U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-231)

Summary of Security Items from August 4 through August 17, 2004

Original release date: August 17, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 4 and August 17, 2004.

 


Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Windows Operating Systems Only

UNIX / Linux Operating Systems Only

Multiple Operating Systems - Windows / UNIX / Linux / Other

 

Risk is defined as follows:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Adobe Systems

Adobe Acrobat 5.0.5 and prior, possibly 6.0.2

A buffer overflow vulnerability exists in Acrobat/Acrobat Reader due to a boundary error within the "pdf.ocx" ActiveX component supplied with Adobe Acrobat Reader. A remote malicious user can exploit this vulnerability via a malicious website using a specially crafted URL to potentially execute arbitrary code. Successful exploitation allows remote malicious users to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.

No solution is available at this time.

Vendor asserts this vulnerability is fixed in version 6.0.2. However, proof of concept code exists that causes a Denial of Service.

Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0629

High
iDEFENSE Security Advisory 08.13.04

Acme Laboratories

thttpd 2.07 beta 0.4 10dec99

A input validation vulnerability exists in the Windows port of thttpd. A remote user can view files on the target system that are located outside of the web document directory. thttpd does not properly validate user-supplied requests. A remote user can submit a request containing directory traversal characters or a direct path to view files on the system.

No solution is available at this time.

A Proof of Concept exploit has been published.

thttpd Input Validation Error Discloses Files to Remote Users
Medium
SecurityTracker, 1010850, August 4, 2004

Clearswift

MAILsweeper prior to 4.3.15

Several vulnerabilities exist in MAILsweeper in the processing of encoded or compressed files. A remote user may be able to send a MIME attachment that will not be properly scanned by MAILsweeper. MAILsweeper fails to properly detect several common compression formats, including ZIP 6.0, RAR, and HQX. A remote malicious user can create a malicious attachment in certain formats and have the attachment pass through MAILsweeper without detection.

A Denial of Service vulnerability also exists due to an error when processing malformed PowerPoint files which may cause the service to enter an endless loop and exhaust all CPU resources.

Update to version 4.3.15 available at: http://download.mimesweeper.com/www/Patches/MAILsweeper_Patches_495ReadMe.htm

We are not aware of any exploits for this vulnerability.

MAILsweeper Fails to Detect and Analyze Some Attachment Formats

CVE Names:
CAN-2003-0928
CAN-2003-0929
CAN-2003-0930

Medium

Secunia, SA12301, August 13, 2004

SecurityTracker, 1010953, August 13, 2004

MAILsweeper for SMTP 4.3.15 Release Notes, July 28, 2004

Clearswift

MIMEsweeper for Web prior to 5.0.4

An input validation vulnerability exists in MIMEsweeper for Web, which can be exploited by a malicious user to retrieve arbitrary files outside the web root via directory traversal attacks using the "..\", "..\\", "../\", and "../" character sequences.

Update to version 5.0.4 or later available at: http://download.mimesweeper.com/www/Patches/MSW4WEB504_ReadMe.htm

A Proof of Concept exploit has been published.

MIMEsweeper for Web Directory Traversal Vulnerability
Medium

MIMEsweeper for Web Version 5.0.4 Release Notes

IceWarp

IceWarp Web Mail prior to 5.2.8

Multiple vulnerabilities exist in IceWarp Web Mail, which could allow a malicious user to conduct cross-site scripting and SQL injection attacks, access sensitive information, and manipulate the file system.

Update to version 5.2.8 available at: http://www.icewarp.com/Download/

We are not aware of any exploits for this vulnerability.

IceWarp Web Mail Multiple Unspecified Vulnerabilities
High

Secunia, SA12269, August 11, 2004

IceWarp Web Mail Release Notes, 5.2.8, August 10, 2004

Keene Software

Keene Digital Media Server 1.0.2

Multiple vulnerabilities exist in Keene Digital Media Server, which can be exploited by a malicious user to retrieve sensitive information such as passwords and perform administrative tasks. 1) Keene Digital Media Server stores passwords in clear text in the file "dmscore.db" in the installation directory. This may disclose sensitive information to malicious local users. 2) An input validation error within the processing of HTTP requests can be exploited to retrieve arbitrary files via directory traversal attacks. It is possible to bypass the user authentication and perform administrative tasks by accessing the script "/dms/adminusers.kspx" directly.

No solution is available at this time. The vendor has stated that the vulnerabilities will be fixed in version 1.0.4.

A Proof of Concept exploit has been published.

Keene Digital Media (KDM) Server Multiple Vulnerabilities
Medium

SecurityTracker: 1010928, August 11, 2004

Secunia, SA12272, August 12, 2004

Microsoft

MS Windows 2000 SP 2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1

A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer during application name validation. A malicious user who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

Exploit script has been published.

Microsoft Windows Task Scheduler Vulnerability

CVE Name:
CAN-2004-0212
High

Microsoft Security Bulletin MS04-022, July 13, 2004

PacketStorm, August 5, 2004

Microsoft

INTERIX 2.2

This security bulletin was updated to include the INTERIX product. A privilege elevation vulnerability exists in the POSIX operating system component (subsystem) due to an unchecked buffer. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

Currently, we are not aware of any exploits for this vulnerability.

POSIX Vulnerability Could Allow Code Execution

CVE Name:
CAN-2004-0210

High
Microsoft Security Bulletin MS04-020, Updated: August 10, 2004

Microsoft

Microsoft Exchange Server 5.5 SP4

An input validation vulnerability exists in Microsoft Outlook Web Access in which a malicious user could conduct cross-site scripting attacks. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Outlook Web Access software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Update available at: http://www.microsoft.com/downloads/details.aspx?FamilyId=
66E4E033-5A4C-4EEC-84F1-31F0CA878092&displ aylang=en

The update does not require a restart, but the it will restart Microsoft Internet Information Services (IIS), the Exchange Store, and the Exchange System Attendant Services. Customers that have customized certain ASP pages should check the advisory for some important caveats: http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx

Currently, we are not aware of any exploits for this vulnerability.

Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks

CVE Name:
CAN-2004-0203

High

Microsoft Security Bulletin MS04-026, August 10, 2004

 

US-CERT Vulnerability Note VU#948750, August 11, 2004

Microsoft

Microsoft Internet Explorer 5.01, 5.5, 6

A vulnerability exists in Internet Explorer, which potentially can be exploited by a malicious user to conduct phishing attacks against a user.The vulnerability is caused due to Internet Explorer failing to update the address bar after a sequence of actions has been performed on a named window. This can be exploited to display content from a malicious site while displaying the URL of a trusted site in the address bar.

Workaround: Disable Active Scripting. Currently known attack vectors do not work on Windows XP systems with SP2 applied.

A Proof of Concept exploit has been published.

Internet Explorer Address Bar Spoofing Vulnerability
Medium
Secunia, SA12304, August 16, 2004

Next Generation Security

StackDefender 1.10 and 2.0

Multiple input validation vulnerabilities exist in StackDefender in the processing of certain hooked kernel function parameters which could allow a local or remote malicious user to cause the target system to crash. StackDefender fails to validate the 'ObjectAttributes' parameter supplied to the ZwOpenFile() and ZwCreateFile() kernel API functions. Also, the 'BaseAddress' parameter supplied to the ZwAllocateVirtualMemory() and ZwProtectVirtualMemory() kernel API functions is not properly validated and can be exploited in a similar fashion.

Upgrade to StackDefender 2.10 available at: http://ngsec.com/ngproducts/stackdefender/download.php

We are not aware of any exploits for this vulnerability.

NGSEC StackDefender 1.10 Invalid Pointer Dereference Vulnerability

CVE Names:
CAN-2004-0767
CAN-2004-0766

Low
iDEFENSE Security Advisory, August 3, 2004

Rhinosoft

Serv-U FTP Server 4.x through 5.1.0.0 inclusive

A default login vulnerability exists in Serv-U that could allow a local unprivileged user to execute commands with SYSTEM privileges using a problem with Serv-U administration. The Serv-U FTP server in all its platforms has a local administration account that can be used to configure the server. This account has a default login and password credentials and is only available through the loopback interface. An unprivileged user can connect to the server with the default login information and use the "SITE EXEC" command to execute arbitrary commands. The commands are run with SYSTEM privileges hence turning Serv-U to a conduit through which administrative commands can be run.

No solution is available at this time.

A Proof of Concept exploit has been published.

Serv-U Local Privilege Escalation Vulnerability
Medium
Securities, August 15, 2004

SapporoWorks

BlackJumboDog FTP Server 3.6.1

A buffer overflow vulnerability exists in which a remote malicious user can execute arbitrary code on the target system. A remote user can send a specially crafted FTP command with a long parameter string to trigger the flaw. The USER, PASS, RETR, CWD, XMKD, XRMD, and other commands are affected. The software reportedly copies the user-supplied parameter string to a 256 byte buffer.

Update to version 3.6.2, available at:http://homepage2.nifty.com/spw/software/bjd/

A Proof of Concept exploit has been published.

BlackJumboDog Has Buffer Overflow in the FTP Service
High

US-CERT VU#714584, August 3, 2004

SecuriTeam, August 4, 2004

Sun Microsystems

Java Runtime Environment (JRE)

A Denial of Service vulnerability exists in Sun's Java Runtime Environment. A remote malicious user can create a Java applet that alerts using a native win32 assertion that will, when loaded by the target user, cause the target user's system to crash.

No solution is available at this time.

A Proof of Concept exploit has been published.

Sun JRE Win32 Native Assertion Error Lets malicious Applets Deny Service
Low
SecurityTracker, 1010846, August 3, 2004

Sygate

Sygate Secure Enterprise prior to 3.5MR3 and Sygate Enforcer 4.0 and later

Multiple vulnerabilities exist in Sygate Secure Enterprise (SSE) in the processing of client logging messages which could allow a remote malicious user to cause a Denial of Service or bypass security restrictions. A remote user can cause the service to consume all available resources on the target system by continually replaying HTTP messages and discovery datagrams (UDP). The system does not provide replay protection for messages sent from Sygate Security Agent clients. An optional component, Sygate Enforcer, does not correctly filter broadcast traffic sent prior to authentication, allowing malicious users to bypass the authentication.

Update to SSE version 3.5MR3 and a Sygate Enforcer version later than 4.0 available at: http://www.sygate.com/products/sygate-secure-enterprise.htm

We are not aware of any exploits for this vulnerability.

Sygate Secure Enterprise Multiple Vulnerabilities

CVE Name:
CAN-2004-0163

Low

SecurityTracker, 1010919, August 10, 2004

Corsaire Security Advisories c031120-001 - 3, August 8-10, 2004

Symantec

Symantec Clientless VPN Gateway 4400 Series

Multiple vulnerabilities exist in Symantec Clientless VPN Gateway 4400 Series, where some have an unknown impact and others can be exploited to conduct cross-site scripting attacks or manipulate users' signon information. Various unspecified vulnerabilities affect the ActiveX and HTML file browsers; input validation errors within the end user UI can be exploited to conduct cross-site scripting attacks; an error within the end user UI can be exploited by a malicious user to manipulate other users' signon information (including username and password).

A hotfix is available at: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/
sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz

We are not aware of any exploits for this vulnerability.

Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities
High
Symantec, Hotfix: SCVG5-20040806-00, August 2004

Venta Association

VentaFax 5.4

 

A vulnerability exists in VentaFax that could allow a local malicious user to obtain elevated privileges. A local malicious user can access the application via the system tray and can execute commands with Local System privileges.

No solution is available at this time.

A Proof of Concept exploit has been published.

VentaFax Command Execution Lets Local Users Gain Elevated Privileges
Medium
SecurityTracker, 1010902, August 9, 2004

WIDCOMM

WIDCOMM Bluetooth Connectivity Software versions prior to 3.0 on the BTW and BT-CE/PPC platforms

BTStackServer 1.3.2.7 and 1.4.2.10 on both Windows XP and Windows 98

HP IPAQ 5450 running WinCE 3.0 with Bluetooth software version 1.4.1.03.

Multiple buffer overflow vulnerabilities exist in WIDCOMM Bluetooth Connectivity Software which a malicious user can use to execute arbitrary code. The vulnerabilities are caused due to boundary errors when handling various malformed service requests. These can be exploited by sending specially crafted service requests through a wireless Bluetooth connection to a vulnerable system.

No solution is available at this time. The vendor reports that issues will be fixed in version 3.

A Proof of Concept exploit has been written.

WIDCOMM Bluetooth Connectivity Software Buffer Overflow Vulnerabilities

CVE Name:
CAN-2004-0775

High

Secunia, SA12275, August 12, 2004

Pentest Limited Security Advisory, ptl-2004-03, August 11, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common
Name
Risk
Source

Adobe Systems

Adobe Acrobat Reader 5.05 and 5.06

An input validation and boundary error vulnerability exists in in the uudecoding feature of Adobe Acrobat Reader, which can be exploited by a malicious user to compromise a user's system. An input validation error injection of arbitrary shell commands. The boundary vulnerability can be exploited to cause a buffer overflow via a malicious PDF document with an overly long filename. Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into opening a malicious document.

Update to version 5.09 for UNIX available at: http://www.adobe.com/products/acrobat/readstep2.html

We are not aware of any exploits for this vulnerability.

Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability

CVE Names:
CAN-2004-0630
CAN-2004-0631

High

Secunia, SA12285, August 13, 2004

iDEFENSE Advisories 08.12.04

Apache Software Foundation

Apache 2.0.49 (Win32) with PHP 5.0.0 RC2

A Denial of Service vulnerability exists in the Apache web server when running with PHP due to a flaw when invoking certain functions such as fopen and fsockopen in an endless loop.

Hewlett-Packard: Install updated version of Apache from Software Depot. http://software.hp.com

Conectiva: http://distro.conectiva.com.br/atualizacoes/
index.php?id=a&anuncio=000857

A Proof of Concept exploit has been published.

Apache Can Be Crashed By PHP Code
Low

SecurityTracker, 1010674, July 9, 2004

US-CERT Cyber Security Bulletin SB04-203

HP SSRT4777 rev. 0 HP-UX Apache, PHP, August 2, 2004

Secunia, SA12243, August 9, 2004

Benchmark Design

WHM Autopilot 2.4.5 and prior

A login vulnerability exists due to a bug in client login code and the built-in login backdoor. It is possible to generate the hash required to get a user's username and plain-text password.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Benchmark Designs' WHM Autopilot Backdoor Allows Plaintext Credential
Leakage
Medium
SecuriTeam, August 3, 2004

cvstrac.org

CVSTrac 1.1.3

An input validation vulnerability exists in CVSTrac due to insufficient sanitization of input passed to 'filediff,' which could allow a malicious user to execute arbitrary code.

Fix available in the CVS repository at: http://www.cvstrac.org/cvstrac/wiki?p=DownloadCvstrac

A Proof of Concept exploit has been published.

