
Note: This page is part of the us-cert.gov archive. This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-203)

Summary of Security Items from July 6 through July 20, 2004

Original release date: July 20, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between July 6 and July 20, 2004.


Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Risk is defined as follows:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.


Windows Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source
Adobe

Adobe Acrobat Reader version 6.0.1
A buffer overflow vulnerability exists that allows remote attackers to execute arbitrary code. The problem specifically exists within a routine that is responsible for splitting the filename path into multiple components. Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching the malicious PDF document.

Update to the latest release of Adobe Acrobat and the free Adobe Reader, version 6.0.2 available at: http://www.adobe.com/support/techdocs/34222.htm

Currently, we are not aware of any exploits for this vulnerability.
Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0632
High
iDEFENSE Security Advisory, July 12, 2004

Securiteam, July 11, 2004
Code-Crafters

Ability Mail Server 1.x
Cross-Site Scripting and Denial of Service vulnerabilities exist due to unsanitized input and an error in connection handling. These can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Ability Mail Server Cross-Site Scripting and Denial of Service Vulnerabilities
High
Secunia Advisory, SA12039, July 12, 2004

SecurityTracker Alert, 1010672, July 12, 2004
EA Games

Medal of Honor
Allied Assault 1.11v9 and prior;
Breakthrough 2.40b and prior;
Spearhead 2.15 and prior


A buffer overflow vulnerability exists in the Medal of Honor and related game software. It is reported that a remote user can send a specially crafted packet to the target server to trigger a buffer overflow in the code that checks for slash characters and null bytes. A remote user can execute arbitrary code on the target system.

An unofficial patch is available for Windows-based platforms at: http://aluigi.altervista.org/patches.htm

A Proof of Concept exploit has been published.

EA Games Medal of Honor Has Buffer Overflow in 'connect' Packet
High
SecurityTracker Alert, 1010725, July 17, 2004
Microsoft

Internet Explorer 6
A remote code execution vulnerability exists in popup.show(). A malicious user can take arbitrary mouse-based actions on the target system. This vulnerability can be used in conjunction with a "shell://" vulnerability to execute arbitrary code on the target user's system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
HijackClick 3
High
SecurityTracker Alert, 1010679, July 12, 2004

Bugtraq, July 11, 2004
Microsoft

Hotmail HTML
An input validation vulnerability exists because Hotmail does not filter scripting code from within conditional IF statements contained in HTML comments. A remote user can conduct cross-site scripting attacks against target users via Internet Explorer.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Hotmail HTML Comment Condition Lets Remote Users Conduct Cross-Site Scripting Attacks
High
SecurityTracker Alert, 1010726
July 17, 2004
Microsoft

MS Windows NT® Workstation 4.0 SP; MS Windows NT Server
A buffer overrun vulnerability exists in Internet Information Server 4.0 due to an unchecked buffer in the IIS 4.0 redirect function. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx

Currently, we are not aware of any exploits for this vulnerability.
IIS Redirection Vulnerability

CVE Name:
CAN-2004-0205


High
Microsoft Security Bulletin MS04-021, July 13, 2004
Microsoft

Internet Explorer 6
A cross-domain scripting vulnerability exists in which a remote user can create HTML containing a javascript function that redirects to a different javascript function of the same name as the original function to bypass cross-domain security restrictions. Arbitrary scripting code can be executed in the security context of an arbitrary site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Microsoft Internet Explorer Same Name Javascript Bug
High
SecurityTracker Alert, 1010683, July 13, 2004
Microsoft

MS Internet Explorer 5.01, 5.5, 6
Multiple vulnerabilities exist in Internet Explorer, allowing malicious people to bypass security restrictions and potentially compromise a vulnerable system. It is possible to redirect a function to another function with the same name, which allows a malicious website to access the function without the normal security restrictions. Malicious sites can trick users into performing actions like drag'n'drop or click on a resource without their knowledge. It is possible to inject arbitrary script code into Channel links in Favorites. It is possible to place arbitrary content above any other window and dialog box using the "Window.createPopup()" function.

Workaround: Disabling Active Scripting will mitigate some of these vulnerabilities.

A Proof of Concept exploit has been published.
Microsoft Internet Explorer Multiple Vulnerabilities
High
Secunia Advisory, SA12048, July 13, 2004
Microsoft

MS Windows 2000 SP 2, 3, and 4
A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

A Proof of Concept exploit has been published.
Utility Manager Vulnerability

CVE Name:
CAN-2004-0213
High
Microsoft Security Bulletin MS04-019, July 13, 2004
Microsoft

MS Windows 2000 SP 2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1
A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer during application name validation. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

Currently, we are not aware of any exploits for this vulnerability.
Task Scheduler Vulnerability

CVE Name:
CAN-2004-0212


High
Microsoft Security Bulletin MS04-022, July 13, 2004
Microsoft

MS Windows 2000 Service Pack 2, 3 and 4;
MS Windows XP and XP SP 1;
MS Windows XP 64-Bit Edition SP 1;
MS Windows XP 64-Bit Edition Version 2003;
MS Windows Server™ 2003;
MS Windows Server 2003 64-Bit Edition;
MS Windows 98, MS Windows 98 Second Edition (SE), and MS Windows Millennium Edition (Me)
Remote code execution vulnerabilities exist in the processing of a specially crafted showHelp URL and in HTML Help that could allow remote code execution on an affected system. This is due to incorrect file validation in the HTML Help protocol and incomplete input validation.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx

Currently, we are not aware of any exploits for this vulnerability.
showHelp Vulnerability

CVE Name:
CAN-2003-1041


HTML Help Vulnerability

CVE Name:
CAN-2004-0201
High
Microsoft Security Bulletin MS04-023, July 13, 2004

Microsoft

MS Windows NT® Workstation 4.0 SP 6a;
MS Windows NT Server 4.0 SP 6a;
MS Windows NT Server 4.0 Terminal Server Edition SP 6;
MS Windows NT® Workstation 4.0 SP 6a and NT Server 4.0 SP 6a with Active Desktop;
MS Windows 2000 SP 2, 3, and 4;
MS Windows XP and MS Windows XP Service Pack 1;
MS Windows XP 64-Bit Edition SP 1;
MS Windows XP 64-Bit Edition Version 2003;
MS Windows Server™ 2003;
MS Windows Server 2003 64-Bit Edition;
MS Windows 98, MS Windows 98 Second Edition (SE), and MS Windows Millennium Edition (Me)

A remote code execution vulnerability exists in the way that the Windows Shell launches applications due to the way the shell API handles class identifiers. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

Currently, we are not aware of any exploits for this vulnerability.
Windows Shell Vulnerability

CVE Name:
CAN-2004-0420
High
Microsoft Security Bulletin MS04-024, July 13, 2004
Microsoft

MS Windows NT® Workstation 4.0 SP 6a;
MS Windows NT Server 4.0 SP 6a;
MS Windows NT Server 4.0 Terminal Server Edition SP 6;
Microsoft Windows 2000 Service Pack 2, 3, and 4
A privilege elevation vulnerability exists in the POSIX operating system component (subsystem) due to an unchecked buffer. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

Currently, we are not aware of any exploits for this vulnerability.
POSIX Vulnerability

CVE Name:
CAN-2004-0210
High
Microsoft Security Bulletin MS04-020, July 13, 2004
Microsoft

MS Works Suite 2003;
MS Word 2000;
MS Outlook 2003;
MS Outlook 2000;
MS Office 2003 Student and Teacher Edition;
MS Office 2003 Standard Edition;
MS Office 2003 Small Business Edition;
MS Office 2003 Professional Edition;
MS Office 2000
A vulnerability exists when Word is used to edit mails in Outlook which can be exploited to execute arbitrary code on a user's system if the user is tricked into forwarding a malicious email with an unclosed "<OBJECT>" tag. This may be possible only when mails are forwarded. This may also be possible to exploit through malicious HTML documents if edited in Word.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Outlook / Word Object Tag Vulnerability
High
Secunia Advisory, SA12041, July 12, 2004
Mozilla Organization

Mozilla (Suite) 1.7.0 and prior;
Mozilla Firefox 0.9.1 and prior;
Mozilla Thunderbird 0.7.1 and prior;
A security vulnerability exists in the handling of the shell: protocol, making it possible to combine this effect with a known buffer overrun to create a remote code execution exploit or denial-of-service attacks (including crashing the system in some cases).

Patch available at: http://www.mozilla.org/security/shell.html

A Proof of Concept exploit has been published.
Mozilla shell: Scheme Allows Code Execution
High
Mozilla Organization Advisory

Computer Associates, Vulnerability ID: 28693, July 11, 2004
Sun

Sun Java JRE 1.4.x, 1.3.x, 1.2.x, 1.1.x
with Internet Explorer version 5.5, 6.0
A temporary file creation issue in Sun's Java Virtual Machine combined with known security holes in Internet Explorer may lead to arbitrary script code execution on the victim's machine.

Workaround: Disable Active Scripting in Internet Explorer.

A Proof of Concept exploit has been published.
Sun JVM Insecure Temporary File Creation Allows Remote Code Execution
High
Securiteam, July 11, 2004
Secunia Advisory, SA12043, July 12, 2004
GeeOS Team

Gattaca Server 2003 1.x

Multiple vulnerabilities exist which can be exploited to disclose system information, cause a Denial of Service, or conduct cross-site scripting attacks. These vulnerabilities are due to input validation and sanitization errors, connection handling, and buffer overflows.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Gattaca Server 2003 Multiple Vulnerabilities
Medium
Secunia Advisory, SA12071, July 15, 2004
Microsoft

MSN Messenger 6.x
Microsoft Word 2002
A vulnerability exists in these programs due to the failure to restrict access to the "shell:" URI handler. This allows an attacker to invoke various programs associated with specific extensions. It is not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Products Fail to Restrict "shell:" Access
Medium
Secunia Advisory, SA12042, July 12, 2004
PsTools 2.01, 2.02, and 2.03

psexec 1.52; psgetsid 1.4;
psinfo 1.5,
pskill 1.03,
pslist 1.25,
psloglist 2.5,
pspasswd 1.21,
psservice 2.1,
psshutdown 2.31,
pssuspend 1.04


Multiple vulnerabilities were reported in Sysinternals PsTools. A local user can gain administrative access on certain remote hosts. Several of the PsTools utilities map the IPC$ or ADMIN$ share when executing a command on a remote host but do not properly disconnect from the share when the utility exits. As a result, a local user can access the share and take administrative actions on the target system.

Updates available at: http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

A Proof of Concept exploit has been published.

Sysinternals PsTools Fails to Disconnect
Medium
SecurityTracker Alert, 1010737, July 19, 2004
Apache Software Foundation

Apache 2.0.49 (Win32) with PHP 5.0.0 RC2
A Denial of Service vulnerability exists in the Apache web server when running with PHP due to a flaw when invoking certain functions such as fopen and fsockopen in an endless loop.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Apache Can Be Crashed By PHP Code
Low
SecurityTracker Alert, 1010674, July 9, 2004
INweb Mail Server 2.x
A Denial of Service vulnerability exists in INweb Mail Server due to an error in the connection handling, which can be exploited to crash the application.

No solution available at this time.

Currently, we are not aware of any exploits for this vulnerability.
INweb Mail Server Multiple Connection Denial of Service Vulnerability
Low
Secunia Advisory, SA12056, July 12, 2004
Microsoft Java Virtual Machine

version 5.0.0.3810
A vulnerability in Microsoft Java Virtual Machine allows Java applets originating from different domains to communicate. This could be exploited to cause information leakage.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Java Virtual Machine Cross-Site Communication Vulnerability
Low
Secunia Advisory, SA12047, July 12, 2004

Microsoft

MS Outlook Express 5.5 SP 2, 6, 6 SP1, 6 SP1 (64 bit Edition), 6 on Windows Server 2003, 6 on Windows Server 2003 (64 bit edition)

A denial of service vulnerability exists that could allow an attacker to send a specially crafted e-mail message causing Outlook Express to fail.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx

Currently, we are not aware of any exploits for this vulnerability.

Malformed E-mail Header Vulnerability

CVE Name:
CAN-2004-0215

Low
Microsoft Security Bulletin MS04-018
Opera

Opera 5.x, 6.x, 7.x
Due to a race condition in Opera, it is possible to spoof the contents of the address bar using a specially crafted HTML page.

Solution: Disable support for Javascript.

A Proof of Concept exploit has been published.
Opera Address Bar Spoofing Condition
Low
Securiteam, July 11, 2004
Symantec

Symantec Norton AntiVirus 2003 Professional Edition;
Symantec Norton AntiVirus 2002
A denial of service vulnerability was reported in Norton Anti-Virus. A remote user can cause the application to consume excessive CPU resources.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Norton AntiVirus Denial Of Service Vulnerability
Low
SecurityTracker Alert, 1010671, July 9, 2004


UNIX Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source
4D, Inc.

4D WebSTAR 5.3.2 and prior versions
Multiple vulnerabilities, including a buffer overflow, exist that could allow an attacker to escalate privileges or obtain access to protected resources. A remote user can issue a specially crafted FTP command to trigger a stack-based overflow and execute arbitrary code.

The vendor has released a fixed version (5.3.3), available at:
http://www.4d.com/products/downloads_4dws.html

Currently, we are not aware of any exploits for this vulnerability.
4D WebSTAR Grants Access to Remote Users and Elevated Privileges to Local Users
High
SecurityTracker Alert, 1010696, July 13, 2004
Caolán McNamara and Dom Lachowicz

wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0
A buffer overflow vulnerability exists if the user opens an exploit document in HTML mode using an application that builds upon the wv library.

Updates available at: http://www.abisource.com/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=wv&command=DIFF_FRAMESET&root=/cvsroot&file=field.c&rev1=1.19&rev2=1.20


A Proof of Concept exploit has been published.
wvWare Library Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0645
High
Securiteam, July 11, 2004

iDEFENSE Security Advisory, July 9, 2004
Epic Games, Inc.

Unreal Tournament
A buffer overflow vulnerability exists in the Unreal game engine through the 'secure' query. An attacker could execute arbitrary code on the game server.

Updates available at: http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml

Currently, we are not aware of any exploits for this vulnerability.

Buffer overflow in Unreal Tournament

CVE Name:
CAN-2004-0608
High
Gentoo Advisory, GLSA 200407-14 / Unreal Tournament, July 19, 2004
Ethereal

Ethereal 0.x
Multiple Denial of Service and buffer overflow vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors which may allow an attacker to run arbitrary code or crash the program.

Updates available at: http://www.ethereal.com/download.html or disable the affected protocol dissectors.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Debian: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00129.html


Currently, we are not aware of any exploits for this vulnerability.
Ethereal: Multiple security problems

CVE Names:
CAN-2004-0633
CAN-2004-0634
CAN-2004-0635
High

Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July 9, 2004

Secunia Advisory, 12034 & 12035, July 12, 2004

Ethereal Advisory, enpa-sa-00015, July 6, 2004

eXtropia

WebStore (version unknown)
An input validation vulnerability exists in eXtropia's WebStore because the web_store.cgi script does not properly validate user-supplied input in the 'page' parameter. A remote user can execute arbitrary shell commands on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

eXtropia WebStore Input Validation Bug Lets Remote Users Execute Arbitrary Commands

High

SecurityTracker Alert, 1010727, July 17, 2004
FreeBSD

SSLTelnet version 0.13-1
A format string vulnerability exists in telnetd.c when input is passed to a logging function without proper handling which could lead to remote code execution.

No workaround or patch available at time of publishing.

There is no exploit code required.
SSLTelnet Remote Format String Vulnerability

CVE Name:
CAN-2004-0640
High
Securiteam, July 11, 2004

iDEFENSE Security Advisory, July 8, 2004
Gentoo Linux 1.x

net-ww/moinmoin-1.2.2
A vulnerability exists in the code handling administrative group Access Control Lists. A user created with the same name as an administrative group gains the privileges of the administrative group.

Update available at: http://www.gentoo.org/security/en/glsa/glsa-200407-09.xml

Currently, we are not aware of any exploits for this vulnerability.
MoinMoin: Group ACL bypass
High
Gentoo Linux Security Advisory, GLSA 200407-09 / MoinMoin

Gentoo, Linux Kernel 2.6.x

Conectiva, Linux 8 and 9

Multiple vulnerabilities exist in the Linux kernel, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml

Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000846

Currently, we are not aware of any exploits for this vulnerability.
Multiple Vulnerabilities in the Linux Kernel
High
Gentoo Advisory, GLSA 200407-12 / Kernel, July 14, 2004

Conectiva Advisory, CLSA-2004:846, July 16, 2004
Mozilla Foundation

Bugzilla version 2.16.5 and prior
Bugzilla Development version 2.18rc1 and prior

Multiple vulnerabilities exist that include one instance of arbitrary SQL injection exploitable only by a privileged user, several instances of insufficient data validation and/or escaping, and two instances of unprivileged access to names of restricted products.

Upgrading to 2.16.6 and 2.18rc1 is recommended. Full release downloads, patches to upgrade Bugzilla to 2.16.6 from previous 2.16.x versions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html

Currently, we are not aware of any exploits for this vulnerability.

Multiple Vulnerabilities In Bugzilla
High
The Mozilla Organization, Security Advisory 2.16.5, 2.17.7, July 10, 2004

Securiteam, July 13, 2004
MySQL AB

MySQL version 4.1.0 up to but not including MySQL version 4.1.3;
MySQL version 5.0
An authentication vulnerability allows a remote user to obtain access to the database completely bypassing the normal authentication mechanism and without providing the DB user's password.

Updates available at: http://dev.mysql.com/downloads/

A Proof of Concept exploit has been published.
MySQL Authentication Scheme Bypass
High
Securiteam, July 11, 2004

NGSSoftware Insight Security Research Advisory, July 1, 2004
CGIscript.NET

csFAQ
A path disclosure vulnerability in the csFAQ product allows a remote user to determine the full path to the web root directory and other potentially sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
csFAQ Path Disclosure
Medium
Securiteam, July 11, 2004
Fedora Project

Fedora Core 2
A temporary file creation vulnerability exists in Fedora's im-switch utility which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of a user invoking the program.

Updates available at: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

A Proof of Concept exploit has been published.
Fedora im-switch Insecure Temporary File Creation Vulnerability
Medium
Bugzilla Bug 126940: im-switch symlink vulnerability, June 29, 2004
Fedora Project

Fedora Core 1
Fedora Core 2

Multiple vulnerabilities exist in httpd which can be exploited to cause a Denial of Service and potentially compromise a vulnerable system.

Updates available at:
Core 1: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
Core 2: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Currently, we are not aware of any exploits for this vulnerability.

Fedora update for httpd
Medium
Secunia Advisory, SA12098, July 20, 2004
GNU

Shorewall 1.4.x, 2.0.x

A privilege escalation vulnerability exists because the "shorewall" script creates temporary files insecurely, which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user invoking the script (usually root).

Update available at: http://shorewall.net/download.htm

Currently, we are not aware of any exploits for this vulnerability.

Shorewall Insecure Temporary File Creation Vulnerability

CVE Name:
CAN-2004-0647
Medium
Shorewall Security Vulnerability, June 28, 2004
Jaws

JAWS 0.3
Multiple vulnerabilities exist in the index.php page that allow a malicious attacker to bypass authentication, read arbitrary files and perform Cross-Site Scripting attacks.

Update available at: http://jaws.com.mx/

A Proof of Concept exploit has been published.
Multiple Vulnerabilities In JAWS
Medium
Securiteam, July 11, 2004
Red Hat, Inc.

Linux Kernel 2.4.x, ia64
A vulnerability exists in the Linux kernel, which potentially can be exploited to gain knowledge of sensitive information. The vulnerability is caused due to an error within the context switch code.

Updates available at: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734

A Proof of Concept exploit has been published.
Information leak on Linux/ia64

CVE Name:
CAN-2004-0565
Medium
Bugzilla Bug 124734, May 28, 2004
SCO Group

SCO OpenServer 5.x

Multiple vulnerabilities exist in SCO MMDF. According to SCO the vulnerabilities are: buffer overflows, null dereferences and core dumps. One of the buffer overflows is known to affect "execmail".

Updates available at: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/

A Proof of Concept exploit has been published.

SCO OpenServer Multiple Vulnerabilities in MMDF

CVE Names:
CAN-2004-0510
CAN-2004-0511
CAN-2004-0512
Medium
SCO Advisory, SCOSA-2004.7, July 14, 2004

Deprotect Security Advisory 20040206, July 2, 2004
Gentoo Linux 1.x

rsync
A vulnerability exists that could allow malicious people to write files outside the intended directory.

Update to "net-misc/rsync-2.6.0-r2" or later available at http://www.gentoo.org/security/en/glsa/glsa-200407-10.xml

Currently, we are not aware of any exploits for this vulnerability.
Gentoo update for rsync

CVE Name:
CAN-2004-0426
Low
Gentoo Linux Security Advisory GLSA 200407-10 / rsync, July 12, 2004
Linux Kernel 2.6.7

A denial of service vulnerability exists in the equalizer load-balancer for serial network interfaces. A local user can invoke either the eql_g_slave_cfg() function or the eql_s_slave_cfg() function and supply a non-existent slave device name to cause the kernel to crash.

Updates available at:
http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg

Currently, we are not aware of any exploits for this vulnerability.

Linux Kernel 'eql.c' Device Driver Error Lets Local Users Crash the System

CVE Name:
CAN-2004-0596
Low
SecurityTracker Alert, 1010700, July 14, 2004
OpenPKG Project

OpenPKG 1.x
Multiple Denial of Service vulnerabilities exist due to 1) a boundary error within the logging functionality and 2) a buffer overflow on certain platforms where the vsnprintf() function is not supported.

Update available at: ftp://ftp.openpkg.org/release/1.3/UPD/dhcpd-3.0.1rc11-1.3.1.src.rpm

Currently, we are not aware of any exploits for this vulnerability.
ISC DHCP Buffer Overflow Vulnerabilities

CVE Names:
CAN-2004-0460
CAN-2004-0461
Low
OpenPKG Security Advisory, July 9, 2004


Multiple/Other Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source
Adobe

Adobe Reader 6.x;
Adobe Acrobat 6.x

A buffer overflow vulnerability exists in Adobe Acrobat / Reader due to a parsing and boundary error when splitting filename paths into components. Exploitation could allow remote attackers to execute arbitrary code.

Update to version 6.0.2 available at http://www.adobe.com/support/techdocs/34222.htm

Currently, we are not aware of any exploits for this vulnerability.

Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability
High
iDEFENSE Security Advisory, July 12, 2004
GNU/GPL

PHP-Nuke 4.1
Multiple vulnerabilities exist in the 'Search' module. A remote user can inject SQL commands, conduct cross-site scripting attacks and determine the installation path. These vulnerabilities are due to input validation errors and SQL injection flaws.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
PHP-Nuke Input Validation Error in Search Module 'categ' Variable Permits SQL Injection
High
SecurityTracker Alert, 1010734, July 18, 2004
GNU/GPL

PostNuke 0.75-RC3, 0.726-3

An input validation vulnerability was reported in PostNuke in the Reviews module in the showcontent() function. A remote user can conduct cross-site scripting attacks and determine the installation path.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PostNuke Input Validation Hole in Reviews Module
High
Security Wari Projects, Advisory 10, July 14, 2004
Hewlett-Packard

OpenVMS, DCE Version 3.1-SSB
A buffer overflow vulnerability exists in DCE for HP OpenVMS. A remote user may be able to cause denial of service conditions or execute arbitrary code. A remote user can send a specially crafted packet to a target DCE server to overflow a buffer on the target server.

Patches available through vendor.

Currently, we are not aware of any exploits for this vulnerability.
DCE for HP OpenVMS Potential RPC Buffer Overrun Attack
High
HP Security Bulletin, HPSBOV01056, July 12, 2004
mod SSL Project

mod_ssl 2.x

A vulnerability exists in mod_ssl, which may allow an attacker to compromise a vulnerable system. The vulnerability is reportedly caused due to a "ssl_log()" related format string error within the "mod_proxy" hook functions.

Update to version 2.8.19-1.3.31 available at:
http://www.modssl.org/source/mod_ssl-2.8.19-1.3.31.tar.gz

OpenPKG: ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm

Currently, we are not aware of any exploits for this vulnerability.

"mod_proxy" Hook Functions Format String Vulnerability in mod_ssl
High
modSSL Notice, July 16, 2004

Secunia Advisory, SA12077, July 19, 2004
Moodle

Moodle 1.3.2+ stable; 1.4 dev
An input validation vulnerability exists in 'help.php', affecting the 'file' parameter due to input not being properly filtered to remove HTML code from user-supplied input before displaying the information. This could allow a remote user to conduct cross-site scripting attacks.

A fix is available via CVS at: http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.php

A Proof of Concept exploit has been published.
Moodle Input Validation Bug in 'help.php'
High
SecurityTracker Alert, 1010697, July 14, 2004
Open Source Development Network

PlaySMS - SMS Gateway, versions prior to 0.7

Multiple input verification vulnerabilities exist that could allow an attacker to conduct SQL injection attacks and execute arbitrary system commands.

Update to version 0.7 available at:
http://sourceforge.net/project/showfiles.php?group_id=97032&package_id=103784

Currently, we are not aware of any exploits for this vulnerability.

PlaySMS SMS Gateway SQL and Command Injection Vulnerabilities
High

Secunia Advisory, SA12103, July 19, 2004

Outblaze

Outblaze E-mail
An input validation vulnerability exists in Outblaze E-mail that can allow a remote user to conduct cross-site scripting attacks. The e-mail server does not properly filter javascript from HTML-based e-mails. A remote user can send javascript code with an encoded carriage return character in the javascript tag to bypass the filtering mechanism.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Outblaze E-mail Javascript Filtering Error
High
SecurityTracker Alert, 1010735, July 18, 2004
PHP Group

PHP 4.3.7 and prior versions;
5.0.0RC3 and prior versions
A vulnerability exists in PHP when compiled and running with 'memory_limit' enabled. A remote user may be able to execute arbitrary code on the target system. A vulnerability also exists in the handling of allowed tags within PHP's strip_tags() function. A remote user may be able to bypass the function to inject arbitrary tags when certain web browsers are used.

Update to version 4.3.8 or 5.0.0, available at: http://www.php.net/downloads.php

Mandrake: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:068
Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml
Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000847

RedHat: http://rhn.redhat.com/errata/RHSA-2004-395.html
SuSE: http://www.suse.de/de/security/2004_21_php4.html

Currently, we are not aware of any exploits for this vulnerability.
PHP 'memory_limit' and strip_tags() Remote Vulnerabilities

CVE Names:
CAN-2004-0594
CAN-2004-0595
High
SecurityTracker Alerts, 1010698 and 1010699, July 14, 2004

eMatters, Advisory 12/2004, July 14, 2004

Mandrake Advisory, MDKSA-2004:068, July 14, 2004

Gentoo Linux Security Advisory: GLSA 200407-13 / PHP, July 15, 2004
phpBB Group

phpBB 2.0.8
Input validation and other vulnerabilities exist in 'index.php' and 'language\lang_english\lang_faq.php' which could allow a remote user to determine the installation path or conduct cross-site scripting attacks.

Upgrade to version 2.0.9, available at: http://www.phpbb.com/downloads.php

A Proof of Concept exploit has been published.
phpBB Input Validation Holes
High

SecurityTracker Alert, 1010721, July 17, 2004

SquirrelMail version 1.5.1 and earlier;
IMP 3.2.3 (from Horde project);
OpenWebmail 2.32;
IlohaMail 0.8.12;
Sqwebmail 4.0.4;

A vulnerability has been discovered in several web mail applications. Due to unsanitized user input, a specially crafted e-mail being read by the victim can inject arbitrary HTML tags. When correctly exploited, it will permit malicious scripts to run in the context of the victim's browser.

Upgrade to the next point release of the affected software.

Currently, we are not aware of any exploits for this vulnerability.

Content-Type XSS Vulnerability in Multiple Webmail Programs
High
Securiteam, July 7, 2004
Comersus Open Technologies

Comersus Shopping Cart 5.x, 4.x
Cross-Site Scripting and order manipulation vulnerabilities exist in Comersus Shopping Cart, due to improper input sanitization in certain scripts. Orders are also reportedly submitted insecurely via a GET request which can manipulate pricing.

Update to version 5.098 available at http://www.comersus.com/
Comersus Shopping Cart Cross-Site Scripting and Price Manipulation
Medium
Secunia Advisory, SA12026, July 8, 2004
D-Link Systems

D-Link DI-624 wireless router, firmware release 1.28 for Revision B.
Denial of Service and Cross-Site Scripting vulnerabilities exist in D-Link DI-624.

Disable the DHCP service.

A Proof of Concept has been published.
D-Link DI-624 Multiple Vulnerabilities
Medium
Bugtraq, June 27, 2004
Fastream Technologies

Fastream NETFile FTP/Web Server 6.x

An input verification vulnerability exists in Fastream NETFile FTP/Web Server, allowing an attacker to retrieve arbitrary files.

Update to version 6.7.3 available at http://www.fastream.com/netfile.htm

Currently, we are not aware of any exploits for this vulnerability.

Fastream NETFile FTP/Web Server Directory Traversal Vulnerability
Medium
Secunia Advisory, SA12016, July 6, 2004
Free Software Foundation

Ada ImgSvr 0.5
Multiple input validation vulnerabilities exist that could allow a remote user to view files on the target system or execute arbitrary code on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept has been published.
Ada ImgSvr Discloses Files to Remote Users and May Execute Arbitrary Code
Medium
SecurityTracker Alert, 1010677, July 12, 2004
GNU/GPL

PHP-Nuke 7.x

Cross-Site Scripting and other vulnerabilities exist in PHP-Nuke due to improperly sanitized input in the 'instory' field. These can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PHP-Nuke Multiple Vulnerabilities
Medium
Secunia Advisory, SA12083, July 19, 2004

SecurityTracker Alert, 1010722, July 17, 2004
IBM

IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.x;
IBM Lotus Sametime 3.x
A Denial of Service vulnerability exists in IBM Lotus Sametime due to an unspecified error within the IBM Global Security Toolkit (GSKit) during SSL handshakes. This can be exploited via specially crafted SSL records to crash the application or cause a performance degradation.

Updates available at: http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21169383

Currently, we are not aware of any exploits for this vulnerability.
IBM Lotus Sametime GSKit Denial of Service Vulnerability
Medium
IBM Technote, July 12, 2004
IBM

Lotus Notes R6.x;
Lotus Notes R6.x Client

Multiple vulnerabilities exist in the Lotus Notes clients due to unspecified errors when handling Java applets.

Disable support for Java applets ("Enable Java applets" option) via the Notes client menu.

Currently, we are not aware of any exploits for this vulnerability.

IBM Lotus Notes Client Unspecified Java Applet Handling
Medium
Secunia Advisory, SA12046, July 14, 2004

IBM Technote Reference #1173910
Linksys

Linksys Wireless Internet Camera version 2.12
The Linksys Camera has a file disclosure vulnerability in main.cgi leading to exposure of sensitive data and bypassing authentication.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Linksys Wireless Internet Camera File Disclosure
Medium
Securiteam, July 13, 2004
Mbedthis Software

Mbedthis AppWeb 1.x

Multiple vulnerabilities exist in Mbedthis AppWeb that may be exploited to gain knowledge of sensitive information or bypass certain security restrictions.

Upgrade to versions 1.0.4 and 1.1.3 available at: http://www.mbedthis.com/downloads/appWeb/index.html

Currently, we are not aware of any exploits for this vulnerability.

Mbedthis AppWeb Multiple Vulnerabilities
Medium
Secunia Advisory, SA12011, July 7, 2004

Mbedthis New Features Advisory
IBM

WebSphere Edge Components Caching Proxy version 5.02 using the JunctionRewrite directive with the UseCookie option; apparently all platforms

A Denial of Service vulnerability exists if the JunctionRewrite directive is active and an HTTP GET request is executed.

Patches are available from the vendor for clients with support level 2 or 3. The upcoming version of the server (5.0.3) will be immune to the vulnerability. As a workaround, it is possible to disable the directive if not needed, or the UseCookie option of the directive. Both of these conditions will prevent the denial of service.

Currently, we are not aware of any exploits for this vulnerability.

WebSphere Edge Server DoS Through JunctionRewrite Directive
Low
Securiteam, July 7, 2003

CYBEC Security Systems
Moodle

Moodle 1.2.x, 1.3.x
An unspecified vulnerability exists due to an error in the front page and affects Moodle servers with old versions of PHP (prior to 4.3).

Update available at: http://moodle.org/mod/resource/view.php?id=8

Currently, we are not aware of any exploits for this vulnerability.
Moodle Unspecified Front Page Vulnerability
Low
Secunia Advisory, SA12045, July 12, 2004

Moodle.org, July 9, 2004
Mozilla Foundation

Mozilla 1.6;
Mozilla 1.7.x;
Mozilla Firefox 0.x

A Denial of Service vulnerability exists in which arbitrary root certificates are imported silently without presenting users with an import dialog box. Due to another problem, this can e.g. be exploited by malicious websites or HTML-based e-mails to prevent users from accessing valid SSL sites.

Workaround: Check the certificate store and delete untrusted certificates if an error message is displayed with error code -8182 ("certificate presented by [domain] is invalid or corrupt") when attempting to access an SSL-based website.

Currently, we are not aware of any exploits for this vulnerability.

Mozilla / Firefox Certificate Store Corruption Vulnerability
Low
Secunia Advisory, SA12076, July 16, 2004

Bugzilla Bug 24900, July 14, 2004

Sierra Entertainment, Inc.

Half-Life (versions prior to July 7, 2004)
A Denial of Service vulnerability exists in Sierra's Half-Life engine because the software does not properly process split data, causing the target application to attempt to write to read-only memory and crash.

Update via the Steam content management system.

A Proof of Concept exploit has been published.
Half-Life Game Server and Client Can Be Crashed
Low
SecurityTracker Alert, 1010678, July 7, 2004
Zoom

Zoom X3 ADSL Modem

The product exposes an administrative port that is protected only by a default password that cannot be changed. A malicious user can change DSL settings and issue a complete "Factory Reset".

Workaround: Create dummy "Virtual Servers" on port TCP 254 to block any incoming connections.

Currently, we are not aware of any exploits for this vulnerability.

Backdoor Menu on Conexant Chipset DSL Router (Zoom X3)
Low
Securiteam, July 8, 2004

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. Red text indicates scripts or techniques for which vendors, security vulnerability listservs, or computer emergency response teams have not published workarounds or patches, or which represent scripts that malicious users are utilizing.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script (Reverse Chronological Order) | Script Name | Script Description

July 17, 2004

W32.Beagle.AC@mm

Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses PeX as an executable packer.

July 17, 2004

WinCE.Duts.A

First virus that infects the Windows CE (Pocket PC) platform. The virus will only infect ARM-based devices.

July 17, 2004

Cross-Site Scripting Attack

Allows a remote user to send a specially crafted e-mail which, when viewed, will cause arbitrary scripting code to be executed by the target user's browser.

July 16, 2004

W32.Spybot.Worm

Worm that spreads using KaZaA file-sharing and mIRC. Can also be spread to computers that are infected with common Backdoor Trojan horses.

July 15, 2004

W32.Beagle.AB@mm

Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses UPX as an executable packer.

July 13, 2004

Remote Buffer Overflow Vulnerability

Script that exploits a lack of sufficient validation performed on user-supplied data before the data is copied into an allocated buffer.

July 9, 2004

DHCPing-0.90.tar.gz

DHCPing 0.90 is a tool that can be used for various security audits allowing an engineer the ability to create valid and invalid DHCP/BOOTP traffic via hping. It also features several exploits for the latest ISC Infoblox and DLink vulnerabilities.

July 8, 2004

Mysql.authentication.bypass_client.c.diff

A .diff file that, when applied to the MySQL 5.0.0-alpha source distribution, allows building a MySQL client that can be used to connect to a remote MySQL server with no password.

July 8, 2004

getusr.c

Exploit that makes use of the mod-userdir vulnerability in various Apache 1.3 and 2.x servers.

July 7, 2004

Backdoor.Berbew.H

Script that attempts to steal cached passwords and may display fake windows to gather confidential information. A minor variant of Backdoor.Berbew.H.

July 6, 2004

Weplab-0.0.7-beta.tar.gz

Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available to help measure the effectiveness and minimum requirements necessary to succeed.

[back to top]

Trends

Microsoft has released a Security Bulletin Summary for July 2004. This summary addresses vulnerabilities in various Windows applications and components. Exploitation of some of these vulnerabilities can result in the remote execution of arbitrary code by a remote attacker. For more information, see TA04-196A located at: http://www.us-cert.gov/cas/techalerts/TA04-196A.html

Six months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote attackers. US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.

[back to top]

Viruses/Trojans

Top 10 High Threat Viruses

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank | Common Name | Type of Code | Trends | Date
1 | W32/Netsky-P | Win32 Worm | Increase | March 2004
2 | W32/Zafi-B | Win32 Worm | New to Table | June 2004
3 | W32/Netsky-Z | Win32 Worm | Increase | April 2004
4 | W32/Bagle-AA | Win32 Worm | New to Table | April 2004
5 | W32/Netsky-D | Win32 Worm | Decrease | March 2004
6 | W32/Netsky-B | Win32 Worm | Decrease | February 2004
7 | W32/Netsky-Q | Win32 Worm | Decrease | March 2004
8 | W32/Sasser | Win32 Worm | Slight Increase | April 2004
9 | Bagle.AD | Win32 Worm | Decrease | April 2004
10 | Lovgate.AB | Win32 Worm | New to Table | May 2004
10 | TROJ_AGENT.AC | Trojan | New to Table | July 2004

New Viruses / Trojans

Viruses or Trojans Considered to be a High Level of Threat

  • Atak.A - Atak.A is a mass e-mailing worm that hides by going to sleep when it suspects that antivirus software is trying to detect it. This worm has received a lot of media attention and, while it is not considered a serious threat, it can generate a significant amount of spam.
  • Bagle / Beagle - New variants of the Bagle virus appeared over the last two weeks. Infected PCs download a Trojan which can use the infected computer to distribute spam and other malware and to launch distributed denial-of-service attacks.
  • WinCE.Duts.A - While not considered a high threat, this virus is the first virus reported for the Windows CE (Pocket PC) platform. The virus is a simple appending file infector and will only infect ARM-based devices.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors and security related web sites: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name Aliases Type

Atak.A

W32/Atak.A.worm
Win32/Atak.A
W32/Atak@MM
I-Worm.Atak.a
W32.Atak@mm
WORM_ATAK.A

Win32 Worm

Atak-B

I-Worm.Atak.b
W32/Atak.B.worm
W32/Atak.b@MM
W32/Atak-B
WORM_ATAK.B

Win32 Worm

Backdoor.Berbew.H

Berbew.H

Trojan

Backdoor.Doster

 

Trojan

BackDoor-BDJ

 

Trojan

BackDoor-CFB

 

Trojan

Bagle.AE

Bagle.AI
Bagle.AH
I-Worm.Bagle.ai
W32.beagle.AG.mm
W32.Beagle.AG@mm
W32/Bagle-AH
W32/Bagle-AI
W32/Bagle.ai@MM
Win32.Bagle.AE
Win32.Bagle.AI
Win32/Bagle.AH.Worm
Win32/BAgle.AI@mm
Win32/Bagle.Variant.Worm
Win32:Beagle-AH
Worm/Bagle.AI
WORM_BAGLE.AH

Win32 Worm

Bagle-AF

Bagle.AF
I-Worm.Bagle.af
W32/Bagle.AF.worm
W32/Bagle.af@MM
W32.Beagle.AB@mm
Win32.Bagle.AB
Win32/Bagle-AF
WORM_BAGLE.AF

Win32 Worm

Beagle.AA

I-Worm.Bagle.ac
VBS.Bagle.AA
VBS.EXEDropper
VBS/Bagle.X.Dropper
W32.Beagle.AA@mm
Win32.Bagle.AA
Win32/Bagle.AA.Worm
Win32/Bagle.X.DLL.Worm
ZIP.Bagle

Win32 Worm

Downloader.JH

Downloader-DA.dll
PornWare.Dailer.OnlineDailer

Trojan

HTML.Phishbank.AH

 

E-mail Scam

HTML.Phishbank.U   E-mail Scam

Korgo.Z

W32/Korgo.Z.worm

Win32 Worm

Lovgate.ag

W32/Lovgate.ag@MM

Win32 Worm

MyDoom-N

MyDoom.L
Mydoom.M
I-Worm.Mydoom-l
I-Worm.Mydoom.l
I-Worm.Mydoom.L
Mydoom.N
W32.Mydoom.L@MM
W32/Mydoom-A
W32/MyDoom-N
W32/Mydoom.n@MM
Win32.Mydoom.N
Win32/MyDoom.N.Worm
WORM_MYDOOM.L

Win32 Worm

PWSteal.Likmet.A

 

Trojan

Troj/Bancban-C

TrojanSpy.Win32.Banker.bf
PWS-Bancban.gen.b trojan

Trojan

Troj/HacDef-F

 

Trojan

Troj/Keylog-Q

Juntador-C
MultiDropper-BN

Trojan

Troj/Legmir-K

PSW.QQpass.ak
Lemir-Gen
Legmir-AH

Trojan

Troj/Padodo-Fam

Backdoor.AXJ
Berbew
Webber

Trojan

Troj/Pastry-A

BackDoor-APX trojan

Trojan

Trojan.Cargao

 

Trojan

Trojan.Ecure.B

 

Trojan

Trojan.Ecure.C

 

Trojan

VBS.Gaggle.E

I-Worm.Gedza
VBS/Gedza.A
VBS.Gaggle.E@mm

Win32 Worm

W32.Beagle.AC@mm

I-Worm.Bagle.ah
W32/Bagle.ag@MM
Win32.Bagle.AC
Win32/Bagle.ZIP.Worm
ZIP.Bagle

Win32 Worm

W32.Gaobot.AZT   Win32 Worm

W32.Hardoc@mm

Hardoc
W32.Hardoc@mm
W32/Hardoc
Win32.Hardoc.A
Win32/Hardoc.A.Worm
WORM_HARDOC.A

Win32 Worm

W32.Korgo.X

WORM_KORGO.X
Korgo.X

Win32 Worm

W32.Lemoor.A

Lemoor
Worm.Win32.Lemoor.a

Win32 Worm

W32.Lovgate.AB@mm

 

Win32 Worm

W32/Agobot-KM

Backdoor.Agobot.ty
W32/Gaobot.worm.gen.f virus

Win32 Worm

W32/Agobot-KN

Gaobot
Nortonbot
Phatbot
Polybot

Win32 Worm

W32/Agobot-KS

Backdoor.Agobot.gen

Win32 Worm

W32/Agobot-KT

Backdoor.Agobot.gen
W32/Gaobot.worm.gen.h
Win32/Agobot.TE
W32.Gaobot.AFJ
WORM_AGOBOT.JF

Win32 Worm

W32/Agobot-KW

 

Win32 Worm

W32/Agobot-WD

Backdoor.Agobot.gen
W32/Gaobot.worm.gen.f
Win32/Agobot.3.ABQ
W32.HLLW.Gaobot.gen
WORM_AGOBOT.WD

Win32 Worm

W32/Bagle-AG

Bagle.AG
Bagle-AG
W32/Bagle.ag@MM
WORM_BAGLE.AG

Win32 Worm

W32/Korgo-U

Korgo-U
Worm.Win32.Padobot.p
W32/Korgo.worm.gen

Win32 Worm

W32/Lovgate.ah@MM

Lovgate.ah
I-Worm.Lovgate.ad
PE_LOVGATE.AH
Win32.Lovgate.AQ

Win32 Worm

W32/Lovgate.aj@MM

I-Worm.LovGate.ag
W32.Lovgate.AC@mm
W32/Lovgate.ai@MM
W32/Lovgate-AJ
Win32.Lovgate.AR
Win32/LovGate.AI.Worm
Lovgate.ai
Lovgate.aj
WORM_LOVGATE.AJ

Win32 Worm

W32/Lovgate-AG

W32/Lovgate.ae@MM virus
Win32/Lovgate.AJ worm
I-Worm.LovGate.ag

Win32 Worm

W32/Rbot-CZ

W32/Sdbot.worm.gen.h

Win32 Worm

W32/Rbot-DE

Backdoor.Rbot.gen
W32/Sdbot.worm.gen.k

Win32 Worm

W32/Rbot-DJ

 

Win32 Worm

W32/Rbot-DL

Backdoor.Rbot.gen
W32/Sdbot.worm.gen.k
WORM_RBOT.W

Win32 Worm

W32/Rbot-DP

 

Win32 Worm

W32/Rbot-DR

Backdoor.Rbot.gen
W32/Sdbot.worm.gen.g

Win32 Worm

W32/Rbot-DS

 

Win32 Worm

W32/Rbot-DT

 

Win32 Worm

W32/Rbot-DX

Backdoor.Rbot.gen

Win32 Worm

W32/Rbot-DY

W32/Gaobot.worm.gen.l

Win32 Worm

W32/Sdbot-EA

 

Win32 Worm

W32/Sdbot-JY

W32/Specx.worm.b!p2p
Win32/Specx.C
WORM_SDBOT.I

Win32 Worm

W32/Sdbot-KK   Win32 Worm

WCE/Duts-A

Dtus
Duts.1520
WCE/Duts-A
WinCE.Dust
WinCE.Dust.A
WinCE.Duts.a
WinCE/Dust.A
WinCE/Duts.1520
WinCE/Duts.1520.A
WinCE/Duts.1536
WinCE4/Dust
WINCE_DUTS.A

WinCE Worm

Win32.Puce.A

Puce.A
Win32/HLLP.Puce.A
W32/Puce
Win32/Puce.A
Win32.HLLP.Rile.a

Win32 Worm

WORM_AGIST.A

Agist.A
W32.Agist.A@mm

Win32 Worm

WORM_KORGO.Y

Korgo.Y

Win32 Worm

WORM_LOVGATE.AG

 

Win32 Worm

WORM_OLATSKY.A

W32.Olatsky@mm
I-Worm.VB.j
Win32.Olatsky.A
Olatsky.A

Win32 Worm

WORM_WUKILL.E

W32.Wullik@mm
W32.Wukill.worm

Win32 Worm

Xebiz.A

Trj/Xebiz/A
SS.exe
BackDoor-CGT

Win32 Worm

[back to top]

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between July 6 and July 20, 2004.

Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Risk is defined as follows:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source
Adobe

Adobe Acrobat Reader version 6.0.1
A buffer overflow vulnerability exists that allows remote attackers to execute arbitrary code. The problem specifically exists within a routine that is responsible for splitting the filename path into multiple components. Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching the malicious PDF document.

Update to the latest release of Adobe Acrobat and the free Adobe Reader, version 6.0.2 available at: http://www.adobe.com/support/techdocs/34222.htm

Currently, we are not aware of any exploits for this vulnerability.
Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0632
High
iDEFENSE Security Advisory, July 12, 2004

Securiteam, July 11, 2004
Code-Crafters

Ability Mail Server 1.x
Cross-Site Scripting and Denial of Service vulnerabilities exist due to unsanitized input and an error in connection handling. These can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Ability Mail Server Cross-Site Scripting and Denial of Service Vulnerabilities
High
Secunia Advisory, SA12039, July 12, 2004

SecurityTracker Alert, 1010672, July 12, 2004
EA Games

Medal of Honor
Allied Assault 1.11v9 and prior;
Breakthrough 2.40b and prior;
Spearhead 2.15 and prior

A buffer overflow vulnerability exists in the Medal of Honor and related game software. It is reported that a remote user can send a specially crafted packet to the target server to trigger a buffer overflow in the code that checks for slash characters and null bytes. A remote user can execute arbitrary code on the target system.

An unofficial patch is available for Windows-based platforms at: http://aluigi.altervista.org/patches.htm

A Proof of Concept exploit has been published.

EA Games Medal of Honor Has Buffer Overflow in 'connect' Packet
High
SecurityTracker Alert, 1010725, July 17, 2004
Microsoft

Internet Explorer 6
A remote code execution vulnerability exists in popup.show(). A malicious user can take arbitrary mouse-based actions on the target system. This vulnerability can be used in conjunction with a "shell://" vulnerability to execute arbitrary code on the target user's system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
HijackClick 3
High
SecurityTracker Alert, 1010679, July 12, 2004

Bugtraq, July 11, 2004
Microsoft

Hotmail HTML
An input validation vulnerability exists because Hotmail does not filter scripting code from within conditional IF statements contained in HTML comments. A remote user can conduct cross-site scripting attacks against target users via Internet Explorer.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Hotmail HTML Comment Condition Lets Remote Users Conduct Cross-Site Scripting Attacks
High
SecurityTracker Alert, 1010726, July 17, 2004
Microsoft

MS Windows NT® Workstation 4.0 SP; MS Windows NT Server
A buffer overrun vulnerability exists in Internet Information Server 4.0 due to an unchecked buffer in the IIS 4.0 redirect function. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx

Currently, we are not aware of any exploits for this vulnerability.
IIS Redirection Vulnerability

CVE Name:
CAN-2004-0205

High
Microsoft Security Bulletin MS04-021, July 13, 2004
Microsoft

Internet Explorer 6
A cross-domain scripting vulnerability exists in which a remote user can create HTML containing a javascript function that redirects to a different javascript function of the same name as the original function to bypass cross-domain security restrictions. Arbitrary scripting code can be executed in the security context of an arbitrary site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Microsoft Internet Explorer Same Name Javascript Bug
High
SecurityTracker Alert, 1010683, July 13, 2004
Microsoft

MS Internet Explorer 5.01, 5.5, 6
Multiple vulnerabilities exist in Internet Explorer, allowing malicious people to bypass security restrictions and potentially compromise a vulnerable system. It is possible to redirect a function to another function with the same name, which allows a malicious website to access the function without the normal security restrictions. Malicious sites can trick users into performing actions like drag'n'drop or click on a resource without their knowledge. It is possible to inject arbitrary script code into Channel links in Favorites. It is possible to place arbitrary content above any other window and dialog box using the "Window.createPopup()" function.

Workaround: Disabling Active Scripting will mitigate some of these vulnerabilities.

A Proof of Concept exploit has been published.
Microsoft Internet Explorer Multiple Vulnerabilities
High
Secunia Advisory, SA12048, July 13, 2004
Microsoft

MS Windows 2000 SP 2, 3, and 4
A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

A Proof of Concept exploit has been published.
Utility Manager Vulnerability

CVE Name:
CAN-2004-0213
High
Microsoft Security Bulletin MS04-019, July 13, 2004
Microsoft

MS Windows 2000 SP 2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1
A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer during application name validation. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

Currently, we are not aware of any exploits for this vulnerability.
Task Scheduler Vulnerability

CVE Name:
CAN-2004-0212


High
Microsoft Security Bulletin MS04-022, July 13, 2004
Microsoft

MS Windows 2000 Service Pack 2, 3 and 4;
MS Windows XP and XP SP 1;
MS Windows XP 64-Bit Edition SP 1;
MS Windows XP 64-Bit Edition Version 2003;
MS Windows Server™ 2003;
MS Windows Server 2003 64-Bit Edition;
MS Windows 98, MS Windows 98 Second Edition (SE), and MS Windows Millennium Edition (Me)
Remote code execution vulnerabilities exist in the processing of a specially crafted showHelp URL and in HTML Help that could allow remote code execution on an affected system. This is due to incorrect file validation in the HTML Help protocol and incomplete input validation.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx

Currently, we are not aware of any exploits for this vulnerability.
showHelp Vulnerability

CVE Name:
CAN-2003-1041


HTML Help Vulnerability

CVE Name:
CAN-2004-0201
High
Microsoft Security Bulletin MS04-023, July 13, 2004

Microsoft

MS Windows NT® Workstation 4.0 SP 6a;
MS Windows NT Server 4.0 SP 6a;
MS Windows NT Server 4.0 Terminal Server Edition SP 6;
MS Windows NT® Workstation 4.0 SP 6a and NT Server 4.0 SP 6a with Active Desktop;
MS Windows 2000 SP 2, 3, and 4;
MS Windows XP and MS Windows XP Service Pack 1;
MS Windows XP 64-Bit Edition SP 1;
MS Windows XP 64-Bit Edition Version 2003;
MS Windows Server™ 2003;
MS Windows Server 2003 64-Bit Edition;
MS Windows 98, MS Windows 98 Second Edition (SE), and MS Windows Millennium Edition (Me)

A remote code execution vulnerability exists in the way that the Windows Shell launches applications due to the way the shell API handles class identifiers. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

Currently, we are not aware of any exploits for this vulnerability.
Windows Shell Vulnerability

CVE Name:
CAN-2004-0420
High
Microsoft Security Bulletin MS04-024, July 13, 2004
Microsoft

MS Windows NT® Workstation 4.0 SP 6a;
MS Windows NT Server 4.0 SP 6a;
MS Windows NT Server 4.0 Terminal Server Edition SP 6;
Microsoft Windows 2000 Service Pack 2, 3, and 4
A privilege elevation vulnerability exists in the POSIX operating system component (subsystem) due to an unchecked buffer. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

Currently, we are not aware of any exploits for this vulnerability.
POSIX Vulnerability

CVE Name:
CAN-2004-0210
High
Microsoft Security Bulletin MS04-020, July 13, 2004
Microsoft

MS Works Suite 2003;
MS Word 2000;
MS Outlook 2003;
MS Outlook 2000;
MS Office 2003 Student and Teacher Edition;
MS Office 2003 Standard Edition;
MS Office 2003 Small Business Edition;
MS Office 2003 Professional Edition;
MS Office 2000
A vulnerability exists when Word is used to edit mails in Outlook which can be exploited to execute arbitrary code on a user's system if the user is tricked into forwarding a malicious email with an unclosed "<OBJECT>" tag. This may be possible only when mails are forwarded. This may also be possible to exploit through malicious HTML documents if edited in Word.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Outlook / Word Object Tag Vulnerability
High
Secunia Advisory, SA12041, July 12, 2004
Mozilla Organization

Mozilla (Suite) 1.7.0 and prior;
Mozilla Firefox 0.9.1 and prior;
Mozilla Thunderbird 0.7.1 and prior;
A security vulnerability exists in the handling of the shell: protocol, making it possible to combine this effect with a known buffer overrun to create a remote execution exploit or denial-of-service type attacks (including crashing the system in some cases).

Patch available at: http://www.mozilla.org/security/shell.html

A Proof of Concept exploit has been published.
Mozilla shell: Scheme Allows Code Execution
High
Mozilla Organization Advisory

Computer Associates, Vulnerability ID: 28693, July 11, 2004
Sun

Sun Java JRE 1.4.x, 1.3.x, 1.2.x, 1.1.x
with Internet Explorer version 5.5, 6.0
A temporary file creation issue in Sun's Java Virtual Machine combined with known security holes in Internet Explorer may lead to arbitrary script code execution on the victim's machine.

Workaround: Disable Active Scripting in Internet Explorer.

A Proof of Concept exploit has been published.
Sun JVM Insecure Temporary File Creation Allows Remote Code Execution
High
Securiteam, July 11, 2004
Secunia Advisory, SA12043, July 12, 2004
GeeOS Team

Gattaca Server 2003 1.x

Multiple vulnerabilities exist which can be exploited to disclose system information, cause a Denial of Service, or conduct cross-site scripting attacks. These vulnerabilities are due to input validation and sanitization errors, connection handling, and buffer overflows.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Gattaca Server 2003 Multiple Vulnerabilities
Medium
Secunia Advisory, SA12071, July 15, 2004
Microsoft

MSN Messenger 6.x
Microsoft Word 2002
A vulnerability exists in these programs due to the failure to restrict access to the "shell:" URI handler. This allows an attacker to invoke various programs associated with specific extensions. It is not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Products Fail to Restrict "shell:" Access
Medium
Secunia Advisory, SA12042, July 12, 2004
PsTools 2.01, 2.02, and 2.03

psexec 1.52; psgetsid 1.4;
psinfo 1.5,
pskill 1.03,
pslist 1.25,
psloglist 2.5,
pspasswd 1.21,
psservice 2.1,
psshutdown 2.31,
pssuspend 1.04


Multiple vulnerabilities were reported in Sysinternals PsTools. A local user can gain administrative access on certain remote hosts. Several of the PsTools utilities map the IPC$ or ADMIN$ share when executing a command on a remote host but do not properly disconnect from the share when the utility exits. As a result, a local user can access the share and take administrative actions on the target system.

Updates available at: http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

A Proof of Concept exploit has been published.

Sysinternals PsTools Fails to Disconnect
Medium
SecurityTracker Alert, 1010737, July 19, 2004
Apache Software Foundation

Apache 2.0.49 (Win32) with PHP 5.0.0 RC2
A Denial of Service vulnerability exists in the Apache web server when running with PHP due to a flaw when invoking certain functions such as fopen and fsockopen in an endless loop.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Apache Can Be Crashed By PHP Code
Low
SecurityTracker Alert, 1010674, July 9, 2004
INweb Mail Server 2.x
A Denial of Service vulnerability exists in INweb Mail Server due to an error in the connection handling, which can be exploited to crash the application.

No solution available at this time.

Currently, we are not aware of any exploits for this vulnerability.
INweb Mail Server Multiple Connection Denial of Service Vulnerability
Low
Secunia Advisory, SA12056, July 12, 2004
Microsoft Java Virtual Machine

version 5.0.0.3810
A vulnerability in Microsoft Java Virtual Machine allows Java applets originating from different domains to communicate. This could be exploited to cause information leakage.

No workaround or patch available at time of publishing.

Currently, we are not aware of any exploits for this vulnerability.
Microsoft Java Virtual Machine Cross-Site Communication Vulnerability
Low
Secunia Advisory, SA12047, July 12, 2004

Microsoft

MS Outlook Express 5.5 SP 2, 6, 6 SP1, 6 SP1 (64 bit Edition), 6 on Windows Server 2003, 6 on Windows Server 2003 (64 bit edition)

A denial of service vulnerability exists that could allow an attacker to send a specially crafted e-mail message causing Outlook Express to fail.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx

Currently, we are not aware of any exploits for this vulnerability.

Malformed E-mail Header Vulnerability

CVE Name:
CAN-2004-0215

Low
Microsoft Security Bulletin MS04-018
Opera

Opera 5.x, 6.x, 7.x
Due to a race condition in Opera it is possible to spoof the contents of the address bar using a specially crafted HTML page.

Solution: Disable support for Javascript.

A Proof of Concept exploit has been published.
Opera Address Bar Spoofing Condition
Low
Securiteam, July 11, 2004
Symantec

Symantec Norton AntiVirus 2003 Professional Edition;
Symantec Norton AntiVirus 2002
A denial of service vulnerability was reported in Norton Anti-Virus. A remote user can cause the application to consume excessive CPU resources.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Norton AntiVirus Denial Of Service Vulnerability
Low
SecurityTracker Alert, 1010671, July 9, 2004


UNIX Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source
4D, Inc.

4D WebSTAR 5.3.2 and prior versions
Multiple vulnerabilities, including a buffer overflow, exist that could allow an attacker to escalate privileges or obtain access to protected resources. A remote user can issue a specially crafted FTP command to trigger a stack-based overflow and execute arbitrary code.

The vendor has released a fixed version (5.3.3), available at:
http://www.4d.com/products/downloads_4dws.html

Currently, we are not aware of any exploits for this vulnerability.
4D WebSTAR Grants Access to Remote Users and Elevated Privileges to Local Users
High
SecurityTracker Alert, 1010696, July 13, 2004
Caolán McNamara and Dom Lachowicz

wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0
A buffer overflow vulnerability exists if the user opens an exploit document in HTML mode using an application that builds upon the wv library.

Updates available at: http://www.abisource.com/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=wv&command=DIFF_FRAMESET&root=/cvsroot&file=field.c&rev1=1.19&rev2=1.20


A Proof of Concept exploit has been published.
wvWare Library Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0645
High
Securiteam, July 11, 2004

iDEFENSE Security Advisory, July 9, 2004
Epic Games, Inc.

Unreal Tournament
A buffer overflow vulnerability exists in the Unreal game engine through the 'secure' query. An attacker could execute arbitrary code on the game server.

Updates available at: http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml

Currently, we are not aware of any exploits for this vulnerability.

Buffer overflow in Unreal Tournament

CVE Name:
CAN-2004-0608
High
Gentoo Advisory, GLSA 200407-14 / Unreal Tournament, July 19, 2004
Ethereal

Ethereal 0.x
Multiple Denial of Service and buffer overflow vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors which may allow an attacker to run arbitrary code or crash the program.

Updates available at: http://www.ethereal.com/download.html or disable the affected protocol dissectors.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Debian: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00129.html


Currently, we are not aware of any exploits for this vulnerability.
Ethereal: Multiple security problems

CVE Names:
CAN-2004-0633
CAN-2004-0634
CAN-2004-0635
High

Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July 9, 2004

Secunia Advisory, 12034 & 12035, July 12, 2004

Ethereal Advisory, enpa-sa-00015, July 6, 2004

eXtropia

WebStore (version unknown)
An input validation vulnerability exists in eXtropia's WebStore because the web_store.cgi script does not properly validate user-supplied input in the 'page' parameter. A remote user can execute arbitrary shell commands on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

eXtropia WebStore Input Validation Bug Lets Remote Users Execute Arbitrary Commands

High

SecurityTracker Alert, 1010727, July 17, 2004
FreeBSD

SSLTelnet version 0.13-1
A format string vulnerability exists in telnetd.c when input is passed to a logging function without proper handling which could lead to remote code execution.

No workaround or patch available at time of publishing.

There is no exploit code required.
SSLTelnet Remote Format String Vulnerability

CVE Name:
CAN-2004-0640
High
Securiteam, July 11, 2004

iDEFENSE Security Advisory, July 8, 2004
Gentoo Linux 1.x

net-ww/moinmoin-1.2.2
A vulnerability exists in the code handling administrative group Access Control Lists. A user created with the same name as an administrative group gains the privileges of the administrative group.

Update available at: http://www.gentoo.org/security/en/glsa/glsa-200407-09.xml

Currently, we are not aware of any exploits for this vulnerability.
MoinMoin: Group ACL bypass
High
Gentoo Linux Security Advisory, GLSA 200407-09 / MoinMoin

Gentoo, Linux Kernel 2.6.x

Conectiva, Linux 8 and 9

Multiple vulnerabilities exist in the Linux kernel, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.

Gentoo:http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml

Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000846

Currently, we are not aware of any exploits for this vulnerability.
Multiple Vulnerabilities in the Linux Kernel
High
Gentoo Advisory, GLSA 200407-12 / Kernel, July 14, 2004

Conectiva Advisory, CLSA-2004:846 , July 16, 2004
Mozilla Foundation

Bugzilla version 2.16.5 and prior
Bugzilla Development version 2.18rc1 and prior

Multiple vulnerabilities exist that include one instance of arbitrary SQL injection exploitable only by a privileged user, several instances of insufficient data validation and/or escaping, and two instances of unprivileged access to names of restricted products.

Upgrading to 2.16.6 and 2.18rc1 is recommended. Full release downloads, patches to upgrade Bugzilla to 2.16.6 from previous 2.16.x versions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html

Currently, we are not aware of any exploits for this vulnerability.

Multiple Vulnerabilities In Bugzilla
High
The Mozilla Organization, Security Advisory 2.16.5, 2.17.7, July 10, 2004

Securiteam, July 13, 2004
MySQL AB

MySQL version 4.1.0 up to but not including MySQL version 4.1.3;
MySQL version 5.0
An authentication vulnerability allows a remote user to obtain access to the database completely bypassing the normal authentication mechanism and without providing the DB user's password.

Updates available at: http://dev.mysql.com/downloads/

A Proof of Concept exploit has been published.
MySQL Authentication Scheme Bypass
High
Securiteam, July 11, 2004

NGSSoftware Insight Security Research Advisory, July 1, 2004
CGIscript.NET

csFAQ
A path disclosure vulnerability in the csFAQ product allows a remote user to determine the full path to the web root directory and other potentially sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
csFAQ Path Disclosure
Medium
Securiteam, July 11, 2004
Fedora Project

Fedora Core 2
A temporary file creation vulnerability exists in Fedora's im-switch utility which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of a user invoking the program.

Updates available at: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

A Proof of Concept exploit has been published.
Fedora im-switch Insecure Temporary File Creation Vulnerability
Medium
Bugzilla Bug 126940: im-switch symlink vulnerability, June 29, 2004
Fedora Project

Fedora Core 1
Fedora Core 2

Multiple vulnerabilities exist in httpd which can be exploited to cause a Denial of Service and potentially compromise a vulnerable system.

Updates available at:
Core 1: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
Core 2: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Currently, we are not aware of any exploits for this vulnerability.

Fedora update for httpd
Medium
Secunia Advisory, SA12098, July 20, 2004
GNU

Shorewall 1.4.x, 2.0.x

A privilege escalation vulnerability is caused due to the "shorewall" script creating temporary files insecurely, which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user invoking the script (usually root).

Update available at: http://shorewall.net/download.htm

Currently, we are not aware of any exploits for this vulnerability.

Shorewall Insecure Temporary File Creation Vulnerability

CVE Name: CAN-2004-0647
Medium
Shorewall Security Vulnerability, June 28, 2004
Jaws

JAWS 0.3
Multiple Cross-Site Scripting vulnerabilities exist in the index.php page that allow a malicious attacker to bypass authentication, read arbitrary files and perform Cross-Site Scripting attacks.

Update available at: http://jaws.com.mx/

A Proof of Concept exploit has been published.
Multiple Vulnerabilities In JAWS
Medium
Securiteam, July 11, 2004
Red Hat, Inc.

Linux Kernel 2.4.x, ia64
A vulnerability exists in the Linux kernel, which potentially can be exploited to gain knowledge of sensitive information. The vulnerability is caused due to an error within the context switch code.

Updates available at: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734

A Proof of Concept exploit has been published.
Information leak on Linux/ia64

CVE Name:
CAN-2004-0565
Medium
Bugzilla Bug 124734, May 28, 2004
SCO Group

SCO OpenServer 5.x

Multiple vulnerabilities exist in SCO MMDF. According to SCO the vulnerabilities are: buffer overflows, null dereferences and core dumps. One of the buffer overflows is known to affect "execmail".

Updates available at: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/

A Proof of Concept exploit has been published.

SCO OpenServer Multiple Vulnerabilities in MMDF

CVE Names:
CAN-2004-0510
CAN-2004-0511
CAN-2004-0512
Medium
SCO Advisory, SCOSA-2004.7, July 14, 2004

Deprotect Security Advisory 20040206, July 2, 2004
Gentoo Linux 1.x

rsync
A vulnerability exists that could allow malicious people to write files outside the intended directory.

Update to "net-misc/rsync-2.6.0-r2" or later available at http://www.gentoo.org/security/en/glsa/glsa-200407-10.xml

Currently, we are not aware of any exploits for this vulnerability.
Gentoo update for rsync

CVE Name:
CAN-2004-0426
Low
Gentoo Linux Security Advisory GLSA 200407-10 / rsync, July 12, 2004
Linux Kernel 2.6.7

A denial of service vulnerability exists in the equalizer load-balancer for serial network interfaces. A local user can invoke either the eql_g_slave_cfg() function or the eql_s_slave_cfg() function and supply a non-existent slave device name to cause the kernel to crash.

Updates available at:
http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg

Currently, we are not aware of any exploits for this vulnerability.

Linux Kernel 'eql.c' Device Driver Error Lets Local Users Crash the System

CVE Name:
CAN-2004-0596
Low
SecurityTracker Alert, 1010700, July 14, 2004
OpenPKG Project

OpenPKG 1.x
Multiple Denial of Service vulnerabilities exist due to 1) a boundary error within the logging functionality and 2) a buffer overflow on certain platforms where the vsnprintf() function isn't supported.

Update available at: ftp://ftp.openpkg.org/release/1.3/UPD/dhcpd-3.0.1rc11-1.3.1.src.rpm

Currently, we are not aware of any exploits for this vulnerability.
ISC DHCP Buffer Overflow Vulnerabilities

CVE Names:
CAN-2004-0460
CAN-2004-0461
Low
OpenPKG Security Advisory, July 9, 2004


Multiple/Other Operating Systems
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source
Adobe

Adobe Reader 6.x;
Adobe Acrobat 6.x

A buffer overflow vulnerability exists in Adobe Acrobat / Reader due to a parsing and boundary error when splitting filename paths into components. Exploitation could allow remote attackers to execute arbitrary code.

Update to version 6.0.2 available at http://www.adobe.com/support/techdocs/34222.htm

Currently, we are not aware of any exploits for this vulnerability.

Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability
High
iDEFENSE Security Advisory, July 12, 2004
GNU/GPL

PHP-Nuke 4.1
Multiple vulnerabilities exist in the 'Search' module. A remote user can inject SQL commands, conduct cross-site scripting attacks and determine the installation path. These vulnerabilities are due to input validation errors and SQL injection flaws.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
PHP-Nuke Input Validation Error in Search Module 'categ' Variable Permits SQL Injection
High
SecurityTracker Alert, 1010734, July 18, 2004
GNU/GPL

PostNuke 0.75-RC3, 0.726-3

An input validation vulnerability was reported in PostNuke in the Reviews module in the showcontent() function. A remote user can conduct cross-site scripting attacks and determine the installation path.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PostNuke Input Validation Hole in Reviews Module
High
Security Wari Projects, Advisory 10, July 14, 2004
Hewlett-Packard

OpenVMS, DCE Version 3.1-SSB
A buffer overflow vulnerability exists in DCE for HP OpenVMS. A remote user may be able to cause denial of service conditions or execute arbitrary code. A remote user can send a specially crafted packet to a target DCE server to overflow a buffer on the target server.

Patches available through vendor.

Currently, we are not aware of any exploits for this vulnerability.
DCE for HP OpenVMS Potential RPC Buffer Overrun Attack
High
HP Security Bulletin, HPSBOV01056, July 12, 2004
mod SSL Project

mod_ssl 2.x

A vulnerability exists in mod_ssl, which may allow an attacker to compromise a vulnerable system. The vulnerability is reportedly caused due to a "ssl_log()" related format string error within the "mod_proxy" hook functions.

Update to version 2.8.19-1.3.31 available at:
http://www.modssl.org/source/mod_ssl-2.8.19-1.3.31.tar.gz

OpenPKG: ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm

Currently, we are not aware of any exploits for this vulnerability.

"mod_proxy" Hook Functions Format String Vulnerability in mod_ssl
High
modSSL Notice, July 16, 2004

Secunia Advisory, SA12077, July 19, 2004
Moodle

Moodle 1.3.2+ stable; 1.4 dev
An input validation vulnerability exists in 'help.php', affecting the 'file' parameter due to input not being properly filtered to remove HTML code from user-supplied input before displaying the information. This could allow a remote user to conduct cross-site scripting attacks.

A fix is available via CVS at: http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.php

A Proof of Concept exploit has been published.
Moodle Input Validation Bug in 'help.php'
High
SecurityTracker Alert, 1010697, July 14, 2004
Open Source Development Network

PlaySMS - SMS Gateway, versions prior to 0.7

Multiple input verification vulnerabilities exist that could allow an attacker to conduct SQL injection attacks and execute arbitrary system commands.

Update to version 0.7 available at:
http://sourceforge.net/project/showfiles.php?group_id=97032&package_id=103784

Currently, we are not aware of any exploits for this vulnerability.

PlaySMS SMS Gateway SQL and Command Injection Vulnerabilities
High

Secunia Advisory, SA12103, July 19, 2004

Outblaze

Outblaze E-mail
An input validation vulnerability exists in Outblaze E-mail that can allow a remote user to conduct cross-site scripting attacks. The e-mail server does not properly filter javascript from HTML-based e-mails. A remote user can send javascript code with an encoded carriage return character in the javascript tag to bypass the filtering mechanism.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Outblaze E-mail Javascript Filtering Error
High
SecurityTracker Alert, 1010735, July 18, 2004
PHP Group

PHP 4.3.7 and prior versions;
5.0.0RC3 and prior versions
A vulnerability exists in PHP when compiled and running with 'memory_limit' enabled. A remote user may be able to execute arbitrary code on the target system. A vulnerability also exists in the handling of allowed tags within PHP's strip_tags() function. A remote user may be able to bypass the function to inject arbitrary tags when certain web browsers are used.

Update to version 4.3.8 or 5.0.0, available at: http://www.php.net/downloads.php

Mandrake: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:068
Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml
Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000847

RedHat: http://rhn.redhat.com/errata/RHSA-2004-395.html
SuSE: http://www.suse.de/de/security/2004_21_php4.html

Currently, we are not aware of any exploits for this vulnerability.
PHP 'memory_limit' and strip_tags() Remote Vulnerabilities

CVE Names:
CAN-2004-0594
CAN-2004-0595
High
SecurityTracker Alerts, 1010698 and 1010699, July 14, 2004

eMatters, Advisory 12/2004, July 14, 2004

Mandrake Advisory, MDKSA-2004:068, July 14, 2004

Gentoo Linux Security Advisory: GLSA 200407-13 / PHP, July 15, 2004
phpBB Group

phpBB 2.0.8
Input validation and other vulnerabilities exist in 'index.php' and 'language\lang_english\lang_faq.php' which could allow a remote user to determine the installation path or conduct cross-site scripting attacks.

Upgrade to version 2.0.9, available at: http://www.phpbb.com/downloads.php

A Proof of Concept exploit has been published.
phpBB Input Validation Holes
High

SecurityTracker Alert, 1010721, July 17, 2004

SquirrelMail version 1.5.1 and earlier;
IMP 3.2.3 (from Horde project);
OpenWebmail 2.32;
IlohaMail 0.8.12;
Sqwebmail 4.0.4;

A vulnerability has been discovered in several web mail applications. Due to un-sanitized user input, a specially crafted e-mail being read by the victim can inject arbitrary HTML tags. When correctly exploited, it will permit the execution of malicious scripts to run in the context of the victim's browser.

Upgrade to the next point release of the affected software.

Currently, we are not aware of any exploits for this vulnerability.

Content-Type XSS Vulnerability in Multiple Webmail Programs
High
Securiteam, July 7, 2004
Comersus Open Technologies

Comersus Shopping Cart 5.x, 4.x
Cross-Site Scripting and order manipulation vulnerabilities exist in Comersus Shopping Cart, due to improper input sanitization in certain scripts. Orders are also reportedly submitted insecurely via a GET request which can manipulate pricing.

Update to version 5.098 available at http://www.comersus.com/
Comersus Shopping Cart Cross-Site Scripting and Price Manipulation
Medium
Secunia Advisory, SA12026, July 8, 2004
D-Link Systems

D-Link DI-624 wireless router, firmware release 1.28 for Revision B.
Denial of Service and Cross-Site Scripting vulnerabilities exist in D-Link DI-624.

Disable the DHCP service.

A Proof of Concept has been published.
D-Link DI-624 Multiple Vulnerabilities
Medium
Bugtraq, June 27, 2004
Fastream Technologies

Fastream NETFile FTP/Web Server 6.x

An input verification vulnerability exists in Fastream NETFile FTP/Web Server, allowing an attacker to retrieve arbitrary files.

Update to version 6.7.3 available at http://www.fastream.com/netfile.htm

Currently, we are not aware of any exploits for this vulnerability.

Fastream NETFile FTP/Web Server Directory Traversal Vulnerability
Medium
Secunia Advisory, SA12016, July 6, 2004
Free Software Foundation

Ada ImgSvr 0.5
Multiple input validation vulnerabilities exist that could allow a remote user to view files on the target system or execute arbitrary code on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept has been published.
Ada ImgSvr Discloses Files to Remote Users and May Execute Arbitrary Code
Medium
SecurityTracker Alert, 1010677, July 12, 2004
GNU/GPL

PHP-Nuke 7.x

Cross-Site Scripting and other vulnerabilities exist in PHP-Nuke due to improperly sanitized input in the 'instory' field. These can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

PHP-Nuke Multiple Vulnerabilities
Medium
Secunia Advisory, SA12083, July 19, 2004

SecurityTracker Alert, 1010722, July 17, 2004
IBM

IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.x;
IBM Lotus Sametime 3.x
A Denial of Service vulnerability exists in IBM Lotus Sametime due to an unspecified error within the IBM Global Security Toolkit (GSKit) during SSL handshakes. This can be exploited via specially crafted SSL records to crash the application or cause a performance degradation.

Updates available at: http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21169383

Currently, we are not aware of any exploits for this vulnerability.
IBM Lotus Sametime GSKit Denial of Service Vulnerability
Medium
IBM Technote, July 12, 2004
IBM

Lotus Notes R6.x;
Lotus Notes R6.x Client

Multiple vulnerabilities exist in the Lotus Notes clients due to unspecified errors when handling Java applets.

Disable support for Java applets ("Enable Java applets" option) via the Notes client menu.

Currently, we are not aware of any exploits for this vulnerability.

IBM Lotus Notes Client Unspecified Java Applet Handling
Medium
Secunia Advisory, SA12046, July 14, 2004

IBM Technote Reference #1173910
Linksys

Linksys Wireless Internet Camera version 2.12
The Linksys Camera has a file disclosure vulnerability in main.cgi leading to exposure of sensitive data and bypassing authentication.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.
Linksys Wireless Internet Camera File Disclosure
Medium
Securiteam, July 13, 2004
Mbedthis Software

Mbedthis AppWeb 1.x

Multiple vulnerabilities exist in Mbedthis AppWeb that may be exploited to gain knowledge of sensitive information or bypass certain security restrictions.

Upgrade to versions 1.0.4 and 1.1.3 available at: http://www.mbedthis.com/downloads/appWeb/index.html

Currently, we are not aware of any exploits for this vulnerability.

Mbedthis AppWeb Multiple Vulnerabilities
Medium
Secunia Advisory, SA12011, July 7, 2004

Mbedthis New Features Advisory
IBM

WebSphere Edge Components Caching Proxy version 5.02 using JunctionRewrite with UseCookie directive, apparently all platforms

A Denial of Service vulnerability exists if the JunctionRewrite directive is active and a HTTP GET request is executed.

Patches are available from the vendor for clients with support level 2 or 3. The upcoming version of the server (5.0.3) will be immune to the vulnerability. As a workaround, it is possible to disable the directive if not needed, or the UseCookie option of the directive. Both of these conditions will prevent the denial of service.

Currently, we are not aware of any exploits for this vulnerability.

WebSphere Edge Server DoS Through JunctionRewrite Directive
Low
Securiteam, July 7, 2003

CYBEC Security Systems
Moodle

Moodle 1.2.x, 1.3.x
An unspecified vulnerability exists due to an error in the front page; it affects Moodle servers running old versions of PHP (prior to 4.3).

Update available at: http://moodle.org/mod/resource/view.php?id=8

Currently, we are not aware of any exploits for this vulnerability.
Moodle Unspecified Front Page Vulnerability
Low
Secunia Advisory, SA12045, July 12, 2004

Moodle.org, July 9, 2004
Mozilla Foundation

Mozilla 1.6;
Mozilla 1.7.x;
Mozilla Firefox 0.x

A Denial of Service vulnerability exists because arbitrary root certificates are imported silently, without presenting the user with an import dialog box. Combined with another problem, this can be exploited, for example by malicious websites or HTML-based e-mails, to prevent users from accessing valid SSL sites.

Workaround: Check the certificate store and delete untrusted certificates if an error message with error code -8182 ("certificate presented by [domain] is invalid or corrupt") is displayed when attempting to access an SSL-based website.

Currently, we are not aware of any exploits for this vulnerability.

Mozilla / Firefox Certificate Store Corruption Vulnerability
Low
Secunia Advisory, SA12076, July 16, 2004

Bugzilla Bug 24900, July 14, 2004

Sierra Entertainment, Inc.

Half-Life (versions prior to July 7, 2004)
A Denial of Service vulnerability exists in Sierra's Half-Life engine because the software does not properly process split data, causing the target application to attempt to write to read-only memory and crash.

Update via the Steam content management system.

A Proof of Concept exploit has been published.
Half-Life Game Server and Client Can Be Crashed
Low
SecurityTracker Alert, 1010678, July 7, 2004
Zoom

Zoom X3 ADSL Modem

The product leaves open an administrative port that is protected only by a default password that cannot be changed. A malicious user can change DSL settings and issue a complete "Factory Reset".

Workaround: Create dummy "Virtual Servers" on port TCP 254 to block any incoming connections.

Currently, we are not aware of any exploits for this vulnerability.

Backdoor Menu on Conexant Chipset DSL Router (Zoom X3)
Low
Securiteam, July 8, 2004

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. Red text indicates scripts or techniques for which vendors, security vulnerability listservs, or computer emergency response teams have not published workarounds or patches, or which represent scripts that malicious users are utilizing.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script (reverse chronological order)    Script Name    Script Description

July 17, 2004

W32.Beagle.AC@mm

Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses PeX as an executable packer.

July 17, 2004

WinCE.Duts.A

First virus that infects the Windows CE (Pocket PC) platform. The virus will only infect ARM-based devices.

July 17, 2004

Cross-Site Scripting Attack

Allows a remote user to send a specially crafted e-mail that, when viewed, causes arbitrary scripting code to be executed by the target user's browser.

July 16, 2004

W32.Spybot.Worm

Worm that spreads using KaZaA file-sharing and mIRC. Can also be spread to computers that are infected with common Backdoor Trojan horses.

July 15, 2004

W32.Beagle.AB@mm

Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses UPX as an executable packer.

July 13, 2004

Remote Buffer Overflow Vulnerability

Script that exploits insufficient validation of user-supplied data before the data is copied into an allocated buffer.

July 9, 2004

DHCPing-0.90.tar.gz

DHCPing 0.90 is a tool that can be used for various security audits allowing an engineer the ability to create valid and invalid DHCP/BOOTP traffic via hping. It also features several exploits for the latest ISC Infoblox and DLink vulnerabilities.

July 8, 2004

Mysql.authentication.bypass_client.c.diff

A .diff file, applied to the MySQL 5.0.0-alpha source distribution will allow building a MySQL client that can be used to connect to a remote MySQL server with no password.

July 8, 2004

getusr.c

Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.

July 7, 2004

Backdoor.Berbew.H

Trojan that attempts to steal cached passwords and may display fake windows to gather confidential information. A minor variant of the Backdoor.Berbew family.

July 6, 2004

Weplab-0.0.7-beta.tar.gz

Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available to help measure the effectiveness and minimum requirements necessary to succeed.

Trends

Microsoft has released a Security Bulletin Summary for July 2004. This summary addresses vulnerabilities in various Windows applications and components. Exploitation of some of these vulnerabilities can result in the remote execution of arbitrary code by a remote attacker. For more information, see TA04-196A located at: http://www.us-cert.gov/cas/techalerts/TA04-196A.html

Six months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote attackers. US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.
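The last point above, that a scanner cannot see inside a password-protected archive, is something a mail gateway can at least detect before the attachment reaches a user. The following is an added example written for this bulletin, not a US-CERT tool or vendor code: it reads only the ZIP central directory and flags members whose general-purpose flag field has the encryption bit set, which is exactly the condition under which an anti-virus engine cannot inspect the contents. The sample archives, the member name "invoice.exe" and the verdict strings are constructed for the demonstration; because Python's zipfile module cannot write encrypted members, the "encrypted" sample is produced by setting the flag bit directly in the header bytes, which is all a scanner or this check looks at.

```python
import io
import zipfile

# Bit 0 of the ZIP general-purpose flag field marks an encrypted member
# (PKWARE APPNOTE, section 4.4.4).
ZIP_FLAG_ENCRYPTED = 0x0001


def encrypted_members(zip_bytes: bytes) -> list[str]:
    """Return the names of members whose headers say they are encrypted.

    Only the central directory is read; nothing is extracted, so this is
    safe to run on an untrusted attachment before a scanner sees it.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ZIP_FLAG_ENCRYPTED]


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment the way a gateway policy might.

    Returns one of: 'not-zip', 'scannable', 'encrypted-zip', 'corrupt-zip'.
    The verdict names are this example's own convention.
    """
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        hidden = encrypted_members(data)
    except zipfile.BadZipFile:
        return "corrupt-zip"
    return "encrypted-zip" if hidden else "scannable"


def _build_sample_zip(*, encrypted: bool) -> bytes:
    """Construct a small ZIP for the demonstration (constructed test data).

    zipfile cannot write encrypted members, so the encrypted variant is made
    by setting bit 0 of the flag field in both the local file header
    (offset 6) and the central directory entry (offset 8).  The member data
    is not really encrypted; only the headers claim it is.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    raw = bytearray(buf.getvalue())
    if encrypted:
        local = raw.find(b"PK\x03\x04")
        central = raw.find(b"PK\x01\x02")
        raw[local + 6] |= ZIP_FLAG_ENCRYPTED
        raw[central + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(raw)


SAMPLE_PLAIN = _build_sample_zip(encrypted=False)
SAMPLE_ENCRYPTED = _build_sample_zip(encrypted=True)


def extraction_is_blocked(zip_bytes: bytes) -> bool:
    """Show the scanner-side symptom: zipfile refuses to read an encrypted
    member without a password, just as an AV engine cannot look inside it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(zf.namelist()[0])
        except RuntimeError:  # "File ... is encrypted, password required"
            return True
    return False


if __name__ == "__main__":
    for name, blob in (("plain.zip", SAMPLE_PLAIN), ("secret.zip", SAMPLE_ENCRYPTED)):
        print(f"{name}: {attachment_verdict(name, blob)}")
```

A gateway that quarantines or tags "encrypted-zip" attachments does not replace scanning the extracted files, which the bulletin still asks users to do; it only makes sure such archives are not passed through with the false comfort of a clean scan result.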

Viruses/Trojans

Top 10 High Threat Viruses

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank  Common Name     Type of Code  Trends           Date
1     W32/Netsky-P    Win32 Worm    Increase         March 2004
2     W32/Zafi-B      Win32 Worm    New to Table     June 2004
3     W32/Netsky-Z    Win32 Worm    Increase         April 2004
4     W32/Bagle-AA    Win32 Worm    New to Table     April 2004
5     W32/Netsky-D    Win32 Worm    Decrease         March 2004
6     W32/Netsky-B    Win32 Worm    Decrease         February 2004
7     W32/Netsky-Q    Win32 Worm    Decrease         March 2004
8     W32/Sasser      Win32 Worm    Slight Increase  April 2004
9     Bagle.AD        Win32 Worm    Decrease         April 2004
10    Lovgate.AB      Win32 Worm    New to Table     May 2004
10    TROJ_AGENT.AC   Trojan        New to Table     July 2004

 

New Viruses / Trojans

Viruses or Trojans Considered to be a High Level of Threat

  • Atak.A - Atak.A is a mass e-mailing worm that hides by going to sleep when it suspects that anti-virus software is trying to detect it. This worm has received a lot of media attention; while it is not considered a serious threat, it can generate a significant amount of spam.
  • Bagle / Beagle - New variants of the Bagle virus appeared over the last two weeks. Infected PCs download a Trojan that can use the infected computer to distribute spam and other malware and to launch distributed denial-of-service attacks.
  • WinCE.Duts.A - While not considered a high threat, this virus is the first virus reported for the Windows CE (Pocket PC) platform. The virus is a simple appending file infector and will only infect ARM-based devices.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors and security related web sites: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name | Aliases | Type
Atak.A | W32/Atak.A.worm, Win32/Atak.A, W32/Atak@MM, I-Worm.Atak.a, W32.Atak@mm, WORM_ATAK.A | Win32 Worm
Atak-B | I-Worm.Atak.b, W32/Atak.B.worm, W32/Atak.b@MM, W32/Atak-B, WORM_ATAK.B | Win32 Worm
Backdoor.Berbew.H | Berbew.H | Trojan
Backdoor.Doster | - | Trojan
BackDoor-BDJ | - | Trojan
BackDoor-CFB | - | Trojan
Bagle.AE | Bagle.AI, Bagle.AH, I-Worm.Bagle.ai, W32.beagle.AG.mm, W32.Beagle.AG@mm, W32/Bagle-AH, W32/Bagle-AI, W32/Bagle.ai@MM, Win32.Bagle.AE, Win32.Bagle.AI, Win32/Bagle.AH.Worm, Win32/BAgle.AI@mm, Win32/Bagle.Variant.Worm, Win32:Beagle-AH, Worm/Bagle.AI, WORM_BAGLE.AH | Win32 Worm
Bagle-AF | Bagle.AF, I-Worm.Bagle.af, W32/Bagle.AF.worm, W32/Bagle.af@MM, W32.Beagle.AB@mm, Win32.Bagle.AB, Win32/Bagle-AF, WORM_BAGLE.AF | Win32 Worm
Beagle.AA | I-Worm.Bagle.ac, VBS.Bagle.AA, VBS.EXEDropper, VBS/Bagle.X.Dropper, W32.Beagle.AA@mm, Win32.Bagle.AA, Win32/Bagle.AA.Worm, Win32/Bagle.X.DLL.Worm, ZIP.Bagle | Win32 Worm
Downloader.JH | Downloader-DA.dll, PornWare.Dailer.OnlineDailer | Trojan
HTML.Phishbank.AH | - | E-mail Scam
HTML.Phishbank.U | - | E-mail Scam
Korgo.Z | W32/Korgo.Z.worm | Win32 Worm
Lovgate.ag | W32/Lovgate.ag@MM | Win32 Worm
MyDoom-N | MyDoom.L, Mydoom.M, I-Worm.Mydoom-l, I-Worm.Mydoom.l, I-Worm.Mydoom.L, Mydoom.N, W32.Mydoom.L@MM, W32/Mydoom-A, W32/MyDoom-N, W32/Mydoom.n@MM, Win32.Mydoom.N, Win32/MyDoom.N.Worm, WORM_MYDOOM.L | Win32 Worm
PWSteal.Likmet.A | - | Trojan
Troj/Bancban-C | TrojanSpy.Win32.Banker.bf, PWS-Bancban.gen.b trojan | Trojan
Troj/HacDef-F | - | Trojan
Troj/Keylog-Q | Juntador-C, MultiDropper-BN | Trojan
Troj/Legmir-K | PSW.QQpass.ak, Lemir-Gen, Legmir-AH | Trojan
Troj/Padodo-Fam | Backdoor.AXJ, Berbew, Webber | Trojan
Troj/Pastry-A | BackDoor-APX trojan | Trojan
Trojan.Cargao | - | Trojan
Trojan.Ecure.B | - | Trojan
Trojan.Ecure.C | - | Trojan
VBS.Gaggle.E | I-Worm.Gedza, VBS/Gedza.A, VBS.Gaggle.E@mm | Win32 Worm
W32.Beagle.AC@mm | I-Worm.Bagle.ah, W32/Bagle.ag@MM, Win32.Bagle.AC, Win32/Bagle.ZIP.Worm, ZIP.Bagle | Win32 Worm
W32.Gaobot.AZT | - | Win32 Worm
W32.Hardoc@mm | Hardoc, W32.Hardoc@mm, W32/Hardoc, Win32.Hardoc.A, Win32/Hardoc.A.Worm, WORM_HARDOC.A | Win32 Worm
W32.Korgo.X | WORM_KORGO.X, Korgo.X | Win32 Worm
W32.Lemoor.A | Lemoor, Worm.Win32.Lemoor.a | Win32 Worm
W32.Lovgate.AB@mm | - | Win32 Worm
W32/Agobot-KM | Backdoor.Agobot.ty, W32/Gaobot.worm.gen.f virus | Win32 Worm
W32/Agobot-KN | Gaobot, Nortonbot, Phatbot, Polybot | Win32 Worm
W32/Agobot-KS | Backdoor.Agobot.gen | Win32 Worm
W32/Agobot-KT | Backdoor.Agobot.gen, W32/Gaobot.worm.gen.h, Win32/Agobot.TE, W32.Gaobot.AFJ, WORM_AGOBOT.JF | Win32 Worm
W32/Agobot-KW | - | Win32 Worm
W32/Agobot-WD | Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, Win32/Agobot.3.ABQ, W32.HLLW.Gaobot.gen, WORM_AGOBOT.WD | Win32 Worm
W32/Bagle-AG | Bagle.AG, Bagle-AG, W32/Bagle.ag@MM, WORM_BAGLE.AG | Win32 Worm
W32/Korgo-U | Korgo-U, Worm.Win32.Padobot.p, W32/Korgo.worm.gen | Win32 Worm
W32/Lovgate.ah@MM | Lovgate.ah, I-Worm.Lovgate.ad, PE_LOVGATE.AH, Win32.Lovgate.AQ | Win32 Worm
W32/Lovgate.aj@MM | I-Worm.LovGate.ag, W32.Lovgate.AC@mm, W32/Lovgate.ai@MM, W32/Lovgate-AJ, Win32.Lovgate.AR, Win32/LovGate.AI.Worm, Lovgate.ai, Lovgate.aj, WORM_LOVGATE.AJ | Win32 Worm
W32/Lovgate-AG | W32/Lovgate.ae@MM virus, Win32/Lovgate.AJ worm, I-Worm.LovGate.ag | Win32 Worm
W32/Rbot-CZ | W32/Sdbot.worm.gen.h | Win32 Worm
W32/Rbot-DE | Backdoor.Rbot.gen, W32/Sdbot.worm.gen.k | Win32 Worm
W32/Rbot-DJ | - | Win32 Worm
W32/Rbot-DL | Backdoor.Rbot.gen, W32/Sdbot.worm.gen.k, WORM_RBOT.W | Win32 Worm
W32/Rbot-DP | - | Win32 Worm
W32/Rbot-DR | Backdoor.Rbot.gen, W32/Sdbot.worm.gen.g | Win32 Worm
W32/Rbot-DS | - | Win32 Worm
W32/Rbot-DT | - | Win32 Worm
W32/Rbot-DX | Backdoor.Rbot.gen | Win32 Worm
W32/Rbot-DY | W32/Gaobot.worm.gen.l | Win32 Worm
W32/Sdbot-EA | - | Win32 Worm
W32/Sdbot-JY | W32/Specx.worm.b!p2p, Win32/Specx.C, WORM_SDBOT.I | Win32 Worm
W32/Sdbot-KK | - | Win32 Worm
WCE/Duts-A | Dtus, Duts.1520, WCE/Duts-A, WinCE.Dust, WinCE.Dust.A, WinCE.Duts.a, WinCE/Dust.A, WinCE/Duts.1520, WinCE/Duts.1520.A, WinCE/Duts.1536, WinCE4/Dust, WINCE_DUTS.A | WinCE Worm
Win32.Puce.A | Puce.A, Win32/HLLP.Puce.A, W32/Puce, Win32/Puce.A, Win32.HLLP.Rile.a | Win32 Worm
WORM_AGIST.A | Agist.A, W32.Agist.A@mm | Win32 Worm
WORM_KORGO.Y | Korgo.Y | Win32 Worm
WORM_LOVGATE.AG | - | Win32 Worm
WORM_OLATSKY.A | W32.Olatsky@mm, I-Worm.VB.j, Win32.Olatsky.A, Olatsky.A | Win32 Worm
WORM_WUKILL.E | W32.Wullik@mm, W32.Wukill.worm | Win32 Worm
Xebiz.A | Trj/Xebiz/A, SS.exe, BackDoor-CGT | Win32 Worm
