
Note: This page is part of the us-cert.gov (US-CERT website) archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-301)

Summary of Security Items from October 20 through October 26

Original release date: October 27, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Abyss

Abyss Web Server X1

An input validation vulnerability exists, which could allow a remote malicious user to crash the target service. It is reported that a remote user can submit an HTTP request for a URL containing a MS-DOS device name (e.g., CON, PRN, AUX) in the 'cgi-bin' directory to cause the web service to crash.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Abyss Web Server MS-DOS Device Names Processing
Low
SecurityTracker Alert ID, 1011812, October 20, 2004

Akella

Age of Sail II 1.04.151 and prior versions

A buffer overflow vulnerability may permit a remote malicious user to execute arbitrary code on the target system. A remote user can join a game server and supply a specially crafted nickname to trigger a buffer overflow.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Akella Age of Sail II Buffer Overflow
High
Secunia Advisory ID, SA12905, October 21, 2004

Altiris

Altiris Carbon Copy Solution 6.0.5257

A vulnerability exists which can be exploited by local malicious users to gain escalated privileges. The vulnerability is caused due to the "CCW32.exe" process invoking the help functionality with SYSTEM privileges. Certain prior versions reportedly also ran the Carbon Copy Scheduler with SYSTEM privileges.

No workaround or patch available at time of publishing.

There is no exploit required.

Altiris Carbon Copy Solution Privilege Escalation
Medium
SecurityFocus, Bugtraq ID 11500, October 22, 2004

Altiris

Altiris Deployment Server 5.x, 6.x; 6.1sp1 and prior versions

An authentication vulnerability was reported in the Altiris Deployment Server which could allow a remote malicious user to obtain full control of all target clients. The 'AClient.exe' client process does not authenticate the Deployment Server when connecting.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Altiris Deployment Server Client Authentication Hole
High
SecurityTracker Alert ID, 1011862, October 21, 2004

Best Software

SalesLogix 6

Multiple vulnerabilities were reported in which a remote malicious user can gain administrative access on the application. A remote malicious user can inject SQL commands, determine the installation path, determine passwords, and upload arbitrary files.

The vendor has issued a fix, available at: http://support.saleslogix.com/

A Proof of Concept exploit script has been published.

Best Software SalesLogix Multiple Vulnerabilities

Medium/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1011769, October 18, 2004

SecurityFocus, October 18, 2004

Code-Crafters

Ability (Mail and FTP) Server 2.3.4

A buffer overflow vulnerability was reported in the Ability Server in the FTP service which could allow a remote authenticated malicious user to execute arbitrary code on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Code-Crafters Ability Server Buffer Overflow
High

Secunia Advisory ID, SA12941, October 25, 2004

SecurityFocus, Bugtraq ID 11508, October 22, 2004

Distinct Web Creations

Dwc_Articles 1.6 and prior versions

A vulnerability was reported in Dwc_Articles in which a remote malicious user can inject SQL commands. Nearly all of the scripts do not properly validate user-supplied input.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Dwc_Articles Input Validation
Medium
SecurityTracker Alert ID, 1011909, October 23, 2004

ElektroPost Stockholm AB

EPiServer

A vulnerability was reported in EPiServer in which a remote malicious user may be able to view files on the target system, obtain sensitive information, and cause Denial of Service conditions.

The vendor has reportedly issued a fix for the sensitive information issue in version 4.20. There is no solution for the other vulnerabilities at this time.

A Proof of Concept exploit has been published.

ElektroPost EPiServer Input Validation Errors

Low/Medium

(Medium if sensitive information can be obtained)

SecurityTracker Alert ID, 1011913, October 25, 2004

FIL Security Laboratory

Twister Anti-TrojanVirus 5.5

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Twister Anti-Trojan Virus MS DOS Device Names Scan File Failure
High
SecurityTracker Alert ID, 1011843, October 21, 2004

H+BEDV

AntiVir DOS 6.28.00.03, AntiVir Windows Server NT/2000/2003 6.28.01.03, AntiVir Windows Workstation 6.28.00.01

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

H+BEDV AntiVir Fails to Scan Files Named With MS DOS Device Names
High
SecurityTracker Alert ID, 1011842, October 21, 2004

Hummingbird

Hummingbird Connectivity 7.1 and 9.0

Two vulnerabilities have been reported which can be exploited to gain escalated privileges or cause a Denial of Service. The Inetd32 administration tool makes it possible for malicious local users to configure services, including changing the executables that are run when a connection is received. A boundary error in the FTP service when handling "XCWD" FTP commands can be exploited by malicious users to crash the service by passing an overly long directory name.

The vendor has issued patches: http://connectivity.hummingbird.com/support/nc/request.html

We are not aware of any exploits for this vulnerability.

Hummingbird Connectivity Vulnerabilities
Medium
NISCC Vulnerability Advisory 841713/Hummingbird, October 26, 2004

LANDesk Software

LANDesk 8

A vulnerability exists that could allow a remote malicious user to connect to the remote desktop port (port 3389) on a target system that is being managed by LANDesk to cause the target system to crash and reboot.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

LANDesk Error Permits Remote Users to Cause a Denial of Service
Low
SecurityTracker Alert ID: 1011787, October 19, 2004

Mavel d.o.o. Software Company

ShixxNote 6.net

A buffer overflow vulnerability exists that could permit a remote malicious user to execute arbitrary code on the target system. It is reported that a remote user can supply a specially crafted value for the field that specifies the font.

No workaround or patch available at time of publishing.

An exploit script has been published.

Mavel ShixxNote 6.net Buffer Overflow in Font Field
High

SecurityTracker Alert ID, 1011672, October 14, 2004

PacketStorm, October 23, 2004

Microsoft

Internet Explorer 6

Two vulnerabilities exist in Internet Explorer, which can be exploited by malicious users to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2. The two vulnerabilities, in combination with actions in the ActiveX Data Object (ADO) model that can write arbitrary files, can be exploited to compromise a user's system.