CVSTrac "filediff" Arbitrary Command Execution Vulnerability
High
Bugtraq, August 5, 2004
Ethereal

Ethereal 0.x

Multiple Denial of Service and buffer overflow vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors which may allow a malicious user to run arbitrary code or crash the program.

Updates available at: http://www.ethereal.com/download.html or disable the affected protocol dissectors.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Debian: http://lists.debian.org/debian-security-announce/debian-
security-announce-2004/msg00129.html

Exploit script has been published.

Ethereal: Multiple security problems

CVE Names:
CAN-2004-0633
CAN-2004-0634
CAN-2004-0635

High

Etheral Advisory, enpa-sa-00015, July 6, 2004

Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July 9, 2004

Secunia Advisory, 12034 & 12035, July 12, 2004

SecurityFocus, August 5, 2004

Gaim

  Gentoo

Multiple vulnerabilities were reported in Gaim in the processing of the MSN protocol. A remote user may be able to execute arbitrary code on the target system. Several remotely exploitable buffer overflows were reported in the MSN protocol parsing functions.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml

SuSE: http://www.suse.de/de/security/2004_25_gaim.html

We are not aware of any exploits for this vulnerability.

Gaim Buffer Overflows in Processing MSN Protocol


CVE Name:
CAN-2004-0500

High
SecurityTracker, 1010872, August 5, 2004

Geeklog.net

Geeklog 1.39

A configuration vulnerability exists in Geeklog. The installation software leaves the 'install' file in the 'admin' directory, which is accessible to remote users. A remote malicious user can invoke the installation script with specially crafted URLs.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Geeklog Default Installation Lets Remote Users Access the Installation Script
Low
SecurityTracker 1010948, August 13, 2004

Gentoo Linux 1.x

versions prior to "www-servers/tomcat-5.0.27-r3"

A privilege escalation vulnerability exists in the tomcat package for Gentoo, which can be exploited by a local malicious user to escalate their privileges. tomcat initialization scripts are owned by the "tomcat" user and group, but are run with "root" privileges during system startup. This can be exploited by users in the "tomcat" group to execute commands as root.

Update to "www-servers/tomcat-5.0.27-r3" or later. http://security.gentoo.org/glsa/glsa-200408-15.xml

We are not aware of any exploits for this vulnerability.

Gentoo Tomcat Privilege Escalation Vulnerability
Medium
Gentoo Security Advisory, GLSA 200408-15 / tomcat, August 15, 2004

gv Postscript and PDF viewer 3.5.8 and prior

Gentoo

A buffer overflow vulnerability exists in gv that could allow a local malicious user to execute arbitrary code. To exploit this vulnerability, a malicious user would have to trick a user into viewing a malformed PDF or PostScript file from the command.

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-10.xml

A Proof of Concept exploit script has been published.

gv Local Buffer Overflow
High
SecuriTeam, August 4, 2004

Hewlett-Packard

HP-UX Process Resource Manager C.02.01[.01] and prior

HP-UX Workload Manager

A vulnerability was reported in the HP-UX Process Resource Manager that could allow non-root local malicious users to corrupt data files on a system that has the Process Resource Manager installed. Workload Manager (version A.02.01 and prior) includes the Process Resource Manager and, therefore, is also affected.

For Proc-Resrc-Mgr.PRM-RUN (PRM-Sw-Lib.PRM-LIB), install revision C.02.02 or subsequent. For WLM-Monitor (Workload-Mgr), install revision A.02.02 or subsequent. Update information and patch matrix is available at: http://h20000.www2.hp.com/bizsupport/TechSupport/
Document.jsp?objectID=PSD_HPSBUX01065

We are not aware of any exploits for this vulnerability.

HP-UX Process Resource Manager Bug Lets Local Users Corrupt Files
Medium

HP SSRT4785 rev. 0 HP-UX Process Resource Manager (PRM) potential data corruption, August 5, 2004

SecurityTracker: 1010914, August 10, 2004

Hewlett-Packard

HP-UX release B.11.04 with VirtualVault A.04.50 - A.04.70 or Webproxy A.02.00 - A.02.10

Multiple vulnerabilities exist in Apache affecting HP VirtualVault and HP Webproxy, which can be exploited by a malicious user to cause a DoS (Denial of Service), bypass security restrictions, or compromise a vulnerable system.

Install patches available at: http://itrc.hp.com

We are not aware of any exploits for this vulnerability.

HP VirtualVault / Webproxy Multiple Vulnerabilities in Apache
High

Secunia, SA12246, August 10, 2004

SSRT4788 rev. 0 HP-UX Apache, August 8, 2004

SSRT4789 rev. 0 HP-UX Apache, August 8, 2004

KDE 3.2.3 and prior

Two vulnerabilities exist in KDE which a local malicious user can exploit to gain escalated privileges and unauthorized access to files on the system.1) Certain directories and files are created insecurely when a user runs a KDE application outside the KDE environment or as another user. This can be exploited via symlink attacks to overwrite or truncate arbitrary files or prevent KDE applications from accessing certain directories. 2) The DCOPServer creates temporary files, which are used for authentication related purposes, insecurely. This can be exploited to potentially gain the privileges of any user running a KDE application.

Apply patches available at: ftp://ftp.kde.org/pub/kde/security_patches/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-13.xml

We are not aware of any exploits for this vulnerability.

KDE Insecure Temporary File Creation Vulnerability

CVE Name:
CAN-2004-0690

Medium

KDE Security Advisories 20040811-1 and 20040811-2, August 11, 2004

KDE 3.2.3 and prior

A frame injection vulnerability exists in the Konqueror web browser that allows websites to load web pages into a frame of any other frame-based web page that the user may have open. A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.

Source code patches have been made available which fix these vulnerabilities. Refer to advisory: http://www.kde.org/info/security/advisory-20040811-3.txt

A Proof of Concept exploit has been published.

Konqueror Frame Injection Vulnerability

CVE Name:
CAN-2004-0721

Low
KDE Security Advisory 20040811-3, August 11, 2004
Linux 2.4.27

A permissions vulnerability exists in the sys_chown() module of the Linux kernel. A remote authenticated user can modify the group permissions of files on the target system. A remote malicious user can modify the group ID of arbitrary files on the system due to a missing check for fsuid in the sys_chown() function. An NFS client may be able to make unauthorized changes to the group ownership of files on a remote system.

Upgrade to Linux 2.4.27 RC5.

We are not aware of any exploits for this vulnerability.

Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files

CVE Name:
CAN-2004-0497

Medium
SecurityTracker, 1010859, August 4, 2004

Linux
  Fedora
  RedHat
  SuSE

Linux kernel 2.4 through 2.4.26, 2.6 through 2.6.7

A vulnerability exists in the Linux kernel in the processing of 64-bit file offset pointers thus allowing a local malicious user to view kernel memory. The kernel's file handling API does not properly convert 64-bit file offsets to 32-bit file offsets. In addition, the kernel provides insecure access to the file offset member variable. As a result, a local user can gain read access to large portions of kernel memory.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/

SuSE:
http://www.suse.de/de/security/2004_24_kernel.html

A Proof of Concept exploit has been published.

Linux Kernel 64-bit to 32-bit File Offset Conversion Errors Disclose Kernel Memory to Local Users

CVE Name:
CAN-2004-0415

High

ISEC Security Research, August 4, 2004

 

Paul L Daniels

ripMIME 1.3.2.2 and prior

An input validation vulnerability exists in ripMIME, which may allow a virus to avoid detection and compromise the system. Certain virus attachments may not be properly decoded. Some viruses use encoded attachments that may contain blank lines or other invalid characters to cause the Base64 decoding process to terminate prematurely. As a result, an anti-virus system using this decoding method may fail to detect a virus.

Update to version 1.3.2.3, available at: http://www.pldaniels.com/ripmime/downloads.php

We are not aware of any exploits for this vulnerability.

ripMIME Base64 Decoding May Terminate Prematurely When Decoding Virus Attachments
Medium
SecurityTracker, 1010858, August 4, 2004

Peter F. Brown

Simple Form prior to 2.2

An input validation vulnerability exists in Simple Form, which can be exploited by a malicious user to use it as an open mail relay. Input passed to the parameters "admin_email_to" and "admin_email_from" isn't properly verified before being used in mails.

Update to version 2.2 available at: http://worldcommunity.com/opensource/utilities/simple_form.html

We are not aware of any exploits for this vulnerability.

Simple Form Open Mail Relay Vulnerability
Low
Secunia, SA12297, August 16, 2004

phpMyWebhosting version 0.3.4

Multiple input validation vulnerabilities exist in phpMyWebhosting that allow malicious users to gain elevated privileges as well as enter to the product's management system without knowing the administrative password. phpMyWebhosting does not verifying incoming user input for arbitrary SQL statements. If magic_quotes_gpc is disabled in PHP settings, a remote malicious user can cause SQL injection vulnerability in phpMyWebhosting.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

phpMyWebhosting SQL Injection Vulnerabilities
High
SecuriTeam, August 16, 2004

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

We are not aware of any exploits for this vulnerability.

GNOME VFS updates address extfs vulnerability

CVE Name:
CAN-2004-0494

High
Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004
Shorewall 1.4.x, 2.0.x

A privilege escalation vulnerability is caused due to the "shorewall" script creating temporary files insecurely, which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user invoking the script (usually root).

Update available at: http://shorewall.net/download.htm

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:080

Currently, we are not aware of any exploits for this vulnerability.

Shorewall Insecure Temporary File Creation Vulnerability

CVE Name:
CAN-2004-0647

Medium
Shorewall Security Vulnerability, June 28, 2004

rsync 2.6.2 and prior
  Debian
  SuSE
  Trustix

A vulnerability exists in rsync when running in daemon mode with chroot disabled. A remote user may be able read or write files on the target system that are located outside of the module's path. A remote user can supply a specially crafted path to cause the path cleaning function to generate an absolute filename instead of a relative one. The flaw resides in the sanitize_path() function.

Updates and patches are available at: http://rsync.samba.org/

SuSE: http://www.suse.de/de/security/2004_26_rsync.html

Debian: http://www.debian.org/security/2004/dsa-538

Trustix: http://www.trustix.net/errata/2004/0042/

We are not aware of any exploits for this vulnerability.

Rsync Input Validation Error in sanitize_path() May Let Remote Users Read or Write Arbitrary Files
High

SecurityTracker 1010940, August 12, 2004

rsync August 2004 Security Advisory

Silicon Graphics

SGI IRIX 6.5.x, CDE 5.3.4

A buffer overflow vulnerability exist in the libDtHelp module and a double-free vulnerability exists in the dtlogin module which a malicious user can use to gain root access.

Upgrade to CDE 5.3.4 available at: ftp://patches.sgi.com/support/free/security/patches/6.5.25/

We are not aware of any exploits for this vulnerability.

SGI IRIX CDE Multiple Vulnerabilities

CVE Names:
CAN-2003-0834
CAN-2004-0368

Medium
SGI Security Advisory, 20040801-01-P, August 3, 2004
Sourceforge.net
Gentoo Linux
Pavuk 0.x

Multiple vulnerabilities exist which could allow a malicious user to run arbitrary code. The vulnerabilities are caused due to boundary errors within the handling of digest authentication.

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml

Exploit script has been published.

Pavuk Digest Authentication Buffer Overflow Vulnerabilities
High

Gentoo Security Advisory, GLSA 200407-19 / Pavuk
Release Date July 26, 2004

SecurityFocus, August 7, 2004

sox.sourceforge.net
  Fedora
  Mandrakesoft
  Gentoo
  Conectiva
  RedHat

SoX 12.17.4, 12.17.3,
and 12.17.2

Multiple vulnerabilities exist that could allow a remote malicious user to execute arbitrary code This is due to boundary errors within the "st_wavstartread()" function when processing ".WAV" file headers and can be exploited to cause stack-based buffer overflows. Successful exploitation requires that a user is tricked into playing a malicious ".WAV" file with a large value in a length field.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076

Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml

Conectiva: ftp://atualizacoes.conectiva.com.br

RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html

Exploit script has been published.

SoX ".WAV" File Processing Buffer Overflow Vulnerabilities

CVE Name:
CAN-2004-0557

High

Secunia, SA12175, 12176, 12180, July 29, 2004

SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004

Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004

PacketStorm, August 5, 2004

SpamAssassin prior to 2.64

A Denial of Service vulnerability exists in SpamAssassin. A a remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service.

Update to version (2.64), available at: http://old.spamassassin.org/released/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-06.xml

We are not aware of any exploits for this vulnerability.

SpamAssassin Lets Remote Users Deny of Service By Sending Malformed Messages
Low
SecurityTracker: 1010903, August 10, 2004

Team OpenFTPD

OpenFTPD 0.30.2 prior to July 16, 2004, and prior versions

A vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote authenticated user can send a specially crafted message to another FTP user to trigger a format string flaw and execute arbitrary code on the FTP server due to a flaw in 'misc/msg.c'.

Update available at: http://www.openftpd.org:9673/openftpd/download_page.html

Exploit script has been published.
OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
High

VSA0402 - openftpd - void.at security notice, July 31, 2004

PacketStorm, August 5, 2004

xine-Project

xine 0.99.2

A buffer overflow vulnerability exists in xine in the processing of 'vcd://' protocol identifiers. A remote malicious user can execute arbitrary code on the target system. A remote malicious user can trigger a stack overflow in xine-lib by embedding a specially crafted source identifier within a playlist file, for example. When the target user plays the file, arbitrary code can be executed with the privileges of the target user.

A patch is available via CVS at: http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923

A Proof of Concept exploit has been published.

xine Buffer Overflow in Processing 'vcd' Identifiers Lets Remote Users Execute Arbitrary Code
High

SecurityTracker: 1010895, August 8, 2004

Open security advisory #6, August, 8, 2004

[back to top]

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

America Online

AOL Instant Messenger (AIM) 5.5

A buffer overflow vulnerability exists in America Online's Instant Messenger (AIM) which can allow remote malicious users to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler.

Upgrade to AIM beta version available at: www.aim.com

Proof of Concept exploit script has been published.

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
High

iDEFENSE Security Advisory 08.09.04

Secunia, SA12198, August 9, 2004

 

US-CERT Vulnerability Note VU#735966, August 10, 2004

Apache Software Foundation
Apple
Mandrake
Trustix

Apache 2.0.47 2.0.49

A remote Denial of Service vulnerability exists in the ‘ap_get_mime_headers_core()’ function due to a failure to handle excessively long HTTP header strings.

Patches available at: http://www.apache.org/dist/httpd/patches/apply_to_2.0.49/CAN-2004-0493.patch

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Exploit scripts have been published.

Apache ap_escape_html Remote
Denial of Service

CVE Name:
CAN-2004-0493

Low

Mandrakelinux Security Update Advisory, MDKSA-2004:064, June 29, 2004

Trustix Security Advisory, TSL-2004-0038, June 29, 2004

SecurityFocus, August 6, 2004

Apple

Apple Macintosh OS X

Safari 1.x

 

 

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities. Multiple vulnerabilities in libpng that can exploited to cause a Denial of Service or compromise a user's system; a vulnerability in the Safari browser can be used to steal sensitive information from forms; a vulnerability in the processing of network traffic that can be used to cause a DoS. The attack known as the "Rose Attack" will cause the system to use too much system resources resulting in DoS.

