Summary of Security Items from November 24 through November 30, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Microsoft, Security Advisory 911302, November 29, 2005
Microsoft
Windows Microsoft Distribution Transaction Coordinator (MSDTC) and COM+
A buffer overflow vulnerability has been reported in Windows MSDTC and COM+ that could let local or remote malicious users execute arbitrary code, obtain elevated privileges or cause a Denial of Service.
WebAdmin, TruPrevent Personal 2006, 2005, Titanium 2006 Antivirus + Antispyware, Titanium 2005 Antivirus, Titanium
Panda Security 3.0, Platinum 2006 Internet Security, EnterpriSecure Antivirus, ISA Secure, GateDefender, FileSecure with TruPrevent Technologies, FileSecure, ExchangeSecure, EnterpriSecure with TruPrevent Technologies, ClientShield with TruPrevent Technologies, BusinesSecure Antivirus, Antivirus Platinum 2.0, Antivirus for NetWare 2.0, ActiveScan 5.0
A heap overflow vulnerability has been reported when attempting to decompress ZOO archive files, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Panda Software Antivirus Library ZOO Archive Heap Overflow
Security Focus, Bugtraq ID: 15616, November 29, 2005
SpeedProject
SpeedCommander 10.51, 11, Squeez 5.0, ZipStar 5.0
Multiple buffer overflow vulnerabilities have been reported in SpeedCommander, Squeez, and ZipStar that could let remote malicious users execute arbitrary code.
Multiple vulnerabilities have been reported: a vulnerability was reported when handling HTTP headers in the Apache 2 web server due to an error, which could let a remote malicious user conduct HTTP request smuggling attacks; a vulnerability was reported in the Apache web server's 'mod_ssl' module due to an error, which could let a remote malicious user bypass security restrictions; a vulnerability was reported in 'CoreFoundation' when resolving certain URLs due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in curl when handling NTML authentication due to an error, which could let a remote malicious user compromise a user's system; a vulnerability was reported in 'iodbcadmintoo,' which could let a malicious user execute arbitrary commands with elevated privileges; a vulnerability was reported in OpenSSL when handling certain compatibility options due to an error, which could let a remote malicious user perform rollback attacks; a vulnerability was reported in 'passwordserver' when handling the creation of an Open Directory master server due to an error, which could let a malicious user obtain sensitive information; a vulnerability was reported in the PCRE library used by Safari's JavaScript due to an integer overflow error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in Safari when a downloaded file that contains an overly long filename is downloaded, which could let a remote malicious user save the file outside the designated directory; a vulnerability was reported in Safari because JavaScript dialog boxes don't indicate the web site that created them, which could let a remote malicious user spoof dialog boxes; a vulnerability was reported in Webkit when handling specially crafted content due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported in 'sudo' due to an error, which could let a malicious user execute arbitrary code; and a vulnerability was reported in the syslog server due to insufficient sanitization of messages before recording them, which could let a remote malicious user forge log entries and mislead the system administrator.
Several vulnerabilities have been reported: an SQL injection vulnerability has been reported in some input passed in the customer interface due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability has been reported in 'register_domain.php' due to insufficient sanitization of the 'sld' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
drzes HMS SQL Injection & Cross-Site Scripting
Medium
Secunia Advisory: SA17755, November 29, 2005
GNU
shtool 2.0.1 & prior
A vulnerability has been reported that could let a local malicious user gain escalated privileges. The vulnerability is caused due to temporary files being created insecurely.
HP Security Advisory, HPSBUX02075, November 14, 2005
HP Security Advisory, HPSBUX02075 Update 1, November 22, 2005
Info-ZIP
UnZip 5.52
A vulnerability has been reported due to a security weakness when extracting an archive to a world or group writeable directory, which could let a malicious user modify file permissions.