Microsoft advises customers who have applied the latest Internet Explorer update, MS04-038, to set the "Drag and Drop or copy and paste files" option in the Internet and Intranet zone to "Disable" or "Prompt." No patch is currently available.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer Two Vulnerabilities

CVE Names:
CAN-2004-0979
CAN-2004-0727

High

Secunia Advisory ID: SA12889, October 20, 2004

US-CERT Vulnerability Note #630720, October 22, 2004

US-CERT Vulnerability Note #207264, October 19, 2004

Microsoft

Outlook

A vulnerability was reported in Microsoft Outlook. The e-mail client may display images even when configured to view messages in plain text.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Outlook May Display Images in Plaintext Only Mode
Low
SecurityTracker Alert ID, 1011890, October 22, 2004

Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Server, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Exchange 2000 Server, Exchange Server 2003

A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) component of the affected operating systems, which could let a remote malicious user execute arbitrary code. This vulnerability could potentially affect systems that do not use NNTP.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx

We are not aware of any exploits for this vulnerability.

Microsoft NNTP Remote Code Execution

CVE Name: CAN-2004-0574

High

Microsoft Security Bulletin MS04-036, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#203126, October 22, 2004

Microsoft

Windows XP Explorer SP1

A vulnerability was reported in Microsoft Windows XP Explorer in the processing of WAV files. A remote malicious user can create a WAV file that, when loaded by the target user, will consume all available CPU resources on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Windows XP Error in Explorer in Processing WAV Files
Low
SecurityFocus, Bugtraq ID 11503, October 22, 2004

Microsoft

Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Internet Information Services 5.0, Internet Information Services 5.1, Internet Information Services 6.0;

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0,
S3400 Message Application Server,
S8100 Media Servers

A Denial of Service vulnerability exists that could allow a malicious user to send a specially crafted WebDAV request to a server that is running IIS and WebDAV. A malicious user could cause WebDAV to consume all available memory and CPU time on an affected server. The IIS service would have to be restarted to restore functionality.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-030.mspx

An exploit script has been published.


Microsoft WebDav XML Message Handler Denial of Service

CVE Name:
CAN-2004-0718

Low

Microsoft Security Bulletin MS04-030, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

SecurityFocus, October 20, 2004

Microsoft

Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Exchange Server 2003;

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0,
S3400 Message Application Server,
S8100 Media Servers

A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. A malicious user could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-035.mspx

We are not aware of any exploits for this vulnerability.

Microsoft SMTP Remote Code Execution

CVE Name:
CAN-2004-0840

High

Microsoft Security Bulletin MS04-035, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#394792, October 15, 2004

SecurityFocus, October 20, 2004

Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows ME

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, 2.0, Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Multiple vulnerabilities are corrected with Microsoft Security Update MS04-032. These vulnerabilities include: Window Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, Windows Kernel Vulnerability. These vulnerabilities could permit elevation of privilege, remote code execution, and Denial of Service.

A vulnerability exists in the Windows SetWindowLong and SetWindowLongPtr API function calls. In some cases this can be exploited to gain execution control.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx

Avaya: Customers are advised to follow Microsoft's guidance for applying patches. The advisory is located at the following location:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

An exploit script has been published.


Microsoft Windows Security Update

CVE Name:
CAN-2004-0207

CAN-2004-0208
CAN-2004-0209
CAN-2004-0211

High

Microsoft Security Bulletin MS04-032, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Notes, VU#910998, VU#218526, VU#806278, October 13, 2004, VU#119262, October 15, 2004

SecurityFocus Bugtraq ID: 11369, October 18, 2004

SecurityFocus Bugtraq ID: 11365, October 18, 2004


Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Server, Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows Server 2003 Datacenter Edition, Windows 98, Windows 98 SE, Windows ME

A Shell vulnerability and a Program Group vulnerability exist in Microsoft Windows. These vulnerabilities could allow remote code execution.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-037.mspx

Bulletin updated to reduce the scope of a documented workaround to only support Windows XP, Windows XP Service Pack 1, and Windows Server 2003.

We are not aware of any exploits for these vulnerabilities.

Microsoft Windows Shell Remote Code Execution

CVE Names:
CAN-2004-0214

CAN-2004-0572

High

Microsoft Security Bulletin MS04-037 v1.1, October 25, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#543864, October 15, 2004

Microsoft

Windows XP Home Edition, XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition

Avaya DefinityOne Media Servers; IP600 Media Servers; Modular Messaging (MSS) 1.1, 2.0; S3400 Message Application Server; S8100 Media Servers

A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. A malicious user could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious web site.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-034.mspx

We are not aware of any exploits for this vulnerability.

Avaya customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Microsoft Compressed (zipped) Folders Remote Code Execution

CVE Name:
CAN-2004-0575

High

Microsoft Security Bulletin MS04-034, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#649374, October 14, 2004

SecurityFocus, Bugtraq ID 11382, October 18, 2004

Mozilla.org

Mozilla Firefox

When attempting to render a large binary file as HTML, the browser will consume all available memory on the target system and hang. Files larger than 5 MB will trigger the flaw. A remote user can cause a Denial of Service.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Mozilla Firefox Browser Denial of Service
Low
SecurityTracker Alert ID, 1011917, October 25, 2004

Multiple Browser Vendors

Maxthon (MyIE2) 1.1.039

Avant Browser 9.02 build 101 and 10.0 build 029

stilesoft Netcaptor 7.5.2

Flashpeak Slim Browser 4.x

Two vulnerabilities exist which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes. Inactive tabs can launch dialog boxes so they appear to be displayed by a web site in another tab and inactive tabs can gain focus from form fields on web sites in another tab. Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new tab.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Multiple Vendors Tabbed Browsing Vulnerabilities
Medium

Secunia Advisory ID: SA12731, October 20, 2004

Secunia Advisory ID: SA12717, October 20, 2004

Secunia Advisory ID: SA12966, October 25, 2004

Secunia Advisory ID: SA12983, October 26, 2004

Multiple Vendors

Altnet ADM;
Grokster Grokster 1.3, 1.3.3, 2.6; KaZaA KaZaA Media Desktop 1.3-1.3.2, 1.6.1, 2.0, 2.0.2, 2.6.4

A buffer overflow vulnerability exists in Altnet Download Manager in the 'IsValidFile()' method, which could let a remote malicious user execute arbitrary code.