Apply Security Update 2004-08-09.

Mac OS X 10.3.5: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/
product=04216&platform=osx&method=sa/SecUpd2004-08-09Pan.dmg

Mac OS X 10.2.8: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/
product=04285&platform=osx&method=sa/SecUpd2004-08-09Jag.dmg

We are not aware of any exploits for this vulnerability.

See also Multiple Vulnerabilities in libpng.

Mac OS X Security Update Fixes Multiple Vulnerabilities
High
Secunia, SA12249, August 10, 2004
CuteNews 1.3.1

An input validation vulnerability exists in CuteNews, which can be exploited by a remote malicious user to conduct cross-site scripting attacks. Input passed to the "archive" parameter in "show_archives.php" is not sanitized properly before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website by tricking the user into visiting a malicious website or follow a specially crafted link.

No solution is available at this time.

A Proof of Concept exploit has been published.

CuteNews "archive" Parameter Cross-Site Scripting Vulnerability
High
Secunia, SA12260, August 16, 2004

Concurrent Versions Systems (CVS) 1.11

A vulnerability exists in Concurrent Versions System (CVS) in which a malicious user can exploit to determine the existence and permissions of arbitrary files and directories. The problem is caused due to an undocumented switch to the "history" command implemented in "src/history.c". Using the "-X" switch and supplying an arbitrary filename, CVS will try to access the specified file and returns various information depending on whether the file exists and can be accessed.

Upgrade to version 1.11.17 or 1.12.9 available at: https://www.cvshome.org/

A Proof of Concept exploit has been published.

CVS Undocumented Flag Information Disclosure Vulnerability

CVE Name:
CAN-2004-0778

Low

iDEFENSE Security Advisory 08.16.04

Endonesia.Com

eNdonesia 8.3

Input verification vulnerabilities exist that could allow a remote malicious user to conduct cross-site scripting attacks or determine the installation path. The software does not properly filter HTML code from user-supplied input in the "query" parameter. A remote user can submit a request with certain invalid parameters to cause the system to display the installation path.

No solution is available at this time.

A Proof of Concept exploit has been published.

eNdonesia 'mod.php' Input Validation Vulnerability in Search 'query' Parameter Permits Cross-Site Scripting Attacks
High
SecurityTracker: 1010865, August 4, 2004
GoScript 2.0 An input validation vulnerability exists in GoScript that could allow a remote user to execute arbitrary commands on the target system. The 'go.cgi' script does not validate user-supplied input. A remote user can supply a specially crafted URL to execute operating system commands on the target system with the privileges of the target web service.

No solution is available at this time.

A Proof of Concept exploit has been published.

GoScript Input Validation Hole Lets Remote Users Execute Arbitrary Commands
High
SecurityTracker 1010865, August 4, 2004

IBM

IBM Tivoli Access Manager for e-business 3.x, 4.x, 5.x

An input validation vulnerability exists in IBM Tivoli Access Manager for e-business, which could allow a remote malicious user to conduct cross-site scripting attacks and gain control over an affected system.

Patch as appropriate at: http://www.ibm.com/support/us/

We are not aware of any exploits for this vulnerability.

IBM Tivoli Access Manager HTTP Response Splitting Vulnerability
High
Secunia, SA12093, August 9, 2004

Juniper

Juniper Networks NetScreen firewalls with SSHv1 enabled - ScreenOS prior to 5.0.0r8

A vulnerability exists in ScreenOS in the processing of SSHv1 management connections that could allow a remote malicious user cause the device to crash. If SSH version 1 is enabled on the target device, a remote user can connect to the management port and cause the device to hang or to crash and reboot. Authentication is not required.

Updates available at: http://www.juniper.net/support/

We are not aware of any exploits for this vulnerability.

NetScreen Firewalls ScreenOS Can Be Crashed By Remote Users Due to an SSHv1 Implementation Bug
Low

Juniper Networks NetScreen Advisory 59147, August 3, 2004

SecurityTracker 1010848, August 3, 2004

US-CERT Vulnerability Note VU#749870, August 13, 2004

Mark Burgess

Cfengine 2.0.0 to 2.1.7p1.

Input validation and buffer overflow vulnerabilities exist in Cfengine which could allow a remote malicious user to execute arbitrary code or cause a DoS (Denial of Service). The vulnerabilities are caused due to insufficient input validation and a boundary error in the cfservd daemon when processing authentication requests. The problems lies in the AuthenticationDialogue()" function, which is responsible for performing RSA authentication and key agreement.

Update to version 2.1.8 available at: http://www.cfengine.org/mirrors.html

Gentoo: http://security.gentoo.org/glsa/glsa-200408-08.xml

We are not aware of any exploits for this vulnerability.

Cfengine RSA Authentication Heap Corruption

High

Core Security Technologies Advisory, Advisory ID: CORE-2004-0714, August 9, 2004

Matt Johnston

Dropbear SSH Server 0.42

A vulnerability exists that could allow a remote malicious user to execute arbitrary code. This vulnerability is caused due to freeing of uninitialized variables in the DSS verification code.

Update to version 0.43 available at: http://matt.ucc.asn.au/dropbear/

Exploit scripts have been published.

Dropbear SSH Server DSS Verification Vulnerability
High

Secunia, SA12153, July 26, 2004

Dropbear Security Update

Packetstorm, August 4, 2004

moodle.org

Moodle versions prior to 1.3

An input validation vulnerability was reported in Moodle in 'post.php' in which a remote malicious user can conduct cross-site scripting attacks. 'post.php' does not properly filter HTML code from user-supplied input in the reply variable. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Moodle software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Update to version 1.3 or above available at: http://moodle.org/mod/resource/view.php?id=8

A Proof of Concept exploit has been published.

Moodle Input Validation Flaw in 'post.php' in reply Variable Permits Cross-Site Scripting Attacks
High
SecurityTracker, 1010893, August 7, 2004

Mozilla Organization
  Mandrakesoft
  Slackware

Mozilla 1.7 and prior;
Firefox 0.9 and prior;
Thunderbird 0.7 and prior

Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads.

Upgrade to the latest version of Mozilla, Firefox, or Thunderbird available at: http://www.mozilla.org/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=
slackware-security&y=2004&m=slackware-security.667659

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082

We are not aware of any exploits for this vulnerability.

Mozilla Multiple Vulnerabilities
High
Secunia, SA10856, August 4, 2004

Nokia

Nokia IPSO 3.5, 3.5.1, 3.6, 3.7, 3.7.1, 3.8

A vulnerability exists in Nokia IPSO, which can be exploited by a malicious user to cause a Denial of Service.

Update to the latest builds.

We are not aware of any exploits for this vulnerability.

Nokia IPSO Denial of Service Vulnerability
Low

Secunia, SA12280, August 12, 2004

Nokia Knowledge Base, Resolution 21008

Opera Software

Opera 7.53

A spoofing vulnerability exists that could be exploited by a malicious user to conduct phishing attacks against a user. Opera fails to update the address bar if a web page is opened using the "window.open" function and then "replaced" using the "location.replace" function. This causes Opera to display the URL of the first website while loading the content of the second website.

Update to 7.54 available at: http://www.opera.com/download/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-05.xml

A Proof of Concept exploit has been published.

Opera Browser Spoofing Vulnerability
High

Secunia, SA12162, July 27, 2004

Gentoo SA, GLSA 200408-05 / Opera, August 05, 2004

GreyMagic Security Advisory GM#008-OP, August 5, 2004

PHP Foundry

Jetbox One 2.0.8

An input validation vulnerability exists in Jetbox One that could allow users with "Author" privileges in "IMAGES" to upload arbitrary files including PHP code. The vulnerability exists because the type of file being uploaded is not verified as a valid image file e.g. GIF, JPEG. Once uploaded, the malicious user is then able to request the file, which will be interpreted by the JetboxOne application.

Also, JetboxOne does not encrypt information in the account information database. Any user with the ability to query the database may be able to view confidential account information.

No vendor solution is available.

A Proof of Concept exploit has been published.

JetBoxOne CMS Arbitrary File Upload Vulnerability

JetBoxOne Leaves Account Database Unencrytped

High

Secunia, SA12230, August 5, 2004

US-CERT Vulnerability Note #417408, August 13, 2004

US-CERT Vulnerability Note #58670, August 13, 2004

Phpnuke.org

PHP-Nuke 7.x

An input verification vulnerability exists in PHP-Nuke which a malicious user can exploit to conduct cross-site scripting attacks. User input passed to the search box in the following modules is not sanitized before being returned to users: Web_Links, Journal, Stories Archive, Topics Archive.

No vendor solution is available.

A Proof of Concept exploit has been published.

PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities
High

Secunia, SA12271, August 11, 2004

SystemSecure.org, Advisory SS#23072004

PluggedOut

Blog 1.6 alpha and prior

An input validation vulnerability exists that could allow a remote malicious user to conduct cross-site scripting attacks. The software does not filter HTML code from user-supplied input in the 'blogid' variable. The malicious user can access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

No vendor solution is available.

A Proof of Concept exploit has been published.

PluggedOut Blog Input Validation Hole in 'blogid'
High
VulnWatch, August 7, 2004

PNG Development Group
  Conectiva
  Debian
  Fedora
  Gentoo
  Mandrakesoft
  RedHat
  SuSE
  Sun Solaris
  HP-UX
  GraphicsMagick
  ImageMagick
  Slackware

libpng 1.2.5 and 1.0.15

Multiple vulnerabilities exist in the libpng library which could allow a remote malicious user to crash or execute arbitrary code on an affected system. These vulnerabilities include:

  • libpng fails to properly check length of transparency chunk (tRNS) data,
  • libpng png_handle_iCCP() NULL pointer dereference,
  • libpng integer overflow in image height processing,
  • libpng png_handle_sPLT() integer overflow,
  • libpng png_handle_sBIT() performs insufficient bounds checking,
  • libpng contains integer overflows in progressive display image reading.

If using original, update to libpng version 1.2.6rc1 (release candidate 1) available at: http://www.libpng.org/pub/png/libpng.html

Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000856

Debian: http://lists.debian.org/debian-security-announce/
debian-security-announce-2004/msg00139.html

Gentoo: http://security.gentoo.org/glsa/glsa-200408-03.xml

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079

RedHat http://rhn.redhat.com/

SuSE: http://www.suse.de/de/security/2004_23_libpng.html

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Sun Solaris: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617

HP-UX: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01065

GraphicsMagick: http://www.graphicsmagick.org/www/download.html

ImageMagick: http://www.imagemagick.org/www/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243

Yahoo: http://messenger.yahoo.com/

A Proof of Concept exploit has been published.

Multiple Vulnerabilities in libpng

CVE Names:
CAN-2004-0597
CAN-2004-0598
CAN-2004-0599

High

US-CERT Technical Cyber Security Alert TA04-217A, August  4, 2004

 

US-CERT Vulnerability Notes VU#160448, VU#388984, VU#817368, VU#236656, VU#477512, VU#286464, August 4, 2004.

QuiXplorer - Quick (PHP) Explorer 2.3 and prior

A directory traversal vulnerability was reported in QuiXplorer. A remote user can view files on the target system. QuiXplorer does not properly filter user-supplied input in the 'item' parameter. A remote user can submit a specially crafted request to view files located anywhere on the target system.

Update to 2.3.1, available at:

http://sourceforge.net/project/showfiles.php?group_id=72517

A Proof of Concept exploit has been published.

QuiXplorer Input Validation Hole in 'item' Parameter Discloses Files to Remote Users
Medium
SecurityTracker 1010954, August 15, 2004

Simon Tatham
  Gentoo

PuTTY 0.54 and previous

Input validation and buffer overflow vulnerabilities exist in PuTTY that could allow a remote malicious user to execute arbitrary code. By sending specially crafted packets to the client during the authentication process, a malicious user is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.

Update to version 0.55 available at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-04.xml

A Proof of Concept exploit has been published.

PuTTY System Compromise Vulnerability
High
Core Security Technologies Advisory number CORE-2004-0705

Sun Microsystems

Sun Solaris 7, 8, 9

A vulnerability has been reported in Solaris, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an unspecified error within the processing of XDMCP requests. Successful exploitation crashes the X Display Manager (xdm).

Apply patches or vendor workaround available at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57619

We are not aware of any exploits for this vulnerability.

Sun Solaris XDMCP Parsing Vulnerability
Low

Sun Alert ID: 57619, August 9, 2004

US-CERT Vulnerability Note VU#139504, August 11, 2004

The Webmaster Guide, Inc.

Board Power v2.04 PF

An input validation vulnerability exists in Board Power forum could allow a remote malicious user to conduct cross-site scripting attacks and execute arbitrary code. Board Power fails to filter malicious content passed into the "action" parameter of icq.cgi. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs. Likewise, information stored in cookies can be stolen or corrupted.

No solution is available at this time.

A Proof of Concept exploit has been published.

Board Power forum contains cross-site scripting vulnerability
High
US-CERT Vulnerability Note VU#744590, August 5, 2004

Thompson

SpeedTouch Home ADSL Modem firmware version GV8BAA3.270 (1003825) and earlier

A design error vulnerability exists in Thompson's SpeedTouch Home ADSL modem that could allow a malicious user to spoof TCP traffic on behalf of the device. The problem specifically exists due to the predictable nature of the TCP Initial Sequence Number (ISN) generator on the device.

No vendor solution is available at this time.

We are not aware of any exploits for this vulnerability.

Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation

CVE Name:
CAN-2004-0641

Medium

iDEFENSE Security Advisory, August 5, 2004

SecuriTeam, August 9, 2004

Volker Rattel

phpBB Fetch All 2.0.10 and 2.0.11

An input verification vulnerability exists in phpBB Fetch All that could allow a malicious user to pass malicious SQl statements to the underlying function. Successful exploitation could result in compromise of the application, disclosure or modification of data or may permit a malicious user to exploit vulnerabilities in the underlying database implementation.

Upgrade to 2.0.12 available at: http://prdownloads.sourceforge.net/phpbbfetchall/phpbb_fetch_all-2.0.12.zip?download

No exploit code required.

phpBB Fetch All SQL Injection Vulnerability
High
SecurityFocus, August 4, 2004
vRating 4.0, 4.01

A disclosure vulnerability exists in vRating. A remote malicious user can view and edit the 'settings.php' file with a specially crafted URL. A malicious user can also access the 'admin' directory to gain access to the administrative interface.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

vRating Discloses Sensitive Information and Grants Administrative Access to Remote Users
Medium
SecurityTracker 1010951, August 13 2004

WackoWiki 3.x

An input validation vulnerability exists in WackoWiki in which a malicious user can exploit to execute conduct cross-site scripting attacks and arbitrary HTML and script code in a user's browser session in context of an affected website.

