Summary of Security Items from September 15 through September 21, 2004

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans identified between September 13 and September 20, 2004. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.

Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.

Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Vulnerability/Impact: An input validation vulnerability exists in the 'About' section of the Google Toolbar due to insufficient filtering of HTML code, which could let a remote malicious user execute arbitrary HTML and JavaScript code.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: A Proof of Concept exploit script has been published.
Common Name: Google Toolbar Input Validation
Risk: High
Source: Bugtraq, September 17, 2004

Vendor: IBM
Software: Microsoft Windows XP SP1 OEM Version, Microsoft Windows XP OEM Version
Vulnerability/Impact: A vulnerability exists due to a default hidden administrative account that fails to set a password, which could let a malicious user obtain administrative access.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: IBM OEM Microsoft Windows Default Administrative Account
Risk: High
Source: SECNAP Advisory, September 15, 2004

Vendor: McAfee
Software: VirusScan 4.5, 4.5.1
Vulnerability/Impact: A vulnerability exists in 'System Scan' via the system tray applet due to the failure to drop privileges, which could let a malicious user execute arbitrary code.
Patches/Workarounds: This issue has reportedly been addressed by the vendor in Patch 48, which may be obtained by customers with a valid contract grant number through McAfee Corporate Technical Support.
Exploits: There is no exploit code required.
Common Name: McAfee VirusScan Arbitrary Code Execution
Risk: High
Source: iDEFENSE Security Advisory, September 15, 2004

Vendor: Microsoft
Software: Windows CE 2.0, 3.0, 4.2
Vulnerability/Impact: A vulnerability exists in the kernel memory structure KDataStruct, which could let a malicious user obtain sensitive information.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: This vulnerability is exploited by the virus WinCE.Duts.A.
Common Name: Microsoft Windows CE KDataStruct Information Disclosure
Risk: Medium
Source: Airscanner Mobile Security Advisory, September 18, 2004

Vendor: Microsoft
Software: Windows XP Home SP1, Windows XP Home, Windows XP Professional SP1, Windows XP Professional
Vulnerability/Impact: A Denial of Service vulnerability exists in 'Explorer.exe' due to the way certain TIFF format images are handled.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: A Proof of Concept exploit has been published.
Common Name: Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service
Risk: Low
Source: SecurityFocus, September 16, 2004
Vendor: Microsoft
Software: Internet Explorer 6.0 SP2
Vulnerability/Impact: A vulnerability exists due to a design error, which could let a malicious user bypass the user confirmation requirement.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: Microsoft Internet Explorer User Security Confirmation Bypass
Risk: Medium
Source: Bugtraq, September 15, 2004

Vendor: Microsoft
Software: Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office 2003 Professional Edition, 2003 Small Business Edition, 2003 Standard Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003, Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003, Visual Studio .NET 2002, 2003, Word 2002; Avaya DefinityOne Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media Servers
Vulnerability/Impact: A buffer overflow vulnerability exists in the processing of JPEG image formats, which could let a remote malicious user execute arbitrary code.
Sources:
  Microsoft Security Bulletin, MS04-028, September 14, 2004
  US-CERT Vulnerability Note VU#297462, September 14, 2004
  Technical Cyber Security Alert TA04-260A, September 16, 2004
  SecurityFocus, September 17, 2004

Vendor: RhinoSoft.com
Software: DNS4Me 3.0.0.4
Vulnerability/Impact: Two vulnerabilities exist: a Denial of Service vulnerability exists due to an error when processing incoming traffic; and a Cross-Site Scripting vulnerability exists due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published for the Cross-Site Scripting vulnerability.
Common Name: DNS4Me Denial Of Service & Cross-Site Scripting Vulnerabilities
Risk: Low/High (High if arbitrary code can be executed)
Source: GulfTech Security Research Advisory, September 16, 2004

Vulnerability/Impact: A vulnerability exists in the 'down.asp' script due to insufficient sanitization of the 'location' parameter, which could let a remote malicious user execute arbitrary code.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: A Proof of Concept exploit has been published.
Common Name: Snitz Forums 'Down.ASP' Input Validation
Risk: High
Source: Securiteam, September 19, 2004

