Summary of Security Items from September 15 through September 21, 2004
This bulletin
provides a summary of new or updated vulnerabilities, exploits, trends, viruses,
and trojans identified between September 13 and September 20, 2004. Updates to items appearing in previous bulletins are listed in
bold text. The text in the Risk column appears in red for vulnerabilities
ranking High. The risks levels applied to
vulnerabilities in the Cyber Security Bulletin are based on how the "system" may
be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch
Available" column that indicates whether a workaround or patch has been
published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities
that have been identified, even if they are not being exploited. Complete
details about patches or workarounds are available from the source of the
information or from the URL provided in the section. CVE numbers are listed
where applicable. Vulnerabilities that affect both Windows and
Unix Operating Systems are included in the Multiple Operating
Systems section.
Note: All the information included in the following tables
has been discussed in newsgroups and on web sites.
The Risk levels
defined below are based on how the system may be impacted:
High - A
high-risk vulnerability is defined as one that will allow an intruder to
immediately gain privileged access (e.g., sysadmin or root) to the system or
allow an intruder to execute code or alter arbitrary system files. An example
of a high-risk vulnerability is one that allows an unauthorized user to send a
sequence of instructions to a machine and the machine responds with a command
prompt with administrator privileges.
Medium - A
medium-risk vulnerability is defined as one that will allow an intruder
immediate access to a system with less than privileged access. Such a
vulnerability will allow the intruder the opportunity to continue the attempt
to gain privileged access. An example of a medium-risk vulnerability is a server
configuration error that allows an intruder to capture the password
file.
Low - A
low-risk vulnerability is defined as one that will provide information to an
intruder that could lead to further compromise attempts or a Denial of Service
(DoS) attack. It should be noted that while the DoS attack is deemed low from
a threat potential, the frequency of this type of attack is very high. DoS
attacks against mission-critical nodes are not included in this rating and any
attack of this nature should instead be considered to be a "High"
threat.
An input validation vulnerability exists in the 'About' section of the
Google Toolbar due to insufficient filtering of HTML code, which could let
a remote malicious user execute arbitrary HTML and JavaScript code.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit script has been published.
Google Toolbar Input Validation
High
Bugtraq, September 17, 2004
IBM
Microsoft Windows XP SP1 OEM Version,
Microsoft Windows XP OEM
Version
A vulnerability exists due to a default hidden administrative account
that fails to set a password, which could let a malicious user obtain
administrative access.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof of Concept exploit
has been published.
IBM OEM Microsoft Windows Default Administrative
Account
High
SECNAP Advisory, September 15, 2004
McAfee
VirusScan 4.5, 4.5.1
A vulnerability exists in 'System Scan' via the system tray applet due
to the failure to drop privileges, which could let a malicious user
execute arbitrary code.
This issue has reportedly been addressed by the vendor in Patch 48,
which may be obtained by customers with a valid contract grant number
through McAfee Corporate Technical Support.
There is no exploit code required.
McAfee VirusScan Arbitrary Code Execution
High
iDEFENSE Security Advisory, September 15, 2004
Microsoft
Windows CE 2.0, 3.0, 4.2
A vulnerability exists in the kernel memory structure KDataStruct,
which could let a malicious user obtain sensitive information.
No workaround or patch available at time of
publishing.
This vulnerability is exploited by the virus WinCE.Duts.A.
Microsoft Windows CE KDatastruct Information
Disclosure
Medium
Airscanner Mobile Security Advisory, September 18, 2004
Microsoft
Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows
XP Professional SP1 Microsoft Windows XP Professional
A Denial of Service vulnerability exists in 'Explorer.exe' due to the
way certain TIFF format images are handled.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit has been published.
Microsoft Windows XP Explorer.EXE TIFF Image Denial of
Service
Low
SecurityFocus, September 16, 2004
Microsoft
Internet Explorer 6.0 SP2
A vulnerability exists due to a design error, which could let a
malicious user bypass the user confirmation requirement.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof of Concept exploit
has been published.
Microsoft Internet Explorer User Security Confirmation
Bypass
Medium
Bugtraq, September 15, 2004
Microsoft
Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image
Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office
2003 Professional Edition, 2003 Small Business Edition, 2003 Standard
Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003,
Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office
PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003,
Visual Studio .NET 2002, 2003, Word 2002; Avaya DefinityOne
Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media
Servers
A buffer overflow vulnerability exists in the processing of JPEG image
formats, which could let a remote malicious user execute arbitrary code.
Microsoft Security Bulletin, MS04-028, September 14, 2004
US-CERT Vulnerability Note VU#297462, September 14, 2004
Technical Cyber Security Alert TA04-260A, September 16, 2004
SecurityFocus, September 17, 2004
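The JPEG flaw in MS04-028 is the integer underflow the exploit table further down names: a JPEG marker segment carries a big-endian 16-bit length that counts its own two bytes, so a length of 0 or 1 makes "length - 2" wrap to a huge payload size that is then copied. The following C program is an added example, not GDI+ or Microsoft code, showing a marker walker that validates every segment length before using it, next to the unchecked subtraction for contrast. The function names and the embedded byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the marker segments of a JPEG stream from SOI up to SOS or EOI.
 * Returns the number of well-formed length-carrying segments, or -1 if the
 * stream is malformed.  Every segment length is validated before use. */
int jpeg_count_segments(const uint8_t *p, size_t n)
{
    size_t pos;
    int count = 0;

    if (n < 2 || p[0] != 0xFF || p[1] != 0xD8)
        return -1;                          /* no SOI marker */
    pos = 2;

    for (;;) {
        if (n - pos < 2 || p[pos] != 0xFF)
            return -1;                      /* truncated or misplaced marker */
        uint8_t marker = p[pos + 1];
        pos += 2;

        if (marker == 0xD9 || marker == 0xDA)
            return count;                   /* EOI, or SOS (scan data follows) */
        if ((marker >= 0xD0 && marker <= 0xD7) || marker == 0x01)
            continue;                       /* RSTn / TEM carry no length field */
        if (n - pos < 2)
            return -1;

        /* Big-endian 16-bit length that INCLUDES its own two bytes. */
        uint16_t seglen = (uint16_t)((p[pos] << 8) | p[pos + 1]);
        if (seglen < 2)
            return -1;                      /* 0 or 1 would make seglen - 2 wrap */
        if (seglen > n - pos)
            return -1;                      /* segment runs past the buffer */
        pos += seglen;
        count++;
    }
}

/* The unchecked computation the entry describes, kept for contrast.  With
 * seglen == 1 the subtraction wraps to 0xFFFF (16-bit case); a decoder that
 * then copies that many bytes into a fixed buffer overruns it. */
uint16_t unchecked_payload_len(uint16_t seglen)
{
    return (uint16_t)(seglen - 2);
}

int main(void)
{
    /* Constructed sample: SOI, one COM segment containing "hi", EOI. */
    const uint8_t good[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x04, 'h', 'i', 0xFF, 0xD9 };
    /* Constructed sample: COM segment claiming length 1. */
    const uint8_t bad[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
    printf("good: %d segment(s)\n", jpeg_count_segments(good, sizeof good));
    printf("bad:  %d (rejected)\n", jpeg_count_segments(bad, sizeof bad));
    printf("unchecked seglen - 2 with seglen = 1: %u\n", unchecked_payload_len(1));
    return 0;
}
```

The same two checks (minimum length, and length against the bytes actually remaining) apply to any length-prefixed record a parser reads from an untrusted file.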
RhinoSoft.com
DNS4Me 3.0.0.4
Two vulnerabilities exist: a Denial of Service vulnerability exists
due to an error when processing incoming traffic; and a Cross-Site
Scripting vulnerability exists due to insufficient sanitization of
user-supplied URI input, which could let a remote malicious user execute
arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof of Concept exploit
has been published for the Cross-Site Scripting vulnerability.
DNS4Me Denial Of Service & Cross-Site Scripting
Vulnerabilities
Low/High
(High if arbitrary code can be executed)
GulfTech Security Research Advisory, September 16, 2004
A vulnerability exists in the 'down.asp' script due to insufficient
sanitization of the 'location' parameter, which could let a remote
malicious user execute arbitrary code.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit has been published.
Snitz Forums 'Down.ASP' Input Validation
High
Securiteam, September 19, 2004
Tech-Noel Inc.
Pigeon Server 3.2.143
A remote Denial of Service vulnerability exists when a malicious user
submits a login parameter value longer than 8180 characters to port 3103.
SecurityTracker Alert ID, 1011213, September 10, 2004
Mandrakelinux Security Update Advisory, MDKSA-2004:096,
September 15, 2004
RedHat Security Advisory, RHSA-2004:463-09, September 15, 2004
Gentoo Linux Security Advisory GLSA 200409-21, September 16,
2004
Trustix Secure Linux Security Advisory , TSLSA-2004-0047,
September 16, 2004
Apple
iChat 1.0.1, AV 2.0, 2.1
A vulnerability exists when a remote malicious iChat user submits a
specially crafted 'link' that, when activated by the target user, will
cause an application on the target user's system to run.
APPLE-SA-2004-09-07 Security Update, September 7, 2004
US-CERT Vulnerability Note VU#914870, September 15, 2004
Caolan McNamara and Dom Lachowicz
wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0
A buffer overflow vulnerability exists due to the insecure function
call strcat() without appropriate bounds checking, which could let a
remote malicious user execute arbitrary code.
Conectiva Linux Security Announcement, CLA-2004:863, September 10,
2004
Debian Security Advisory, DSA 550-1, September 20, 2004
GNU
a2ps 4.13
A vulnerability exists in filenames due to insufficient validation of
shell escape characters, which could let a malicious user execute
arbitrary commands.
There is no exploit code required; however, a Proof of Concept exploit
has been published.
GNU a2ps Command Injection
High
Securiteam, August 29, 2004
SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004
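The a2ps entry above is the classic case of a filename reaching a shell unescaped. The C program below is an added example, not a2ps code, of the two standard fixes: single-quote escaping when a shell command line is unavoidable, and running the helper through execvp with an argv array so no shell ever parses the name. The function names, the hostile sample filename and the use of echo as the helper program are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wrap s in single quotes for POSIX sh, rewriting each embedded ' as '\''.
 * Inside single quotes no other byte is special to the shell, so ; | & $ `
 * and newlines in a filename stop being commands.  Returns a malloc'd
 * string, or NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            quotes++;
    /* each ' grows by 3 bytes ('\'' is 4); plus 2 outer quotes and NUL */
    char *out = malloc(n + quotes * 3 + 3);
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* The better fix: do not involve a shell at all.  argv[0] is looked up on
 * PATH and the filename travels as its own argument.  Returns the child's
 * exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile filename of the kind the entry warns about. */
    const char *name = "report; rm -rf $HOME; it's";

    /* Vulnerable pattern: snprintf(cmd, ..., "lpr %s", name); system(cmd);
     * The shell would run three commands.  Quoted, it is one argument: */
    char *q = shell_single_quote(name);
    printf("quoted for sh: lpr %s\n", q);
    free(q);

    /* No shell: the name is argv[1], whatever bytes it contains. */
    char *const argv[] = { "echo", (char *)name, NULL };
    printf("run_argv exit status: %d\n", run_argv(argv));
    return 0;
}
```

Quoting is the fallback for cases such as a user-configurable print command that genuinely must be a shell string; where the program controls the command, the argv form removes the entire class of bug rather than one encoding of it.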
GNU
Radius 0.92.1, 0.93-0.96, 1.1, 1.2
A remote Denial of Service vulnerability exists in the
'asn_decode_string()' function in 'snmplib/asn1.c' when a malicious user
submits a large unsigned integer in the SNMP parameter.
A buffer overflow vulnerability exists in the 'word-list-compress'
utility due to insufficient bounds checking, which could let a malicious
user execute arbitrary code.
US-CERT Vulnerability Note VU#700326, September 17, 2004
J.Schilling
Star Tape Archiver 1.5a09-1.5a45
A vulnerability exists in the setuid function due to a failure to
properly implement the function when ssh is used for remote tape access,
which could let a malicious user obtain superuser access.
A vulnerability exists due to the insecure creation of temporary files
during installation, which could let a malicious user obtain sensitive
information.
Debian Security Advisory, DSA 544-1, September 14, 2004
LOGICNOW
PerlDesk
A vulnerability exists in the 'pdesk.cgi' software due to insufficient
validation of the 'lang' parameter, which could let a malicious user
obtain sensitive information.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof of Concept exploit
has been published.
PerlDesk 'lang' Parameter Input Validation
Medium
SecurityTracker Alert ID, 1011276, September 15, 2004
MacOSXLabs
RsyncX 2.1
Two vulnerabilities exist: a vulnerability exists due to a failure to
drop 'wheel' group privileges, which could let a malicious user execute
arbitrary programs; and a vulnerability exists in '/tmp/cron_rsyncxtmp'
because the temporary file is created insecurely, which could let a
malicious user obtain elevated privileges.
No workaround or patch available at time of
publishing.
Proofs of Concept exploits have been published.
RsyncX Local Vulnerabilities
Medium/High
(High if arbitrary code can be executed)
SecurityTracker Alert ID, 1011352, September 17, 2004
MIT, Debian, Fedora, Gentoo, Immunix, Mandrake, OpenBSD, RedHat, SGI, Sun,
Tinysofa, Trustix
Multiple buffer overflow vulnerabilities exist due to boundary errors
in the 'krb5_aname_to_localname()' library function during conversion
of Kerberos principal names into local account names, which could let a
remote malicious user execute arbitrary code with root privileges.
Gentoo Linux Security Advisory, GLSA 200409-20, September 16,
2004
Multiple Vendors
Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;
RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3; Trustix
Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1
A remote Denial of Service vulnerability exists in the Apache mod_dav
module when an authorized malicious user submits a specific sequence of
LOCK requests.
SecurityTracker Alert ID, 1011248, September 14, 2004
Multiple Vendors
Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;
MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64; RedHat Desktop
3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core1&2; Trustix
Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1; Turbolinux Turbolinux
Desktop 10.0
A buffer overflow vulnerability exists in the apr-util library's IPv6
URI parsing functionality due to insufficient validation, which could
let a remote malicious user execute arbitrary code. Note: On Linux
based Unix variants this issue can only be exploited to trigger a Denial
of Service condition.
Apache Software Foundation Apache 2.0, 2.0.28, 2.0.32,
2.0.35-2.0.50; Gentoo Linux 1.4; MandrakeSoft Linux Mandrake 9.2,
amd64,10.0, AMD64; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS
3; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0,
2.1; Turbolinux Turbolinux Desktop 10.0
A buffer overflow vulnerability exists in the 'ap_resolve_env()'
function in 'server/util.c' due to insufficient validation, which could
let a remote malicious user execute arbitrary code.
US-CERT Vulnerability Note VU#481998, September 17, 2004
Multiple Vendors
Cisco VPN 3000 Concentrator 4.0.x, 4.0, 4.0.1, 4.1.x; Debian Linux
3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm,
alpha; Gentoo Linux 1.4 _rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1,
x86_64, Linux Mandrake 9.1, ppc, 9.2, amd64, 10.0, AMD64,
MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.0, 1.0.6,
1.0.8, 1.1, 1.1.1, 1.2-1.2.8, 1.3 -1.3.4; RedHat Desktop 3.0, Enterprise
Linux WS 3, ES 3, AS 3, Fedora Core2, Core1; Sun SEAM 1.0.2
Multiple double-free vulnerabilities exist due to inconsistent memory
handling routines in the krb5 library: various double-free errors exist in
the KDC (Key Distribution Center) cleanup code and in client libraries,
which could let a remote malicious user execute arbitrary code; various
double-free errors exist in the 'krb5_rd_cred()' function, which could let
a remote malicious user execute arbitrary code; a double-free
vulnerability exists in krb524d, which could let a remote malicious user
execute arbitrary code; and a vulnerability exists in ASN.1 decoder when
handling indefinite length BER encodings, which could let a remote
malicious user cause a Denial of Service.
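Both the GNU Radius item above (a large unsigned integer reaching 'asn_decode_string()') and the Kerberos ASN.1 item in this entry (indefinite-length BER encodings) come down to trusting a BER length before checking it. The C code below is an added example, not code from either project: it decodes one BER tag-length header and refuses the indefinite form, length fields that do not fit in a size_t, and content lengths that exceed the bytes actually remaining. The struct and function names and the sample encodings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded BER tag-length header (single-octet identifiers only). */
typedef struct {
    uint8_t tag;      /* identifier octet */
    size_t  hdr_len;  /* octets consumed by identifier + length */
    size_t  len;      /* content length in octets */
} ber_hdr;

/* Decode a definite-length BER header from buf[0..buflen).
 * Returns 0 on success, -1 on any encoding a decoder should not trust:
 *   - truncated identifier or length field
 *   - indefinite length (0x80): no bound the decoder can check against
 *   - long form with more length octets than fit in size_t
 *   - content length larger than the octets that remain in the buffer */
int ber_decode_header(const uint8_t *buf, size_t buflen, ber_hdr *out)
{
    size_t pos = 0, len = 0;

    if (buflen < 2)
        return -1;
    out->tag = buf[pos++];

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                        /* short form: 0..127 */
    } else {
        size_t nbytes = first & 0x7F;
        if (nbytes == 0)
            return -1;                      /* 0x80 = indefinite, rejected */
        if (nbytes > sizeof(size_t))
            return -1;                      /* cannot represent the length */
        if (buflen - pos < nbytes)
            return -1;                      /* length octets are truncated */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos)
        return -1;                          /* claimed content overruns the packet */

    out->hdr_len = pos;
    out->len = len;
    return 0;
}

int main(void)
{
    /* Constructed samples: an OCTET STRING "abc"; the same tag with the
     * indefinite-length octet; a long-form length claiming 65535 bytes. */
    const uint8_t ok[]    = { 0x04, 0x03, 'a', 'b', 'c' };
    const uint8_t indef[] = { 0x04, 0x80, 'a' };
    const uint8_t huge[]  = { 0x04, 0x82, 0xFF, 0xFF, 'a' };
    ber_hdr h;
    int rc = ber_decode_header(ok, sizeof ok, &h);
    printf("ok:    rc=%d len=%zu hdr=%zu\n", rc, h.len, h.hdr_len);
    printf("indef: rc=%d\n", ber_decode_header(indef, sizeof indef, &h));
    printf("huge:  rc=%d\n", ber_decode_header(huge, sizeof huge, &h));
    return 0;
}
```

A decoder that accepts the indefinite form has to scan forward for the end-of-contents octets with no upper bound, which is exactly the resource exhaustion the Kerberos entry describes; rejecting it at the header is the simplest fix for protocols such as Kerberos and SNMP that only ever use DER-style definite lengths.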
Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2
libraries when handling malformed bitmap images, which could let a remote
malicious user cause a Denial of Service or execute arbitrary code.
Fedora Update Notifications, FEDORA-2004-290 & 291, September
8, 2004
Conectiva Linux Security Announcement, CLA-2004:864, September 13,
2004
SUSE Security Announcement, SUSE-SA:2004:026, September 16, 2004
Multiple Vendors
GNU Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64,
ia-32, hppa, arm, alpha; GNOME gdk-pixbuf 0.22 & prior; GTK GTK+
2.0.2, 2.0.6, 2.2.1, 2.2.3, 2.2.4; MandrakeSoft Linux Mandrake 9.2,
amd64, 10.0, AMD64; RedHat Advanced Workstation for the Itanium
Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS
2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1, RedHat
Fedora Core1&2; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Desktop
1.0, Enterprise Server 9, 8
Multiple vulnerabilities exist: a vulnerability exists when decoding
BMP images, which could let a remote malicious user cause a Denial of
Service; a vulnerability exists when decoding XPM images, which could let
a remote malicious user cause a Denial of Service or execute arbitrary
code; and a vulnerability exists when attempting to decode ICO images,
which could let a remote malicious user cause a Denial of Service.
SecurityTracker Alert ID, 1011285, September 17, 2004
Multiple Vendors
LinuxPrinting.org Foomatic-Filters 3.03.0.2, 3.1; Trustix Secure
Enterprise Linux 2.0, Secure Linux 2.0, 2.1
A vulnerability exists in the foomatic-rip print filter due to
insufficient validation of command-lines and environment variables, which
could let a remote malicious user execute arbitrary commands.
Several vulnerabilities exist in the out-of-band signal handling code
due to race condition errors, which could let a remote malicious user
obtain superuser privileges.
Multiple vulnerabilities exist: a stack overflow exists in
'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3
file is submitted, which could let a remote malicious user execute
arbitrary code; a stack overflow vulnerability exists in the
'ParseAndPutPixels()' function in 'create.c' when reading pixel values,
which could let a remote malicious user execute arbitrary code; and an
integer overflow vulnerability exists in the colorTable allocation in
'xpmParseColors()' in 'parse.c,' which could let a remote malicious user
execute arbitrary code.
Trustix Secure Linux Security Advisory, TSL-2004-0043, August 26, 2004
Gentoo Linux Security Advisory, [ERRATA UPDATE] GLSA
200409-14:02, September 9, 2004
Turbolinux Security Advisory, TLSA-2004-25, September 15, 2004
SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004
Samba.org
Samba version 3.0 - 3.0.6
Several vulnerabilities exist: a remote Denial of Service
vulnerability exists in the 'process_logon_packet()' function due to
insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote
Denial of Service vulnerability exists when a malicious user submits a
malformed packet to a target 'smbd' server.
Gentoo Linux Security Advisory, GLSA 200409-16, September 13,
2004
Mandrakelinux Security Update Advisory, MDKSA-2004:092,
September 13, 2004
Trustix Secure Linux Bugfix Advisory, TSL-2004-0046, September
14, 2004
OpenPKG Security Advisory, OpenPKG-SA-2004.040, September 15,
2004
SUSE Security Announcement, SUSE-SA:2004:034, September 17,
2004
SnipSnap
SnipSnap 0.5.2 a
A vulnerability exists in the 'referer' parameter due to the way POST
requests are handled, which could let a remote malicious user execute
arbitrary code.
Gentoo Linux Security Advisory, GLSA 200409-23, September 17, 2004
SpamAssassin.org
SpamAssassin prior to 2.64
A Denial of Service vulnerability exists in SpamAssassin: a remote user
can send an e-mail message with specially crafted headers to cause a
Denial of Service against the SpamAssassin service.
We are not aware of any exploits for this
vulnerability.
SpamAssassin Remote Denial of Service
Low
SecurityTracker: 1010903, August 10, 2004
Mandrake Security Advisory, MDKSA-2004:084, August 19,
2004
OpenPKG Security Advisory, OpenPKG-SA-2004.041,
September 15, 2004
Squid-cache.org
Squid Web Proxy Cache 2.0 PATCH2, 2.1 PATCH2, 2.3 STABLE5, 2.4 STABLE7,
2.5 STABLE1-STABLE6, 3.0 PRE1-PRE3
A remote Denial of Service vulnerability exists in 'lib/ntlmauth.c' due
to insufficient validation of negative values in the
'ntlm_fetch_string()' function.
Mandrakelinux Security Update Advisory, MDKSA-2004:093,
September 15, 2004
Trustix Secure Linux Security Advisory, TSLSA-2004-0047,
September 16, 2004
Todd Miller
Sudo 1.6.8
A vulnerability exists due to insufficient validation of
symbolic links when sudoedit ("sudo -e" option) copies temporary files,
which could let a malicious user access the contents of arbitrary files
with superuser privileges.
There is no exploit code required; however, a Proof of Concept exploit
script has been published.
Sudo Information Disclosure
High
Secunia Advisory, SA12596, September 20, 2004
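The sudoedit item above is a symlink problem in a privileged copy step: if the privileged side opens a path that an unprivileged user controls, the user can point it at any file. The C code below is an added example, not sudo's code, of how such a copier should open its source: O_NOFOLLOW so a symlink in the final component fails with ELOOP, followed by fstat on the descriptor actually obtained rather than stat on the path. The function names are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only without following a symlink in its final component,
 * then confirm the object actually opened is a regular file.  Returns a
 * file descriptor, or -1 with errno set (ELOOP when path is a symlink).
 * A privileged copier that called open() on the path directly would read
 * whatever the link's creator pointed it at. */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Check the descriptor, not the path: the path could be swapped
     * between a stat() and a later open(). */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* 1 if path opens as a regular file under the rules above, else 0. */
int opens_as_regular(const char *path)
{
    int fd = open_regular_nofollow(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <path>\n", argv[0]);
        return 2;
    }
    printf("%s: %s\n", argv[1],
           opens_as_regular(argv[1]) ? "regular file, safe to copy" : "refused");
    return 0;
}
```

O_NOFOLLOW only protects the last path component; if intermediate directories are also user-controlled, the copier must additionally walk them with openat() or refuse paths whose parent directory is writable by anyone but the caller.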
VBulletin
VBulletin 3.0, Gamma, beta 2-beta7, 3.0.1-3.0.3
A vulnerability exists in the 'x_invoice_num' parameter due to
insufficient validation, which could let a remote malicious user execute
arbitrary code.
No workaround or patch available at time of
publishing.
Multiple vulnerabilities exist: a buffer overflow in the DVD subpicture
component, which could let a remote malicious user execute arbitrary code;
a buffer overflow vulnerability exists in the VideoCD functionality when
reading ISO disk labels, which could let a remote malicious user execute
arbitrary code; and a buffer overflow vulnerability exists when handling
text subtitles, which could let a remote malicious user execute arbitrary
code.
Two vulnerabilities exist: a vulnerability exists because some security
checks are performed on the client-side and not on the server-side, which
could let an authenticated remote malicious user delete arbitrary
documents; and a Cross-Site Scripting vulnerability exists due to
insufficient sanitization of user-supplied input when uploading documents,
which could let a remote malicious user execute arbitrary HTML and script
code.
The vendor has released patches dealing with this issue. Users are
recommended to contact the vendor for patch and update availability.
There is no exploit code required.
WebIntelligence Access Control Bypass & Cross-Site Scripting
We are not aware of any exploits for this vulnerability.
HP Web Jetadmin Unspecified Arbitrary Command
Execution
High
HP Security Advisory, SSRT4739, September 15, 2004
Inkra Networks Corporation
1504GX VSM 2.1.4.b003
A remote Denial of Service vulnerability exists due to insufficient
validation of IP options.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof of Concept exploit
has been published.
Inkra 1504GX Remote Denial of Service
Low
Secunia Advisory, SA12538, September 17, 2004
Matt Smith
ReMOSitory
An input validation vulnerability exists in the ReMOSitory add-on for
Mambo Open Server due to insufficient validation, which could let a remote
malicious user execute arbitrary code.
Multiple vulnerabilities exist: buffer overflow vulnerabilities exist
in 'nsMsgCompUtils.cpp' when a specially crafted e-mail is forwarded,
which could let a remote malicious user execute arbitrary code; a
vulnerability exists due to insufficient restrictions on script generated
events, which could let a remote malicious user obtain sensitive
information; a buffer overflow vulnerability exists in the
'nsVCardObj.cpp' file due to insufficient boundary checks, which could let
a remote malicious user execute arbitrary code; a buffer overflow
vulnerability exists in 'nsPop3Protocol.cpp' due to boundary errors, which
could let a remote malicious user execute arbitrary code; a heap overflow
vulnerability exists when handling non-ASCII characters in URLs, which
could let a remote malicious user execute arbitrary code; multiple integer
overflow vulnerabilities exist in the image parsing routines due to
insufficient boundary checks, which could let a remote malicious user
execute arbitrary code; a cross-domain scripting vulnerability exists
because URI links dragged from one browser window and dropped into another
browser window will bypass same-origin policy security checks, which could
let a remote malicious user execute arbitrary code; and a vulnerability
exists because unsafe scripting operations are permitted, which could let
a remote malicious user manipulate information displayed in the security
dialog.
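The integer overflow in the XPM 'xpmParseColors()' colorTable allocation listed earlier and the "multiple integer overflow vulnerabilities in the image parsing routines" in this Mozilla entry are the same bug shape: an element count read from the file is multiplied by an element size, the product wraps, and the parser then writes the full count into a buffer that is far too small. The C code below is an added example, not libXpm or Mozilla code, showing a checked multiplication and allocation next to the unchecked product. The entry layout, the sanity cap and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for one colour-table entry (layout is an assumption for this
 * example, not libXpm's). */
typedef struct {
    char *string;    /* colour key as written in the file */
    char *c_color;   /* resolved colour name */
} color_entry;

/* Store a*b in *out and return 1, or return 0 if the product would wrap. */
int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Allocate a zeroed table for ncolors entries taken from an untrusted
 * header.  Returns NULL instead of an undersized buffer when the byte count
 * would wrap, and caps ncolors at a value no real image needs (the cap is
 * an assumption for the example). */
color_entry *alloc_color_table(size_t ncolors)
{
    size_t bytes;
    if (ncolors == 0 || ncolors > ((size_t)1 << 24))
        return NULL;
    if (!mul_size_checked(ncolors, sizeof(color_entry), &bytes))
        return NULL;
    color_entry *t = malloc(bytes);
    if (t)
        memset(t, 0, bytes);
    return t;
}

/* The unchecked product the entries describe, kept for contrast.  On a
 * 32-bit build an attacker-chosen ncolors of 0x20000001 with 8-byte entries
 * yields 8 bytes; the parser then writes 0x20000001 entries into it. */
uint32_t unchecked_table_bytes(uint32_t ncolors, uint32_t entry_size)
{
    return ncolors * entry_size;             /* wraps modulo 2^32 */
}

int main(void)
{
    printf("unchecked 0x20000001 * 8 = %u bytes\n",
           unchecked_table_bytes(0x20000001u, 8));
    color_entry *t = alloc_color_table(0x20000001u);
    printf("checked   0x20000001 entries -> %s\n", t ? "allocated" : "refused");
    free(t);
    return 0;
}
```

The cap matters as much as the overflow check: even a correctly computed multi-gigabyte allocation for a header field is a denial of service, which is why the gdk-pixbuf and Imlib entries in this bulletin list DoS alongside code execution.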
HP HP-UX B.11.23, 11.11, 11.00; Mozilla Network Security Services
(NSS) 3.2, 3.2.1, 3.3-3.3.2, 3.4-3.4.2, 3.5, 3.6, 3.6.1, 3.7-3.7.3, 3.7.5,
3.7.7, 3.8, 3.9; Netscape Certificate Server 1.0 P1, 4.2, Directory Server
1.3, P1&P5, 3.12, 4.1, 4.11-.4.13, Enterprise Server 2.0 a, 2.0, 2.0.1
C, 3.0 L, 3.0, 3.0.1 B, 3.0.1, 3.1, 3.2, 3.5, 3.6, SP1-SP3, 3.51, 4.0,
4.1, SP3-SP8, Enterprise Server for NetWare 4/5 3.0.7 a, 4/5 4.1.1, 4/5
5.0, Enterprise Server for Solaris 3.5, 3.6, Netscape Personalization
Engine; Sun ONE Application Server 6.0, SP1-SP4, 6.5, SP1 MU1&MU2, 6.5
SP1, 6.5 MU1-MU3, 7.0 UR2 Upgrade Standard, 7.0 UR2 Upgrade Platform,
Standard Edition, Platform Edition, 7.0 UR1 Standard Edition, Platform
Edition, 7.0 Standard Edition, Platform Edition, Certificate Server 4.1,
Directory Server 4.16, SP1, 5.0, SP1&SP2, 5.1 x86 SP3 x86, 5.1,
SP1-SP3, 5.2, Web Server 4.1, SP1-SP14, 6.0, SP1-SP7, 6.1
A buffer overflow vulnerability exists in the Netscape Network
Security Services (NSS) library suite due to insufficient boundary checks,
which could let a remote malicious user execute arbitrary code.
SecurityTracker Alert ID, 1011279, September 15, 2004
PHPGroupWare
PHPGroupWare 0.9.12-0.9.16
A Cross-Site Scripting vulnerability exists in 'transforms.php' due to
insufficient sanitization of user-supplied URI input, which could let a
remote malicious user execute arbitrary HTML and script code.
SecurityTracker Alert ID, 1011339, September 17, 2004
SMC
SMC7004VWBR 1.21 a, 1.22, 1.23, SMC7008ABR 1.32
A vulnerability exists due to the way users are validated in the
web administration software, which could let a remote malicious user
obtain administrative access.
No workaround or patch available at time of
publishing.
Several vulnerabilities exist: a vulnerability exists due to a failure
to properly validate access to administrative commands, which could let a
remote malicious user execute arbitrary commands; and a Cross-Site
Scripting vulnerability exists in the 'YaBB.pl' script, which could let a
remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
An information disclosure vulnerability exists in ARP requests, which
could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of
publishing.
There is no exploit code required.
ZyXEL P681 ARP Request Information Disclosure
Medium
Bugtraq, September 13, 2004
Recent Exploit Scripts/Techniques
The table below
contains a sample of exploit scripts and "how to" guides identified during this
period. The "Workaround or Patch Available" column indicates if vendors,
security vulnerability listservs, or Computer Emergency Response Teams (CERTs)
have published workarounds or patches.
Note: At times,
scripts/techniques may contain names or content that may be considered
offensive.
Date of Exploit (Reverse Chronological Order)
Script or Exploit Name
Workaround or Patch Available
Description
September 21, 2004
advisory-05-glFTPd.txt
No
Proof of concept exploit for the local stack overflow vulnerability in
the dupescan binary from glFTPd versions 2.00RC3 and below.
September 21, 2004
ettercap-NG-0.7.1.tar.gz
N/A
Ettercap NG is a network sniffer/interceptor/logger for switched LANs.
It uses ARP poisoning and the man-in-the-middle technique to sniff all the
connections between two hosts.
September 21, 2004
mambo45.jose.txt
Yes
Mambo versions 4.5 and below are susceptible to cross site scripting
and remote command execution flaws.
September 21, 2004
mambo451.txt
Yes
Proof of concept exploit for Mambo versions 4.5.1 and below SQL
injection vulnerability.
September 21, 2004
pigeonx.zip
Yes
Remote denial of service exploit for Pigeon versions 3.02.0143 and
below.
September 21, 2004
rsynxOSX.txt
Yes
Proof of concept exploit for RsyncX version 2.1, the frontend for
rsync on OS X, arbitrary program execution vulnerability.
September 21, 2004
sudoedit.txt
Yes
Proof of concept exploit for sudo version 1.6.8p1 that makes use of a
flaw in sudoedit.
September 18, 2004
sudo-exploit.c
Yes
Proof of Concept exploit for the Sudo Information Disclosure
vulnerability.
September 17, 2004
CRASH-TEST.zip crash-netscape.jpg jpegcompoc.zip
Yes
Proof of concept exploit for the Microsoft (Graphics Device Interface)
GDI+ JPEG handler integer underflow vulnerability.
September 17, 2004
jpegcompoc.zip
Yes
Proof of concept exploit for the JPEG buffer overrun vulnerability in
Windows XP.
September 17, 2004
lovethisgame.html
No
Proof of concept exploit for a file inclusion vulnerability in
PerlDesk 1.x due to insufficient input validation.
September 17, 2004
None
No
Example exploit for the DNS4Me denial of service and cross-site
scripting vulnerabilities.
September 17, 2004
None
No
Example exploit for the cross-site scripting vulnerability in the YaBB
forum 'YaBB.pl' script.
September 17, 2004
None
No
Proof of concept exploit for the Google Toolbar HTML injection
vulnerability. It is reported that the Google Toolbar 'ABOUT.HTML' page
allows the injection of HTML and JavaScript code.
September 17, 2004
None
No
Example exploit for the YaBB administrator command execution
vulnerability.
September 17, 2004
None
Yes
Proof of concept exploit for the Mozilla and
Firefox cross-domain scripting vulnerability.
September 17, 2004
None
Yes
Proof of concept exploit for the SnipSnap HTTP
response splitting vulnerability.
September 16, 2004
None
Yes
Proof of concept exploit for the Snitz Forums HTTP response splitting
vulnerability.
September 16, 2004
Tx.exe
Yes
A small universal Windows backdoor for all versions of Windows
NT/2K/XP/2003 with any service pack.
September 15, 2004
bbsEMarket.txt
Yes
Proof of concept exploit for BBS E-Market Professional path
disclosure, file download, file disclosure, user authentication bypass,
and php source injection vulnerabilities. BBS E-Market patch level bf_130,
version 1.3.0, and below is affected.
September 15, 2004
cdr-exp.sh cdrecord-suidshell.sh readcd-exp.sh
Yes
CDRTools is reportedly vulnerable to an RSH environment variable
privilege escalation vulnerability. This issue is due to a failure of the
application to properly implement security controls when executing an
application specified by the RSH environment variable.
September 15, 2004
challenges.tgz
N/A
This package contains example vulnerable C programs. There are
examples of buffer overflows (stack and heap) and format string
vulnerabilities. All examples are exploitable with a standard linux/x86
environment.
September 15, 2004
fwknop-0.4.1.tar.gz
N/A
fwknop is a flexible port knocking implementation that is based around
iptables. Both shared knock sequences and encrypted knock sequences are
supported.
September 15, 2004
myServer07.txt
Yes
myServer version 0.7 is susceptible to a simple directory traversal
attack.
September 15, 2004
netw-ib-ox-ag-5.24.0.tgz
N/A
Netwox is a utility that supports various protocols (DNS, FTP, HTTP,
NNTP, SMTP, SNMP) and performs low level functions like sniffing, spoofing
traffic, and playing client/server roles. Both Windows and Unix versions
are included.
September 15, 2004
None
Yes
Proof of concept exploit for the vulnerability in the Mozilla
'enablePrivilege' method.
September 15, 2004
None
Yes
Proof of concept exploit for the vulnerability in Mozilla and Firefox
browsers that could permit a remote site to gain access to contents of the
client user's clipboard.
September 15, 2004
pizzaicmp.c
N/A
ICMP-based triggered Linux kernel module that executes a local binary
upon successful use.
September 15, 2004
Rx.exe
Yes
A small universal Windows reverse shell for all versions of Windows
NT/2K/XP/2003 with any service pack.
September 14, 2004
getinternet.txt
No
Proof of concept exploit for getInternet SQL injection and remote
command execution vulnerabilities.
September 14, 2004
getintranet.txt
No
Proof of concept exploit for getIntranet 2.x cross site scripting, SQL
injection, script insertion, and multiple other vulnerabilities.
September 14, 2004
LSS-2004-09-01.html
Yes
Proof of concept exploit for the format string vulnerability in SuS
logging function.
September 14, 2004
regulus.htm
No
Proof of concept exploit for various vulnerabilities in Regulus 2.x
that allow an attacker to gain access to sensitive information and to
bypass certain security restrictions.
September 13, 2004
None
Yes
Proof of concept exploit for Webmin / Usermin command execution
vulnerability when rendering HTML email messages. This issue is reported
to affect Usermin versions 1.080 and prior.
September 13, 2004
None
Yes
Proof of concept exploit for the Pingtel Xpressa handset remote denial
of service vulnerability.
September 13, 2004
None
No
Proof of concept exploit for the buffer overflow vulnerabilities in QNX
Photon MicroGUI utilities.
September 11, 2004
None
No
Proof of concept exploit for the Serv-U FTP
Server denial of service vulnerability.
Several
vulnerabilities exist in the Mozilla web browser and derived products, the
most serious of which could allow a remote attacker to execute arbitrary code
on an affected system. Mozilla has released versions of the affected software
that contain patches for these issues: Mozilla 1.7.3, Firefox Preview Release,
Thunderbird 0.8. Users are strongly encouraged to upgrade to one of these
versions: www.mozilla.org. For more
information, see US-CERT Technical
Cyber Security Alert TA04-261A: Multiple vulnerabilities in Mozilla products.
Available at: http://www.uscert.gov/cas/techalerts/TA04-261A.html
The volume of worms and viruses is increasing, but the rate of successful attacks has dropped, according to a new report from Symantec. The antivirus company's biannual Internet Security Threat Report found that 4,496 new Windows viruses and worms were released between January and June, up more than 4.5 times from the same period last year. But overall, the daily volume of actual attacks decreased in the first six months of 2004. Alfred Huger, a senior director at Symantec's Security Response team, said malicious code writers were increasingly going to spammers to sell them access to the computers that they hack, or break into. Spammers, after paying the hackers, then flood those hacked computers with unsolicited messages, or spam. Symantec also said it expects more viruses and worms in the future to be written to attack systems that run on the Linux operating system and hand-held devices as they become more widely used. The report also noted that the rate at which personal computers are being hijacked by hackers rocketed in the first half of 2004. An average of 30,000 computers per day were turned into enslaved “zombies”, compared with just 2,000 per day in 2003. Report: http://enterprisesecurity.symantec.com/content.cfm?articleid=1539 (CNET News.com, September 20, 2004)
A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported during the latest three months), and approximate
date first found.
Rank | Common Name | Type of Code | Trends | Date
1 | Netsky-P | Win32 Worm | Stable | March 2004
2 | Zafi-B | Win32 Worm | Stable | June 2004
3 | Netsky-Z | Win32 Worm | Stable | April 2004
4 | Netsky-D | Win32 Worm | Stable | March 2004
5 | Netsky-B | Win32 Worm | Stable | February 2004
6 | Mydoom.m | Win32 Worm | Increase | July 2004
7 | Mydoom.q | Win32 Worm | Slight Decrease | August 2004
8 | Bagle-AA | Win32 Worm | Slight Decrease | April 2004
9 | Netsky-Q | Win32 Worm | Stable | March 2004
10 | MyDoom-O | Win32 Worm | Decrease | July 2004
Top Ten Table Updated September 17, 2004
Viruses or Trojans Considered to be a High Level of Threat
Troj/IBank-A: Sophos is warning computer users about a Trojan horse that helps hackers break into the bank accounts of customers of an Australian bank. The Troj/IBank-A Trojan horse is designed to steal information from Internet customers of the National Australia Bank, which could allow hackers to break into accounts and steal substantial amounts of money. Although this particular Trojan horse only targets users of an Australian bank, Sophos warns that others have been seen which affect banking customers in other parts of the world.
The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.
NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.