Upgrade to version R4 available at: http://wackowiki.com/WackoDownload/InEnglish

We are not aware of any exploits for this vulnerability.

WackoWiki textsearch Cross-Site Scripting Vulnerability
High
Secunia, SA12209, August 4, 2004

Xavier Cirac

Shuttle FTP Suite 3.2

An input verification vulnerability exists in Shuttle FTP Suite, which can be exploited by a malicious user to read or place files in arbitrary locations on a vulnerable system. Arguments passed to certain commands are not properly verified. This can be exploited to access and write files outside the FTP root using the classical directory traversal character sequence "../" or absolute paths.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Shuttle FTP Suite Directory Traversal Vulnerability
Medium
Secunia, SA12270, August 11, 2004

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. Items listed in boldface/red (if any) are attack scripts/techniques for which vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have not published workarounds or patches, or which represent scripts that malicious users are utilizing.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Script Description
August 17, 2004 SpecificMAIL.theft.txt A freeware spam filter for Outlook and Outlook Express that is extremely intrusive and acts more as spyware than a useful utility to users.
August 16, 2004 proc_kmem_dump.c Script that exploits the Linux Kernel Proc_kmem_dump vulnerability.
August 14, 2004 aimAway.c Proof of concept exploit for AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability.
August 13, 2004 ethereal-0.10.6.tar.gz A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.
August 13, 2004 gv-exploit.c Script that exploits the gv Local Buffer Overflow vulnerability.
August 13, 2004 netgearDG834G.txt The Netgear DG834G has a hardcoded root password of zebra and a debug mode that allows for an immediately available rootshell.
August 13, 2004 priv8afp.pl Remote root exploit for Mac OS X Apple Filing Protocol Buffer Overflow vulnerability.
August 12, 2004
aircrack-1.1.tgz
An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools.
August 12, 2004
freedom.c
Remote CVS exploit for the Double free() Heap Overflow vulnerability.
August 12, 2004 mercantec_softcart.pm Exploit for the Mercantec Softcart CGI Buffer Overflow vulnerability.
August 12, 2004
pngslap.c
Script that exploits the Libpng Buffer Offset Calculation Overflow vulnerability.
August 12, 2004
rkhunter-1.1.5.tar.gz
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers.
August 11, 2004
0x4553_Exorcist.tar.gz
A tool that can be considered an anti-anti-ptrace utility that unlocks the ptrace_traceme guard of a binary.
August 11, 2004
0x4553_Scorpion.tar.gz
Tool for infecting statically linked ELF binaries.
August 11, 2004
0x4553-Static_Infecting.html

White paper that discusses a method of infecting statically linked ELF binaries.

August 11, 2004 c030224-001.txt Detailed exploit details for the ServerMask Header Identification vulnerability.
August 11, 2004 framework-2.2.tar.gz The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads.
August 11, 2004 OllyExp.c Script that exploits the OllyDbg Debugger Messages Format String vulnerability.
August 10, 2004 linuxKernelFileOffsetPointerHandlingExploit.c Exploit for the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure vulnerability.
August 9, 2004 Xines_Mine.c Script that exploits the Xine Buffer Overflow vulnerability.
August 9, 2004
yapig_script_injection.php
Exploit for the YaPiG Remote Server-Side Script Execution vulnerability.
August 8, 2004
servulocal.c
Script that exploist the RhinoSoft Serv-U FTP Server Default Administration Account vulnerability.
August 7, 2004
pavuk.c
Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities.
August 7, 2004 pavukWebSpider.c Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities.
August 6, 2004
apache-dos.pl
Perl script that exploits the Apache ap_escape_html Remote
Denial of Service vulnerability.
August 6, 2004
apacheEscapeHeaderD0SExploit.c
Script that exploits the Apache ap_escape_html Remote
Denial of Service vulnerability.
August 5, 2004 aircrack-1.0.tgz An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
August 5, 2004 bjd361exp.cpp Proof of Concept exploit for the BlackJumboDog FTP Buffer Overflow vulnerability.
August 5, 2004 C-MD5.tar.bz2 MD5 Brute Force Tool that tests the security of MD5 passwords by attempting to brute force them.
August 5, 2004 evil_song.py Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability.
August 5, 2004 hoagie_openftpd.c Remote root exploit for OpenFTPD Format String vulnerability.
August 5, 2004 HOD-ms04022-task-expl.c Exploit for the Microsoft Windows Task Scheduler Remote Buffer Overflow vulnerability.
August 5, 2004 hydra-4.2-src.tar.gz A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.
August 5, 2004 isec-0016-procleaks.txt

Exploit for the Linux Kernel 64-bit to 32-bit File Offset Conversion vulnerability.

August 5, 2004
mailEnable.txt
Exploit for the MailEnable Content-Length Denial Of Service vulnerability.
August 5, 2004 openf.c Remote root exploit for OpenFTPD Format String vulnerability.
August 5, 2004
pocExploitEtherealiSNSProtocolVuln.c
Proof of Concept exploit for the Ethereal iSNS Protocol Denial of Service vulnerability.
August 4, 2004 drop-root.c Script that exploits the Dropbear SSH Server DSS Verification Vulnerability.
August 4, 2004
FreeWebChat[Mir]DoS-po.cc
Script that exploits the Free Web Chat Denial Of Service Vulnerabilities.
August 4, 2004
FreeWebChat_ir_RC_poc.java
Exploit for the Free Web Chat Denial Of Service Vulnerabilities.
August 4, 2004
libpn.gc
Script that exploits the LibPNG Graphics Library Denial of Service vulnerability.
August 4, 2004
linuxKernelFileOffsetPointerHandlingExploit.c
Script that exploits the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure Vulnerability.
August 4, 2004 soxWAVfilebufferoverflowexploi.tc Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability.

[back to top]

Trends

  • Seven months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote malicious users.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
W32/Netsky-P
Win32 Worm Stable
March 2004
2
W32/Zafi-B
Win32 Worm Stable
June 2004
3
W32/Netsky-Q
Win32 Worm Increase
March 2004
4
W32/Netsky-D
Win32 Worm Slight Increase
March 2004
5
W32/Netsky-B
Win32 Worm Slight Increase
February 2004
6
W32/Netsky-Z
Win32 Worm Decrease
April 2004
7
W32/Bagle-AA
Win32 Worm Decrease
April 2004
8
W32/MyDoom-M
Win32 Worm New to Table
July 2004
9
W32/MyDoom-O
Win32 Worm New to Table
July 2004
9
I-Worm.Bagle.z
Win32 Worm New to Table
April 2004
9
I-Worm.Bagle.AI
Win32 Worm New to Table
July 2004
10
Worm_Sasser.B
Win32 Worm Decrease
April 2004
10
W32/Netsky-C
Win32 Worm Return to Table
March 2004
10
W32/Mydoom.s@MM Win32 Worm New to Table
August 2004
10
W32/Mydoom.q
Win32 Worm New to Table
August 2004

 

New Viruses / Trojans

Viruses or Trojans Considered to be a High Level of Threat

  • Brador/Bardoor These are the first known backdoor Trojans for the Pocket PC hand-held devices. They send the IP address of the infected handheld to the malicious user and opens various TCP ports. Brador only affects Windows Mobile 2003 (Pocket PC 2003 and Windows CE 4.2) and ARM-based devices.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Agobot-LT WORM_AGOBOT.OC
W32/Agobot-LT
Win32 Worm
Amus.A I-Worm.Amus.a
W32.Amus.A@mm
W32/Amus.A.worm
Win32.Amus.A
WORM_AMUS.A
Win32 Worm
Backdoor.Beasty.I   Trojan
Backdoor-CFB W32/Backdoor-CFB Win32 Worm
Bardoor Backdoor.Bardor.A WinCE Trojan
Bck/Surila.B Surila.B
W32/Mydoom.R
Trojan
Brador Brador.A
Backdoor.WinCE.Brador.a
Backdoor.Brador.A
Bck/WinCE.Brador.A
Troj/Brador-A
WINCE_BRADOR.A
WinCE/BackDoor-CHK
WinCE Trojan
Cata-A VBS/Cata-A Visual Basic Script Virus
Daqa.B BackDoor-BDI
Win32.Daqa.B
Win32/Daqa.B.Trojan
Win32 Worm
Daqa.C BackDoor-BDI
Win32.Daqa.C
Win32/Daqa.C.Trojan
Win32 Worm
Doep-A W32.Doep.A
W32/Doep-A
W32/Ourtime!p2p
Worm.P2P.Doep.a
WORM_DOEP.A
Win32 Worm
Downloader.Harnig   Trojan
Downloader.OG Trj/Downloader.OG Trojan: Adware Downloader
Febelneck-A

W32/Febelneck-A
W32.Febelneck@mm
Febelneck trojan
I-Worm.Febelneck

Win32 Worm
Frear.A

Win32.Frear.A
Win32/FriTear.A
Worm.P2P.Delf.u
Win32/Frear.A.Worm

Win32 Worm
JS/Zerolin   Java Script Trojan
Keylog-Melcarr   Trojan
Lovgate.AN W32.Lovgate.AN@mm Win32 Worm
MyDoom.R

W32/MyDoom-R
W32/Mydoom.r@MM
WORM_MYDOOM.R
W32.Mydoom.P@mm

Win32 Worm
Myfip.A W32.Myfip.A Win32 Worm
Nachi.L MS03-026
W32/Nachi.worm.m
Win32.Nachi.L
Win32/Nachi.L
Worm.Win32.Welchia.l
Worm/Nachi.S
WORM_NACHI.L
Win32 Worm
Nachi-K W32/Nachi-K
W32/Nachi.worm.m
Worm.Win32.Welchia.l
W32.Welchia.gen
Win32 Worm
Padodor-L Troj/Padodor-L Trojan
PE_LOVGATE.E Win32.Lovgate.AY File Infector Virus
PWSteal.Perfectspy Trojan: Spyware Installer
Reign.V

TrojanProxy.Win32.Agent.ag
W32/Agent.T
Win32.Reign.V
Win32/Agent.T.DLL.Trojanbr
Win32.Reign.W
Win32/Reign.29227.Trojan
Win32/TrojanProxy.Agent.AG

Win32 Worm
Saros

I-Worm.Saros.a
Saros.A
W32.Saros@mm
W32/Saros@MM
Win32.Saros.A
WORM_SAROS.A
CRYPT.WIN32 virus
IW32/Saros-A

Win32 Worm
Sconato.A Keylog-Sconato
Trj/Sconato.A
Troj/Sconato-A
Trojan.ScoNato.A
Trojan.Win32.Sconato.a
Trojan: Keylogger
Sdbot-LU W32/Sdbot.worm.gen
Backdoor.SdBot.nv
BKDR_SDBOT.GEN
W32/Sdbot-LU
Win32 Worm
Sndc.A W32.IRCBot
W32/Pcbot.A@p2p
W32/Sndc.worm!p2p
Win32.Sndc.A
Win32/P2P.Sndc.Worm
Worm.P2P.Krepper.c
Win32 Worm
Startpage.FZ StartPage-DU
Trojan.Win32.StartPage.ix
Win32.Startpage.FZ
Win32/StartPage.IX
Win32 Worm
StartPage-EM   Trojan
SYMBOS_QDIAL.A

Mquito
SymbOS/Mquito
Trojan.Mquito
SymbOS/QDial26

Trojan
Trj/Leritand.A Leritand.A Trojan
Trj/Leritand.B Leritand.B Trojan
Trj/Leritand.C Leritand.C Trojan
Troj/Bdoor-CHR BackDoor-CHR
BackDoor-CHR.sys
Trojan
Troj/CmjSpy-Z   Trojan
Troj/Daemoni-G   Trojan
Troj/Iefeat-K   Trojan
Troj/Mosqit-A   Trojan
Troj/Padodor-L   Trojan
Troj/ProxDrop-A   Trojan
TROJ_BAGLE.AC   Trojan
Trojan.Boxed.E   Trojan
Trojan.Cargao.B   Trojan
Trojan.Nullpos   Trojan
Trojan.StartPage.F

TROJ_STRTPAGE.CQ
Troj/CWS-C
StartPage-CQ.gen
TrojanDownloader.Win32.Small.lc

Trojan
Trojan.StartPage.G   Trojan
VBS.Mywav@mm   Visual Basic Script Worm
W32/Agobot-LX Win32/Agobot.3.ZQ
W32/Gaobot.worm.pp
Win32 Worm
W32/Agobot-MA   Win32 Worm
W32/Agobot-ZX   Win32 Worm
W32/Annil-G I-Worm.Annil.g Win32 Worm
W32/Apribot-C Backdoor.IRCBot.gen
W32/Sdbot.worm.gen.m virus
Win32 Worm
W32/Bagle.aq@MM

HTML_BAGLE.AC
I-Worm.Bagle.al
W32.Beagle.AO@mm
W32/Bagle-AQ
W32/Bagle.AJ@mm
W32/Bagle.AM.worm
WORM_BAGLE.AC
JS/IllWill
JS/Dword.dr
TR/RunMe.Dldr.1
W32/Bagle.aq@MM
Bagle.AG

Win32 Worm
W32/Cali-A   Win32 Worm
W32/Gobot-C Backdoor.IRC.Bot
Backdoor.Gobot.s
Win32 Worm
W32/Lovgate-F   Win32 Worm
W32/MyDoom-Q

W32/Mydoom.q@MM
W32/Evaman.c@MM

Win32 Worm
W32/MyDoom-R   Win32 Worm
W32/Neveg.b@MM W32/Cali@MM Win32 Worm
W32/Neveg.c@MM   Win32 Worm
W32/Rbot-FQ Backdoor.Rbot.gen
W32/Sdbot.worm.gen.g
Win32 Worm
W32/Rbot-FV   Win32 Worm
W32/Rbot-FY   Win32 Worm
W32/Rbot-GF W32/Sdbot.worm.gen.k
Backdoor.Rbot.af
Win32 Worm
W32/Sdbot-MH   Win32 Worm
Win32.Daqa.B

BackDoor-BDI
Win32/Daqa.B.Trojan
Win32/Daqa.C.Trojan
Win32.Daqa.C

Trojan
WORM_ATAK.C   Internet Work
WORM_LOVGATE.E

HLLM.Lovgate.18
I-Worm.Win32.Lovgate.171520
Worm/Lovgate.BJ
I-Worm.LovGate.ah
Win32/Lovgate.AS

Internet Worm
WORM_RATOS.A

W32.Mydoom.Q@mm
I-Worm.Win32.Ratos
W32/Mydoom.s@MM
W32/MyDoom-S
Win32.Mydoom.S
WORM_RATOS.A

Win32 Worm
WORM_SDBOT.LD   Internet Worm

[back to top]

 

 

 

Last updated

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 4 and August 17, 2004.