Vendor: Tech-Noel Inc.
Software: Pigeon Server 3.2.143
Vulnerability/Impact: A remote Denial of Service vulnerability exists when a malicious user submits a login parameter value longer than 8180 characters to port 3103.
Source: SecurityTracker Alert ID, 1011213, September 10, 2004
Sources:
  Mandrakelinux Security Update Advisory, MDKSA-2004:096, September 15, 2004
  RedHat Security Advisory, RHSA-2004:463-09, September 15, 2004
  Gentoo Linux Security Advisory, GLSA 200409-21, September 16, 2004
  Trustix Secure Linux Security Advisory, TSLSA-2004-0047, September 16, 2004

Vendor: Apple
Software: iChat 1.0.1, AV 2.0, 2.1
Vulnerability/Impact: A vulnerability exists when a remote malicious iChat user submits a specially crafted 'link' that, when activated by the target user, will cause an application on the target user's system to run.
Sources:
  APPLE-SA-2004-09-07 Security Update, September 7, 2004
  US-CERT Vulnerability Note VU#914870, September 15, 2004

Vendor: Caolan McNamara and Dom Lachowicz
Software: wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0
Vulnerability/Impact: A buffer overflow vulnerability exists due to the insecure function call strcat() without appropriate bounds checking, which could let a remote malicious user execute arbitrary code.
Sources:
  Conectiva Linux Security Announcement, CLA-2004:863, September 10, 2004
  Debian Security Advisory, DSA 550-1, September 20, 2004

Vendor: GNU
Software: a2ps 4.13
Vulnerability/Impact: A vulnerability exists in filenames due to insufficient validation of shell escape characters, which could let a malicious user execute arbitrary commands.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: GNU a2ps Command Injection
Risk: High
Sources:
  Securiteam, August 29, 2004
  SUSE Security Announcement, SUSE-SA:2004:034, September 17, 2004

Vendor: GNU
Software: Radius 0.92.1, 0.93-0.96, 1.1, 1.2
Vulnerability/Impact: A remote Denial of Service vulnerability exists in the 'asn_decode_string()' function in 'snmplib/asn1.c' when a malicious user submits a large unsigned integer in the SNMP parameter.

Vulnerability/Impact: A buffer overflow vulnerability exists in the 'word-list-compress' utility due to insufficient bounds checking, which could let a malicious user execute arbitrary code.
Source: US-CERT Vulnerability Note VU#700326, September 17, 2004

Vendor: J.Schilling
Software: Star Tape Archiver 1.5a09-1.5a45
Vulnerability/Impact: A vulnerability exists in the setuid function due to a failure to properly implement the function when ssh is used for remote tape access, which could let a malicious user obtain superuser access.

Vulnerability/Impact: A vulnerability exists due to the insecure creation of temporary files during installation, which could let a malicious user obtain sensitive information.
Source: Debian Security Advisory, DSA 544-1, September 14, 2004

Vendor: LOGICNOW
Software: PerlDesk
Vulnerability/Impact: A vulnerability exists in the 'pdesk.cgi' software due to insufficient validation of the 'lang' parameter, which could let a malicious user obtain sensitive information.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: PerlDesk 'lang' Parameter Input Validation
Risk: Medium
Source: SecurityTracker Alert ID, 1011276, September 15, 2004

Vendor: MacOSXLabs
Software: RsyncX 2.1
Vulnerability/Impact: Two vulnerabilities exist: a vulnerability exists due to a failure to drop 'wheel' group privileges, which could let a malicious user execute arbitrary programs; and a vulnerability exists in '/tmp/cron_rsyncxtmp' because the temporary file is created insecurely, which could let a malicious user obtain elevated privileges.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: Proofs of Concept exploits have been published.
Common Name: RsyncX Local Vulnerabilities
Risk: Medium/High (High if arbitrary code can be executed)
Source: SecurityTracker Alert ID, 1011352, September 17, 2004