Fedora Update Notification,
FEDORA-2005-844, September 9, 2005
SCO Security Advisory, SCOSA-2005.39, September 28, 2005
Ubuntu Security Notice, USN-191-1, September 29, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0053, September 30, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:197, October 26, 2005
Debian Security Advisory, DSA 903-1, November 21, 2005
Conectiva Linux Announcement, CLSA-2005:1049, November 21, 2005
Jed Wing
CHM lib 0.36, 0.35, 0.3-0.33, 0.2, 0.1
A buffer overflow vulnerability has been reported in the '_chm_decompress_block()' function due to a boundary error when reading input, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15211, October 26, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Debian Security Advisory, DSA 886-1, November 7, 2005
Gentoo Linux Security Advisory, GLSA 200511-23, November 28, 2005
Multiple Vendors
ktools 0.3;
Centericq 4.21, 4.20
A buffer overflow vulnerability has been reported in the 'VGETSTRING()' marco when generating the output string using the "vsprintf()" function, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Security Focus, Bugtraq ID: 15536, November 22, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.0 4 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
TouchTunes Rhapsody,
TouchTunes Maestro;
SuSE UnitedLinux 1.0, Novell Linux Desktop 9.0, Linux Professional 10.0 OSS, 10.0, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Enterprise Server 9, 8, Linux Desktop 1.0;
RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, 2.1 IA64, 2.1, AS 4, AS 3, AS 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; GTK+ 2.8.6, 2.6.4, 2.4.14, 2.4.13, 2.4.10, 2.4.9, 2.4.1, 2.2.4, 2.2.3;
GNOME GdkPixbuf 0.22;
Gentoo Linux ; Ardour 0.99
Multiple vulnerabilities have been reported: an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' due to the insufficient validation of the 'n_col' value before using to allocate memory, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when processing an XPM file that contains a large number of colors; and an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when performing calculations using the height, width, and colors of a XPM file, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.
Fedora Update Notifications
FEDORA-2005-1085 & 1086, November 15, 2005
RedHat Security Advisory, RHSA-2005:810-9, November 15, 2005
Gentoo Linux Security Advisory GLSA 200511-14, November 16, 2005
SUSE Security Announcement, SUSE-SA:2005:065, November 16, 2005
Ubuntu Security Notice, USN-216-1, November 16, 2005
Mandriva Linux Security Advisory, MDKSA-2005:214, November 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0066, November 22, 2005
Avaya Security Advisory, ASA-2005-229, November 21, 2005
Debian Security Advisory, DSA 911-1, November 29, 2005
SGI Security Advisory, 20051101-01-U, November 29, 2005
Multiple Vendors
Gentoo Linux;
eix 0.5 .0-beta, 0.3 .0-r1
A vulnerability has been reported due to the insecure creation of temporary files, which could let a malicious user obtain sensitive information or cause a Denial of Service.
Gentoo Linux Security Advisory, GLSA 200511-19, November 22, 2005
Multiple Vendors
Gentoo Linux;
GNU GDB 6.3
Multiple vulnerabilities have been reported: a heap overflow vulnerability was reported when loading malformed object files, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported which could let a malicious user obtain elevated privileges.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
A Denial of Service vulnerability has been reported in 'ptrace.c' when 'CLONE_THREAD' is used due to a missing check of the thread's group ID when trying to determine whether the process is attempting to attach to itself.
Fedora Update Notification,
FEDORA-2005-1104, November 28, 2005
Multiple Vendors
Linux kernel 2.6-2.6.15
A Denial of Service vulnerability has been reported in the 'time_out_leases()' function because 'printk()' can consume large amounts of kernel log space.
Security Focus, Bugtraq ID: 15625, November 29, 2005
Multiple Vendors
MandrakeSoft Multi Network Firewall 2.0, Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2, Corporate Server 3.0 x86_64, 3.0;
GNU wget 1.10;
Daniel Stenberg curl 7.14.1, 7.13.1, 7.13, 7.12.1- 7.12.3, 7.11- 7.11.2, 7.10.6- 7.10.8
A buffer overflow vulnerability has been reported due to insufficient validation of user-supplied NTLM user name data, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported because fusermount fails to securely handle special characters specified in mount points, which could let a malicious user cause a Denial of Service or add arbitrary mount points.
Gentoo Linux Security Advisory, GLSA 200511-17, November 22, 2005
Mandriva Linux Security Advisory, MDKSA-2005:216, November 24, 2005
Multiple Vendors
RedHat Enterprise Linux WS 4, WS 3, WS 2.1, IA64, ES 4, ES 3, ES 2.1, IA64, AS 4, AS 3, 2.1, IA64, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1, IA64;
libungif libungif 4.1.3,
4.1, giflib 4.1.3;
Gentoo Linux
Several vulnerabilities have been reported: a remote Denial of Service vulnerability was reported due to a NULL pointer dereferencing error; and a vulnerability was reported due to a boundary error that causes an out-of-bounds memory access, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.
A format string vulnerability has been reported in the 'miniserv.pl' script due to a failure to properly handle format specifiers in formatted printing functions, which could let a remote malicious user cause a Denial of Service.
No workaround or patch available at time of publishing.
A vulnerability has been reported in 'pcre_compile.c' due to an integer overflow, which could let a remote/local malicious user potentially execute arbitrary code.