 


Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Windows Operating Systems Only

UNIX / Linux Operating Systems Only

Multiple Operating Systems - Windows / UNIX / Linux / Other

 

Risk is defined as follows:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Adobe Systems

Adobe Acrobat 5.0.5 and prior, possibly 6.0.2

A buffer overflow vulnerability exists in Acrobat/Acrobat Reader due to a boundary error within the "pdf.ocx" ActiveX component supplied with Adobe Acrobat Reader. A remote malicious user can exploit this vulnerability via a malicious website using a specially crafted URL to potentially execute arbitrary code. Successful exploitation allows remote malicious users to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.

No solution is available at this time.

Vendor asserts this vulnerability is fixed in version 6.0.2. However, proof of concept code exists that causes a Denial of Service.

Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability

CVE Name:
CAN-2004-0629

High
iDEFENSE Security Advisory 08.13.04

Acme Laboratories

thttpd 2.07 beta 0.4 10dec99

A input validation vulnerability exists in the Windows port of thttpd. A remote user can view files on the target system that are located outside of the web document directory. thttpd does not properly validate user-supplied requests. A remote user can submit a request containing directory traversal characters or a direct path to view files on the system.

No solution is available at this time.

A Proof of Concept exploit has been published.

thttpd Input Validation Error Discloses Files to Remote Users
Medium
SecurityTracker, 1010850, August 4, 2004

Clearswift

MAILsweeper prior to 4.3.15

Several vulnerabilities exist in MAILsweeper in the processing of encoded or compressed files. A remote user may be able to send a MIME attachment that will not be properly scanned by MAILsweeper. MAILsweeper fails to properly detect several common compression formats, including ZIP 6.0, RAR, and HQX. A remote malicious user can create a malicious attachment in certain formats and have the attachment pass through MAILsweeper without detection.

A Denial of Service vulnerability also exists due to an error when processing malformed PowerPoint files which may cause the service to enter an endless loop and exhaust all CPU resources.

Update to version 4.3.15 available at: http://download.mimesweeper.com/www/Patches/MAILsweeper_Patches_495ReadMe.htm

We are not aware of any exploits for this vulnerability.

MAILsweeper Fails to Detect and Analyze Some Attachment Formats

CVE Names:
CAN-2003-0928
CAN-2003-0929
CAN-2003-0930

Medium

Secunia, SA12301, August 13, 2004

SecurityTracker, 1010953, August 13, 2004

MAILsweeper for SMTP 4.3.15 Release Notes, July 28, 2004

Clearswift

MIMEsweeper for Web prior to 5.0.4

An input validation vulnerability exists in MIMEsweeper for Web, which can be exploited by a malicious user to retrieve arbitrary files outside the web root via directory traversal attacks using the "..\", "..\\", "../\", and "../" character sequences.

Update to version 5.0.4 or later available at: http://download.mimesweeper.com/www/Patches/MSW4WEB504_ReadMe.htm

A Proof of Concept exploit has been published.

MIMEsweeper for Web Directory Traversal Vulnerability
Medium

MIMEsweeper for Web Version 5.0.4 Release Notes

IceWarp

IceWarp Web Mail prior to 5.2.8

Multiple vulnerabilities exist in IceWarp Web Mail, which could allow a malicious user to conduct cross-site scripting and SQL injection attacks, access sensitive information, and manipulate the file system.

Update to version 5.2.8 available at: http://www.icewarp.com/Download/

We are not aware of any exploits for this vulnerability.

IceWarp Web Mail Multiple Unspecified Vulnerabilities
High

Secunia, SA12269, August 11, 2004

IceWarp Web Mail Release Notes, 5.2.8, August 10, 2004

Keene Software

Keene Digital Media Server 1.0.2

Multiple vulnerabilities exist in Keene Digital Media Server, which can be exploited by a malicious user to retrieve sensitive information such as passwords and perform administrative tasks. 1) Keene Digital Media Server stores passwords in clear text in the file "dmscore.db" in the installation directory. This may disclose sensitive information to malicious local users. 2) An input validation error within the processing of HTTP requests can be exploited to retrieve arbitrary files via directory traversal attacks. It is possible to bypass the user authentication and perform administrative tasks by accessing the script "/dms/adminusers.kspx" directly.

No solution is available at this time. The vendor has stated that the vulnerabilities will be fixed in version 1.0.4.

A Proof of Concept exploit has been published.

Keene Digital Media (KDM) Server Multiple Vulnerabilities
Medium

SecurityTracker: 1010928, August 11, 2004

Secunia, SA12272, August 12, 2004

Microsoft

MS Windows 2000 SP 2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1

A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer during application name validation. A malicious user who successfully exploited this vulnerability could take complete control of an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

Exploit script has been published.

Microsoft Windows Task Scheduler Vulnerability

CVE Name:
CAN-2004-0212
High

Microsoft Security Bulletin MS04-022, July 13, 2004

PacketStorm, August 5, 2004

Microsoft

INTERIX 2.2

This security bulletin was updated to include the INTERIX product. A privilege elevation vulnerability exists in the POSIX operating system component (subsystem) due to an unchecked buffer. This vulnerability could allow remote code execution on an affected system.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

Currently, we are not aware of any exploits for this vulnerability.

POSIX Vulnerability Could Allow Code Execution

CVE Name:
CAN-2004-0210

High
Microsoft Security Bulletin MS04-020, Updated: August 10, 2004

Microsoft

Microsoft Exchange Server 5.5 SP4

An input validation vulnerability exists in Microsoft Outlook Web Access in which a malicious user could conduct cross-site scripting attacks. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Outlook Web Access software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Update available at: http://www.microsoft.com/downloads/details.aspx?FamilyId=
66E4E033-5A4C-4EEC-84F1-31F0CA878092&displ aylang=en

The update does not require a restart, but the it will restart Microsoft Internet Information Services (IIS), the Exchange Store, and the Exchange System Attendant Services. Customers that have customized certain ASP pages should check the advisory for some important caveats: http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx

Currently, we are not aware of any exploits for this vulnerability.

Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks

CVE Name:
CAN-2004-0203

High

Microsoft Security Bulletin MS04-026, August 10, 2004

 

US-CERT Vulnerability Note VU#948750, August 11, 2004

Microsoft

Microsoft Internet Explorer 5.01, 5.5, 6

A vulnerability exists in Internet Explorer, which potentially can be exploited by a malicious user to conduct phishing attacks against a user.The vulnerability is caused due to Internet Explorer failing to update the address bar after a sequence of actions has been performed on a named window. This can be exploited to display content from a malicious site while displaying the URL of a trusted site in the address bar.

Workaround: Disable Active Scripting. Currently known attack vectors do not work on Windows XP systems with SP2 applied.

A Proof of Concept exploit has been published.

Internet Explorer Address Bar Spoofing Vulnerability
Medium
Secunia, SA12304, August 16, 2004

Next Generation Security

StackDefender 1.10 and 2.0

Multiple input validation vulnerabilities exist in StackDefender in the processing of certain hooked kernel function parameters which could allow a local or remote malicious user to cause the target system to crash. StackDefender fails to validate the 'ObjectAttributes' parameter supplied to the ZwOpenFile() and ZwCreateFile() kernel API functions. Also, the 'BaseAddress' parameter supplied to the ZwAllocateVirtualMemory() and ZwProtectVirtualMemory() kernel API functions is not properly validated and can be exploited in a similar fashion.

Upgrade to StackDefender 2.10 available at: http://ngsec.com/ngproducts/stackdefender/download.php

We are not aware of any exploits for this vulnerability.

NGSEC StackDefender 1.10 Invalid Pointer Dereference Vulnerability

CVE Names:
CAN-2004-0767
CAN-2004-0766

Low
iDEFENSE Security Advisory, August 3, 2004

Rhinosoft

Serv-U FTP Server 4.x through 5.1.0.0 inclusive

A default login vulnerability exists in Serv-U that could allow a local unprivileged user to execute commands with SYSTEM privileges using a problem with Serv-U administration. The Serv-U FTP server in all its platforms has a local administration account that can be used to configure the server. This account has a default login and password credentials and is only available through the loopback interface. An unprivileged user can connect to the server with the default login information and use the "SITE EXEC" command to execute arbitrary commands. The commands are run with SYSTEM privileges hence turning Serv-U to a conduit through which administrative commands can be run.

No solution is available at this time.

A Proof of Concept exploit has been published.

Serv-U Local Privilege Escalation Vulnerability
Medium
Securities, August 15, 2004

SapporoWorks

BlackJumboDog FTP Server 3.6.1

A buffer overflow vulnerability exists in which a remote malicious user can execute arbitrary code on the target system. A remote user can send a specially crafted FTP command with a long parameter string to trigger the flaw. The USER, PASS, RETR, CWD, XMKD, XRMD, and other commands are affected. The software reportedly copies the user-supplied parameter string to a 256 byte buffer.

Update to version 3.6.2, available at:http://homepage2.nifty.com/spw/software/bjd/

A Proof of Concept exploit has been published.

BlackJumboDog Has Buffer Overflow in the FTP Service
High

US-CERT VU#714584, August 3, 2004

SecuriTeam, August 4, 2004

Sun Microsystems

Java Runtime Environment (JRE)

A Denial of Service vulnerability exists in Sun's Java Runtime Environment. A remote malicious user can create a Java applet that alerts using a native win32 assertion that will, when loaded by the target user, cause the target user's system to crash.

No solution is available at this time.

A Proof of Concept exploit has been published.

Sun JRE Win32 Native Assertion Error Lets malicious Applets Deny Service
Low
SecurityTracker, 1010846, August 3, 2004

Sygate

Sygate Secure Enterprise prior to 3.5MR3 and Sygate Enforcer 4.0 and later

Multiple vulnerabilities exist in Sygate Secure Enterprise (SSE) in the processing of client logging messages which could allow a remote malicious user to cause a Denial of Service or bypass security restrictions. A remote user can cause the service to consume all available resources on the target system by continually replaying HTTP messages and discovery datagrams (UDP). The system does not provide replay protection for messages sent from Sygate Security Agent clients. An optional component, Sygate Enforcer, does not correctly filter broadcast traffic sent prior to authentication, allowing malicious users to bypass the authentication.

Update to SSE version 3.5MR3 and a Sygate Enforcer version later than 4.0 available at: http://www.sygate.com/products/sygate-secure-enterprise.htm

We are not aware of any exploits for this vulnerability.

Sygate Secure Enterprise Multiple Vulnerabilities

CVE Name:
CAN-2004-0163

Low

SecurityTracker, 1010919, August 10, 2004

Corsaire Security Advisories c031120-001 - 3, August 8-10, 2004

Symantec

Symantec Clientless VPN Gateway 4400 Series

Multiple vulnerabilities exist in Symantec Clientless VPN Gateway 4400 Series, where some have an unknown impact and others can be exploited to conduct cross-site scripting attacks or manipulate users' signon information. Various unspecified vulnerabilities affect the ActiveX and HTML file browsers; input validation errors within the end user UI can be exploited to conduct cross-site scripting attacks; an error within the end user UI can be exploited by a malicious user to manipulate other users' signon information (including username and password).

A hotfix is available at: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/
sym_clientless_vpn_5/updates/SCVG5-20040806-00.tgz

We are not aware of any exploits for this vulnerability.

Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities
High
Symantec, Hotfix: SCVG5-20040806-00, August 2004

Venta Association

VentaFax 5.4

 

A vulnerability exists in VentaFax that could allow a local malicious user to obtain elevated privileges. A local malicious user can access the application via the system tray and can execute commands with Local System privileges.

No solution is available at this time.

A Proof of Concept exploit has been published.

VentaFax Command Execution Lets Local Users Gain Elevated Privileges
Medium
SecurityTracker, 1010902, August 9, 2004

WIDCOMM

WIDCOMM Bluetooth Connectivity Software versions prior to 3.0 on the BTW and BT-CE/PPC platforms

BTStackServer 1.3.2.7 and 1.4.2.10 on both Windows XP and Windows 98

HP IPAQ 5450 running WinCE 3.0 with Bluetooth software version 1.4.1.03.

Multiple buffer overflow vulnerabilities exist in WIDCOMM Bluetooth Connectivity Software which a malicious user can use to execute arbitrary code. The vulnerabilities are caused due to boundary errors when handling various malformed service requests. These can be exploited by sending specially crafted service requests through a wireless Bluetooth connection to a vulnerable system.

No solution is available at this time. The vendor reports that issues will be fixed in version 3.

A Proof of Concept exploit has been written.

WIDCOMM Bluetooth Connectivity Software Buffer Overflow Vulnerabilities

CVE Name:
CAN-2004-0775

High

Secunia, SA12275, August 12, 2004

Pentest Limited Security Advisory, ptl-2004-03, August 11, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common
Name
Risk
Source

Adobe Systems

Adobe Acrobat Reader 5.05 and 5.06

An input validation and boundary error vulnerability exists in in the uudecoding feature of Adobe Acrobat Reader, which can be exploited by a malicious user to compromise a user's system. An input validation error injection of arbitrary shell commands. The boundary vulnerability can be exploited to cause a buffer overflow via a malicious PDF document with an overly long filename. Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into opening a malicious document.

Update to version 5.09 for UNIX available at: http://www.adobe.com/products/acrobat/readstep2.html

We are not aware of any exploits for this vulnerability.

Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability

CVE Names:
CAN-2004-0630
CAN-2004-0631

High

Secunia, SA12285, August 13, 2004

iDEFENSE Advisories 08.12.04

Apache Software Foundation

Apache 2.0.49 (Win32) with PHP 5.0.0 RC2

A Denial of Service vulnerability exists in the Apache web server when running with PHP due to a flaw when invoking certain functions such as fopen and fsockopen in an endless loop.

Hewlett-Packard: Install updated version of Apache from Software Depot. http://software.hp.com

Conectiva: http://distro.conectiva.com.br/atualizacoes/
index.php?id=a&anuncio=000857

A Proof of Concept exploit has been published.

Apache Can Be Crashed By PHP Code
Low

SecurityTracker, 1010674, July 9, 2004

US-CERT Cyber Security Bulletin SB04-203

HP SSRT4777 rev. 0 HP-UX Apache, PHP, August 2, 2004

Secunia, SA12243, August 9, 2004

Benchmark Design

WHM Autopilot 2.4.5 and prior

A login vulnerability exists due to a bug in client login code and the built-in login backdoor. It is possible to generate the hash required to get a user's username and plain-text password.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Benchmark Designs' WHM Autopilot Backdoor Allows Plaintext Credential
Leakage
Medium
SecuriTeam, August 3, 2004

cvstrac.org

CVSTrac 1.1.3

An input validation vulnerability exists in CVSTrac due to insufficient sanitization of input passed to 'filediff,' which could allow a malicious user to execute arbitrary code.

Fix available in the CVS repository at: http://www.cvstrac.org/cvstrac/wiki?p=DownloadCvstrac

A Proof of Concept exploit has been published.

CVSTrac "filediff" Arbitrary Command Execution Vulnerability
High
Bugtraq, August 5, 2004
Ethereal

Ethereal 0.x

Multiple Denial of Service and buffer overflow vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors which may allow a malicious user to run arbitrary code or crash the program.