Vendor: MIT, Debian, Fedora, Gentoo, Immunix, Mandrake, OpenBSD, RedHat, SGI, Sun, Tinysofa, Trustix
Vulnerability/Impact: Multiple buffer overflow vulnerabilities exist due to boundary errors in the 'krb5_aname_to_localname()' library function during conversion of Kerberos principal names into local account names, which could let a remote malicious user execute arbitrary code with root privileges.
Source: Gentoo Linux Security Advisory, GLSA 200409-20, September 16, 2004
Vendor: Multiple Vendors
Software: Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1
Vulnerability/Impact: A remote Denial of Service vulnerability exists in the Apache mod_dav module when an authorized malicious user submits a specific sequence of LOCK requests.
Source: SecurityTracker Alert ID, 1011248, September 14, 2004

Vendor: Multiple Vendors
Software: Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4; MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core1&2; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1; Turbolinux Turbolinux Desktop 10.0
Vulnerability/Impact: A buffer overflow vulnerability exists in the apr-util library's IPv6 URI parsing functionality due to insufficient validation, which could let a remote malicious user execute arbitrary code. Note: On Linux based Unix variants this issue can only be exploited to trigger a Denial of Service condition.

Software: Apache Software Foundation Apache 2.0, 2.0.28, 2.0.32, 2.0.35-2.0.50; Gentoo Linux 1.4; MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1; Turbolinux Turbolinux Desktop 10.0
Vulnerability/Impact: A buffer overflow vulnerability exists in the 'ap_resolve_env()' function in 'server/util.c' due to insufficient validation, which could let a remote malicious user execute arbitrary code.
Source: US-CERT Vulnerability Note VU#481998, September 17, 2004

Vendor: Multiple Vendors
Software: Cisco VPN 3000 Concentrator 4.0.x, 4.0, 4.0.1, 4.1.x; Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; Gentoo Linux 1.4_rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1, x86_64, Linux Mandrake 9.1, ppc, 9.2, amd64, 10.0, AMD64, MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.0, 1.0.6, 1.0.8, 1.1, 1.1.1, 1.2-1.2.8, 1.3-1.3.4; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core2, Core1; Sun SEAM 1.0.2
Vulnerability/Impact: Multiple double-free vulnerabilities exist due to inconsistent memory handling routines in the krb5 library: various double-free errors exist in the KDC (Key Distribution Center) cleanup code and in client libraries, which could let a remote malicious user execute arbitrary code; various double-free errors exist in the 'krb5_rd_cred()' function, which could let a remote malicious user execute arbitrary code; a double-free vulnerability exists in krb524d, which could let a remote malicious user execute arbitrary code; and a vulnerability exists in the ASN.1 decoder when handling indefinite length BER encodings, which could let a remote malicious user cause a Denial of Service.

Vulnerability/Impact: Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
Sources:
  Fedora Update Notifications, FEDORA-2004-290 & 291, September 8, 2004
  Conectiva Linux Security Announcement, CLA-2004:864, September 13, 2004
  SUSE Security Announcement, SUSE-SA:2004:026, September 16, 2004

Vendor: Multiple Vendors
Software: GNU Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; GNOME gdk-pixbuf 0.22 & prior; GTK GTK+ 2.0.2, 2.0.6, 2.2.1, 2.2.3, 2.2.4; MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64; RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1, RedHat Fedora Core1&2; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Desktop 1.0, Enterprise Server 9, 8
Vulnerability/Impact: Multiple vulnerabilities exist: a vulnerability exists when decoding BMP images, which could let a remote malicious user cause a Denial of Service; a vulnerability exists when decoding XPM images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a vulnerability exists when attempting to decode ICO images, which could let a remote malicious user cause a Denial of Service.
Source: SecurityTracker Alert ID, 1011285, September 17, 2004

Vendor: Multiple Vendors
Software: LinuxPrinting.org Foomatic-Filters 3.03.0.2, 3.1; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1
Vulnerability/Impact: A vulnerability exists in the foomatic-rip print filter due to insufficient validation of command-lines and environment variables, which could let a remote malicious user execute arbitrary commands.