Upgrade available at: http://www.altnet.com/install/upgrade.asp

A Proof of Concept exploit has been published.

Altnet ADM ActiveX Control Remote Buffer Overflow
High

SecurityFocus, September 3, 2004

SecurityFocus, October 22, 2004

Nortel

Nortel Contivity Multi-OS VPN Client 4.91

A vulnerability exists in Nortel Contivity VPN Client, potentially allowing malicious users to open a VPN tunnel to the client. When the Contivity VPN Client establishes a connection to a gateway, the gateway certificate isn't checked before the user answers a dialog box. While the dialog box is displayed to the user, the VPN tunnel remains open allowing the gateway network access to the client system.

There is no solution at this time. Reportedly, this will be fixed in version 5.1.

We are not aware of any exploits for this vulnerability.

Nortel Contivity VPN Client Open Tunnel Certificate Verification Issue
Medium
Secunia Advisory ID, SA12881, October 20, 2004

Novell

Novell ZENworks for Desktops 4.0.1

A vulnerability has been reported in Novell ZENworks for Desktops, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to the Remote Management Agent invoking the ZENworks Remote Control Help functionality with SYSTEM privileges. This can be exploited to execute arbitrary programs with escalated privileges.

The vulnerability has been fixed in version 4 SP1b/4.0.1 Interim Release 5: http://support.novell.com/servlet/filedownload/sec/pub/zfd401_ir5.exe

We are not aware of any exploits for this vulnerability.

Novell ZENworks for Desktops Privilege Escalation
High
Novell Technical Information Documents TID10095153, October 25, 2004 and TID2969662, October 26, 2004

Proland Software

Protector Plus

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Proland Protector Plus MS-DOS Device Name Scan Failure
High
SecurityTracker Alert ID, 1011844, October 21, 2004

Vypress

Vypress Tonecast version 1.3 and prior

A vulnerability exists due to the software not properly processing malformed media streams. A remote malicious user can send specially crafted data to a target system or to all systems on a subnet to cause the application to crash.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vypress Tonecast Denial of Service
Low
SecurityTracker Alert ID, 1011784, October 19, 2004

XPA Systems

pGina 1.7.6

A configuration vulnerability in pGina could permit a remote malicious user to cause Denial of Service conditions. When the administrator does not disable the "Restart" or "Shutdown" options from the login screen, then a remote user connecting via Remote Desktop can cause the system to reboot or shutdown.

Solution: The administrator should disable the shutdown and restart options via the pGina configuration utility.

A Proof of Concept exploit has been published.

XPA Systems pGina Default Configuration Remote Denial of Service
Low
SecurityTracker Alert ID, 1011896, October 22, 2004


UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Aladdin Enterprises

Ghostscript 4.3, 4.3.2, 5.10 cl, 5.10.10-1 mdk, 5.10.10-1, 5.10.10 mdk, 5.10.10, 5.10.12 cl, 5.10.15, 5.10.16, 5.50, 5.50.8_7, 5.50.8, 6.51, 6.52, 6.53, 7.04-7.07

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-18.xml

There is no exploit code required.

GhostScript Insecure Temporary File Creation

CVE Name:
CAN-2004-0967

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-18, October 20, 2004

Apache Software Foundation

Apache 2.0.35-2.0.52

A vulnerability exists when the 'SSLCipherSuite' directive is used in a directory or location context to require a restricted set of cipher suites, which could let a remote malicious user bypass security policies and obtain sensitive information.

OpenPKG: ftp://ftp.openpkg.org/release/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-21.xml

Slackware: ftp://ftp.slackware.com/pub/slackware/

There is no exploit code required.

Apache mod_ssl SSLCipherSuite Access Validation

CVE Name:
CAN-2004-0885

Medium

OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-21, October 22, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7-dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High
SecurityFocus, October 20, 2004

Apple

Safari 1.2.3

A cross-domain vulnerability exists when multiple windows are open, which could let a remote malicious user spoof web page functions.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Apple Safari Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12892, October 20, 2004

Concurrent Versions System (CVS) 1.11

A vulnerability exists in Concurrent Versions System (CVS) which a malicious user can exploit to determine the existence and permissions of arbitrary files and directories. The problem is caused by an undocumented switch to the "history" command implemented in "src/history.c". Using the "-X" switch and supplying an arbitrary filename, CVS will try to access the specified file and return various information depending on whether the file exists and can be accessed.

Upgrade to version 1.11.17 or 1.12.9 available at:
https://www.cvshome.org/

FreeBSD: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

A Proof of Concept exploit has been published.

CVS Undocumented Flag Information Disclosure

CVE Name:
CAN-2004-0778

Low

iDEFENSE Security Advisory 08.16.04

FreeBSD Security Advisory, FreeBSD-SA-04:14, September 20, 2004

Fedora Legacy Update Advisory, FLSA:1735, October 7, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004, October 20, 2004

cPanel, Inc.

cPanel 9.4.1-RELEASE-64; 9.9.1-RELEASE-3

Several vulnerabilities exist: a vulnerability exists in the backup feature, which could let a remote authenticated malicious user obtain sensitive information; a vulnerability exists when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change ownership of critical files; and a vulnerability exists in the '_private' directory when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change permissions on any file on the target system to 0755.