Updates available at: http://www.ethereal.com/download.html or disable the affected protocol dissectors.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Debian: http://lists.debian.org/debian-security-announce/debian-
security-announce-2004/msg00129.html

Exploit script has been published.

Ethereal: Multiple security problems

CVE Names:
CAN-2004-0633
CAN-2004-0634
CAN-2004-0635

High

Etheral Advisory, enpa-sa-00015, July 6, 2004

Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July 9, 2004

Secunia Advisory, 12034 & 12035, July 12, 2004

SecurityFocus, August 5, 2004

Gaim

  Gentoo

Multiple vulnerabilities were reported in Gaim in the processing of the MSN protocol. A remote user may be able to execute arbitrary code on the target system. Several remotely exploitable buffer overflows were reported in the MSN protocol parsing functions.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml

SuSE: http://www.suse.de/de/security/2004_25_gaim.html

We are not aware of any exploits for this vulnerability.

Gaim Buffer Overflows in Processing MSN Protocol


CVE Name:
CAN-2004-0500

High
SecurityTracker, 1010872, August 5, 2004

Geeklog.net

Geeklog 1.39

A configuration vulnerability exists in Geeklog. The installation software leaves the 'install' file in the 'admin' directory, which is accessible to remote users. A remote malicious user can invoke the installation script with specially crafted URLs.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Geeklog Default Installation Lets Remote Users Access the Installation Script
Low
SecurityTracker 1010948, August 13, 2004

Gentoo Linux 1.x

versions prior to "www-servers/tomcat-5.0.27-r3"

A privilege escalation vulnerability exists in the tomcat package for Gentoo, which can be exploited by a local malicious user to escalate their privileges. tomcat initialization scripts are owned by the "tomcat" user and group, but are run with "root" privileges during system startup. This can be exploited by users in the "tomcat" group to execute commands as root.

Update to "www-servers/tomcat-5.0.27-r3" or later. http://security.gentoo.org/glsa/glsa-200408-15.xml

We are not aware of any exploits for this vulnerability.

Gentoo Tomcat Privilege Escalation Vulnerability
Medium
Gentoo Security Advisory, GLSA 200408-15 / tomcat, August 15, 2004

gv Postscript and PDF viewer 3.5.8 and prior

Gentoo

A buffer overflow vulnerability exists in gv that could allow a local malicious user to execute arbitrary code. To exploit this vulnerability, a malicious user would have to trick a user into viewing a malformed PDF or PostScript file from the command.

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-10.xml

A Proof of Concept exploit script has been published.

gv Local Buffer Overflow
High
SecuriTeam, August 4, 2004

Hewlett-Packard

HP-UX Process Resource Manager C.02.01[.01] and prior

HP-UX Workload Manager

A vulnerability was reported in the HP-UX Process Resource Manager that could allow non-root local malicious users to corrupt data files on a system that has the Process Resource Manager installed. Workload Manager (version A.02.01 and prior) includes the Process Resource Manager and, therefore, is also affected.

For Proc-Resrc-Mgr.PRM-RUN (PRM-Sw-Lib.PRM-LIB), install revision C.02.02 or subsequent. For WLM-Monitor (Workload-Mgr), install revision A.02.02 or subsequent. Update information and patch matrix is available at: http://h20000.www2.hp.com/bizsupport/TechSupport/
Document.jsp?objectID=PSD_HPSBUX01065

We are not aware of any exploits for this vulnerability.

HP-UX Process Resource Manager Bug Lets Local Users Corrupt Files
Medium

HP SSRT4785 rev. 0 HP-UX Process Resource Manager (PRM) potential data corruption, August 5, 2004

SecurityTracker: 1010914, August 10, 2004

Hewlett-Packard

HP-UX release B.11.04 with VirtualVault A.04.50 - A.04.70 or Webproxy A.02.00 - A.02.10

Multiple vulnerabilities exist in Apache affecting HP VirtualVault and HP Webproxy, which can be exploited by a malicious user to cause a DoS (Denial of Service), bypass security restrictions, or compromise a vulnerable system.

Install patches available at: http://itrc.hp.com

We are not aware of any exploits for this vulnerability.

HP VirtualVault / Webproxy Multiple Vulnerabilities in Apache
High

Secunia, SA12246, August 10, 2004

SSRT4788 rev. 0 HP-UX Apache, August 8, 2004

SSRT4789 rev. 0 HP-UX Apache, August 8, 2004

KDE 3.2.3 and prior

Two vulnerabilities exist in KDE which a local malicious user can exploit to gain escalated privileges and unauthorized access to files on the system.1) Certain directories and files are created insecurely when a user runs a KDE application outside the KDE environment or as another user. This can be exploited via symlink attacks to overwrite or truncate arbitrary files or prevent KDE applications from accessing certain directories. 2) The DCOPServer creates temporary files, which are used for authentication related purposes, insecurely. This can be exploited to potentially gain the privileges of any user running a KDE application.

Apply patches available at: ftp://ftp.kde.org/pub/kde/security_patches/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-13.xml

We are not aware of any exploits for this vulnerability.

KDE Insecure Temporary File Creation Vulnerability

CVE Name:
CAN-2004-0690

Medium

KDE Security Advisories 20040811-1 and 20040811-2, August 11, 2004

KDE 3.2.3 and prior

A frame injection vulnerability exists in the Konqueror web browser that allows websites to load web pages into a frame of any other frame-based web page that the user may have open. A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.

Source code patches have been made available which fix these vulnerabilities. Refer to advisory: http://www.kde.org/info/security/advisory-20040811-3.txt

A Proof of Concept exploit has been published.

Konqueror Frame Injection Vulnerability

CVE Name:
CAN-2004-0721

Low
KDE Security Advisory 20040811-3, August 11, 2004
Linux 2.4.27

A permissions vulnerability exists in the sys_chown() module of the Linux kernel. A remote authenticated user can modify the group permissions of files on the target system. A remote malicious user can modify the group ID of arbitrary files on the system due to a missing check for fsuid in the sys_chown() function. An NFS client may be able to make unauthorized changes to the group ownership of files on a remote system.

Upgrade to Linux 2.4.27 RC5.

We are not aware of any exploits for this vulnerability.

Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files

CVE Name:
CAN-2004-0497

Medium
SecurityTracker, 1010859, August 4, 2004

Linux
  Fedora
  RedHat
  SuSE

Linux kernel 2.4 through 2.4.26, 2.6 through 2.6.7

A vulnerability exists in the Linux kernel in the processing of 64-bit file offset pointers thus allowing a local malicious user to view kernel memory. The kernel's file handling API does not properly convert 64-bit file offsets to 32-bit file offsets. In addition, the kernel provides insecure access to the file offset member variable. As a result, a local user can gain read access to large portions of kernel memory.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/

SuSE:
http://www.suse.de/de/security/2004_24_kernel.html

A Proof of Concept exploit has been published.

Linux Kernel 64-bit to 32-bit File Offset Conversion Errors Disclose Kernel Memory to Local Users

CVE Name:
CAN-2004-0415

High

ISEC Security Research, August 4, 2004

 

Paul L Daniels

ripMIME 1.3.2.2 and prior

An input validation vulnerability exists in ripMIME, which may allow a virus to avoid detection and compromise the system. Certain virus attachments may not be properly decoded. Some viruses use encoded attachments that may contain blank lines or other invalid characters to cause the Base64 decoding process to terminate prematurely. As a result, an anti-virus system using this decoding method may fail to detect a virus.

Update to version 1.3.2.3, available at: http://www.pldaniels.com/ripmime/downloads.php

We are not aware of any exploits for this vulnerability.

ripMIME Base64 Decoding May Terminate Prematurely When Decoding Virus Attachments
Medium
SecurityTracker, 1010858, August 4, 2004

Peter F. Brown

Simple Form prior to 2.2

An input validation vulnerability exists in Simple Form, which can be exploited by a malicious user to use it as an open mail relay. Input passed to the parameters "admin_email_to" and "admin_email_from" isn't properly verified before being used in mails.

Update to version 2.2 available at: http://worldcommunity.com/opensource/utilities/simple_form.html

We are not aware of any exploits for this vulnerability.

Simple Form Open Mail Relay Vulnerability
Low
Secunia, SA12297, August 16, 2004

phpMyWebhosting version 0.3.4

Multiple input validation vulnerabilities exist in phpMyWebhosting that allow malicious users to gain elevated privileges as well as enter to the product's management system without knowing the administrative password. phpMyWebhosting does not verifying incoming user input for arbitrary SQL statements. If magic_quotes_gpc is disabled in PHP settings, a remote malicious user can cause SQL injection vulnerability in phpMyWebhosting.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

phpMyWebhosting SQL Injection Vulnerabilities
High
SecuriTeam, August 16, 2004

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

We are not aware of any exploits for this vulnerability.

GNOME VFS updates address extfs vulnerability

CVE Name:
CAN-2004-0494

High
Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004
Shorewall 1.4.x, 2.0.x

A privilege escalation vulnerability is caused due to the "shorewall" script creating temporary files insecurely, which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user invoking the script (usually root).

Update available at: http://shorewall.net/download.htm

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:080

Currently, we are not aware of any exploits for this vulnerability.

Shorewall Insecure Temporary File Creation Vulnerability

CVE Name:
CAN-2004-0647

Medium
Shorewall Security Vulnerability, June 28, 2004

rsync 2.6.2 and prior
  Debian
  SuSE
  Trustix

A vulnerability exists in rsync when running in daemon mode with chroot disabled. A remote user may be able read or write files on the target system that are located outside of the module's path. A remote user can supply a specially crafted path to cause the path cleaning function to generate an absolute filename instead of a relative one. The flaw resides in the sanitize_path() function.

Updates and patches are available at: http://rsync.samba.org/

SuSE: http://www.suse.de/de/security/2004_26_rsync.html

Debian: http://www.debian.org/security/2004/dsa-538

Trustix: http://www.trustix.net/errata/2004/0042/

We are not aware of any exploits for this vulnerability.

Rsync Input Validation Error in sanitize_path() May Let Remote Users Read or Write Arbitrary Files
High

SecurityTracker 1010940, August 12, 2004

rsync August 2004 Security Advisory

Silicon Graphics

SGI IRIX 6.5.x, CDE 5.3.4

A buffer overflow vulnerability exist in the libDtHelp module and a double-free vulnerability exists in the dtlogin module which a malicious user can use to gain root access.

Upgrade to CDE 5.3.4 available at: ftp://patches.sgi.com/support/free/security/patches/6.5.25/

We are not aware of any exploits for this vulnerability.

SGI IRIX CDE Multiple Vulnerabilities

CVE Names:
CAN-2003-0834
CAN-2004-0368

Medium
SGI Security Advisory, 20040801-01-P, August 3, 2004
Sourceforge.net
Gentoo Linux
Pavuk 0.x

Multiple vulnerabilities exist which could allow a malicious user to run arbitrary code. The vulnerabilities are caused due to boundary errors within the handling of digest authentication.

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml

Exploit script has been published.

Pavuk Digest Authentication Buffer Overflow Vulnerabilities
High

Gentoo Security Advisory, GLSA 200407-19 / Pavuk
Release Date July 26, 2004

SecurityFocus, August 7, 2004

sox.sourceforge.net
  Fedora
  Mandrakesoft
  Gentoo
  Conectiva
  RedHat

SoX 12.17.4, 12.17.3,
and 12.17.2

Multiple vulnerabilities exist that could allow a remote malicious user to execute arbitrary code This is due to boundary errors within the "st_wavstartread()" function when processing ".WAV" file headers and can be exploited to cause stack-based buffer overflows. Successful exploitation requires that a user is tricked into playing a malicious ".WAV" file with a large value in a length field.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076

Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml

Conectiva: ftp://atualizacoes.conectiva.com.br

RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html

Exploit script has been published.

SoX ".WAV" File Processing Buffer Overflow Vulnerabilities

CVE Name:
CAN-2004-0557

High

Secunia, SA12175, 12176, 12180, July 29, 2004

SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004

Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004

PacketStorm, August 5, 2004

SpamAssassin prior to 2.64

A Denial of Service vulnerability exists in SpamAssassin. A a remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service.

Update to version (2.64), available at: http://old.spamassassin.org/released/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-06.xml

We are not aware of any exploits for this vulnerability.

SpamAssassin Lets Remote Users Deny of Service By Sending Malformed Messages
Low
SecurityTracker: 1010903, August 10, 2004

Team OpenFTPD

OpenFTPD 0.30.2 prior to July 16, 2004, and prior versions

A vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote authenticated user can send a specially crafted message to another FTP user to trigger a format string flaw and execute arbitrary code on the FTP server due to a flaw in 'misc/msg.c'.

Update available at: http://www.openftpd.org:9673/openftpd/download_page.html

Exploit script has been published.
OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
High

VSA0402 - openftpd - void.at security notice, July 31, 2004

PacketStorm, August 5, 2004

xine-Project

xine 0.99.2

A buffer overflow vulnerability exists in xine in the processing of 'vcd://' protocol identifiers. A remote malicious user can execute arbitrary code on the target system. A remote malicious user can trigger a stack overflow in xine-lib by embedding a specially crafted source identifier within a playlist file, for example. When the target user plays the file, arbitrary code can be executed with the privileges of the target user.

A patch is available via CVS at: http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923

A Proof of Concept exploit has been published.

xine Buffer Overflow in Processing 'vcd' Identifiers Lets Remote Users Execute Arbitrary Code
High

SecurityTracker: 1010895, August 8, 2004

Open security advisory #6, August, 8, 2004

[back to top]

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

America Online

AOL Instant Messenger (AIM) 5.5

A buffer overflow vulnerability exists in America Online's Instant Messenger (AIM) which can allow remote malicious users to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler.

Upgrade to AIM beta version available at: www.aim.com

Proof of Concept exploit script has been published.

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
High

iDEFENSE Security Advisory 08.09.04

Secunia, SA12198, August 9, 2004

 

US-CERT Vulnerability Note VU#735966, August 10, 2004

Apache Software Foundation
Apple
Mandrake
Trustix

Apache 2.0.47 2.0.49

A remote Denial of Service vulnerability exists in the ‘ap_get_mime_headers_core()’ function due to a failure to handle excessively long HTTP header strings.

Patches available at: http://www.apache.org/dist/httpd/patches/apply_to_2.0.49/CAN-2004-0493.patch

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Exploit scripts have been published.

Apache ap_escape_html Remote
Denial of Service

CVE Name:
CAN-2004-0493

Low

Mandrakelinux Security Update Advisory, MDKSA-2004:064, June 29, 2004

Trustix Security Advisory, TSL-2004-0038, June 29, 2004

SecurityFocus, August 6, 2004

Apple

Apple Macintosh OS X

Safari 1.x

 

 

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities. Multiple vulnerabilities in libpng that can exploited to cause a Denial of Service or compromise a user's system; a vulnerability in the Safari browser can be used to steal sensitive information from forms; a vulnerability in the processing of network traffic that can be used to cause a DoS. The attack known as the "Rose Attack" will cause the system to use too much system resources resulting in DoS.