Vulnerability/Impact: Several vulnerabilities exist in the out-of-band signal handling code due to race condition errors, which could let a remote malicious user obtain superuser privileges.

Vulnerability/Impact: Multiple vulnerabilities exist: a stack overflow exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in 'create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c', which could let a remote malicious user execute arbitrary code.
Sources:
  Trustix Secure Linux Security Advisory, TSL-2004-0043, August 26, 2004
  Gentoo Linux Security Advisory, [ERRATA UPDATE] GLSA 200409-14:02, September 9, 2004
  Turbolinux Security Advisory, TLSA-2004-25, September 15, 2004
  SUSE Security Announcement, SUSE-SA:2004:034, September 17, 2004
Vendor: Samba.org
Software: Samba version 3.0 - 3.0.6
Vulnerability/Impact: Several vulnerabilities exist: a remote Denial of Service vulnerability exists in the 'process_logon_packet()' function due to insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote Denial of Service vulnerability exists when a malicious user submits a malformed packet to a target 'smbd' server.
Sources:
  Gentoo Linux Security Advisory, GLSA 200409-16, September 13, 2004
  Mandrakelinux Security Update Advisory, MDKSA-2004:092, September 13, 2004
  Trustix Secure Linux Bugfix Advisory, TSL-2004-0046, September 14, 2004
  OpenPKG Security Advisory, OpenPKG-SA-2004.040, September 15, 2004
  SUSE Security Announcement, SUSE-SA:2004:034, September 17, 2004

Vendor: SnipSnap
Software: SnipSnap 0.5.2a
Vulnerability/Impact: A vulnerability exists in the 'referer' parameter due to the way POST requests are handled, which could let a remote malicious user execute arbitrary code.
Source: Gentoo Linux Security Advisory, GLSA 200409-23, September 17, 2004

Vendor: SpamAssassin.org
Software: SpamAssassin prior to 2.64
Vulnerability/Impact: A Denial of Service vulnerability exists in SpamAssassin. A remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service.
Exploits: We are not aware of any exploits for this vulnerability.
Common Name: SpamAssassin Remote Denial of Service
Risk: Low
Sources:
  SecurityTracker: 1010903, August 10, 2004
  Mandrake Security Advisory, MDKSA-2004:084, August 19, 2004
  OpenPKG Security Advisory, OpenPKG-SA-2004.041, September 15, 2004

Vendor: Squid-cache.org
Software: Squid Web Proxy Cache 2.0 PATCH2, 2.1 PATCH2, 2.3 STABLE5, 2.4 STABLE7, 2.5 STABLE1-STABLE6, Squid Web Proxy Cache 3.0 PRE1-PRE3
Vulnerability/Impact: A remote Denial of Service vulnerability exists in 'lib/ntlmauth.c' due to insufficient validation of negative values in the 'ntlm_fetch_string()' function.
Sources:
  Mandrakelinux Security Update Advisory, MDKSA-2004:093, September 15, 2004
  Trustix Secure Linux Security Advisory, TSLSA-2004-0047, September 16, 2004

Vendor: Todd Miller
Software: Sudo 1.6.8
Vulnerability/Impact: A vulnerability exists due to insufficient validation of symbolic links when sudoedit ("sudo -u" option) copies temporary files, which could let a malicious user access the contents of arbitrary files with superuser privileges.
Exploits: There is no exploit code required; however, a Proof of Concept exploit script has been published.
Common Name: Sudo Information Disclosure
Risk: High
Source: Secunia Advisory, SA12596, September 20, 2004

Vendor: VBulletin
Software: VBulletin 3.0, Gamma, beta 2-beta7, 3.0.1-3.0.3
Vulnerability/Impact: A vulnerability exists in the 'x_invoice_num' parameter due to insufficient validation, which could let a remote malicious user execute arbitrary code.
Patches/Workarounds: No workaround or patch available at time of publishing.