The vendor has released fixes dealing with this issue. Users are advised to update to the latest Edge or Current version of cPanel. This update can be uploaded from WHM under 'Update to Latest Version' if the update preferences are set to 'Edge' or 'Current'.

Proofs of Concept exploits have been published.

cPanel Backup & FrontPage Management Remote Arbitrary File Modifications

Medium/High

(High if root access can be obtained)

SecurityTracker Alert ID, 1011762, October 18, 2004

SecurityFocus, October 20, 2004

cPanel, Inc.

cPanel 9.4.1-STABLE 65

A vulnerability exists in the webmail feature due to insufficient validation of all password characters, which could let a remote malicious user brute force webmail account passwords.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

cPanel Truncated Password Brute Force
Medium
Secunia Advisory, SA12943, October 22, 2004

dadaIMC

dadaimc 0.95-0.98.2

A vulnerability exists due to insufficient sanitization of user-supplied input before including in dynamically generated web page content, which could let a remote malicious user execute arbitrary HTML code.

No workaround or patch available at time of publishing.

There is no exploit code required.

dadaIMC HTML Injection
High

SecurityFocus, October 18, 2004

Debian

telnetd 0.17-25, 0.17-18

A vulnerability exists due to a failure to ensure that memory buffers are properly allocated and deallocated, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/n/netkit-telnet/

Debian: http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl

We are not aware of any exploits for this vulnerability.

Debian GNU/Linux Telnetd Invalid Memory Handling

CVE Name:
CAN-2004-0911

Low/High

(High if arbitrary code can be executed)

Debian Security Advisory, DSA 556-1, October 3, 2004

Debian Security Advisory DSA 569-1, October 18, 2004

Gaim

  Gentoo

Multiple vulnerabilities were reported in Gaim in the processing of the MSN protocol. A remote user may be able to execute arbitrary code on the target system. Several remotely exploitable buffer overflows were reported in the MSN protocol parsing functions.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml

SuSE: http://www.suse.de/de/security/2004_25_gaim.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Rob Flynn:
http://sourceforge.net/project/showfiles.php?group_id=235&package_id=253&release_id=263425

Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-0.82-i486-1.tgz

Fedora Legacy: http://download.fedoralegacy.org/redhat/

We are not aware of any exploits for this vulnerability.

Gaim Buffer Overflows in Processing MSN Protocol

CVE Name:
CAN-2004-0500

High

SecurityTracker, 1010872, August 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:081, August 13, 2004

Slackware Security Advisory, SSA:2004-239-01, August 26, 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Gerhard Rieger

socat 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.0.2, 1.4.0.1, 1.4.0.0

A format string vulnerability exists in the 'void _msg()' function in 'error.c' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.

Socat:
http://www.dest-unreach.org/socat/download/socat-1.4.0.3.tar.gz

Gentoo: http://security.gentoo.org/glsa/glsa-200410-26.xml

An exploit script has been published.

Gerhard Rieger Socat Remote Format String
High

socat Security Advisory 1, October 22, 2004

Gentoo Linux Security Advisory, GLSA 200410-26, October 25, 2004

GNU

glibc 2.0-2.0.6, 2.1, 2.1.1-6, 2.1.1, 2.1.2, 2.1.3-10, 2.1.3, 2.1.9 & greater, 2.2-2.2.5, 2.3-2.3.4, 2.3.10

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-19.xml

There is no exploit code required.

GNU GLibC Insecure Temporary File Creation

CVE Name:
CAN-2004-0968

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-19, October 21, 2004

Heiko Stamer

OpenSkat 1.1-1.9

Several security issues related to the non-interactive zero knowledge protocols exist. The impact was not specified.

Upgrades available at:
http://freshmeat.net/redir/openskat/36295/url_tgz/openSkat-2.0.tar.gz

We are not aware of any exploits for this vulnerability.

Heiko Stamer openSkat Game Unspecified Security Issues
Not Specified
SecurityTracker Alert ID, 1011805, October 20, 2004

Hewlett Packard Company

Cluster Object Manager B.03.00.01, B.03.00.00, B.02.02.02, B.02.02.00, B.02.01.02, B.01.04, A.01.03, Serviceguard A.11.16.00, A.11.15.00, A.11.14, A.11.13, Serviceguard for Linux A.11.15.04, A.11.14.04

A vulnerability exists which could let a remote malicious user obtain root privileges.

Patches available at: http://itrc.hp.com

We are not aware of any exploits for this vulnerability.

HP ServiceGuard & Cluster Object Manager Remote Root Access
High
HP Security Bulletin, HPSBUX01080, October 22, 2004

Hewlett Packard Company

HP-UX B.11.23, B.11.22, B.11.11, B.11.00

A vulnerability exists in 'stmkfont' due to the way paths to external executables are handled, which could let a malicious user execute arbitrary code.

Patches available at: http://itrc.hp.com/

There is no exploit code required.


HP-UX 'STMKFONT' External Executables

CVE Name:
CAN-2004-0965

High
HP Security Bulletin, HPSBUX01088, October 20, 2004

Hewlett Packard Company

Tru64 4.0G PK4, 4.0F PK8, 5.1B-2 PK4 (BL25), 5.1B-1 PK3 (BL24), 5.1A PK6

A file permissions and a buffer overflow vulnerability exists in the X Window System, which could let a malicious user obtain elevated privileges.

Patches available at:
http://www.itrc.hp.com/service/patch/

We are not aware of any exploits for this vulnerability.

HP Tru64 X Window System Elevated Privileges

Medium
HP Security Bulletin, HPSBTU01084, October 18, 2004

KDE.org

Konqueror 3.2.2-6

A cross-domain dialog vulnerability exists because inactive tabs can launch dialog boxes so they appear to be displayed by a web site in another tab, which could let a remote malicious user spoof an interface of a trusted web site.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Konqueror Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12706, October 20, 2004

libtiff.org

LibTIFF 3.6.1

Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

SuSE: ftp://ftp.suse.com/pub/suse/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-577.html

Proofs of Concept exploits have been published.

LibTIFF Buffer Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be executed)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification, FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

mpg123.de

mpg123 pre0.59s, 0.59r

A buffer overflow vulnerability exists in the 'getauthfromURL()' function due to a boundary error, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

MPG123 Remote URL Open Buffer Overflow
High
Securiteam, October 21, 2004

Multiple Vendors

FileZilla Server 0.7, 0.7.1; OpenBSD -current, 3.5;
OpenPKG Current, 2.0, 2.1;
zlib 1.2.1

A remote Denial of Service vulnerability exists during the decompression process due to a failure to handle malformed input.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-26.xml

FileZilla: http://sourceforge.net/project/showfiles.php?group_id=21558

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch

OpenPKG: ftp://ftp.openpkg.org/

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

SuSE: ftp://ftp.suse.com/pub/suse/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Conectiva: ftp://atualizacoes.conectiva.com.br/

SCO: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.17

We are not aware of any exploits for this vulnerability.

Zlib Compression Library Remote Denial of Service

CVE Name:
CAN-2004-0797

Low

SecurityFocus, August 25, 2004

SUSE Security Announcement, SUSE-SA:2004:029, September 2, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:090, September 8, 2004

Conectiva Linux Security Announcement, CLA-2004:865, September 13, 2004

US-CERT Vulnerability Note VU#238678, October 1, 2004

SCO Security Advisory, SCOSA-2004.17, October 19, 2004

Multiple Vendors

Gaim version 0.75 & prior

Multiple buffer overflow vulnerabilities exist due to boundary errors in the YMSG protocol handler, the oscar protocol handler, various utility functions, and the HTTP proxy connection handling, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81.tar.bz2?download

Debian:
http://security.debian.org/pool/updates/main/g/gaim/

Mandrake: http://www.mandrakesecure.net/en/advisories/

RedHat: ftp://updates.redhat.com/

Slackware: ftp://ftp.slackware.com/pub/slackware/

SuSE: ftp://ftp.suse.com/pub/suse/i386/update/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

SGI:
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

Fedora Legacy: http://download.fedoralegacy.org/redhat/

We are not aware of any exploits for this vulnerability.

Gaim Remote Buffer Overflows

CVE Names:
CAN-2004-0005
CAN-2004-0006
CAN-2004-0007
CAN-2004-0008

High

Red Hat Security Advisory, RHSA-2004:032-01, January 26, 2004

Slackware Security Advisory, SSA:2004-026-01, January 27, 2004

SuSE Security Announcement, SuSE-SA:2004:004, January 29, 2004

Mandrake Linux Security Update Advisory, MDKSA-2004:006-1, January 30, 2004

Debian Security Advisory, DSA 434-1, February 5, 2004

Conectiva Linux Security Announcement, CLA-2004:813, February 10, 2004

SGI Security Advisory, 20040201-01-U, February 11, 2004

Fedora Update Notification, FEDORA-2004-070, February 16, 2004

US-CERT Vulnerability Notes, VU#197142, VU#779614, VU#444158, VU#871838, VU#527142, VU#297198, VU#371382, VU#503030, VU#190366, VU#226974, VU#655974, VU#404470, May 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Multiple Vendors

Apple Mac OS X 10.2-10.2.8, 10.3-10.3.5, OS X Server 10.2-10.2.8, 10.3-10.3.5; Easy Software Products CUPS 1.0.4-8, 1.0.4, 1.1.1, 1.1.4-5, 1.1.4-3, 1.1.4-2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.21

A vulnerability exists in 'error_log' when certain methods of remote printing are carried out by an authenticated malicious user, which could disclose user passwords.

Update available at: http://www.cups.org/software.php

Apple:
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04829&platform=osx&method=sa/SecUpd2004-09-30Jag.dmg

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04830&platform=osx&method=sa/SecUpd2004-09-30Pan.dmg

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-06.xml

Debian: http://security.debian.org/pool/updates/main/c/cupsys/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

RedHat: http://rhn.redhat.com/errata/RHSA-2004-543.html

There is no exploit code required.

CUPS Error_Log Password Disclosure

CVE Name:
CAN-2004-0923

Medium

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Fedora Update Notification, FEDORA-2004-331, October 5, 2004

Gentoo Linux Security Advisory, GLSA 200410-06, October 9, 2004

Debian Security Advisory, DSA 566-1, October 14, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:116, October 21, 2004

RedHat Security Advisory, RHSA-2004:543-15, October 22, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Ecartis Ecartis 0.129 a, 1.0 .0 snapshot 20030417, 20030416, 20030404, 20030318, 20030312, 20030309, 20030303, 20030227, 20021013, 20020514, 20020427, 20020125, 20020121

A vulnerability exists in 'src/modules/lsg2/lsg2-main.c,' which could let a remote malicious user obtain administrator privileges and modify list settings.

Debian: http://security.debian.org/pool/updates/main/e/ecartis/

We are not aware of any exploits for this vulnerability.

Ecartis Remote Administrator Privileges

CVE Name:
CAN-2004-0913

High
Debian Security Advisory, DSA 572-1, October 21, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Easy Software Products CUPS 1.0.4-8, 1.0.4, 1.1.1, 1.1.4-5, 1.1.4-3, 1.1.4-2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.20;
Gentoo Linux;
GNOME GPdf 0.112;
KDE KDE 3.2-3.2.3, 3.3, 3.3.1, kpdf 3.2;
RedHat Fedora Core2;
Ubuntu ubuntu 4.1, ppc, ia64, ia32; Xpdf Xpdf 0.90-0.93, 1.0.1, 1.00a, 1.0, 2.03, 2.01, 2.0, 3.0

Several integer overflow vulnerabilities exist in 'pdftops/Catalog.cc' and 'pdftops/XRef.cc,' which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/c/cupsys/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-20.xml

KDE:
ftp://ftp.kde.org/pub/kde/security_patches/post-3.3.1-kdegraphics.diff

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/

We are not aware of any exploits for this vulnerability.


Xpdf PDFTOPS Multiple Integer Overflows

CVE Names:
CAN-2004-0888
CAN-2004-0889

High
SecurityTracker Alert ID, 1011865, October 21, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; libpng libpng 1.0, 1.0.5-1.0.17, libpng3 1.2.0-1.2.6; SuSE Linux 9.; Ubuntu ubuntu 4.1 ppc, 4.1 ia64, 4.1 ia32

A buffer overflow vulnerability exists in the processing of images with excessive height, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/libp/libpng/

SuSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/

We are not aware of any exploits for this vulnerability.

LibPNG Graphics Library Image Height Buffer Overflow

CVE Name:
CAN-2004-0955

High

Debian Security Advisories, DSA 570-1 & 571-1, October 20, 2004

SuSE Security Announcement, SUSE-SA:2004:037, October 20, 2004

Ubuntu Security Notice 1-1, October 22, 2004

Multiple Vendors

Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1;
ImageMagick ImageMagick 5.4.3, 5.4.4.5, 5.4.8.2-1.1.0, 5.5.3.2-1.2.0, 5.5.6.0-2003040, 5.5.7, 6.0.2;
Imlib Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Imlib: http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/

ImageMagick: http://www.imagemagick.org/www/download.html

Gentoo: http://security.gentoo.org/glsa/glsa-200409-12.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Debian: http://security.debian.org/pool/updates/main/i/imagemagick/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-465.html

SuSE: ftp://ftp.suse.com/pub/suse/

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57648-1&searchclause=

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57645-1&searchclause=

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-480.html

We are not aware of any exploits for this vulnerability.

IMLib/IMLib2 Multiple BMP Image Decoding Buffer Overflows


CVE Names:
CAN-2004-0817
CAN-2004-0802

Low/High

(High if arbitrary code can be executed)

SecurityFocus, September 1, 2004

Gentoo Linux Security Advisory, GLSA 200409-12, September 8, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:089, September 8, 2004

Fedora Update Notifications, FEDORA-2004-300 & 301, September 9, 2004

Turbolinux Security Advisory, TLSA-2004-27, September 15, 2004

RedHat Security Advisory, RHSA-2004:465-08, September 15, 2004

Debian Security Advisories, DSA 547-1 & 548-1, September 16, 2004

Conectiva Linux Security Announcement, CLA-2004:870, September 28, 2004

Sun(sm) Alert Notifications, 57645 & 57648, September 20, 2004

Turbolinux Security Announcement, October 5, 2004

RedHat Security Update, RHSA-2004:480-05, October 20, 2004

Multiple Vendors

FreeBSD 4.8-4.10, 5.1, 5.2, 5.2.1-RELEASE;
Thomas Graf bmon 1.2.1

A vulnerability exists in bmon, which could let a malicious user execute arbitrary code.

FreeBSD has updated their port system to remove the setuid bit from the bmon package. Users of affected packages should upgrade to version 1.2.1_2 or greater of the port.

A Proof of Concept exploit script has been published.

BMON Arbitrary Code Execution

High
Securiteam October 17, 2004

Multiple Vendors

Gentoo Linux 1.4;
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, 2.1 IA64, 2.1, AS 3, AS 2.1 IA64, AS 2.1;
Trolltech Qt 3.0, 3.0.5, 3.1, 3.1.1, 3.1.2, 3.2.1, 3.2.3, 3.3.0, 3.3.1, 3.3.2; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'read_dib()' function when handling 8-bit RLE encoded BMP files, which could let a malicious user execute arbitrary code; and buffer overflow vulnerabilities exist in the XPM, GIF, and JPEG image file handlers, which could let a remote malicious user execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/q/qt-copy/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-20.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/qt-3.1.2-i486-4.tgz

SuSE: ftp://ftp.suse.com/pub/suse/i386/update

Trolltech Upgrade: http://www.trolltech.com/download/index.html

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57637-1&searchclause=security

Conectiva: ftp://atualizacoes.conectiva.com.br/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-478.html
http://rhn.redhat.com/errata/RHSA-2004-479.html

SuSE: ftp://ftp.suse.com/pub/suse/

Avaya: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203389&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Proof of Concept exploit has been published.

QT Image File Buffer Overflows

CVE Names:
CAN-2004-0691
CAN-2004-0692

CAN-2004-0693

High

Secunia Advisory, SA12325, August 10, 2004

Sun Alert ID: 57637, September 3, 2004

Conectiva Linux Security Announcement, CLA-2004:866, September 22, 2004

RedHat Security Advisories, RHSA-2004:478-13 & RHSA-2004:479-05, October 4 & 6, 2004

SUSE Security Announcement, SUSE-SA:2004:035, October 5, 2004

SecurityFocus, October 18, 2004

Multiple Vendors

Gentoo Linux 1.4; Rob Flynn Gaim 0.10.x, 0.10.3, 0.50-0.75, 0.78, 0.82, 0.82.1, 1.0, 1.0.1; Slackware Linux -current, 9.0, 9.1, 10.0

A buffer overflow vulnerability exists in the processing of MSNSLP messages due to insufficient verification, which could let a remote malicious user execute arbitrary code.