Apply Security Update 2004-08-09.

Mac OS X 10.3.5: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/
product=04216&platform=osx&method=sa/SecUpd2004-08-09Pan.dmg

Mac OS X 10.2.8: http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/
product=04285&platform=osx&method=sa/SecUpd2004-08-09Jag.dmg

We are not aware of any exploits for this vulnerability.

See also Multiple Vulnerabilities in libpng.

Mac OS X Security Update Fixes Multiple Vulnerabilities
High
Secunia, SA12249, August 10, 2004
CuteNews 1.3.1

An input validation vulnerability exists in CuteNews, which can be exploited by a remote malicious user to conduct cross-site scripting attacks. Input passed to the "archive" parameter in "show_archives.php" is not sanitized properly before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website by tricking the user into visiting a malicious website or follow a specially crafted link.

No solution is available at this time.

A Proof of Concept exploit has been published.

CuteNews "archive" Parameter Cross-Site Scripting Vulnerability
High
Secunia, SA12260, August 16, 2004

Concurrent Versions Systems (CVS) 1.11

A vulnerability exists in Concurrent Versions System (CVS) in which a malicious user can exploit to determine the existence and permissions of arbitrary files and directories. The problem is caused due to an undocumented switch to the "history" command implemented in "src/history.c". Using the "-X" switch and supplying an arbitrary filename, CVS will try to access the specified file and returns various information depending on whether the file exists and can be accessed.

Upgrade to version 1.11.17 or 1.12.9 available at: https://www.cvshome.org/

A Proof of Concept exploit has been published.

CVS Undocumented Flag Information Disclosure Vulnerability

CVE Name:
CAN-2004-0778

Low

iDEFENSE Security Advisory 08.16.04

Endonesia.Com

eNdonesia 8.3

Input verification vulnerabilities exist that could allow a remote malicious user to conduct cross-site scripting attacks or determine the installation path. The software does not properly filter HTML code from user-supplied input in the "query" parameter. A remote user can submit a request with certain invalid parameters to cause the system to display the installation path.

No solution is available at this time.

A Proof of Concept exploit has been published.

eNdonesia 'mod.php' Input Validation Vulnerability in Search 'query' Parameter Permits Cross-Site Scripting Attacks
High
SecurityTracker: 1010865, August 4, 2004
GoScript 2.0 An input validation vulnerability exists in GoScript that could allow a remote user to execute arbitrary commands on the target system. The 'go.cgi' script does not validate user-supplied input. A remote user can supply a specially crafted URL to execute operating system commands on the target system with the privileges of the target web service.

No solution is available at this time.

A Proof of Concept exploit has been published.

GoScript Input Validation Hole Lets Remote Users Execute Arbitrary Commands
High
SecurityTracker 1010865, August 4, 2004

IBM

IBM Tivoli Access Manager for e-business 3.x, 4.x, 5.x

An input validation vulnerability exists in IBM Tivoli Access Manager for e-business, which could allow a remote malicious user to conduct cross-site scripting attacks and gain control over an affected system.

Patch as appropriate at: http://www.ibm.com/support/us/

We are not aware of any exploits for this vulnerability.

IBM Tivoli Access Manager HTTP Response Splitting Vulnerability
High
Secunia, SA12093, August 9, 2004

Juniper

Juniper Networks NetScreen firewalls with SSHv1 enabled - ScreenOS prior to 5.0.0r8

A vulnerability exists in ScreenOS in the processing of SSHv1 management connections that could allow a remote malicious user cause the device to crash. If SSH version 1 is enabled on the target device, a remote user can connect to the management port and cause the device to hang or to crash and reboot. Authentication is not required.

Updates available at: http://www.juniper.net/support/

We are not aware of any exploits for this vulnerability.

NetScreen Firewalls ScreenOS Can Be Crashed By Remote Users Due to an SSHv1 Implementation Bug
Low

Juniper Networks NetScreen Advisory 59147, August 3, 2004

SecurityTracker 1010848, August 3, 2004

US-CERT Vulnerability Note VU#749870, August 13, 2004

Mark Burgess

Cfengine 2.0.0 to 2.1.7p1.

Input validation and buffer overflow vulnerabilities exist in Cfengine which could allow a remote malicious user to execute arbitrary code or cause a DoS (Denial of Service). The vulnerabilities are caused due to insufficient input validation and a boundary error in the cfservd daemon when processing authentication requests. The problems lies in the AuthenticationDialogue()" function, which is responsible for performing RSA authentication and key agreement.

Update to version 2.1.8 available at: http://www.cfengine.org/mirrors.html

Gentoo: http://security.gentoo.org/glsa/glsa-200408-08.xml

We are not aware of any exploits for this vulnerability.

Cfengine RSA Authentication Heap Corruption

High

Core Security Technologies Advisory, Advisory ID: CORE-2004-0714, August 9, 2004

Matt Johnston

Dropbear SSH Server 0.42

A vulnerability exists that could allow a remote malicious user to execute arbitrary code. This vulnerability is caused due to freeing of uninitialized variables in the DSS verification code.

Update to version 0.43 available at: http://matt.ucc.asn.au/dropbear/

Exploit scripts have been published.

Dropbear SSH Server DSS Verification Vulnerability
High

Secunia, SA12153, July 26, 2004

Dropbear Security Update

Packetstorm, August 4, 2004

moodle.org

Moodle versions prior to 1.3

An input validation vulnerability was reported in Moodle in 'post.php' in which a remote malicious user can conduct cross-site scripting attacks. 'post.php' does not properly filter HTML code from user-supplied input in the reply variable. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Moodle software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Update to version 1.3 or above available at: http://moodle.org/mod/resource/view.php?id=8

A Proof of Concept exploit has been published.

Moodle Input Validation Flaw in 'post.php' in reply Variable Permits Cross-Site Scripting Attacks
High
SecurityTracker, 1010893, August 7, 2004

Mozilla Organization
  Mandrakesoft
  Slackware

Mozilla 1.7 and prior;
Firefox 0.9 and prior;
Thunderbird 0.7 and prior

Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads.

Upgrade to the latest version of Mozilla, Firefox, or Thunderbird available at: http://www.mozilla.org/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=
slackware-security&y=2004&m=slackware-security.667659

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082

We are not aware of any exploits for this vulnerability.

Mozilla Multiple Vulnerabilities
High
Secunia, SA10856, August 4, 2004

Nokia

Nokia IPSO 3.5, 3.5.1, 3.6, 3.7, 3.7.1, 3.8

A vulnerability exists in Nokia IPSO, which can be exploited by a malicious user to cause a Denial of Service.

Update to the latest builds.

We are not aware of any exploits for this vulnerability.

Nokia IPSO Denial of Service Vulnerability
Low

Secunia, SA12280, August 12, 2004

Nokia Knowledge Base, Resolution 21008

Opera Software

Opera 7.53

A spoofing vulnerability exists that could be exploited by a malicious user to conduct phishing attacks against a user. Opera fails to update the address bar if a web page is opened using the "window.open" function and then "replaced" using the "location.replace" function. This causes Opera to display the URL of the first website while loading the content of the second website.

Update to 7.54 available at: http://www.opera.com/download/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-05.xml

A Proof of Concept exploit has been published.

Opera Browser Spoofing Vulnerability
High

Secunia, SA12162, July 27, 2004

Gentoo SA, GLSA 200408-05 / Opera, August 05, 2004

GreyMagic Security Advisory GM#008-OP, August 5, 2004

PHP Foundry

Jetbox One 2.0.8

An input validation vulnerability exists in Jetbox One that could allow users with "Author" privileges in "IMAGES" to upload arbitrary files including PHP code. The vulnerability exists because the type of file being uploaded is not verified as a valid image file e.g. GIF, JPEG. Once uploaded, the malicious user is then able to request the file, which will be interpreted by the JetboxOne application.

Also, JetboxOne does not encrypt information in the account information database. Any user with the ability to query the database may be able to view confidential account information.

No vendor solution is available.

A Proof of Concept exploit has been published.

JetBoxOne CMS Arbitrary File Upload Vulnerability

JetBoxOne Leaves Account Database Unencrytped

High

Secunia, SA12230, August 5, 2004

US-CERT Vulnerability Note #417408, August 13, 2004

US-CERT Vulnerability Note #58670, August 13, 2004

Phpnuke.org

PHP-Nuke 7.x

An input verification vulnerability exists in PHP-Nuke which a malicious user can exploit to conduct cross-site scripting attacks. User input passed to the search box in the following modules is not sanitized before being returned to users: Web_Links, Journal, Stories Archive, Topics Archive.

No vendor solution is available.

A Proof of Concept exploit has been published.

PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities
High

Secunia, SA12271, August 11, 2004

SystemSecure.org, Advisory SS#23072004

PluggedOut

Blog 1.6 alpha and prior

An input validation vulnerability exists that could allow a remote malicious user to conduct cross-site scripting attacks. The software does not filter HTML code from user-supplied input in the 'blogid' variable. The malicious user can access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

No vendor solution is available.

A Proof of Concept exploit has been published.

PluggedOut Blog Input Validation Hole in 'blogid'
High
VulnWatch, August 7, 2004

PNG Development Group
  Conectiva
  Debian
  Fedora
  Gentoo
  Mandrakesoft
  RedHat
  SuSE
  Sun Solaris
  HP-UX
  GraphicsMagick
  ImageMagick
  Slackware

libpng 1.2.5 and 1.0.15

Multiple vulnerabilities exist in the libpng library which could allow a remote malicious user to crash or execute arbitrary code on an affected system. These vulnerabilities include:

  • libpng fails to properly check length of transparency chunk (tRNS) data,
  • libpng png_handle_iCCP() NULL pointer dereference,
  • libpng integer overflow in image height processing,
  • libpng png_handle_sPLT() integer overflow,
  • libpng png_handle_sBIT() performs insufficient bounds checking,
  • libpng contains integer overflows in progressive display image reading.

If using original, update to libpng version 1.2.6rc1 (release candidate 1) available at: http://www.libpng.org/pub/png/libpng.html

Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000856

Debian: http://lists.debian.org/debian-security-announce/
debian-security-announce-2004/msg00139.html

Gentoo: http://security.gentoo.org/glsa/glsa-200408-03.xml

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079

RedHat http://rhn.redhat.com/

SuSE: http://www.suse.de/de/security/2004_23_libpng.html

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Sun Solaris: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617

HP-UX: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01065

GraphicsMagick: http://www.graphicsmagick.org/www/download.html

ImageMagick: http://www.imagemagick.org/www/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243

Yahoo: http://messenger.yahoo.com/

A Proof of Concept exploit has been published.

Multiple Vulnerabilities in libpng

CVE Names:
CAN-2004-0597
CAN-2004-0598
CAN-2004-0599

High

US-CERT Technical Cyber Security Alert TA04-217A, August  4, 2004

 

US-CERT Vulnerability Notes VU#160448, VU#388984, VU#817368, VU#236656, VU#477512, VU#286464, August 4, 2004.

QuiXplorer - Quick (PHP) Explorer 2.3 and prior

A directory traversal vulnerability was reported in QuiXplorer. A remote user can view files on the target system. QuiXplorer does not properly filter user-supplied input in the 'item' parameter. A remote user can submit a specially crafted request to view files located anywhere on the target system.

Update to 2.3.1, available at:

http://sourceforge.net/project/showfiles.php?group_id=72517

A Proof of Concept exploit has been published.

QuiXplorer Input Validation Hole in 'item' Parameter Discloses Files to Remote Users
Medium
SecurityTracker 1010954, August 15, 2004

Simon Tatham
  Gentoo

PuTTY 0.54 and previous

Input validation and buffer overflow vulnerabilities exist in PuTTY that could allow a remote malicious user to execute arbitrary code. By sending specially crafted packets to the client during the authentication process, a malicious user is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.

Update to version 0.55 available at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-04.xml

A Proof of Concept exploit has been published.

PuTTY System Compromise Vulnerability
High
Core Security Technologies Advisory number CORE-2004-0705

Sun Microsystems

Sun Solaris 7, 8, 9

A vulnerability has been reported in Solaris, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an unspecified error within the processing of XDMCP requests. Successful exploitation crashes the X Display Manager (xdm).

Apply patches or vendor workaround available at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57619

We are not aware of any exploits for this vulnerability.

Sun Solaris XDMCP Parsing Vulnerability
Low

Sun Alert ID: 57619, August 9, 2004

US-CERT Vulnerability Note VU#139504, August 11, 2004

The Webmaster Guide, Inc.

Board Power v2.04 PF

An input validation vulnerability exists in Board Power forum could allow a remote malicious user to conduct cross-site scripting attacks and execute arbitrary code. Board Power fails to filter malicious content passed into the "action" parameter of icq.cgi. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs. Likewise, information stored in cookies can be stolen or corrupted.

No solution is available at this time.

A Proof of Concept exploit has been published.

Board Power forum contains cross-site scripting vulnerability
High
US-CERT Vulnerability Note VU#744590, August 5, 2004

Thompson

SpeedTouch Home ADSL Modem firmware version GV8BAA3.270 (1003825) and earlier

A design error vulnerability exists in Thompson's SpeedTouch Home ADSL modem that could allow a malicious user to spoof TCP traffic on behalf of the device. The problem specifically exists due to the predictable nature of the TCP Initial Sequence Number (ISN) generator on the device.

No vendor solution is available at this time.

We are not aware of any exploits for this vulnerability.

Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation

CVE Name:
CAN-2004-0641

Medium

iDEFENSE Security Advisory, August 5, 2004

SecuriTeam, August 9, 2004

Volker Rattel

phpBB Fetch All 2.0.10 and 2.0.11

An input verification vulnerability exists in phpBB Fetch All that could allow a malicious user to pass malicious SQl statements to the underlying function. Successful exploitation could result in compromise of the application, disclosure or modification of data or may permit a malicious user to exploit vulnerabilities in the underlying database implementation.

Upgrade to 2.0.12 available at: http://prdownloads.sourceforge.net/phpbbfetchall/phpbb_fetch_all-2.0.12.zip?download

No exploit code required.

phpBB Fetch All SQL Injection Vulnerability
High
SecurityFocus, August 4, 2004
vRating 4.0, 4.01

A disclosure vulnerability exists in vRating. A remote malicious user can view and edit the 'settings.php' file with a specially crafted URL. A malicious user can also access the 'admin' directory to gain access to the administrative interface.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

vRating Discloses Sensitive Information and Grants Administrative Access to Remote Users
Medium
SecurityTracker 1010951, August 13 2004

WackoWiki 3.x

An input validation vulnerability exists in WackoWiki in which a malicious user can exploit to execute conduct cross-site scripting attacks and arbitrary HTML and script code in a user's browser session in context of an affected website.

