. Is this enough to identify this by? (Thread)
  14. "access_log?hello" ? (Thread)
  15. First time security issue. (Thread)
  16. [security-elvandar] "access_log?hello" ? (Thread)
  17. Heavy port 1214 traffic revisited (Thread)
  18. First Time Security Incident (Thread)
  19. email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd) (Thread)
  20. New worm in Japan? (Thread)
  21. Port 0 packets (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
  1. Analyze binary for holes (Thread)
  2. Some help With BOF Exploits Writing. - EAX ?! (Thread)
  3. Password Cracking Challenge... (Thread)
  4. perl/php connect-back backdoor? (Thread)
  5. VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine. (Thread)
  6. is it even possible for a worm with dcom vuln? (Thread)
  7. Some help With BOF Exploits Writing. (Thread)
  8. proces on win2K (Thread)
  9. Thanks much! (Thread)
  10. Unbreakable Lotus Notes (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
  1. DCOM RPC exploit as a virus/trojan? (Thread)
  2. change NT passwords Kerberos (Thread)
  3. How to silently deploy DirectX9b? (Thread)
  4. Windows XP "write attributes" permission for Users (Thread)
  5. IAS as a RADIUS server (Thread)
  6. HTASploit (Thread)
  7. ISA Server and Win2k3 standard OS (Thread)
  8. SecurityFocus Microsoft Newsletter #147 (Thread)
  9. monitor folders (Thread)
  10. Tracking down a user in a large AD network (Thread)
IX. SUN FOCUS LIST SUMMARY
  NO NEW POSTS FOR THE WEEK ENDING 08.01.03
X. LINUX FOCUS LIST SUMMARY
  NO NEW POSTS FOR THE WEEK ENDING 08.01.03
XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Betting on Malware By George Smith

DARPA's plan to create a futures market for terrorist activities is dead, but the concept is a natural for predicting viruses and worms.

http://www.securityfocus.com/columnists/176

2. Maintaining System Integrity During Forensics By Jamie Morris

This article discusses best practices for maintaining system integrity during forensic examinations.

http://www.securityfocus.com/infocus/1717

3. Firewall Evolution - Deep Packet Inspection By Ido Dubrawsky

Deep Packet Inspection can be seen as the integration of Intrusion Detection (IDS) and Intrusion Prevention (IPS) capabilities with traditional stateful firewall technology.

http://www.securityfocus.com/infocus/1716

II. BUGTRAQ SUMMARY


1. Multiple Novell iChain Buffer Overflow Vulnerabilities BugTraq ID: 8280
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8280
Summary:

Novell iChain Server is a web-based security product designed to implement and maintain various network-based access controls.

Novell iChain has been reported prone to multiple buffer overflow vulnerabilities.

The first issue occurs when a special script is run against login. The issue is likely due to insufficient bounds checking performed on user-supplied data. It is reported that this issue may be exploited to trigger a server ABEND condition.

The second issue occurs when a user login name of 230 or more bytes is passed to the iChain server. It has been reported that if this login fails and email alerts are enabled in the iChain server, the excessive data will likely trigger an ABEND condition in the affected software.

It has been reported that both of these conditions may be exploited to trigger ABEND conditions and deny service to legitimate users.

This BID will be updated as further technical details are disclosed.

2. Microsoft Outlook Express Script Execution Weakness BugTraq ID: 8281
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8281
Summary:

It has been reported that a weakness may have been re-introduced into Microsoft Outlook Express. According to the source, the issue described in Bugtraq ID 3334 had been fixed by Microsoft but appears to have resurfaced.

The original report (BID 3334) described behavior where script code included in a message set as type "text/plain" in its content-type header field would be parsed and executed. A reliable source has indicated that this condition appears to have returned after being fixed.

This is unsafe behavior as the client should treat all messages of this type as plain text and not execute any script or render any HTML. Furthermore, these messages may bypass filters designed to block messages that contain HTML/script code based on the content-type field.

It should be noted that Symantec has no record of the original issue being fixed. This record will be updated as more information becomes available.

3. e107 Website System HTML Injection Vulnerability BugTraq ID: 8279
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8279
Summary:

e107 Website System is a web based content management system implemented in PHP.

The e107 Website System is prone to an HTML injection vulnerability. This issue is exposed through the class2.php script. An attacker may exploit this issue by including hostile HTML and script code in form fields that support custom tags. This includes areas of the site such as Chatbox and Forum. This code may be rendered in the web browser of a user who views these areas of the site. This would occur in the security context of the site hosting e107.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

4. ManDB Utility Local Buffer Overflow Vulnerability BugTraq ID: 8278
Remote: No
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8278
Summary:

mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility.

mandb has been reported prone to a local buffer overflow vulnerability.

It has been reported that a local attacker may exploit this issue to execute arbitrary instructions with elevated privileges, specifically those of the 'man' user.

The issue likely presents itself due to a lack of sufficient bounds checking performed on user-supplied data. Although unconfirmed, it has been conjectured that user-supplied data copied into an insufficiently sized memory buffer may overflow the bounds of that buffer and corrupt saved values that are crucial to program execution flow control.

The attacker may exploit this issue to influence execution flow of the vulnerable utility and have arbitrary attacker specified instructions executed inline.

It should be noted that although the mandb utility is installed with setuid root privileges by default, this issue has been reported to be only exploitable to attain user 'man' privileges.

Additionally, although this vulnerability has been reported to affect man version 2.3.19, other versions may also be affected.

5. FreeRadius Chap Remote Buffer Overflow Vulnerability BugTraq ID: 8282
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8282
Summary:

FreeRADIUS is a freely available, open source implementation of the RADIUS protocol. It is available for the Unix and Linux operating systems.

A problem with FreeRADIUS has been reported when handling CHAP requests. Because of this, an attacker may be able to gain unauthorized access to a system using the vulnerable software.

Specific details about the vulnerability are not currently available. It is known that the problem in CHAP may be exploited to execute code with the privileges of the FreeRADIUS server. This could give the attacker access to the system with the privileges of the FreeRADIUS server.

6. University of Minnesota GopherD Do_Command Buffer Overflow Vulnerability BugTraq ID: 8283
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8283
Summary:

gopherd is the implementation of the Gopher Protocol Daemon by the University of Minnesota. It is available for the Unix and Linux platforms.

It has been reported that University of Minnesota gopherd is vulnerable to a remotely exploitable boundary condition error. This may make it possible for an attacker to gain unauthorized access to a host using the vulnerable software.

The problem is in the do_command function of the Gopherd.c file. Due to insufficient bounds checking on the user-supplied data, it is possible for an attacker to overwrite sensitive process memory. This could result in the execution of arbitrary instructions with the privileges of the gopher daemon process.

7. PBLang Bulletin Board System HTML Injection Vulnerability BugTraq ID: 8284
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8284
Summary:

PBLang is a bulletin board system implemented in PHP.

PBLang is prone to an HTML injection vulnerability. This issue is exposed through the docs.php script. An attacker may exploit this issue by including hostile HTML and script code in posts to the bulletin board. This is because the script that processes posts does not sufficiently sanitize user input, allowing attackers to embed HTML and script commands within the post. This code may be rendered in the web browser of a user who views these areas of the site. This would occur in the security context of the site hosting PBLang.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability BugTraq ID: 8285
Remote: Yes
Date Published: Jul 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8285
Summary:

EF Commander is a commercially available FTP client distributed by EFSoftware. It is available for the Microsoft Windows platform.

A problem with EF Commander could result in the execution of arbitrary code.

It has been reported that a memory corruption bug exists in EF Commander. Under some circumstances, when an FTP client connects to a malicious FTP server it may be possible for the server to exploit a boundary condition error.

The problem is in the handling of FTP banners in EF Commander. When EF Commander receives an FTP banner of excessive length, it becomes unstable. It has been reported that this vulnerability can be reproduced by sending an FTP banner of 520 or more bytes to a vulnerable client. It is possible that this vulnerability is an exploitable buffer overflow, and could result in the execution of attacker-supplied code. Any code executed would be with the permissions of the EF Commander client user.

9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability BugTraq ID: 8286
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8286
Summary:

PBLang is a bulletin board system implemented in PHP.

PBLang is prone to an HTML injection vulnerability. This issue is exposed through the docs.php script. An attacker may exploit this issue by including hostile HTML and script code encapsulated in [IMG] tags of posts to the bulletin board. This is because the script that processes posts does not sufficiently sanitize user input, allowing attackers to embed HTML and script commands within [IMG] tags of the post. This code may be rendered in the web browser of a user who views these areas of the site. This would occur in the security context of the site hosting PBLang.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

It should be noted that although this vulnerability has been reported to affect PBLang version 4.56, previous versions are also likely affected.

10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability BugTraq ID: 8290
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8290
Summary:

The Cisco Aironet AP1x00 is a series of wireless access point devices.

Cisco Aironet AP1x00 series devices are prone to a denial of service vulnerability upon receipt of a malformed HTTP GET request. This issue exists in the web administrative interface for affected devices. Such a request will cause the device to reload. It is possible to cause a prolonged denial of service by repeatedly sending such requests to an affected device. This could be exploited to deny availability of a WLAN that depends on the device.

11. Cisco Aironet Telnet Service User Account Enumeration Weakness BugTraq ID: 8292
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8292
Summary:

Aironet is the Wireless Access Point solution distributed and maintained by Cisco.

An information leak has been reported in Cisco Aironet Access Points when the telnet service has been enabled. This may allow a remote attacker to gain potentially sensitive information.

The problem is in the response of the telnet daemon. A typical implementation returns the same response to a failed authentication attempt whether or not the user name is valid. However, when an invalid username is sent to the Aironet telnet daemon, the daemon responds with a "% Login invalid" message, allowing the attacker to gather a list of valid user names on the target device.

12. Gallery Search Engine Cross-Site Scripting Vulnerability BugTraq ID: 8288
Remote: Yes
Date Published: Jul 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8288
Summary:

Gallery is a web-based photo album. It is written in PHP and is available for Linux and Unix variants as well as Microsoft Windows operating systems.

Gallery is prone to a cross-site scripting vulnerability. This issue is present in the search engine (search.php) facility provided by the software. Input supplied to the search engine via URI parameters is not sufficiently sanitized of HTML or script code before being echoed back to users, allowing for cross-site scripting attacks.

An attacker could exploit this issue by constructing a malicious link to the search engine that contains hostile HTML and script code. Attacker-supplied code could be rendered in the browser of a user who follows such a link. This would occur in the security context of the site hosting the vulnerable software.

13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability BugTraq ID: 8287
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8287
Summary:

mod_mylo is a third party module for Apache HTTP server. The module is designed to log data into a MySQL database in addition to standard logging.

mod_mylo has been reported prone to a remotely exploitable buffer overflow vulnerability.

The issue presents itself due to insufficient bounds checking performed on HTTP requests before the HTTP request string is copied into a buffer in memory. Data in excess of the buffer's size will corrupt adjacent memory. Because memory adjacent to this buffer has been reported to store a saved instruction pointer, it is possible for a remote attacker to influence program execution flow. Ultimately a remote attacker may exploit this condition to execute arbitrary instructions in the context of the Apache HTTP server.

This issue has been reported to affect mod_mylo version 0.2.1 and all versions prior.

14. MacOS X Third Party Application Screen Effects Password Protection Bypass Vulnerability BugTraq ID: 8293
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8293
Summary:

Apple MacOS X has a screen saver, entitled Screen Effects, with a password feature.

Screen Effects has been reported prone to a vulnerability where third party applications may allow a user who has physical access to the host to kill the Screen Effects process and thereby subvert desktop password protection.

Under certain circumstances, this may allow an attacker to gain unauthorized access to a vulnerable host.

15. HP PHNE_27128 Denial Of Service Introduction Vulnerability BugTraq ID: 8291
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8291
Summary:

HP PHNE_27128 is a cumulative patch released by HP to address non-critical issues in nettl and nettladm.

It has been reported that the PHNE_27128 patch has introduced a potential local denial of service vulnerability. HP has announced that this vulnerability could be exploited by a non-privileged user to trigger a system panic on a target system.

This BID will be updated as further technical details regarding this vulnerability are disclosed.

16. HP PHNE_26413 Denial Of Service Introduction Vulnerability BugTraq ID: 8289
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8289
Summary:

HP PHNE_26413 is a patch released by HP to address non-critical issues in nettl, netfmt and nettladm.

It has been reported that the PHNE_26413 patch has introduced a potential local denial of service vulnerability. HP has announced that this vulnerability could be exploited by a non-privileged user to trigger a system panic on a target system.

This BID will be updated as further technical details regarding this vulnerability are disclosed.

17. Softshoe Parse-file Cross-Site Scripting Vulnerability BugTraq ID: 8294
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8294
Summary:

Softshoe is a human resources application.

Softshoe is allegedly prone to cross-site scripting attacks. The issue exists in the 'parse_file' component and may be exploited by including HTML and script code as input to the 'TEMPLATE' URI parameter. An attacker can exploit this issue by creating a malicious link that contains hostile HTML or script code to a site that is hosting the vulnerable software. If such a link is visited, the attacker-supplied code may be rendered in the user's web browser. This would occur in the context of the site hosting the software.

Exploitation of this issue could allow for theft of cookie-based authentication credentials or other attacks.
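The e107, PBLang (both the post body and the [IMG] tag case), Gallery and Softshoe entries share one root cause: user-supplied text is placed into a page without being encoded for its HTML context. The C below is an added example written for this newsletter page; it is not code from any of those PHP applications. html_escape() is the output-encoding step each of them lacks, and render_img() shows the extra check the [IMG] case needs, where a URL must be restricted to http(s) and kept free of attribute-breaking characters before it is emitted. All inputs and function names here are constructed for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Escape the five characters that let text break out of an HTML text node or a quoted
   attribute value. Returns the full escaped length (as snprintf does), so a return value
   >= outsz means the output was truncated; 'out' is always NUL-terminated when outsz > 0. */
static size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t needed = 0;   /* length the escaped text needs */
    size_t written = 0;  /* bytes stored; stops growing at the first piece that does not fit */
    for (; *in; in++) {
        const char *rep = NULL;
        size_t rlen;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        rlen = rep ? strlen(rep) : 1;
        if (written == needed && needed + rlen < outsz) {
            if (rep)
                memcpy(out + written, rep, rlen);
            else
                out[written] = *in;
            written += rlen;
        }
        needed += rlen;
    }
    if (outsz)
        out[written] = '\0';
    return needed;
}

/* A post's [IMG] URL is only ever allowed to be an absolute http(s) URL with no whitespace,
   control characters or quoting characters. Anything else (javascript:, data:, an attempt
   to close the src attribute) is rejected rather than "cleaned". */
static int is_safe_img_url(const char *url)
{
    const char *p;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (p = url; *p; p++)
        if ((unsigned char)*p <= 0x20 || *p == '"' || *p == '\'' || *p == '<' || *p == '>')
            return 0;
    return 1;
}

/* Render the image tag for a [IMG]url[/IMG] fragment. Returns 1 and fills 'out' on success,
   0 (with an empty 'out') when the URL is rejected or the result would not fit. */
static int render_img(const char *url, char *out, size_t outsz)
{
    char esc[512];
    int n;
    if (!is_safe_img_url(url) || html_escape(url, esc, sizeof esc) >= sizeof esc) {
        if (outsz)
            out[0] = '\0';
        return 0;
    }
    n = snprintf(out, outsz, "<img src=\"%s\" alt=\"\">", esc);
    return n > 0 && (size_t)n < outsz;
}

/* Named checks so behaviour can be verified without printing. */
static int escape_matches(const char *in, const char *expected)
{
    char buf[256];
    if (html_escape(in, buf, sizeof buf) >= sizeof buf)
        return 0;
    return strcmp(buf, expected) == 0;
}

static int escape_truncated(const char *in, size_t outsz)
{
    char buf[256];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return html_escape(in, buf, outsz) >= outsz;
}

static int img_matches(const char *url, const char *expected)
{
    char buf[256];
    if (!render_img(url, buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

static int img_rejected(const char *url)
{
    char buf[256];
    return render_img(url, buf, sizeof buf) == 0;
}
```

The design point is that encoding and validation are different controls: html_escape() makes any text safe to display, while render_img() refuses input it cannot vouch for, because an attribute value that is merely escaped can still carry a javascript: scheme that the browser will happily follow.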

18. Mini SQL Remote Format String Vulnerability BugTraq ID: 8295
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8295
Summary:

Mini SQL (mSQL) is a relational database management system.

mSQL has been reported prone to a remotely exploitable format string vulnerability.

Reportedly a remote attacker may send malicious format specifiers to trigger the issue. This issue is due to erroneous use of a formatting function, which allows format specifiers to be supplied by an external source, in this case a remote user. By passing specially crafted format specifiers through a session, an attacker may corrupt process memory and thereby execute arbitrary code with the privileges of the affected daemon, which is typically root.

This vulnerability has been reported to affect mSQL version 1.3 and all prior versions; other versions may also be affected.
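The mSQL summary describes the general shape of a format string bug: user-controlled text reaching a formatting function as its format argument. The C below is an added example for this page, not mSQL's code. It shows the correct call shape (untrusted text passed as an argument to a fixed format), plus a small detector that counts conversion directives in input so a logging or monitoring layer can flag text that should never reach such a sink. All function names and inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives in 's'; "%%" is a literal percent sign, not a directive.
   Any count above zero means the text must never be handed to printf(), syslog(),
   snprintf() and friends as their format argument, where each directive would read
   (and, with %n, write) process memory. The vulnerable shape this guards against is
   snprintf(out, outsz, client_text) with no fixed format string in between. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;                 /* a lone '%' at the end of the string also counts */
    }
    return n;
}

/* Correct use: the untrusted text is an argument to a fixed, literal format. Returns
   snprintf's length so callers can detect truncation. */
static int log_client_text(char *out, size_t outsz, const char *client_text)
{
    return snprintf(out, outsz, "client said: %s", client_text);
}

/* Checks that the safe sink reproduces its input verbatim, directives and all: the
   directives are data here, so nothing interprets them. */
static int safe_sink_preserves(const char *client_text)
{
    char buf[256];
    const char *prefix = "client said: ";
    int n = log_client_text(buf, sizeof buf, client_text);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;
    return strcmp(buf + strlen(prefix), client_text) == 0;
}
```

A practical use of count_format_directives() is on the defensive side: run it over fields of inbound protocol messages or log records and alert when a client sends text dense with directives, since legitimate queries rarely contain runs such as "%x%x%n".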

19. XBlast HOME Environment Variable Buffer Overflow Vulnerability BugTraq ID: 8296
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8296
Summary:

XBlast is a multi-player arcade game available for Windows and various Linux distributions.

A locally exploitable buffer overflow vulnerability has been reported in XBlast 2.6.1.

XBlast does not perform adequate bounds checking on input supplied via the HOME environment variable. Successful exploitation can lead to arbitrary code execution. XBlast is typically installed setgid games on Linux systems, making it possible to exploit this issue to gain these privileges.

20. KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability BugTraq ID: 8297
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8297
Summary:

Konqueror is a freely available, open source web browser distributed and maintained by the KDE project. It is available for the Unix and Linux operating systems.

It has been reported that a problem in KDE Konqueror may result in the leak of authentication credentials through the HTTP REFERER header field. This could result in an attacker gaining unauthorized access to authentication information.

When a user visits a site that keeps authentication credentials in the URL and then follows a link from it to another site, the browser passes the credential-bearing URL to the linked site in the HTTP REFERER header, where it is recorded in that site's referrer log. This could result in unauthorized access to the user's account on the referring site.

21. Valve Software Half-Life Client Connection Routine Buffer Overflow Vulnerability BugTraq ID: 8299
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8299
Summary:

Half-Life is a game distributed and maintained by Valve Software. It includes features that allow users to game locally or across a network. The game engine is used in many modifications.

Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.

The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.

It has been reported that a parameter of 516 bytes and a value of 268 will corrupt data adjacent to an undersized buffer. This may allow a remote attacker to corrupt a saved instruction pointer and thereby influence program execution flow. Ultimately the attacker may trigger the execution of supplied instructions in the context of the user running the affected game client.

It should be noted that although this vulnerability has been reported to affect Half-Life version 1.1.1.0, previous versions are likely affected.

22. Valve Software Half-Life Dedicated Server Malformed Parameter Loop Denial Of Service Vulnerability
BugTraq ID: 8301
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8301
Summary:

Half-Life is a game distributed and maintained by Valve Software. It includes features that allow users to game locally or across a network. The game engine is used in many modifications.

Half-Life servers are prone to a denial of service that may be exploited by a malicious client. By supplying malformed parameters in a client packet during a request to join a multiplayer game, it may be possible to cause a loop within the server program. This would result in a crash of the vulnerable server.

This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.

23. Valve Software Half-Life Dedicated Server Multiplayer Request Buffer Overflow Vulnerability
BugTraq ID: 8300
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8300
Summary:

Half-Life is a game distributed and maintained by Valve Software. It includes features that allow users to game locally or across a network. The game engine is used in many modifications.

Half-Life servers are prone to a buffer overflow that may be exploited by a malicious client. By supplying overly long parameters in a client packet during a request to join a multiplayer game, it may be possible to corrupt adjacent locations of stack memory with attacker-supplied data. This could allow for code execution in the context of the vulnerable server. It should be noted that the type of data sent may be restricted by the Half-Life protocol, which may make exploitation more difficult, as certain characters will not be permitted in the client request.

This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.

24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of Service Vulnerability
BugTraq ID: 8298
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8298
Summary:

XDR (External Data Representation) is a protocol governing the platform-independent description and encoding of data. In this case it is used in conjunction with the Linux implementation of NFSv3 (Network File System), which shares system resources across a network; NFS uses XDR to describe the format of its data.

Linux Kernel 2.4 XDR handler routines for NFSv3 have been reported prone to a remote denial of service vulnerability.

The issue presents itself in the decode_fh XDR handler routine contained in the nfs3xdr.c kernel source file. The issue is due to a signed/unsigned mismatch, when processing the size field of an XDR packet.

A malicious attacker may bypass the signed sanity check "if (size > NFS3_FHSIZE)" in the decode_fh XDR handler routine by crafting an XDR packet whose size field contains the two's complement representation of -1, or 0xFFFFFFFF. The signed comparison treats this value as a negative number and accepts it, but the value is then passed to a memcpy() call that interprets it as the unsigned quantity 0xFFFFFFFF (4 GB); this massive memcpy operation will trigger a kernel panic.

It has been reported that the target host may need an accessible exported directory, if this vulnerability is to be successfully exploited. It should be noted that other methods to trigger the vulnerability might also be possible.

This vulnerability has been reported to affect the Linux 2.4 kernel tree.

25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8302
Summary:

NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.

NetScreen ScreenOS has been reported prone to a vulnerability that may allow a remote user to trigger a denial of service condition in an affected appliance.

It has been reported that by modifying system configuration values that control the TCP window size, an attacker may trigger a denial of service in a remote appliance, by connecting to the target appliance.

It has been reported that the issue only affects NetScreen appliances that are configured to use management services such as HTTP, SSH or Telnet.

This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases. NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3.x and earlier, 4.0.0, and 4.0.2 are not vulnerable. The vendor has supplied upgrades for affected versions.


26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
BugTraq ID: 8303
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8303
Summary:

mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility.

mandb has been reported to be affected by multiple buffer overflow vulnerabilities.

These issues present themselves in the ult_src(), add_to_dirlist(), test_for_include() functions and in the PATH/MANPATH argument handler of mandb.

The issues are due to insufficient bounds checking performed on user-supplied data before it is copied into reserved buffers in memory. A local attacker may supply excessive data in a manner sufficient to trigger these issues and in doing so corrupt arbitrary memory. It has been conjectured that an attacker may ultimately exploit this issue to execute arbitrary instructions, with elevated privileges.

Code execution would occur in the context of the mandb utility, typically user 'man'.

This BID will be split up into unique BIDs as these issues are analyzed in further detail.

27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow Vulnerability
BugTraq ID: 8305
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8305
Summary:


Sun Solaris runtime linker (ld) is a utility that is harnessed to link shared objects to executables at runtime. The environment variable LD_PRELOAD is used to define a library that will be prioritized above others when seeking shared libraries.

The Sun Solaris ld runtime linker has been reported prone to a buffer overflow vulnerability. It has been conjectured that the issue presents itself due to insufficient bounds checking performed in the routines used to process the value of LD_PRELOAD. The affected routine is thought to be called in the case that an unprivileged user specifies an LD_PRELOAD value when invoking a setuid binary.

It has been reported that a local attacker may craft an LD_PRELOAD value consisting of 1200 bytes of data, prepended and appended with a forward slash. The attacker may then invoke a setuid binary that is dynamically linked to trigger the condition in the ld linker. Excessive data copied from the LD_PRELOAD value may corrupt internal memory and ultimately result in the execution of arbitrary code with elevated privileges.

It should be noted that this problem affects systems with the following attributes:

Sparc Solaris 2.6 with patch 107733-10, and without patch 107733-11.
Sparc Solaris 7 with patches 106950-14 through 106950-22, and without patch 106950-23.
Sparc Solaris 8 with patches 109147-07 through 109147-24, and without patch 109147-25.
Sparc Solaris 9 without patch 112963-09.

Intel Solaris 2.6 with patch 107734-10, and without patch 107734-11.
Intel Solaris 7 with patches 106951-14 through 106951-22, and without patch 106951-23.
Intel Solaris 8 with patches 109148-07 through 109148-24, and without patch 109148-25.
Intel Solaris 9 without patch 113986-05.

28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation Vulnerability
BugTraq ID: 8304
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8304
Summary:

The IRIX unified nsd (Name Service Daemon) provides a generic interface to a number of network lookup services including DNS, NIS and LDAP.


SGI has reported a vulnerability in IRIX that may permit attackers to gain remote root privileges via the nsd server and modules. The problem is a heap overflow in the RPC AUTH_UNIX functionality of the nsd service.

By submitting a malicious string to the service which typically handles RPC AUTH_UNIX requests on UDP ports above 1024, it is possible to corrupt heap memory to execute attacker-supplied instructions. This problem would allow an attacker to gain access to the vulnerable system with the privileges of the nsd service.

29. Symantec Quarantine Server Disconnect Denial Of Service Vulnerability
BugTraq ID: 8306
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8306
Summary:

Symantec Quarantine Server is a component of Symantec and Norton AntiVirus Corporate Edition. The server can be configured to listen on a user-specified port.

Symantec Quarantine Server (qserver.exe) is prone to a denial of service vulnerability. This can occur when a user disconnects from the service before sending any data. This can cause CPU usage for the service to spike to 100%, potentially denying availability of other resources.

The Quarantine Server must be rebooted for normal functionality to resume.

30. XConq Multiple Environment Variable Buffer Overflow Vulnerabilities
BugTraq ID: 8307
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8307
Summary:

xconq is a multiplayer game that is available for a number of Unix/Linux variants.


Multiple locally exploitable buffer overflows have been reported in xconq. This is due to insufficient bounds checking of data supplied via the USER and DISPLAY environment variables. This may permit a local attacker to corrupt adjacent regions of stack memory with specific values, allowing execution of arbitrary code in the context of the program, which is typically installed setgid 'games'.

This issue appears similar to BID 1495. Further analysis of these issues may determine that the issues are identical, in which case this BID will be retired and the earlier BID will be updated.

III. SECURITYFOCUS NEWS AND COMMENTARY


1. Fed: Cyberterror fears missed real threat
By Kevin Poulsen

A top U.S. cyber security official says the government was looking for imagined terrorist hackers, while real terrorists were plotting 9-11.

http://www.securityfocus.com/news/6589

2. Panel Probes the Half-life of Bugs
By Kevin Poulsen

Researchers find that software vulnerabilities have a predictable decay rate, and the Microsoft RPC hole is currently the most prevalent on the net.

http://www.securityfocus.com/news/6568


3. UK e-voting pilots deeply flawed
By John Leyden, The Register

A leading British academic has warned of the shortcomings of electronic voting schemes tried at this year's local elections.

http://www.securityfocus.com/news/6580

4. Yaha usurps Klez
By John Leyden, The Register

Yaha-E displaced Klez as the most common viral menace on the Internet over the last month, according to Messagelabs.

http://www.securityfocus.com/news/6579

IV. SECURITYFOCUS TOP 6 TOOLS


1. PeerProtect v0.2
by Poulet Fabrice
Relevant URL:
http://www.atout.be/
Platforms: Linux, POSIX
Summary:

PeerProtect is an addon for Jay's firewall that generates a file which contains all IP addresses from the RIAA and MPAA, etc. and will protect peer-to-peer programs from them.


2. DSPAM v2.6.3
by Jonathan A. Zdziarski
Relevant URL:
http://www.networkdweebs.com/software/dspam/
Platforms: UNIX
Summary:

DSPAM is a server-side anti-spam agent for UNIX email servers. It masquerades as the email server's local delivery agent and filters/learns SPAM using a Bayesian statistical approach which provides an administratively maintenance-free, self-learning Anti-Spam service. Each email is broken down into its most interesting tokens, each assigned a spam probability. All probabilities are then combined to produce a statistical probability of spam. This approach, applied to a mature corpus of email, has the potential to yield a 99.5% success rate with only 0.03% chance of false positives.

3. pkdump v0.96.2
by dsmoker
Relevant URL:
http://pkdump.sourceforge.net/pkdumpage.html
Platforms: Linux, POSIX
Summary:

pkdump detects TCP and UDP port scans and connection attempts from foreign hosts over the Internet.

4. Dante v1.1.14
by Inferno Nettverk A/S, info@inet.no
Relevant URL:
http://www.inet.no/dante/
Platforms: Digital UNIX/Alpha, IRIX, Linux, OpenBSD, Solaris, SunOS
Summary:

Dante is a free implementation of the proxy protocols socks version 4, socks version 5 (rfc1928), and msproxy. It can be used as a firewall between networks. The package consists of two parts, a socks server and a proxy client which supports socks, msproxy, and HTTP proxies. Commercial support is available.

5. System Rescue CD v0.2.0
by François Dupoux
Relevant URL:
http://systemrescuecd.sourceforge.net/
Platforms: Linux
Summary:

SystemRescueCd is a Linux system available from a bootable CDROM that provides an easy way to perform administrative tasks on your computer, such as creating and editing the partitions of the hard disk or backing up data. It contains a lot of system utilities (such as parted, qtparted, partimage, and fstools) and basic utilities (such as editors, midnight commander, and network tools).


6. FSlint v2.0.2
by pixelbeat
Relevant URL:
http://www.iol.ie/~padraiga/fslint/
Platforms: POSIX, UNIX
Summary:

FSlint is a toolkit to find various forms of lint on a filesystem. At the moment it reports duplicate files, bad symbolic links, troublesome file names, empty directories, non stripped executables, temporary files, duplicate/conflicting (binary) names, and unused ext2 directory blocks.

V. SECURITY JOBS SUMMARY


1. Systems Security Engineer (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331403

2. Looking for a Software Developer or Researcher Position (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331400

3. Technical Operations Manager vacancy (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331405


4. Two security positions, one in PA and one in DC (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331392

5. Network Security Engineer relocating to PA (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331402

6. Security Engineer position - Montgomery, AL (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331409

7. Question about opportunities for Americans outside the US (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331395


8. Installation & Support Technician (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331397

9. Ethical Hacker Needed -- Chicago (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331393

10. Security Software Sales opportunity - Federal (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331398

11. Security Software Sales opportunities - Midwest, Southeast/west (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331394

12. Information Security Architect - Franklin Lakes, NJ, USA (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331396

13. Cisco is looking for a Sr. Microsoft security expert (Thread) Relevant URL:

http://www.securityfocus.com/archive/77/331406

14. Sr. IA Engineer to work on program in Wash., DC (Thread) Relevant URL: