Summary of Security Items from September 1 through September 7, 2004

Released
Sep 07, 2004
Document ID
SB04-252

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 31 and September 7, 2004. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Risk is defined as follows: (Note: The risk levels applied to vulnerabilities in the Cyber Bulletin are based on how the "system" may be impacted.)

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source

ACLogic

CesarFTP 0.98b, 0.99g, 0.99e

A buffer overflow vulnerability exists during authentication due to insufficient bounds checking, which could let a remote user cause a Denial of Service or execute arbitrary code.

No workaround or patch available at time of publishing.

Proof of Concept exploit script has been published.

CesarFTP Buffer Overflow

Low/High

(High if arbitrary code can be executed)

Securiteam, August 31, 2003

Comersus Open Technologies

Comersus Cart 5.0 991

A vulnerability exists in the 'comersus_customerLoggedVerify.asp' script due to insufficient validation of the 'redirecturl' parameter, which could let a remote malicious user obtain or modify sensitive information or execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Comersus Shopping Cart 'redirecturl' Input Validation

Medium/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID: 1011135, September 1, 2004

Diebold

GEMS Central Tabulator 1.17.7, 1.18

A vulnerability exists due to an undocumented backdoor account, which could let a local or remote authenticated malicious user modify votes.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

GEMS Central Tabulator Vote Database Vote Modification
Medium
BlackBoxVoting.org, August 31, 2004

IPSwitch

IMail 5.0, 5.0.5-5.0.8, 6.0-6.0.6, 6.1-6.4, 7.0.1-7.0.7, 7.1, 7.12, 8.0.3, 8.0.5, 8.1

Multiple buffer overflow vulnerabilities exist: a remote Denial of Service vulnerability exists in the Queue Manager when a malicious user submits an overly long sender field; a remote Denial of Service vulnerability exists in Web Calendaring when a calendar entry that contains certain content is viewed; and a remote Denial of Service vulnerability exists in Web Messaging when a malicious user submits an overly long 'To:' line. The execution of arbitrary code may also be possible.

Patches available at: http://www.ipswitch.com/support/imail/releases/imail_professional/im813.html

We are not aware of any exploits for this vulnerability.

Ipswitch IMail Server Multiple Buffer Overflow Remote Denial of Service

Low/High

(High if arbitrary code can be executed)

Secunia Advisory, SA12453, September 3, 2004

IPSwitch

WhatsUp Gold 7.04, 7.03, 7.0, 8.03 Hotfix 1, 8.03, 8.01, 8.0

Two vulnerabilities exist: a buffer overflow vulnerability exists when processing Notification instance names, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability exists in 'prn.htm' when a malicious user submits a certain GET request.

Hotfixes available at:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/WhatsUp/wug803HF2.exe

We are not aware of any exploits for this vulnerability.

WhatsUpGold Web Interface Vulnerabilities

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID: 1011157, September 4, 2004

IPSwitch

WS FTP Server 5.0.2

A remote Denial of Service vulnerability exists in the 'cd' command when a malicious user submits a malformed file path.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

IPSwitch WS_FTP Remote Denial of Service
Low
Bugtraq, August 29, 2004

Jerod Moemeka

Xedus 1.0

Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user submits multiple simultaneous connections; a Cross-Site Scripting vulnerability exists in the sample scripts due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code; and a Directory Traversal vulnerability exists which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proofs of Concept exploit scripts have been published.

Xedus Web Server Input Validation Vulnerabilities

Low/Medium/High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

GulfTech Security Research Security Advisory, August 30, 2004

Keene Software Corporation

Keene Digital Media Server 1.0.2

Multiple vulnerabilities exist: a Cross-Site Scripting vulnerability exists because input passed to various parameters is not properly sanitized, which could let a remote malicious user execute arbitrary code; and a vulnerability exists because access is not restricted to all administrative pages and users' permissions are not checked before an administrative task is performed, which could let a remote malicious user perform arbitrary administrative tasks.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Keene Digital Media Server Cross-Site Scripting
High
SecurityFocus, September 4, 2004

Kerio Technologies

Kerio Personal Firewall 4.0.6-4.0.10, 4.0.16

A vulnerability exists in the 'Application Security' functionality, which could let a malicious user bypass certain security features.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Kerio Personal Firewall Security Bypass
Medium
SIG^2 Vulnerability Research Advisory, September 2, 2004

Multiple Vendors

Altnet ADM;
Grokster Grokster 1.3, 1.3.3, 2.6; KaZaA KaZaA Media Desktop 1.3-1.3.2, 1.6.1, 2.0, 2.0.2, 2.6.4

A buffer overflow vulnerability exists in Altnet Download Manager in the 'IsValidFile()' method, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Altnet ADM ActiveX Control Remote Buffer Overflow
High
SecurityFocus, September 3, 2004

Newintelligence

DasBlog 1.3-1.6

A Cross-Site Scripting vulnerability exists in the 'User-Agent:' and 'Referer:' headers due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

Patches available at: http://www.dasblog.net/documentation/CategoryView.aspx?category=Download

There is no exploit code required; however, Proofs of Concept exploit scripts have been published.

DasBlog Cross-Site Scripting
High
ERNW Security Advisory, September 1, 2004

Nullsoft

Winamp 5.04 & prior

A buffer overflow vulnerability exists in an ActiveX control installed by the application, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Winamp ActiveX Control Remote Buffer Overflow

CVE Name: CAN-2004-0820

High
SecurityTracker Alert ID: 1011071, September 2, 2004

South River Technologies

Titan FTP Server 2.2, 2.10, 3.01, 3.10, 3.21

A heap overflow vulnerability exists in the 'cwd' command due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Proof of Concept exploit script has been published.

Titan FTP Server CWD Command Remote Heap Overflow
High
www.cnhonker.com Security Advisory, August 29, 2004

Symantec

PowerQuest DeployCenter 5.5

A password disclosure vulnerability exists in the 'stuffit.dat' file due to a failure to handle exceptional conditions, which could let a malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

PowerQuest DeployCenter Password Disclosure
Medium
SecurityTracker Alert ID: 1011081, August 28, 2004

Texas Imperial Software

WFTPD Pro 3.21, R1-R3

A remote Denial of Service vulnerability exists due to insufficient validation of the 'MLST' command.

No workaround or patch available at time of publishing.

Exploit script has been published.

WFTPD Remote Denial of Service
Low
www.cnhonker.com Security Advisory, August 30, 2004

Web Animations

Password Protect

Multiple vulnerabilities exist: vulnerabilities exist in the 'LoginId,' 'OPass,' 'NPass,' and 'CPass' parameters in 'ChangePassword.asp,' the 'admin' and 'Pass' parameters in 'index_next.asp,' and the 'users_add.asp' and 'users_edit.asp' scripts due to insufficient sanitization, which could let a remote malicious user obtain administrative access to the application or view or modify the database; and vulnerabilities exist in 'ChangePassword.asp,' 'index.asp,' 'users_list.asp,' 'users_add.asp,' and 'users_edit.asp' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proofs of Concept exploit scripts have been published.

Password Protect Input Validation
High
CRIOLABS Advisory, August 30, 2004

WinZip Computing, Inc.

WinZip 7.0, 8.0, 8.1, SR-1, 9.0

Multiple unspecified buffer overflow vulnerabilities exist due to insufficient bounds checking when processing zip archives, which could let a local/remote malicious user execute arbitrary code.

Upgrades available at:
http://www.winzip.com/downauto.cgi?winzip90.exe

We are not aware of any exploits for this vulnerability.

WinZip Multiple Buffer Overflows
High
Securiteam, September 6, 2004

UNIX / Linux Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source

Apache Software Foundation

Apache 2.0a9, 2.0, 2.0.28 Beta, 2.0.28, 2.0.32, 2.0.35-2.0.50

A remote Denial of Service vulnerability exists in Apache 2 mod_ssl during SSL connections.

Apache: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964

RedHat: http://rhn.redhat.com/errata/RHSA-2004-349.html

SuSE: ftp://ftp.suse.com/pub/suse/i386/update/

We are not aware of any exploits for this vulnerability.

Apache mod_ssl Denial of Service

CVE Name:
CAN-2004-0748

Low
SecurityFocus, September 6, 2004

Apple

MacOS X 10.2.8, 10.3.4, 10.3.5

Two vulnerabilities exist: a vulnerability exists in CoreFoundation 'CFPlugin' facilities, which could let a malicious user obtain elevated privileges; and a buffer overflow vulnerability exists in CoreFoundation, which could let a malicious user execute arbitrary code.

Patches available at:
http://www.apple.com/support/downloads/

We are not aware of any exploits for this vulnerability.

Mac OS X CoreFoundation Buffer Overflow & Library Loading

CVE Names:
CAN-2004-0821,
CAN-2004-0822

Medium/High

(High if arbitrary code can be executed)

Apple Security Update, APPLE-SA-0024-09-07, September 7, 2004

Bharat Mediratta

Gallery 1.4.4

A vulnerability exists in the 'set_time_limit' function due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary code.

Upgrade available at: http://prdownloads.sourceforge.net/gallery/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-05.xml

Proof of Concept exploit script has been published.

Gallery Input Validation

High

SecurityTracker Alert ID: 1010971, August 18, 2004

SecurityFocus, September 2, 2004

Gentoo Linux Security Advisory GLSA 200409-05, September 2, 2004

Double Precision, Inc.

Inter7 Courier-IMAP 1.6, 1.7, 2.0.0, 2.1-2.1.2, 2.2.0, 2.2.1

A format string vulnerability exists in the 'auth_debug()' function used for login debugging, which could let a remote malicious user execute arbitrary code.

Upgrade available at: http://prdownloads.sourceforge.net/courier/courier-imap-3.0.7.tar.bz2

Gentoo: http://security.gentoo.org/glsa/glsa-200408-19.xml

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Exploit script has been published.

Courier-IMAP Remote Format String

CVE Name:
CAN-2004-0777

High

iDEFENSE Security Advisory 08.18.04

SecurityFocus, September 2, 2004

Fujitsu

Fujitsu ServerView 3.0

A vulnerability exists because the '.index' file is world writeable, which could let a malicious user modify MIB values.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Fujitsu ServerView MIB Modification
Medium
SecurityTracker Alert ID: 1011168, September 6, 2004

Inter7

vpopmail (vchkpw) 3.4.1-3.4.11, 4.5, 4.6, 4.7, 4.8, 4.9, 4.9.10, 4.10, 5.2.1, 5.2.2, 5.3.20-5.3.30, 5.4-5.4.2

Multiple buffer overflow and format string vulnerabilities exist in the 'vsybase.c' file, which could let a malicious user cause a Denial of Service, obtain unauthorized access, or execute arbitrary code.

Upgrades available at:
http://prdownloads.sourceforge.net/vpopmail/vpopmail-5.4.6.tar.gz?download

Gentoo: http://security.gentoo.org/glsa/glsa-200409-01.xml

We are not aware of any exploits for this vulnerability.

Inter7 Vpopmail Vsybase.c Multiple Vulnerabilities

Low/Medium/High

(Low if a DoS; Medium if unauthorized access can be obtained; and High if arbitrary code can be executed)

Bugtraq, August 17, 2004

Gentoo Linux Security Advisory GLSA 200409-01, September 1, 2004

Inter7

vpopmail (vchkpw) 3.4.1-3.4.11, 4.5-4.10, 5.2.1, 5.2.2, 5.3.20-5.3.30, 5.4-5.4.5

An SQL injection vulnerability exists due to insufficient sanitization of user-supplied input data before using it in an SQL query, which could let a remote malicious user insert additional SQL commands into data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login. Note: Vpopmail is only vulnerable if SQL servers are utilized by the application. Sites using the 'cdb' backend for data storage are not affected.

Upgrades available at:
http://prdownloads.sourceforge.net/vpopmail/vpopmail-5.4.6.tar.gz?download

Gentoo: http://security.gentoo.org/glsa/glsa-200409-01.xml

There is no exploit code required.

Vpopmail SQL Injection
Medium

SecurityFocus, August 20, 2004

Gentoo Linux Security Advisory GLSA 200409-01, September 1, 2004

J. Schilling

CDRTools 2.0, 2.0.1a18, 2.0.3

A vulnerability exists in 'cdrecord,' which could let a malicious user obtain root privileges.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

CDRTools Unspecified Privilege Escalation

High

SecurityFocus, August 31, 2004

Jamie Cameron

Usermin 1.070, 1.080

Several vulnerabilities exist: an input validation vulnerability exists in the mail functionality, which could let a remote malicious user execute arbitrary code; and a vulnerability exists due to an unspecified error in the installation routine.

Update available at: http://www.webmin.com/index6.html

We are not aware of any exploits for this vulnerability.

Usermin Web Mail
High
SNS Advisory No.77, September 7, 2004

John Bradley

XV 3.10a

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'xvbmp.c' source file, which could let a remote malicious user execute arbitrary code; multiple heap overflow vulnerabilities exist in the 'xviris.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists in the 'xvpcx.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; and a heap overflow vulnerability exists in the 'xvpm.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code.

Gentoo: http://security.gentoo.org/glsa/glsa-200409-07.xml

Exploit script has been published.

XV Multiple Buffer Overflow and Integer Handling
High

Bugtraq, August 24, 2004

Gentoo Linux Security Advisory, GLSA 200409-07, September 3, 2004

Mr. S.K.

LHA 1.14

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the parsing of archives, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in the parsing of command-line arguments, which could let a remote malicious user execute arbitrary code; and a vulnerability exists due to insufficient validation of shell meta characters in directories, which could let a remote malicious user execute arbitrary shell commands.

RedHat: http://rhn.redhat.com/errata/RHSA-2004-323.html

We are not aware of any exploits for this vulnerability.

LHA Multiple Code Execution

CVE Names:
CAN-2004-0694,
CAN-2004-0745,
CAN-2004-0769,
CAN-2004-0771

High
SecurityFocus, September 2, 2004

mpg123.de

mpg123 0.x

A buffer overflow vulnerability exists in the 'do_layer2()' function, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

mpg123 'do_layer2() Function' Remote Buffer Overflow
High
Securiteam, September 7, 2004

Multiple Vendors

Cisco VPN 3000 Concentrator 4.0.x, 4.0, 4.0.1, 4.1.x; Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; Gentoo Linux 1.4_rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1, x86_64, Linux Mandrake 9.1, ppc, 9.2, amd64, 10.0, AMD64, MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.2.2-1.2.8, 1.3-1.3.4; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core2, Core1; Sun Solaris 9.0, 9.0_x86

A remote Denial of Service vulnerability exists in the ASN.1 decoder when decoding a malformed ASN.1 buffer.

MIT Kerberos: http://web.mit.edu/kerberos/advisories/

Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml

Debian: http://security.debian.org/pool/updates/main/k/krb5/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-09.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57631-1&searchclause=

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

We are not aware of any exploits for this vulnerability.

MIT Kerberos 5 ASN.1 Decoder Remote Denial of Service

CVE Name:
CAN-2004-0644

Low
MIT krb5 Security Advisory, MITKRB5-SA-2004-002, August 31, 2004

US-CERT Technical Cyber Security Alert TA04-247A, September 5, 2004

US-CERT Vulnerability Note VU#550464, September 3, 2004

Multiple Vendors

Cisco VPN 3000 Concentrator 4.0.x, 4.0, 4.0.1, 4.1.x; Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; Gentoo Linux 1.4_rc1-rc3, 1.4; MandrakeSoft Corporate Server 2.1, x86_64, Linux Mandrake 9.1, ppc, 9.2, amd64, 10.0, AMD64, MandrakeSoft Multi Network Firewall 8.2; MIT Kerberos 5 1.0, 1.0.6, 1.0.8, 1.1, 1.1.1, 1.2-1.2.8, 1.3-1.3.4; RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3, Fedora Core2, Core1; Sun SEAM 1.0.2

Multiple double-free vulnerabilities exist due to inconsistent memory handling routines in the krb5 library: various double-free errors exist in the KDC (Key Distribution Center) cleanup code and in client libraries, which could let a remote malicious user execute arbitrary code; various double-free errors exist in the 'krb5_rd_cred()' function, which could let a remote malicious user execute arbitrary code; a double-free vulnerability exists in krb524d, which could let a remote malicious user execute arbitrary code; and a vulnerability exists in ASN.1 decoder when handling indefinite length BER encodings, which could let a remote malicious user cause a Denial of Service.

MIT Kerberos: http://web.mit.edu/kerberos/advisories/

Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20040831-krb5.shtml

Debian: http://security.debian.org/pool/updates/main/k/krb5/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-09.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-21-112908-15-1

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

We are not aware of any exploits for this vulnerability.

Kerberos 5 Double-Free Vulnerabilities

CVE Names:
CAN-2004-0642, CAN-2004-0643,
CAN-2004-0772

Low/High

(High if arbitrary code can be executed)

MIT krb5 Security Advisory, MITKRB5-SA-2004-002, August 31, 2004

US-CERT Technical Cyber Security Alert TA04-247A, September 5, 2004

US-CERT Vulnerability Notes, VU#350792, VU#795632, VU#866472, September 3, 2004

Multiple Vendors

Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1; ImageMagick 5.4.3, 5.4.4.5, 5.4.8.2-1.1.0, 5.5.3.2-1.2.0, 5.5.6.0-2003040, 5.5.7, 6.0.2; Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Imlib: http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/

ImageMagick: http://www.imagemagick.org/www/download.html

We are not aware of any exploits for this vulnerability.

IMLib/IMLib2 Multiple BMP Image Decoding Buffer Overflows

CVE Names:
CAN-2004-0817,
CAN-2004-0802

Low/High

(High if arbitrary code can be executed)

SecurityFocus, September 1, 2004

Multiple Vendors

Gentoo Linux 1.4; RedHat Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1; Trolltech Qt 3.0, 3.0.5, 3.1, 3.1.1, 3.1.2, 3.2.1, 3.2.3, 3.3.0, 3.3.1, 3.3.2

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'read_dib()' function when handling 8-bit RLE encoded BMP files, which could let a malicious user execute arbitrary code; and buffer overflow vulnerabilities exist in the XPM, GIF, and JPEG image file handlers, which could let a remote malicious user execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/q/qt-copy/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-20.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/qt-3.1.2-i486-4.tgz

SuSE: ftp://ftp.suse.com/pub/suse/i386/update

Trolltech Upgrade: http://www.trolltech.com/download/index.html

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57637-1&searchclause=security

Proof of Concept exploit has been published.

QT Image File Buffer Overflows

CVE Names:
CAN-2004-0691,
CAN-2004-0692,
CAN-2004-0693

High

Secunia Advisory, SA12325, August 10, 2004

Sun Alert ID: 57637, September 3, 2004

MySQL AB

MySQL 3.23.49, 4.0.20

A vulnerability exists in the 'mysqlhotcopy' script due to predictable file names of temporary files, which could let a malicious user obtain elevated privileges.

Debian: http://security.debian.org/pool/updates/main/m/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-02.xml

There is no exploit code required.

MySQL 'Mysqlhotcopy' Script Elevated Privileges

CVE Name:
CAN-2004-0457

Medium

Debian Security Advisory, DSA 540-1, August 18, 2004

Gentoo Linux Security Advisory GLSA 200409-02, September 1, 2004

openca.org

OpenCA 0.x

A Cross-Site Scripting vulnerability exists due to insufficient sanitization of input passed to the web frontends, which could let a remote malicious user execute arbitrary HTML and script code.

Update available at: http://www.openca.org/openca/

We are not aware of any exploits for this vulnerability.

OpenCA Cross-Site Scripting

CVE Name:
CAN-2004-0787

High
Secunia Advisory, SA12473, September 7, 2004

Oracle Corporation

Oracle Application Server 10g 9.0.4, 9.0.4.0, Oracle10g Application Server 10.1.0.2, Oracle10g Enterprise Edition 9.0.4.0, 10.1.0.2, Oracle10g Personal Edition 9.0.4.0, 10.1.0.2, Oracle10g Standard Edition 9.0.4.0, 10.1.0.2

Multiple buffer overflow vulnerabilities exist which could let a remote malicious user execute arbitrary commands.

Patches available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1

We are not aware of any exploits for this vulnerability.

Oracle Multiple Buffer Overflows
High

Technical Cyber Security Alert TA04-245A, September 1, 2004

US-CERT Vulnerability Notes VU#316206, VU#170830, VU#435974, September 1, 2004

Oracle Corporation

Oracle8i Enterprise Edition 8.1.7.4, Standard Edition 8.1.7.4, Oracle9i Enterprise Edition 9.2.0.4, Personal Edition 9.2.0.4, Standard Edition 9.0.1.3, 9.2.0.4

A vulnerability exists in the 'ctxsys.driload' package, which could let a remote malicious user obtain administrative privileges.

Patches available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1

A Proof of Concept exploit has been published.

Oracle Database Server ctxsys.driload Access Validation

CVE Name:
CAN-2004-0637

High

Technical Cyber Security Alert TA04-245A, September 1, 2004

Oracle Corporation

Oracle8i Enterprise Edition 8.1.7.4, Standard Edition 8.1.7.4; Oracle9i Enterprise Edition 9.0.1.5, 9.0.1.4, 9.2.0.4, 9.2.0.3; Oracle9i Personal Edition 9.0.1.5, 9.0.1.4, 9.2.0.4, 9.2.0.3; Oracle9i Standard Edition 9.0.1.5, 9.0.1.4, 9.2.0.4, 9.2.0.3

A buffer overflow vulnerability exists in the 'dbms_system.ksdwrt()' function, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Patches available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1

We are not aware of any exploits for this vulnerability.

Oracle Database Server dbms_system.ksdwrt Remote Buffer Overflow

CVE Name:
CAN-2004-0638

Low/High

(High if arbitrary code can be executed)

Technical Cyber Security Alert TA04-245A, September 1, 2004

Red Hat

GNOME VFS on Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64; Red Hat Linux Advanced Workstation 2.1 - ia64; Red Hat Enterprise Linux ES version 2.1 - i386; Red Hat Enterprise Linux WS version 2.1 - i386; Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64; Red Hat Desktop version 3 - i386, x86_64; Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64; Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

We are not aware of any exploits for this vulnerability.

GNOME VFS updates address extfs vulnerability

CVE Name:
CAN-2004-0494

High

Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004

Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004

Regents of University of California

bsdmainutils 6.0.14

An information disclosure vulnerability exists in the calendar utility when run with the '-a' option due to improper authorization checks, which could let a malicious local user read files with root privileges.

Debian: http://ftp.debian.org/debian/pool/main/b/bsdmainutils/bsdmainutils_6.0.15.tar.gz

There is no exploit code required; however, Proofs of Concept exploit scripts have been published.

Bsdmainutils Calendar Information Disclosure

CVE Name:
CAN-2004-0793

High
SecurityTracker Alert ID: 1011131, September 1, 2004

rsync 2.6.2 and prior

  Debian

  SuSE

  Trustix

A vulnerability exists in rsync when running in daemon mode with chroot disabled. A remote user may be able to read or write files on the target system that are located outside of the module's path. A remote user can supply a specially crafted path to cause the path cleaning function to generate an absolute filename instead of a relative one. The flaw resides in the sanitize_path() function.


Updates and patches are available at: http://rsync.samba.org/

SuSE: http://www.suse.de/de/security/2004_26_rsync.html

Debian: http://www.debian.org/security/2004/dsa-538

Trustix: http://www.trustix.net/errata/2004/0042/


Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/


Mandrake: http://www.mandrakesecure.net/en/ftp.php


OpenPKG: ftp://ftp.openpkg.org/release/2.0/UPD/


Tinysofa:
http://http.tinysofa.org/pub/tinysofa/updates/server-2.0/i386/tinysofa/rpms.updates/rsync-2.6.2-2ts.i386.rpm


TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/


We are not aware of any exploits for this vulnerability.

Rsync Input Validation Error in sanitize_path() May Let Remote Users Read or Write Arbitrary Files

CVE Name:
CAN-2004-0792

High

SecurityTracker 1010940, August 12, 2004


rsync August 2004 Security Advisory


SecurityFocus, September 1, 2004
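
The bug class in this entry is easy to reproduce in miniature. The following Python is an added example written for this bulletin; it is not rsync's sanitize_path() and does not reproduce the reported flaw. It compares a cleaner that can hand back an absolute filename with one that always yields a relative path confined to an assumed module root of /srv/module (the root and the crafted paths are constructed here):

```python
"""Path cleaning for a daemon that serves files from a module root without chroot.

Added example for this bulletin; it is not rsync's sanitize_path() and does not
reproduce the reported flaw. MODULE_ROOT and the sample paths are constructed.
"""
import posixpath

MODULE_ROOT = "/srv/module"  # assumed module path


def naive_clean(path: str) -> str:
    """Collapse '.' and '..' components but keep a leading '/'.

    A cleaner that can return an absolute name is the failure mode to avoid:
    posixpath.join(root, "/etc/passwd") discards root entirely, and a leading
    '..' survives normalisation and walks out of the module once joined.
    """
    return posixpath.normpath(path)


def sanitize_path(path: str) -> str:
    """Return a relative path that cannot climb above the module root.

    Empty and '.' components are dropped; '..' only removes a component that
    was already accepted, so '..' at the root is discarded rather than kept;
    leading '/' characters vanish because they produce empty components.
    """
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    return "/".join(parts) or "."


def resolve(root: str, user_path: str, cleaner) -> str:
    """Join the module root with the cleaned user path, as a daemon would before open()."""
    return posixpath.normpath(posixpath.join(root, cleaner(user_path)))


def escapes_root(root: str, full: str) -> bool:
    """True if the resolved name lies outside the module root."""
    root = root.rstrip("/")
    return not (full == root or full.startswith(root + "/"))


if __name__ == "__main__":
    for crafted in ("/etc/passwd", "../../etc/passwd", "a/../../b", "//etc//passwd"):
        for cleaner in (naive_clean, sanitize_path):
            full = resolve(MODULE_ROOT, crafted, cleaner)
            print(f"{cleaner.__name__:14} {crafted!r:20} -> {full!r}  escapes={escapes_root(MODULE_ROOT, full)}")
```

Lexical cleaning of this kind only controls the name the daemon constructs; a symlink inside the module that points outside it is not caught, which is why the daemon's chroot option matters and why the advisory singles out the chroot-disabled configuration.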

Squid-cache.org

Squid Web Proxy Cache 2.0 PATCH2, 2.1 PATCH2, 2.3 STABLE5, 2.4 STABLE7, 2.5 STABLE1-STABLE6, Squid Web Proxy Cache 3.0 PRE1-PRE3

A remote Denial of Service vulnerability exists in 'lib/ntlmauth.c' due to insufficient validation of negative values in the 'ntlm_fetch_string()' function.

Patches available at:
http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/squid-2.5.STABLE6-ntlm_fetch_string.patch

Gentoo: http://security.gentoo.org/glsa/glsa-200409-04.xml

We are not aware of any exploits for this vulnerability.

Squid Proxy NTLM Authentication Remote Denial of Service
Low
Secunia Advisory, SA12444, September 3, 2004
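
To make the class of error concrete, the following is an added Python example written for this bulletin; it is not Squid's lib/ntlmauth.c and does not reproduce the reported bug. It extracts a "security buffer" from an NTLMSSP type 3 message, where each field descriptor is a 16-bit length, a 16-bit maximum length and a 32-bit offset. A reader that stores the length in a signed variable, or tests only the upper bound, accepts descriptors it should refuse; the checked version rejects them. The message layout follows the NTLMSSP wire format; the sample messages are constructed by build_type3():

```python
"""Bounds-checked extraction of NTLMSSP 'security buffer' fields.

Added example for this bulletin, not Squid code. Layout used (NTLMSSP type 3
without the optional Version field): 8-byte signature, uint32 message type,
six 8-byte field descriptors, uint32 flags = 64 bytes, followed by the payload
the descriptors point into. Sample messages are constructed by build_type3().
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
FIELD_FMT = "<HHI"          # Len, MaxLen, BufferOffset, all unsigned
FIELD_FMT_SIGNED = "<hhI"   # same bytes with Len/MaxLen read as signed int16
TYPE3_HEADER_LEN = 64
TYPE3_FIELD_OFFSETS = (12, 20, 28, 36, 44, 52)  # LM, NT, domain, user, host, key
TYPE3_USER_FIELD = 36


class NtlmError(ValueError):
    """Raised when a descriptor points outside the message."""


def fetch_string_unchecked(msg: bytes, field_off: int) -> bytes:
    """Mimic a reader that keeps the length in a signed variable and only tests
    the upper bound. Len = 0xFFFF becomes -1, passes the test, and the result
    is silently wrong; in C the same arithmetic reads outside the buffer."""
    length, _maxlen, off = struct.unpack_from(FIELD_FMT_SIGNED, msg, field_off)
    if off + length > len(msg):
        raise NtlmError("field runs past end of message")
    return msg[off:off + length]


def fetch_string(msg: bytes, field_off: int) -> bytes:
    """Extract a field after validating the header and the descriptor.

    Length and offset are unsigned, the descriptor must be one of the fixed
    header slots, the run must fit in the message, and a non-empty field must
    start in the payload area. Anything else is an error, not a best-effort slice.
    """
    if len(msg) < TYPE3_HEADER_LEN or not msg.startswith(SIGNATURE):
        raise NtlmError("short message or bad signature")
    if field_off not in TYPE3_FIELD_OFFSETS:
        raise NtlmError("not a type 3 field descriptor offset")
    length, _maxlen, off = struct.unpack_from(FIELD_FMT, msg, field_off)
    if off + length > len(msg):
        raise NtlmError(f"descriptor out of range: off={off} len={length}")
    if length and off < TYPE3_HEADER_LEN:
        raise NtlmError(f"field payload overlaps the fixed header: off={off}")
    return msg[off:off + length]


def build_type3(user: bytes, forged_len=None) -> bytes:
    """Constructed type 3 message carrying only a UserName field. forged_len
    overrides Len/MaxLen so a test can plant 0xFFFF or an oversize value."""
    ln = len(user) if forged_len is None else forged_len
    hdr = bytearray(SIGNATURE + struct.pack("<I", 3))
    for field_off in TYPE3_FIELD_OFFSETS:
        if field_off == TYPE3_USER_FIELD:
            hdr += struct.pack(FIELD_FMT, ln, ln, TYPE3_HEADER_LEN)
        else:
            hdr += struct.pack(FIELD_FMT, 0, 0, TYPE3_HEADER_LEN)  # empty fields
    hdr += struct.pack("<I", 0)  # NegotiateFlags
    return bytes(hdr) + user


if __name__ == "__main__":
    forged = build_type3(b"alice", 0xFFFF)
    print("unchecked:", fetch_string_unchecked(forged, TYPE3_USER_FIELD))
    try:
        fetch_string(forged, TYPE3_USER_FIELD)
    except NtlmError as exc:
        print("checked:", exc)
```

The same three checks (unsigned arithmetic, total fits in the message, payload does not alias the header) apply to every length/offset pair in the NTLM handshake, not only the one field shown.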

Sun Microsystems, Inc.

Solaris 8.0, 8.0_x86

 

A remote Denial of Service vulnerability exists in 'in.named.'

Patch available at: sunsolve.sun.com/search/document.do?assetkey=1-26-57614-1

We are not aware of any exploits for this vulnerability.

Solaris 'in.named' Remote Denial of Service
Low
Sun(sm) Alert Notification, 57614, September 3, 2004

SuSE

SuSE Linux 8.1, 8.2, 9.0, 9.0 x86_64, 9.1; Linux Connectivity Server; Linux Database Server; Linux Enterprise Server 8, 9; Linux Office Server; SuSE eMail Server III

A Denial of Service vulnerability exists in '/dev/ptmx.'

Updates available at: ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

SuSE Linux PTMX Unspecified Local Denial of Service
Low
SUSE Security Announcement,
SA:2004:028, September 1, 2004

Ulrich Callmeier

Net-Acct 0.x

 

A vulnerability exists in the 'write_list()' and 'dump_curr_list()' functions due to the insecure creation of temporary files, which could let a malicious user modify information.

Patch available at:
http://exorsus.net/projects/net-acct/net-acct-notempfiles.patch

We are not aware of any exploits for this vulnerability.

Net-acct Insecure Temporary File
Medium
Secunia Advisory, September 7, 2004

Yukihiro Matsumoto

Ruby 1.6, 1.8

A vulnerability exists in the CGI session management component due to the way temporary files are processed, which could let a malicious user obtain elevated privileges.

Upgrades available at: http://security.debian.org/pool/updates/main/r/ruby/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-08.xml

We are not aware of any exploits for this vulnerability.

Ruby CGI Session Management Unsafe Temporary File

CVE Name:
CAN-2004-0755

Medium

Debian Security Advisory, DSA 537-1, August 16, 2004

Gentoo Linux Security Advisory, GLSA 200409-08, September 3, 2004

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name | Vulnerability - Impact | Patches - Workarounds | Attack Scripts | Common Name | Risk | Source

America Online


AOL Instant Messenger (AIM) 5.5

A buffer overflow vulnerability exists in America Online's Instant Messenger (AIM) which can allow remote malicious users to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler.


Upgrade to AIM beta version available at: www.aim.com


Proofs of Concept exploit scripts have been published.

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
High

iDEFENSE Security Advisory 08.09.04


Secunia, SA12198, August 9, 2004


US-CERT Vulnerability Note VU#735966, August 10, 2004


SecurityFocus, September 2, 2004

Axis Communications

Firmware Version 2.40; Axis 2100/2110/2120/2420/2130, Network Camera, 2400/2401 Video Server

Multiple vulnerabilities exist: an input validation vulnerability exists in the '/axis-cgi/io/virtualinput.cgi' script, which could let a remote malicious user execute arbitrary commands; and a Directory Traversal vulnerability exists, which could let a remote malicious user obtain sensitive information.

Upgrade available at:
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/sr/2_34_1/

There is no exploit code required; however, Proofs of Concept exploits have been published.

Axis Network Camera And Video Server Multiple Vulnerabilities

Medium/ High

(High if arbitrary commands can be executed)

Bugtraq, August 22, 2004

SecurityFocus, August 31, 2004

C. Szymanski

Cerbère Proxy Server 1.2

A remote Denial of Service vulnerability exists when a malicious user submits a malformed HTTP GET request.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Cerbère Proxy Server Remote Denial of Service
Low
GSSIT - Global Security Solution IT Security Advisory, September 1, 2004

Infinity Ward

Call of Duty 1.4 & prior

A vulnerability exists which could let a remote malicious user shut down the game service by submitting a query or reply that contains more than 1024 characters.

No workaround or patch available for Windows at time of publishing.

Linux version patch:
http://www.icculus.org/betas/cod/

Proof of Concept exploit has been published.

Call of Duty Game Shutdown
Low
Securiteam, September 7, 2004

CutePHP

CuteNews 0.88, 1.3, 1.3.1, 1.3.2, 1.3.6

A Cross-Site Scripting vulnerability exists in 'show_archives' due to insufficient sanitization of the 'cutepath' variable, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

CutePHP Cross-Site Scripting
High
Hackgen Advisory, hackgen-2004-#001, September 2, 2004

D-Link

DCS-900 Internet Camera 2.10, 2.20, 2.28

A vulnerability exists due to insufficient authentication checks for received UDP broadcast packets on port 62976, which could let a remote malicious user manipulate configuration settings and cause a Denial of Service.

No workaround or patch available at time of publishing.

Exploit script has been published.

DCS-900 Internet Camera Configuration Manipulation
Low
Bugtraq, August 31, 2004

Dynalink

RTA 230 ADSL Router

A vulnerability exists due to a default backdoor account, which could let a remote malicious user obtain control of the device.

No workaround or patch available at time of publishing.

There is no exploit code required.

Dynalink RTA 230 ADSL Router Default Backdoor Account

High
Bugtraq, September 3, 2004

eGroupWare.org

GroupWare 1.0, 1.0.3

Multiple Cross-Site Scripting vulnerabilities exist in the 'addressbook' and 'calendar' modules and HTML injection vulnerabilities exist in the 'Messenger' and 'Ticket' modules, which could let a remote malicious user execute arbitrary HTML and script code.

Gentoo: http://security.gentoo.org/glsa/glsa-200409-06.xml

There is no exploit code required; however, a Proof of Concept exploit has been published.

EGroupWare Multiple Input Validation
High

Bugtraq, August 22, 2004

Gentoo Linux Security Advisory GLSA 200409-06, September 2, 2004

Hitachi

Cosminexus Portal Framework 02-03 & prior

A vulnerability exists when the <ut:cache> tag library is used, which could let a remote malicious user obtain sensitive information.

Patches available at: http://www.hitachi-support.com/security_e/vuls_e/HS04-006_e/01-e.html

We are not aware of any exploits for this vulnerability.

Cosminexus Portal Framework Information Disclosure
Medium
SecurityTracker Alert ID: 1011171, September 7, 2004

IBM

DB2 Universal Database for AIX 7.0-7.2, 8.1, Universal Database for HP-UX 7.0-7.2, 8.1, Universal Database for Linux 7.0-7.2, 8.1, DB2 Universal Database for Solaris 7.0-7.2, 8.1, Universal Database for Windows 7.1, 7.2, 8.1

Several buffer overflow vulnerabilities exist, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www-306.ibm.com/software/data/db2/udb/support

We are not aware of any exploits for this vulnerability.

IBM DB2 Remote Buffer Overflows
High
NGSSoftware Insight Security Research Advisory, September 1, 2004

Multiple Vendors

Brocade Fabric OS 2.1.2, 2.2, 3.1, SilkWorm 3200, 3250, 3800, 3850, 3900, SilkWorm Fiber Channel Switch 2010, 2040, 2050;
Engenio 2822 Storage Controller, 2882 Storage Controller, 4884 Storage Controller, 5884 Storage Controller; IBM DS4100;
Storagetek D280

A remote Denial of Service vulnerability exists in hardware that is based on Engenio Storage Controllers due to an unspecified error in the handling of incoming TCP packets.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Engenio Storage Controller Remote Denial Of Service
Low
Bugtraq, September 4, 2004

Multiple Vendors

HP HP-UX B.11.23, 11.11, 11.00;
Mozilla Network Security Services (NSS) 3.2, 3.2.1, 3.3-3.3.2, 3.4-3.4.2, 3.5, 3.6, 3.6.1, 3.7-3.7.3, 3.7.5, 3.7.7, 3.8, 3.9; Netscape Certificate Server 1.0 P1, 4.2, Directory Server 1.3, P1&P5, 3.12, 4.1, 4.11-4.13, Enterprise Server 2.0 a, 2.0, 2.0.1 C, 3.0 L, 3.0, 3.0.1 B, 3.0.1, 3.1, 3.2, 3.5, 3.6, SP1-SP3, 3.51, 4.0, 4.1, SP3-SP8, Enterprise Server for NetWare 4/5 3.0.7 a, 4/5 4.1.1, 4/5 5.0, Enterprise Server for Solaris 3.5, 3.6,
Netscape Personalization Engine; Sun ONE Application Server 6.0, SP1-SP4, 6.5, SP1 MU1&MU2, 6.5 SP1, 6.5 MU1-MU3, 7.0 UR2 Upgrade Standard, 7.0 UR2 Upgrade Platform, Standard Edition, Platform Edition, 7.0 UR1 Standard Edition, Platform Edition, 7.0 Standard Edition, Platform Edition, Certificate Server 4.1, Directory Server 4.16, SP1, 5.0, SP1&SP2, 5.1 x86
SP3 x86, 5.1, SP1-SP3, 5.2, Web Server 4.1, SP1-SP14, 6.0, SP1-SP7, 6.1

A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.

Mozilla: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/

Netscape and HP workarounds available at: http://www.securityfocus.com/bid/11015/solution/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57632-1&searchclause=

We are not aware of any exploits for this vulnerability.

NSS Buffer Overflow
High

Internet Security Systems Advisory, August 23, 2004

SecurityFocus, September 1, 2004

Nagl

XOOPS Dictionary Module 1.0

A Cross-Site Scripting vulnerability exists in 'letter.php' due to insufficient sanitization of the 'letter' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

XOOPS Dictionary Cross-Site Scripting
High

Secunia Advisory, SA12424, September 1, 2004

Opera Software

Opera Web Browser 7.23

A remote Denial of Service vulnerability exists in the 'embed' tag when a specific JavaScript command is executed.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Opera Embed Tag Remote Denial of Service
Low
Bugtraq, September 1, 2004

phpMyBackupPro

phpMyBackupPro 0.6.2

Multiple input validation vulnerabilities exist due to insufficient validation of some configuration entries and of the MySQL username and password values, which could let a malicious user obtain unauthorized access or sensitive information.

Upgrade available at:
http://prdownloads.sourceforge.net/phpmybackup/phpMyBackupPro.v.1.0.zip?download

We are not aware of any exploits for this vulnerability.

PhpMyBackupPro Input Validation
Medium
SecurityFocus, September 3, 2004

phpscheduleit.sourceforge.net

phpScheduleIt 1.0.0RC1

Cross-Site Scripting vulnerabilities exist in the 'Name' and 'Last Name' fields in the new user registration script and the 'Schedule Name' field in the new schedule creation script due to insufficient sanitization of user-supplied HTML input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

phpScheduleIt Cross-Site Scripting
High
Bugtraq, August 31, 2004

phpWebSite Development Team

phpWebSite 0.7.3, 0.8.2, 0.8.3, 0.9.3, 0.9.3-4

Multiple input validation vulnerabilities exist: a vulnerability exists in 'index.php' due to insufficient sanitization of the 'pid' parameter, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists in the calendar module due to insufficient sanitization of the 'cal_template' field, which could let a remote malicious user execute arbitrary code; and a vulnerability exists due to insufficient sanitization of input passed to the subject and message fields, which could let a remote malicious user execute arbitrary code.

Patches available at:
http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPWebSite Multiple Input Validation

High
GulfTech Security Research Security Advisory, August 31, 2004

plogworld.org

pLog 0.1-0.1.2, 0.2, 0.2.1, 0.3-0.3.2

An input validation vulnerability exists in the 'register.php' script due to insufficient sanitization of the 'userName' and 'blogName' parameters, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

pLog 'register.php' Input Validation
High
Secunia Advisory, SA12415, September 1, 2004
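
Six entries in this section (CuteNews, eGroupWare, XOOPS Dictionary, phpScheduleIt, phpWebSite and pLog) describe the same defect: a request parameter is reflected into a page without encoding for the context it lands in. The following Python is an added example written for this bulletin, not code from any of those projects. It renders a constructed page from a 'letter' parameter two ways: once behind a tag-stripping blacklist, once with encoding chosen per output context (HTML text, and a URL inside a quoted attribute). The payloads are constructed:

```python
"""Why stripping tags is not output encoding.

Added example for this bulletin; not code from CuteNews, XOOPS, phpScheduleIt,
phpWebSite, eGroupWare or pLog. The page template and payloads are constructed.
"""
import html
import re
from urllib.parse import quote

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Blacklist approach: remove <script> tags and hope nothing else is live."""
    return SCRIPT_TAG.sub("", value)


def render_vulnerable(letter: str) -> str:
    """Reflect the parameter into element text and into a quoted attribute
    after only running the blacklist. Any other tag, or a quote that closes
    the attribute early, goes through untouched."""
    safe = naive_filter(letter)
    return f'<h1>Words starting with {safe}</h1><a href="?letter={safe}">next</a>'


def render_escaped(letter: str) -> str:
    """Encode at the point of output, per context: HTML-escape for element
    text; URL-encode for the query string, then HTML-escape that for the
    attribute it sits in. No blacklist is involved."""
    text = html.escape(letter, quote=True)
    url_part = html.escape(quote(letter, safe=""), quote=True)
    return f'<h1>Words starting with {text}</h1><a href="?letter={url_part}">next</a>'


if __name__ == "__main__":
    for payload in ("<script>alert(1)</script>",
                    "<img src=x onerror=evil()>",
                    '" onmouseover="evil()'):
        print("vulnerable:", render_vulnerable(payload))
        print("escaped:   ", render_escaped(payload))
```

The blacklist handles exactly the case its author thought of and nothing else; the encoding version has no list to maintain because it makes every character inert in the context it is written to.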

pvpgn.org

PvPGN 1.6.0-1.6.5

A buffer overflow vulnerability exists in the 'watchall' and 'unwatchall' commands, which could let a remote malicious user execute arbitrary code.

Patches available at: http://sourceforge.net/tracker/download.php?group_id=53514&atid=470607&file_id=99656&aid=1018716

There is no exploit code required.

PvPGN Remote Buffer Overflow
High
PvPGN Security Advisory, PSA-20040829, August 31, 2004

QNX Software Systems Ltd.

RTOS 2.4, 4.25, 6.1.0, 6.2.0 Update Patch A, 6.2.0

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in '/usr/bin/pppoed,' which could let a malicious user execute arbitrary code; buffer overflow vulnerabilities exist in 'name,' 'en', 'upscript,' 'downscript,' 'retries,' 'timeout,' 'scriptdetach,' 'noscript,' 'nodetach,' 'remote_mac,' and 'local_mac' flags, which could let a malicious user execute arbitrary code; and a vulnerability exists because the $PATH variable can be modified to cause the daemon to execute arbitrary code.

No workaround or patch available at time of publishing.

Proof of Concept exploit has been published.

QNX PPPoEd Buffer Overflows
High
Securiteam, September 6, 2004

SiteCubed

MailWorks Professional

A vulnerability exists because the authentication process may be bypassed, which could let a remote malicious user obtain administrative access.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

MailWorks Professional Authentication Bypass
High
SecurityTracker Alert ID: 1011145, September 3, 2004

TorrentTrader

BitTorrent Tracker 1.0 beta, RC1&RC2, alpha, 2.0

An input validation vulnerability exists in the 'download.php' script due to insufficient verification of the 'id' parameter, which could let a remote malicious user obtain sensitive information.

Fix available at: http://forum.tutoriaux.net/index.php?showtopic=299&st=0entry1342

A Proof of Concept exploit script has been published.

TorrentTrader Download.PHP SQL Injection
Medium
Secunia Advisory, SA12439, September 2, 2004
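
The 'id' parameter here is the textbook numeric injection point. The following Python is an added example written for this bulletin, not TorrentTrader code; it uses an in-memory sqlite3 database with a constructed schema in place of MySQL and shows the string-built query beside the validated, parameterized one, including the UNION form that turns a download lookup into a read of another table:

```python
"""SQL injection through a numeric 'id' parameter, and the parameterized fix.

Added example for this bulletin, not TorrentTrader code. The schema and rows
are constructed; sqlite3's in-memory database stands in for MySQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two downloads and one account row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE torrents(id INTEGER PRIMARY KEY, name TEXT, path TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, passhash TEXT);
        INSERT INTO torrents VALUES (1, 'public.iso', '/data/public.iso');
        INSERT INTO torrents VALUES (2, 'private.iso', '/data/private.iso');
        INSERT INTO users VALUES (1, 'admin', 'c0ffee');
    """)
    return conn


def download_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """Build the statement by string interpolation: whatever arrives in ?id=
    is parsed as SQL, so 'OR 1=1' widens the WHERE and 'UNION SELECT'
    reads rows from any other table with three columns."""
    sql = f"SELECT id, name, path FROM torrents WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def download_safe(conn: sqlite3.Connection, id_param: str) -> list:
    """Validate the type first, then bind the value. The driver receives a
    fixed statement and a separate integer; the user never supplies SQL text."""
    try:
        tid = int(id_param, 10)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, name, path FROM torrents WHERE id = ?", (tid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for param in ("1", "1 OR 1=1", "0 UNION SELECT id, username, passhash FROM users"):
        print("vulnerable", repr(param), "->", download_vulnerable(db, param))
        try:
            print("safe      ", repr(param), "->", download_safe(db, param))
        except ValueError as exc:
            print("safe      ", repr(param), "->", exc)
```

Binding alone would already stop the injection; the explicit int() check is kept so that a malformed id is rejected at the edge with a clear error instead of reaching the database at all.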

VICE

VICE 1.6, 1.13, 1.14

A format string vulnerability exists in the handling of the monitor 'memory dump' command, which could let a malicious user cause a Denial of Service or execute arbitrary code.

Upgrade available at:

ftp://ftp.funet.fi/pub/cbm/crossplatform/emulators/VICE/vice-1.15.tar.gz

Currently we are not aware of any exploits for this vulnerability.

VICE Monitor Memory Dump Format String

CVE Name:
CAN-2004-0453

High

VICE Security Advisory, VSA-2004-1, June 13, 2004

SecurityFocus, September 1, 2004

YaBBSE.org

YaBB SE 1.5.1

A vulnerability exists in 'sources/Admin.php,' which could let a remote malicious user obtain the installation path.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

YaBB SE 'Admin.php' Information Disclosure
Medium
ECHO_ADV_05$2004, September 4, 2004

 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script (Reverse Chronological Order) | Script name | Workaround or Patch Available | Script Description
September 3, 2004 | installer.htm | Yes | Proof of concept exploit for Microsoft Internet Explorer vulnerability that may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone.
September 3, 2004 | None | No | Proof of concept exploit has been published for the Nullsoft Winamp ActiveX Control remote buffer overflow vulnerability.
September 3, 2004 | None | No | Proof of concept exploit has been published for the Altnet remote buffer overflow vulnerability.
September 3, 2004 | SelenaTeamTrackLoginPagePOC.pl | Yes | Proof of concept exploit for the Serena TeamTrack remote authentication bypass vulnerability.
September 3, 2004 | xv_bmpslap.c | Yes | Proof of concept exploit for the xv buffer overflow and integer overflow vulnerabilities.
September 2, 2004 | 00047-8302004.txt | Yes | Proof of concept exploit for the Xedus version 1.0 denial of service, cross site scripting, and directory traversal vulnerabilities.
September 2, 2004 | courier_fstr.c | Yes | Script that exploits the Courier-IMAP Remote Format String vulnerability.
September 2, 2004 | galfakeimg.php | Yes | Proof of concept exploit for the Gallery vulnerability that may allow a remote attacker to execute malicious scripts on a vulnerable system.
September 2, 2004 | mandragore-aolim.c, aolInstantMessengerMessageBOExp2.c | Yes | Proof of concept exploits for the AOL Instant Messenger remote buffer overflow vulnerability.
September 2, 2004 | passprotect.txt | No | Proof of concept exploit for the Password Protect cross site scripting and SQL injection attack vulnerabilities.
September 2, 2004 | titanftp.c | Yes | Proof of concept exploit for the heap overflow in Titan FTP server versions 3.21 and below.
September 2, 2004 | wftpdDoS.c | Yes | Proof of concept exploit for the denial of service vulnerability in WFTPD Pro Server 3.21.
September 1, 2004 | Courier IMAP exploit script | Yes | Proof of concept exploit for the Courier-IMAP remote format string vulnerability in versions prior to 3.0.7.
September 1, 2004 | torrentTraderDownloadSQLPOC.php | Yes | Proof of Concept for the TorrentTrader 'id' SQL Injection vulnerability.
August 31, 2004 | dLinkNetCamIPAddressSetExploit.c | No | Proof of concept exploit for the D-Link Securicam Network DCS-900 Internet Camera remote configuration vulnerability. An attacker can trigger a denial of service condition.
August 30, 2004 | cesarftp_dos.c | No | Proof of Concept Denial of Service exploit script for the CesarFTP Buffer Overflow vulnerability.
August 30, 2004 | titan_hof.c | No | Proof of Concept exploit script that exploits the Titan FTP Server Remote Heap Overflow vulnerability.
August 30, 2004 | wftpd.c | No | Script that exploits the WFTPD Server Remote Denial of Service vulnerability.


Trends


  • No new trends to report.




Viruses/Trojans

New Viruses / Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank | Common Name | Type of Code | Trends | Date
1 | Netsky-P | Win32 Worm | Stable | March 2004
2 | Zafi-B | Win32 Worm | Stable | June 2004
3 | Netsky-Z | Win32 Worm | Increase | April 2004
4 | Mydoom.q | Win32 Worm | Increase | August 2004
5 | Netsky-B | Win32 Worm | Stable | February 2004
6 | Netsky-D | Win32 Worm | Decrease | March 2004
7 | Mydoom.m | Win32 Worm | Slight Decrease | July 2004
8 | Bagle-AA | Win32 Worm | Slight Decrease | April 2004
9 | Bagle.AI | Win32 Worm | Stable | July 2004
10 | MyDoom-O | Win32 Worm | Slight Decrease | July 2004
10 | Netsky-Q | Win32 Worm | Decrease | March 2004

 

Viruses or Trojans Considered to be a High Level of Threat


  • Bagle: New variants of the Bagle virus were bulk e-mailed to Internet users. The malware arrives in e-mail with the subject and body "foto" and an attachment called foto.zip that poses as a file containing photographs. This zip file contains an HTML file and an executable called foto1.exe. The executable is a dropper that, if activated, disables DLL files belonging to the update components of various anti-virus programs and opens backdoors.


The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.


NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name | Aliases | Type
Backdoor.Akak | | Trojan: Server
Backdoor.Alets | | Trojan
Backdoor.Balkart | | Trojan: HTTP proxy or FTP server
Bagle.AI | Bagle.AK; Bagle.AN; Bagle.AV; Download.Ject.C; Download.Ject.D; HTML_BAGLE.AI; JScript/IE.VM.Exploit; Troj/BagleDl-A; TrojanDropper.Win32.Small.kv; W32.Beagle.AQ@mm; W32/Bagle.AK.downloader; W32/Bagle.AK.dropper; W32/Bagle.AV.worm; W32/Bagle.dll.dr; W32/Mitglieder.AA; Win32.Bagle.AI; Win32.Bagle.AI!downloader; Win32.Glieder.H; Win32.Glieder.I; Win32/Bagle.Downloader.Trojan; WORM_BAGLE.AI; WORM_BAGLE.AL | Win32 Worm
Bagle.AJ | Bagle.AO; I-Worm.Bagle.ao; W32/Bagle.AO; Win32.Bagle.AJ; W32/Bagle.at@MM; Win32/Bagle.AJ.Worm | Win32 Worm
Bagle.AT | W32/Bagle-AT; W32/Bagle.at@MM; I-Worm.Bagle.an | Win32 Worm
Bagle.AW | W32/Bagle.AW.worm | Win32 Worm
Bagle.AY | W32/Bagle.AY.worm | Win32 Worm
Bugbear.L | I-Worm.Tanatos.k; W32/Bugbear.L; W32/Bugbear.L@mm | Win32 Worm
Del-457 | | Trojan: Adware Downloader
Glieder.H | Trojan.Win32.Glieder.h; TrojanDownloader.Win32.Agent.cj; TrojanDropper.Win32.Small.kv; W32/Agent.BJ@dl; W32/Bagle.dll.dr; W32/Bagle.dll.gen; W32/Glieder.H; Win32.Glieder.F; Win32/Glieder.F.Trojan; Win32/SMProxy.Trojan; Win32/TrojanDownloader.Agent.CJ.gen | Trojan
Mywife.D | W32/Mywife.D.worm | Win32 Worm
Neededware | Adware/Neededware | Trojan: Adware Downloader
PWSteal.Tarno.I | Troj/Tofger-BG | Trojan: Password Stealer
Troj/BagleDl-A | W32/Bagle.dll.dr; Glieder.H; Glieder.I; Download.Ject.C | Trojan
Trojan.Hiva | | Trojan
Trojan.Yipid | | Trojan
W32.Bugbear.M@mm | | Win32 Worm
W32.IRCBot.F | | Trojan
W32/Britney-B | TROJ_BRITY.A; W32.Britney | Win32 Worm
W32/Bugbear.i@MM | | Win32 Worm
W32/Forbot-C | Backdoor.Win32.Wootbot.c; W32/Sdbot.worm.gen.h | Win32 Worm
W32/Forbot-M | Backdoor.Win32.Agobot.vf | Win32 Worm
W32/MyWife.c@MM | Blackmal.C; Blackworm.C; I-Worm.Nixen.c; I-Worm.Nyxem.d; Mywife.C; Nyxem.D; W32.Blackmal.C@mm; W32/Mywife.C.worm; W32/Mywife.c@mm; Win32.Blackmal.C; Win32/Blackmal.C.Worm; WORM_BLUEWORM.C | Win32 Worm
W32/Neveg-C | W32/Neveg.c@MM | Win32 Worm
W32/Nyxem-C | W32/MyWife.c@MM; I-Worm.Nyxem.d | Win32 Worm
W32/Rbot-FL | Sdbot.worm.gen.x; Backdoor.Rbot.gen | Win32 Worm
W32/Rbot-HQ | | Win32 Worm
W32/Rbot-HR | | Win32 Worm
W32/Rbot-HT | Backdoor.Rbot.gen; W32/Sdbot.worm.gen.h | Win32 Worm
W32/Rbot-HU | Backdoor.Win32.Rbot.bh; W32/Sdbot.worm.gen.h | Win32 Worm
W32/Rbot-IA | Trojan.Win32.Pakes | Win32 Worm
W32/Rbot-IE | Backdoor.Rbot.gen; W32/Sdbot.worm.gen.j; WORM_RBOT_JP | Win32 Worm
W32/Rbot-IH | Backdoor.Rbot.gen | Win32 Worm
W32/Rbot-IP | | Win32 Worm
W32/Rbot-KO | | Win32 Worm
W32/Rbot-MG | Backdoor.Rbot.gen | Win32 Worm
W32/Sdbot.worm!ftp | | Win32 Worm
W97M.Sun.B | | MS Word Macro Virus
Win32.Harbag.B | W32.Beagle.gen; Win32/Mitglieder.Trojan | Win32 Worm: E-mail Harvester
Win32.Paps.C | W32/Paps | Win32 Worm
Win32.Sced.C | Downloader-MB; TrojanDownloader.Win32.Small.rk; Win32/Sced.A.Trojan | Win32 Worm
Win32.Secdrop.D | Win32/ChangeSecure.Trojan | Trojan: Lowers Security Settings
WORM_MYDOOM.T | I-Worm.Mydoom.r; I-Worm.Mydoom.ren; Mydoom.T; W32.Mydoom.R@mm; W32/Mydoom.S@mm; W32/Mydoom.t.dll; W32/Mydoom.T.worm; W32/Mydoom.T@MM; Win32.Mydoom.T; Win32/Mydoom.T.Worm; Win32/Mydoom.U | Win32 Worm
WUpd | Adware/WUpd; TrojanDownloader.Win32.Agent.bf | Trojan: Adware Downloader