Upgrade to version R4 available at: http://wackowiki.com/WackoDownload/InEnglish

We are not aware of any exploits for this vulnerability.

WackoWiki textsearch Cross-Site Scripting Vulnerability
High
Secunia, SA12209, August 4, 2004

Xavier Cirac

Shuttle FTP Suite 3.2

An input verification vulnerability exists in Shuttle FTP Suite, which can be exploited by a malicious user to read or place files in arbitrary locations on a vulnerable system. Arguments passed to certain commands are not properly verified. This can be exploited to access and write files outside the FTP root using the classical directory traversal character sequence "../" or absolute paths.

No solution is available at this time.

We are not aware of any exploits for this vulnerability.

Shuttle FTP Suite Directory Traversal Vulnerability
Medium
Secunia, SA12270, August 11, 2004

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. Items listed in boldface/red (if any) are attack scripts/techniques for which vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have not published workarounds or patches, or which represent scripts that malicious users are utilizing.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Script Description
August 17, 2004 SpecificMAIL.theft.txt A freeware spam filter for Outlook and Outlook Express that is extremely intrusive and acts more as spyware than a useful utility to users.
August 16, 2004 proc_kmem_dump.c Script that exploits the Linux Kernel Proc_kmem_dump vulnerability.
August 14, 2004 aimAway.c Proof of concept exploit for AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability.
August 13, 2004 ethereal-0.10.6.tar.gz A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.
August 13, 2004 gv-exploit.c Script that exploits the gv Local Buffer Overflow vulnerability.
August 13, 2004 netgearDG834G.txt The Netgear DG834G has a hardcoded root password of zebra and a debug mode that allows for an immediately available rootshell.
August 13, 2004 priv8afp.pl Remote root exploit for Mac OS X Apple Filing Protocol Buffer Overflow vulnerability.
August 12, 2004
aircrack-1.1.tgz
An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools.
August 12, 2004
freedom.c
Remote CVS exploit for the Double free() Heap Overflow vulnerability.
August 12, 2004 mercantec_softcart.pm Exploit for the Mercantec Softcart CGI Buffer Overflow vulnerability.
August 12, 2004
pngslap.c
Script that exploits the Libpng Buffer Offset Calculation Overflow vulnerability.
August 12, 2004
rkhunter-1.1.5.tar.gz
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers.
August 11, 2004
0x4553_Exorcist.tar.gz
A tool that can be considered an anti-anti-ptrace utility that unlocks the ptrace_traceme guard of a binary.
August 11, 2004
0x4553_Scorpion.tar.gz
Tool for infecting statically linked ELF binaries.
August 11, 2004
0x4553-Static_Infecting.html

White paper that discusses a method of infecting statically linked ELF binaries.

August 11, 2004 c030224-001.txt Detailed exploit details for the ServerMask Header Identification vulnerability.
August 11, 2004 framework-2.2.tar.gz The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads.
August 11, 2004 OllyExp.c Script that exploits the OllyDbg Debugger Messages Format String vulnerability.
August 10, 2004 linuxKernelFileOffsetPointerHandlingExploit.c Exploit for the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure vulnerability.
August 9, 2004 Xines_Mine.c Script that exploits the Xine Buffer Overflow vulnerability.
August 9, 2004
yapig_script_injection.php
Exploit for the YaPiG Remote Server-Side Script Execution vulnerability.
August 8, 2004
servulocal.c
Script that exploist the RhinoSoft Serv-U FTP Server Default Administration Account vulnerability.
August 7, 2004
pavuk.c
Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities.
August 7, 2004 pavukWebSpider.c Script that exploits the Pavuk Digest Authentication Buffer Overflow Vulnerabilities.
August 6, 2004
apache-dos.pl
Perl script that exploits the Apache ap_escape_html Remote
Denial of Service vulnerability.
August 6, 2004
apacheEscapeHeaderD0SExploit.c
Script that exploits the Apache ap_escape_html Remote
Denial of Service vulnerability.
August 5, 2004 aircrack-1.0.tgz An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
August 5, 2004 bjd361exp.cpp Proof of Concept exploit for the BlackJumboDog FTP Buffer Overflow vulnerability.
August 5, 2004 C-MD5.tar.bz2 MD5 Brute Force Tool that tests the security of MD5 passwords by attempting to brute force them.
August 5, 2004 evil_song.py Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability.
August 5, 2004 hoagie_openftpd.c Remote root exploit for OpenFTPD Format String vulnerability.
August 5, 2004 HOD-ms04022-task-expl.c Exploit for the Microsoft Windows Task Scheduler Remote Buffer Overflow vulnerability.
August 5, 2004 hydra-4.2-src.tar.gz A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.
August 5, 2004 isec-0016-procleaks.txt

Exploit for the Linux Kernel 64-bit to 32-bit File Offset Conversion vulnerability.

August 5, 2004
mailEnable.txt
Exploit for the MailEnable Content-Length Denial Of Service vulnerability.
August 5, 2004 openf.c Remote root exploit for OpenFTPD Format String vulnerability.
August 5, 2004
pocExploitEtherealiSNSProtocolVuln.c
Proof of Concept exploit for the Ethereal iSNS Protocol Denial of Service vulnerability.
August 4, 2004 drop-root.c Script that exploits the Dropbear SSH Server DSS Verification Vulnerability.
August 4, 2004
FreeWebChat[Mir]DoS-po.cc
Script that exploits the Free Web Chat Denial Of Service Vulnerabilities.
August 4, 2004
FreeWebChat_ir_RC_poc.java
Exploit for the Free Web Chat Denial Of Service Vulnerabilities.
August 4, 2004
libpn.gc
Script that exploits the LibPNG Graphics Library Denial of Service vulnerability.
August 4, 2004
linuxKernelFileOffsetPointerHandlingExploit.c
Script that exploits the Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure Vulnerability.
August 4, 2004 soxWAVfilebufferoverflowexploi.tc Exploit for the SoX ".WAV" File Processing Buffer Overflow Vulnerability.

[back to top]

Trends

  • Seven months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote malicious users.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
W32/Netsky-P
Win32 Worm Stable
March 2004
2
W32/Zafi-B
Win32 Worm Stable
June 2004
3
W32/Netsky-Q
Win32 Worm Increase
March 2004
4
W32/Netsky-D
Win32 Worm Slight Increase
March 2004
5
W32/Netsky-B
Win32 Worm Slight Increase
February 2004
6
W32/Netsky-Z
Win32 Worm Decrease
April 2004
7
W32/Bagle-AA
Win32 Worm Decrease
April 2004
8
W32/MyDoom-M
Win32 Worm New to Table
July 2004
9
W32/MyDoom-O
Win32 Worm New to Table
July 2004
9
I-Worm.Bagle.z
Win32 Worm New to Table
April 2004
9
I-Worm.Bagle.AI
Win32 Worm New to Table
July 2004
10
Worm_Sasser.B
Win32 Worm Decrease
April 2004
10
W32/Netsky-C
Win32 Worm Return to Table
March 2004
10
W32/Mydoom.s@MM Win32 Worm New to Table
August 2004
10
W32/Mydoom.q
Win32 Worm New to Table
August 2004

 

New Viruses / Trojans

Viruses or Trojans Considered to be a High Level of Threat

  • Brador/Bardoor These are the first known backdoor Trojans for the Pocket PC hand-held devices. They send the IP address of the infected handheld to the malicious user and opens various TCP ports. Brador only affects Windows Mobile 2003 (Pocket PC 2003 and Windows CE 4.2) and ARM-based devices.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Agobot-LT WORM_AGOBOT.OC
W32/Agobot-LT
Win32 Worm
Amus.A I-Worm.Amus.a
W32.Amus.A@mm
W32/Amus.A.worm
Win32.Amus.A
WORM_AMUS.A
Win32 Worm
Backdoor.Beasty.I   Trojan
Backdoor-CFB W32/Backdoor-CFB Win32 Worm
Bardoor Backdoor.Bardor.A WinCE Trojan
Bck/Surila.B Surila.B
W32/Mydoom.R
Trojan
Brador Brador.A
Backdoor.WinCE.Brador.a
Backdoor.Brador.A
Bck/WinCE.Brador.A
Troj/Brador-A
WINCE_BRADOR.A
WinCE/BackDoor-CHK
WinCE Trojan
Cata-A VBS/Cata-A Visual Basic Script Virus
Daqa.B BackDoor-BDI
Win32.Daqa.B
Win32/Daqa.B.Trojan
Win32 Worm
Daqa.C BackDoor-BDI
Win32.Daqa.C
Win32/Daqa.C.Trojan
Win32 Worm
Doep-A W32.Doep.A
W32/Doep-A
W32/Ourtime!p2p
Worm.P2P.Doep.a
WORM_DOEP.A
Win32 Worm
Downloader.Harnig   Trojan
Downloader.OG Trj/Downloader.OG Trojan: Adware Downloader
Febelneck-A

W32/Febelneck-A
W32.Febelneck@mm
Febelneck trojan
I-Worm.Febelneck

Win32 Worm
Frear.A

Win32.Frear.A
Win32/FriTear.A
Worm.P2P.Delf.u
Win32/Frear.A.Worm

Win32 Worm
JS/Zerolin   Java Script Trojan
Keylog-Melcarr   Trojan
Lovgate.AN W32.Lovgate.AN@mm Win32 Worm
MyDoom.R

W32/MyDoom-R
W32/Mydoom.r@MM
WORM_MYDOOM.R
W32.Mydoom.P@mm

Win32 Worm
Myfip.A W32.Myfip.A Win32 Worm
Nachi.L MS03-026
W32/Nachi.worm.m
Win32.Nachi.L
Win32/Nachi.L
Worm.Win32.Welchia.l
Worm/Nachi.S
WORM_NACHI.L
Win32 Worm
Nachi-K W32/Nachi-K
W32/Nachi.worm.m
Worm.Win32.Welchia.l
W32.Welchia.gen
Win32 Worm
Padodor-L Troj/Padodor-L Trojan
PE_LOVGATE.E Win32.Lovgate.AY File Infector Virus
PWSteal.Perfectspy Trojan: Spyware Installer
Reign.V

TrojanProxy.Win32.Agent.ag
W32/Agent.T
Win32.Reign.V
Win32/Agent.T.DLL.Trojanbr
Win32.Reign.W
Win32/Reign.29227.Trojan
Win32/TrojanProxy.Agent.AG

Win32 Worm
Saros

I-Worm.Saros.a
Saros.A
W32.Saros@mm
W32/Saros@MM
Win32.Saros.A
WORM_SAROS.A
CRYPT.WIN32 virus
IW32/Saros-A

Win32 Worm
Sconato.A Keylog-Sconato
Trj/Sconato.A
Troj/Sconato-A
Trojan.ScoNato.A
Trojan.Win32.Sconato.a
Trojan: Keylogger
Sdbot-LU W32/Sdbot.worm.gen
Backdoor.SdBot.nv
BKDR_SDBOT.GEN
W32/Sdbot-LU
Win32 Worm
Sndc.A W32.IRCBot
W32/Pcbot.A@p2p
W32/Sndc.worm!p2p
Win32.Sndc.A
Win32/P2P.Sndc.Worm
Worm.P2P.Krepper.c
Win32 Worm
Startpage.FZ StartPage-DU
Trojan.Win32.StartPage.ix
Win32.Startpage.FZ
Win32/StartPage.IX
Win32 Worm
StartPage-EM   Trojan
SYMBOS_QDIAL.A

Mquito
SymbOS/Mquito
Trojan.Mquito
SymbOS/QDial26

Trojan
Trj/Leritand.A Leritand.A Trojan
Trj/Leritand.B Leritand.B Trojan
Trj/Leritand.C Leritand.C Trojan
Troj/Bdoor-CHR BackDoor-CHR
BackDoor-CHR.sys
Trojan
Troj/CmjSpy-Z   Trojan
Troj/Daemoni-G   Trojan
Troj/Iefeat-K   Trojan
Troj/Mosqit-A   Trojan
Troj/Padodor-L   Trojan
Troj/ProxDrop-A   Trojan
TROJ_BAGLE.AC   Trojan
Trojan.Boxed.E   Trojan
Trojan.Cargao.B   Trojan
Trojan.Nullpos   Trojan
Trojan.StartPage.F

TROJ_STRTPAGE.CQ
Troj/CWS-C
StartPage-CQ.gen
TrojanDownloader.Win32.Small.lc

Trojan
Trojan.StartPage.G   Trojan
VBS.Mywav@mm   Visual Basic Script Worm
W32/Agobot-LX Win32/Agobot.3.ZQ
W32/Gaobot.worm.pp
Win32 Worm
W32/Agobot-MA   Win32 Worm
W32/Agobot-ZX   Win32 Worm
W32/Annil-G I-Worm.Annil.g Win32 Worm
W32/Apribot-C Backdoor.IRCBot.gen
W32/Sdbot.worm.gen.m virus
Win32 Worm
W32/Bagle.aq@MM

HTML_BAGLE.AC
I-Worm.Bagle.al
W32.Beagle.AO@mm
W32/Bagle-AQ
W32/Bagle.AJ@mm
W32/Bagle.AM.worm
WORM_BAGLE.AC
JS/IllWill
JS/Dword.dr
TR/RunMe.Dldr.1
W32/Bagle.aq@MM
Bagle.AG

Win32 Worm
W32/Cali-A   Win32 Worm
W32/Gobot-C Backdoor.IRC.Bot
Backdoor.Gobot.s
Win32 Worm
W32/Lovgate-F   Win32 Worm
W32/MyDoom-Q

W32/Mydoom.q@MM
W32/Evaman.c@MM

Win32 Worm
W32/MyDoom-R   Win32 Worm
W32/Neveg.b@MM W32/Cali@MM Win32 Worm
W32/Neveg.c@MM   Win32 Worm
W32/Rbot-FQ Backdoor.Rbot.gen
W32/Sdbot.worm.gen.g
Win32 Worm
W32/Rbot-FV   Win32 Worm
W32/Rbot-FY   Win32 Worm
W32/Rbot-GF W32/Sdbot.worm.gen.k
Backdoor.Rbot.af
Win32 Worm
W32/Sdbot-MH   Win32 Worm
Win32.Daqa.B

BackDoor-BDI
Win32/Daqa.B.Trojan
Win32/Daqa.C.Trojan
Win32.Daqa.C

Trojan
WORM_ATAK.C   Internet Work
WORM_LOVGATE.E

HLLM.Lovgate.18
I-Worm.Win32.Lovgate.171520
Worm/Lovgate.BJ
I-Worm.LovGate.ah
Win32/Lovgate.AS

Internet Worm
WORM_RATOS.A

W32.Mydoom.Q@mm
I-Worm.Win32.Ratos
W32/Mydoom.s@MM
W32/MyDoom-S
Win32.Mydoom.S
WORM_RATOS.A

Win32 Worm
WORM_SDBOT.LD   Internet Worm

[back to top]

 

 

 

Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top