Vulnerability/Impact: Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the DVD subpicture component, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in the VideoCD functionality when reading ISO disk labels, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability exists when handling text subtitles, which could let a remote malicious user execute arbitrary code.
Vulnerability/Impact: Two vulnerabilities exist: a vulnerability exists because some security checks are performed on the client-side and not on the server-side, which could let an authenticated remote malicious user delete arbitrary documents; and a Cross-Site Scripting vulnerability exists due to insufficient sanitization of user-supplied input when uploading documents, which could let a remote malicious user execute arbitrary HTML and script code.
Patches/Workarounds: The vendor has released patches dealing with this issue. Users are recommended to contact the vendor for patch and update availability.
Exploits: There is no exploit code required.
Common Name: WebIntelligence Access Control Bypass & Cross-Site Scripting

Exploits: We are not aware of any exploits for this vulnerability.
Common Name: HP Web Jetadmin Unspecified Arbitrary Command Execution
Risk: High
Source: HP Security Advisory, SSRT4739, September 15, 2004

Vendor: Inkra Networks Corporation
Software: 1504GX VSM 2.1.4.b003
Vulnerability/Impact: A remote Denial of Service vulnerability exists due to insufficient validation of IP options.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: Inkra 1504GX Remote Denial of Service
Risk: Low
Source: Secunia Advisory, SA12538, September 17, 2004

Vendor: Matt Smith
Software: ReMOSitory
Vulnerability/Impact: An input validation vulnerability exists in the ReMOSitory add-on for Mambo Open Server due to insufficient validation, which could let a remote malicious user execute arbitrary code.

Vulnerability/Impact: Multiple vulnerabilities exist: buffer overflow vulnerabilities exist in 'nsMsgCompUtils.cpp' when a specially crafted e-mail is forwarded, which could let a remote malicious user execute arbitrary code; a vulnerability exists due to insufficient restrictions on script generated events, which could let a remote malicious user obtain sensitive information; a buffer overflow vulnerability exists in the 'nsVCardObj.cpp' file due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in 'nsPop3Protocol.cpp' due to boundary errors, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists when handling non-ASCII characters in URLs, which could let a remote malicious user execute arbitrary code; multiple integer overflow vulnerabilities exist in the image parsing routines due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a cross-domain scripting vulnerability exists because URI links dragged from one browser window and dropped into another browser window will bypass same-origin policy security checks, which could let a remote malicious user execute arbitrary code; and a vulnerability exists because unsafe scripting operations are permitted, which could let a remote malicious user manipulate information displayed in the security dialog.

Software: HP HP-UX B.11.23, 11.11, 11.00; Mozilla Network Security Services (NSS) 3.2, 3.2.1, 3.3-3.3.2, 3.4-3.4.2, 3.5, 3.6, 3.6.1, 3.7-3.7.3, 3.7.5, 3.7.7, 3.8, 3.9; Netscape Certificate Server 1.0 P1, 4.2, Directory Server 1.3, P1&P5, 3.12, 4.1, 4.11-4.13, Enterprise Server 2.0a, 2.0, 2.0.1 C, 3.0 L, 3.0, 3.0.1 B, 3.0.1, 3.1, 3.2, 3.5, 3.6, SP1-SP3, 3.51, 4.0, 4.1, SP3-SP8, Enterprise Server for NetWare 4/5 3.0.7a, 4/5 4.1.1, 4/5 5.0, Enterprise Server for Solaris 3.5, 3.6, Netscape Personalization Engine; Sun ONE Application Server 6.0, SP1-SP4, 6.5, SP1 MU1&MU2, 6.5 SP1, 6.5 MU1-MU3, 7.0 UR2 Upgrade Standard, 7.0 UR2 Upgrade Platform, Standard Edition, Platform Edition, 7.0 UR1 Standard Edition, Platform Edition, 7.0 Standard Edition, Platform Edition, Certificate Server 4.1, Directory Server 4.16, SP1, 5.0, SP1&SP2, 5.1 x86 SP3 x86, 5.1, SP1-SP3, 5.2, Web Server 4.1, SP1-SP14, 6.0, SP1-SP7, 6.1
Vulnerability/Impact: A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.
Source: SecurityTracker Alert ID, 1011279, September 15, 2004