Gentoo: http://security.gentoo.org/glsa/glsa-200410-23.xml

Rob Flynn:
http://prdownloads.sourceforge.net/gaim/gaim-1.0.2.tar.gz?download

RedHat: ftp://updates.redhat.com

Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/
patches/packages/gaim-1.0.2-i486-1.tgz

We are not aware of any exploits for this vulnerability.

Gaim MSNSLP Remote Buffer Overflow

CVE Name:
CAN-2004-0891

High

Gentoo Linux Security Advisory, GLSA 200410-23, October 25, 2004

RedHat Security Advisory, RHSA-2004:604-01, October 20, 2004

Slackware Security Advisory, SSA:2004-296-01, October 22, 2004

Multiple Vendors

GNU Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
GNOME gdk-pixbuf 0.22 & prior; GTK GTK+ 2.0.2, 2.0.6, 2.2.1, 2.2.3, 2.2.4;
MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64;
RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1,
RedHat Fedora Core1&2;
SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Desktop 1.0, Enterprise Server 9, 8

Multiple vulnerabilities exist: a vulnerability exists when decoding BMP images, which could let a remote malicious user cause a Denial of Service; a vulnerability exists when decoding XPM images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a vulnerability exists when attempting to decode ICO images, which could let a remote malicious user cause a Denial of Service.

Debian:
http://security.debian.org/pool/updates/main/g/gdk-pixbuf/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

RedHat: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

SuSE: ftp://ftp.suse.com/pub/suse/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-28.xml

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

gdk-pixbuf BMP, ICO, and XPM Image Processing Errors

CVE Names:
CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1011285, September 17, 2004

Gentoo Linux Security Advisory, GLSA 200409-28, September 21, 2004

US-CERT Vulnerability Notes VU#577654, VU#369358, VU#729894, VU#825374, October 1, 2004

Conectiva Linux Security Announcement, CLA-2004:875, October 18, 2004

Multiple Vendors

Linux kernel 2.6-test1-test11, 2.6-2.6.8; SuSE Linux 9.1

A remote Denial of Service vulnerability exists in the iptables logging rules due to an integer underflow.

Update available at: http://kernel.org/

SuSE: ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.


Linux Kernel IPTables Logging Rules Remote Denial of Service

CVE Name:
CAN-2004-0816

Low
SuSE Security Announcement, SUSE-SA:2004:037, October 20, 2004

Multiple Vendors

Linux kernel 2.2-2.2.25, 2.4.0-test1-test11, 2.4-2.4.27, 2.6-2.6.8

Two vulnerabilities exist: a vulnerability exists in the terminal subsystem due to a race condition, which could let a malicious user cause a Denial of Service or obtain sensitive information; and a vulnerability exists in the PPP dial-up port due to a race condition, which could let a malicious user cause a Denial of Service.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.9.tar.bz2

We are not aware of any exploits for this vulnerability.

Linux Kernel Race Conditions

CVE Name:
CAN-2004-0814

Low/Medium

(Medium if sensitive information can be obtained)

Secunia Advisory, SA12951, October 22, 2004

Multiple Vendors

Luke Mewburn lukemftp 1.5, TNFTPD 20031217; NetBSD Current, 1.3-1.3.3, 1.4 x86, 1.4, SPARC, arm32, Alpha, 1.4.1 x86, 1.4.1, SPARC, sh3, arm32, Alpha, 1.4.2 x86, 1.4.2, SPARC, arm32, Alpha, 1.4.3, 1.5 x86, 1.5, sh3, 1.5.1-1.5.3, 1.6, beta, 1.6-1.6.2, 2.0

Several vulnerabilities exist in the out-of-band signal handling code due to race condition errors, which could let a remote malicious user obtain superuser privileges.

Luke Mewburn Upgrade:
ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20040810.tar.gz

Apple: http://wsidecar.apple.com/cgi-bin/

Debian: http://security.debian.org/pool/updates/main/l/lukemftpd/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-19.xml

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57655-1&searchclause=

We are not aware of any exploits for this vulnerability.

TNFTPD Multiple Signal Handler Remote Privilege Escalation

CVE Name:
CAN-2004-0794

High

NetBSD Security Advisory 2004-009, August 17, 2004

Apple Security Update, APPLE-SA-2004-09-07, September 7, 2004

Debian Security Advisory DSA 551-1, September 21, 2004

Gentoo Linux Security Advisory, GLSA 200409-19, September 16, 2004

Sun(sm) Alert Notification, 57655, October 15, 2004

Multiple Vendors

OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise Server 9, 8;
X.org X11R6 6.7.0, 6.8;
XFree86 X11R6 3.3.6, 4.0, 4.0.1, 4.0.2-11, 4.0.3, 4.1.0, 4.1-12, 4.1-11, 4.2.0, 4.2.1, Errata, 4.3.0; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a stack overflow vulnerability exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 or XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in 'create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c,' which could let a remote malicious user execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/i/imlib/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

OpenBSD:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/

SuSE: ftp://ftp.suse.com/pub/suse/

X.org: http://x.org/X11R6.8.1/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-34.xml

IBM: http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

RedHat: http://rhn.redhat.com/errata/RHSA-2004-478.html

Avaya: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203389&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57652-1&searchclause=

Proofs of Concept exploits have been published.

LibXpm Image Decoding Multiple Remote Buffer Overflow

CVE Names:
CAN-2004-0687
CAN-2004-0688

High

X.Org Foundation Security Advisory, September 16, 2004

US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, 2004

SecurityFocus, October 4, 2004

SecurityFocus, October 18, 2004

Sun(sm) Alert Notification, 5765, October 18, 2004

MySQL AB

MySQL 3.23.49, 4.0.20

A vulnerability exists in the 'mysqlhotcopy' script due to predictable files names of temporary files, which could let a malicious user obtain elevated privileges.