Gentoo Linux Security Advisory, GLSA 200509-19, September 27, 2005
Debian Security Advisory, DSA 821-1, September 28, 2005
Conectiva Linux Announcement, CLSA-2005:1013, September 27, 2005
Turbolinux Security Advisory, TLSA-2005-92, October 3, 2005
Avaya Security Advisory, ASA-2005-216, October 18, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0059, October 21, 2005
HP Security Bulletin, HPSBUX02074, November 16, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0062, November 22, 2005
Security Focus, Bugtraq ID: 14620, November 25, 2005
PHP Labs
Survey Wizard
An SQL injection vulnerability has been reported in 'survey.php' due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
SQL injection vulnerabilities have been reported in 'viewcat.php' due to insufficient sanitization of the 'category' and 'type' parameters and insufficient sanitization of some parameters when performing a search, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Fedora Update Notifications,
FEDORA-2005-1009 & 1010, October 20, 2005
Mandriva Linux Security Advisory, MDKSA-2005:195, October 26, 2005
SCO Security Advisory, SCOSA-2005.44, November 1, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Security Focus, Bugtraq ID: 15157, November 10, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Conectiva Linux Announcement, CLSA-2005:1047, November 21, 2005
Sun Micro-systems, Inc.
Solaris 10.0
Multiple buffer overflow vulnerabilities have been reported when handling excessive data supplied through command line arguments, which could let a malicious user execute arbitrary code.
A buffer overflow vulnerability has been reported in 'ldif.c' due to a boundary error in the 'ldif_
get_line()' function when importing a LDIF file into the address book, which could let a remote malicious user obtain unauthorized access.
Fedora Update Notification,
FEDORA-2005-1063, November 9, 2005
Gentoo Linux Security Advisory, GLSA 200511-13, November 15, 2005
Debian Security Advisory, DSA 906-1, November 22, 2005
Debian Security Advisory, DSA 908-1, November 23, 2005
T & D Systems
ADC2000 NG Pro 1.2
An SQL injection vulnerability has been reported in 'adcbrowres.php' due to insufficient sanitization of the 'cat' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Several vulnerabilities have been reported: an SQL injection vulnerability has been reported in 'songinfo.php' due to insufficient sanitization of the 'song_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'searchFor' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
A buffer overflow vulnerability has been reported when handling the '.alz' archive due to a boundary error, which could let a remote malicious user execute arbitrary code.
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:189 & 194, October 21 & 26, 2005
Slackware Security Advisory, SSA:2005-310-06, November 7, 2005
Conectiva Linux Announcement, CLSA-2005:1046, November 21, 2005
Virtual Hosting Control System
Virtual Hosting Control System (VHCS) 2.4.6.2, 2.2
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in the 'vhcs/gui/errordocs/index.php' error page due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the domain alias management due to an unspecified error, which could let a remote malicious user hijack other users' forwards.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A vulnerability has been reported in 'docutils' due to an unspecified error and affects all instances which exposes 'Restructured Text' functionality via the web. The impact was not specified.
SQL injection vulnerabilities have been reported in 'SubCategory.php' due to insufficient sanitization of the 'cl' parameter and in 'ItemInfo.php' and 'ItemReview.php' due to insufficient sanitization of the 'item_id' parameter, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
An SQL injection vulnerability has been reported in 'Product_Cat' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Tracker Alert ID: 1015272, November 25, 2005
Babe Logger
Babe Logger V2
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'gal' parameter and in 'comments.php' due to insufficient sanitization of the 'id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID:13408, November 25, 2005
BASE Basic Analysis and Security Engine
BASE Basic Analysis and Security Engine 1.2
An SQL injection vulnerability has been reported in 'base_qry_main.php' due to insufficient sanitization of the 'sig[1] parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
Debian Security Advisory DSA 893-1, November 14, 2005
Security Focus, Bugtraq ID: 15199, November 30, 2005
Bedeng PSP
Bedeng PSP 1.1
SQL injection vulnerabilities have been reported in 'index.php' and 'download.php' due to insufficient sanitization of the 'cwhere' parameter and in 'baca.php' due to insufficient sanitization of the 'ckode'; parameter, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15583, November 28, 2005
BerliOS
SourceWell 1.1.3
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'cnt' " parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
SQL injection vulnerabilities have been reported in 'calendar.php' due to insufficient sanitization of the 'year' and 'category' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An HTTP injection vulnerability has been reported in the '/level/14/exec/buffers/
assigned/ and /level/14/exec/
buffers/all' scripts, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