Vendor: PHPGroupWare
Software: PHPGroupWare 0.9.12-0.9.16
Vulnerability/Impact: A Cross-Site Scripting vulnerability exists in 'transforms.php' due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.
Source: SecurityTracker Alert ID, 1011339, September 17, 2004

Vendor: SMC
Software: SMC7004VWBR 1.21a, 1.22, 1.23, SMC7008ABR 1.32
Vulnerability/Impact: A vulnerability exists due to the way users are validated in the web administration software, which could let a remote malicious user obtain administrative access.
Patches/Workarounds: No workaround or patch available at time of publishing.

Vulnerability/Impact: Several vulnerabilities exist: a vulnerability exists due to a failure to properly validate access to administrative commands, which could let a remote malicious user execute arbitrary commands; and a Cross-Site Scripting vulnerability exists in the 'YaBB.pl' script, which could let a remote malicious user execute arbitrary HTML and script code.
Patches/Workarounds: No workaround or patch available at time of publishing.

Vulnerability/Impact: An information disclosure vulnerability exists in ARP requests, which could let a remote malicious user obtain sensitive information.
Patches/Workarounds: No workaround or patch available at time of publishing.
Exploits: There is no exploit code required.
Common Name: ZyXEL P681 ARP Request Information Disclosure
Risk: Medium
Source: Bugtraq, September 13, 2004
Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Each entry is laid out as: Date of Exploit (Reverse Chronological Order) | Script or Exploit Name | Workaround or Patch Available, followed by the Description on the next line.
September 21, 2004 | advisory-05-glFTPd.txt | No
  Proof of concept exploit for the local stack overflow vulnerability in the dupescan binary from glFTPd versions 2.00RC3 and below.

September 21, 2004 | ettercap-NG-0.7.1.tar.gz | N/A
  Ettercap NG is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts.

September 21, 2004 | mambo45.jose.txt | Yes
  Mambo versions 4.5 and below are susceptible to cross site scripting and remote command execution flaws.

September 21, 2004 | mambo451.txt | Yes
  Proof of concept exploit for the Mambo versions 4.5.1 and below SQL injection vulnerability.

September 21, 2004 | pigeonx.zip | Yes
  Remote denial of service exploit for Pigeon versions 3.02.0143 and below.

September 21, 2004 | rsynxOSX.txt | Yes
  Proof of concept exploit for the RsyncX version 2.1 (the frontend for rsync on OS X) arbitrary program execution vulnerability.

September 21, 2004 | sudoedit.txt | Yes
  Proof of concept exploit for sudo version 1.6.8p1 that makes use of a flaw in sudoedit.

September 18, 2004 | sudo-exploit.c | Yes
  Proof of Concept exploit for the Sudo Information Disclosure vulnerability.

September 17, 2004 | CRASH-TEST.zip, crash-netscape.jpg, jpegcompoc.zip | Yes
  Proof of concept exploit for the Microsoft GDI+ (Graphics Device Interface) JPEG handler integer underflow vulnerability.

September 17, 2004 | jpegcompoc.zip | Yes
  Proof of concept exploit for the JPEG buffer overrun vulnerability in Windows XP.

September 17, 2004 | lovethisgame.html | No
  Proof of concept exploit for a file inclusion vulnerability in PerlDesk 1.x due to insufficient input validation.

September 17, 2004 | None | No
  Example exploit for the DNS4Me denial of service and cross-site scripting vulnerabilities.

September 17, 2004 | None | No
  Example exploit for the cross-site scripting vulnerability in the YaBB forum 'YaBB.pl' script.

September 17, 2004 | None | No
  Proof of concept exploit for the Google Toolbar HTML injection vulnerability. It is reported that the Google Toolbar 'ABOUT.HTML' page allows the injection of HTML and JavaScript code.

September 17, 2004 | None | No
  Example exploit for the YaBB administrator command execution vulnerability.

September 17, 2004 | None | Yes
  Proof of concept exploit for the Mozilla and Firefox cross-domain scripting vulnerability.

September 17, 2004 | None | Yes
  Proof of concept exploit for the SnipSnap HTTP response splitting vulnerability.

September 16, 2004 | None | Yes
  Proof of concept exploit for the Snitz Forums HTTP response splitting vulnerability.

September 16, 2004 | Tx.exe | Yes
  A small universal Windows backdoor for all versions of Windows NT/2K/XP/2003 with any service pack.
September 15, 2004 | bbsEMarket.txt | Yes
  Proof of concept exploit for BBS E-Market Professional path disclosure, file download, file disclosure, user authentication bypass, and PHP source injection vulnerabilities. BBS E-Market patch level bf_130, version 1.3.0, and below is affected.

September 15, 2004 | cdr-exp.sh, cdrecord-suidshell.sh, readcd-exp.sh | Yes
  CDRTools is reportedly vulnerable to an RSH environment variable privilege escalation vulnerability. This issue is due to a failure of the application to properly implement security controls when executing an application specified by the RSH environment variable.

September 15, 2004 | challenges.tgz | N/A
  This package contains example vulnerable C programs. There are examples of buffer overflows (stack and heap) and format string vulnerabilities. All examples are exploitable with a standard linux/x86 environment.

September 15, 2004 | fwknop-0.4.1.tar.gz | N/A
  fwknop is a flexible port knocking implementation that is based around iptables. Both shared knock sequences and encrypted knock sequences are supported.

September 15, 2004 | myServer07.txt | Yes
  myServer version 0.7 is susceptible to a simple directory traversal attack.

September 15, 2004 | netw-ib-ox-ag-5.24.0.tgz | N/A
  Netwox is a utility that supports various protocols (DNS, FTP, HTTP, NNTP, SMTP, SNMP) and performs low level functions like sniffing, spoofing traffic, and playing client/server roles. Both Windows and Unix versions are included.

September 15, 2004 | None | Yes
  Proof of concept exploit for the vulnerability in the Mozilla 'enablePrivilege' method.

September 15, 2004 | None | Yes
  Proof of concept exploit for the vulnerability in Mozilla and Firefox browsers that could permit a remote site to gain access to the contents of the client user's clipboard.

September 15, 2004 | pizzaicmp.c | N/A
  ICMP-triggered Linux kernel module that executes a local binary upon successful use.

September 15, 2004 | Rx.exe | Yes
  A small universal Windows reverse shell for all versions of Windows NT/2K/XP/2003 with any service pack.

September 14, 2004 | getinternet.txt | No
  Proof of concept exploit for the getInternet SQL injection and remote command execution vulnerabilities.

September 14, 2004 | getintranet.txt | No
  Proof of concept exploit for the getIntranet 2.x cross site scripting, SQL injection, script insertion, and multiple other vulnerabilities.

September 14, 2004 | LSS-2004-09-01.html | Yes
  Proof of concept exploit for the format string vulnerability in the SuS logging function.

September 14, 2004 | regulus.htm | No
  Proof of concept exploit for various vulnerabilities in Regulus 2.x that allow an attacker to gain access to sensitive information and to bypass certain security restrictions.

September 13, 2004 | None | Yes
  Proof of concept exploit for the Webmin / Usermin command execution vulnerability when rendering HTML email messages. This issue is reported to affect Usermin versions 1.080 and prior.

September 13, 2004 | None | Yes
  Proof of concept exploit for the Pingtel Xpressa handset remote denial of service vulnerability.

September 13, 2004 | None | No
  Proof of concept exploit for the QNX Photon MicroGUI buffer ove