Debian: http://security.debian.org/pool/updates/main/m/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-02.xml

SuSE: ftp://ftp.suse.com/pub/suse/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-569.html

There is no exploit code required.

MySQL 'Mysqlhotcopy' Script Elevated Privileges

CVE Name:
CAN-2004-0457

Medium

Debian Security Advisory, DSA 540-1, August 18, 2004

Gentoo Linux Security Advisory GLSA 200409-02, September 1, 2004

SUSE Security Announcement, SUSE-SA:2004:030, September 6, 2004

RedHat Security Advisory, RHSA-2004:569-16, October 20, 2004

Netbilling, Inc.

nbmember.cgi

A vulnerability exists in the 'nbmember.cgi' script, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Netbilling NBMEMBER Script Information Disclosure
Medium
SecurityFocus, October 22, 2004

OpenOffice

OpenOffice 1.1.2,
Sun StarOffice 7.0

A vulnerability exists in the '/tmp' folder due to insecure permissions, which could let a malicious user obtain sensitive information.

Upgrades available at: http://sunsolve.sun.com/search/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-446.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Gentoo: http://security.gentoo.org/glsa/glsa-200410-17.xml

There is no exploit code required.

OpenOffice/StarOffice Insecure Temporary File Permissions

CVE Name:
CAN-2004-0752

Medium

Secunia Advisory, SA12302, September 13, 2004

RedHat Security Bulletin, RHSA-2004:446-08, September 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:103, September 28, 2004

Gentoo Linux Security Advisory, GLSA 200410-17, October 20, 2004

PostgreSQL

PostgreSQL 7.4.5

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-16.xml

There is no exploit code required.

PostgreSQL Insecure Temporary File Creation

CVE Name:
CAN-2004-0977

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-16, October 18, 2004

ProFTPd.net

ProFTPd 1.2.8, 1.2.10; possibly other versions

A vulnerability exists due to a time delay difference in the login process for existing and non-existing usernames, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Another Proof of Concept exploit script has been published.

ProFTPd Login Timing Account Disclosure
Medium

LSS Security Team Advisory, October 14, 2004

PacketStorm, October 26, 2004

Rob Flynn

Gaim 0.50-0.75, 0.82, 0.82.1, 1.0, 1.0.1

A remote MSN file transfer and a remote MSN SLP Denial of Service vulnerability exists due to a failure to properly handle exceptional conditions.

Upgrades available at:
http://prdownloads.sourceforge.net/gaim/gaim-1.0.2.tar.gz?download

There is no exploit code required.

Gaim Remote Denials of Service
Low
SecurityFocus, October 20, 2004

Rob Flynn

Gaim 0.10 x, 0.10.3, 0.50-0.75

Multiple vulnerabilities exist which could let a remote malicious user execute arbitrary code or cause a Denial of Service: a vulnerability exists during the installation of a smiley theme; a heap overflow vulnerability exists when processing data from a groupware server; a buffer overflow vulnerability exists in the URI parsing utility; a buffer overflow vulnerability exists when performing a DNS query to obtain a hostname when signing on to zephyr; a buffer overflow vulnerability exists when processing Rich Text Format (RTF) messages; and a buffer overflow vulnerability exists in the 'content-length' header when an excessive value is submitted.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-27.xml

Rob Flynn: http://sourceforge.net/project/showfiles.php?group_id=235&package_id=253&release_id=263425

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-0.82-i486-1.tgz

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

We are not aware of any exploits for this vulnerability.

Gaim Multiple Vulnerabilities

CVE Names:
CAN-2004-0784
CAN-2004-0754
CAN-2004-0785

Low/High

(High if arbitrary code can be executed)

SecurityFocus, August 26, 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:110, October 21, 2004

rssh

rssh 2.2.1 & prior

A vulnerability exists in 'log.c' due to a format string error, which could let a remote malicious user execute arbitrary code.

Update available at: http://www.pizzashack.org/rssh/downloads.shtml

We are not aware of any exploits for this vulnerability.

rssh 'log.c' Format String
High
Secunia Advisory, SA12954, October 25, 2004

SCO Group

SCO OpenServer 5.x

Multiple vulnerabilities exist in SCO MMDF. According to SCO, the vulnerabilities are buffer overflows, null dereferences, and core dumps. One of the buffer overflows is known to affect "execmail".

Updates available at: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/

An exploit script has been published.

SCO OpenServer Multiple Vulnerabilities in MMDF

CVE Names:
CAN-2004-0510
CAN-2004-0511
CAN-2004-0512

Medium
SCO Advisory, SCOSA-2004.7, July 14, 2004

Deprotect Security Advisory 20040206, July 2, 2004

PacketStorm October 26, 2004

Speedtouch

USB Driver 1.0, 1.1, 1.2, beta1-beta3, 1.3

A format string vulnerability exists because the 'modem_run,' 'pppoa2,' and 'pppoa3' functions make an unsafe 'syslog()' call due to insufficient sanitization, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/showfiles.php?group_id=32758&package_id=28264&release_id=271734

We are not aware of any exploits for this vulnerability.

Speedtouch USB Driver Format String

CVE Name:
CAN-2004-0834

High
SecurityFocus, October 21, 2004

splitbrain.org

DokuWiki 2004-09-30, 2004-09-25, 2004-09-12, 2004-08-22, 2004-08-15a, 2004-08-15, 2004-08-08, 2004-07-25, 2004-07-21

A vulnerability exists due to improper enforcement of the access control list, which could let a remote malicious user access some functions without authorization. Affected functions include recent changes, feed, search, and mediaselectiondialog.

Updates available at:
http://freshmeat.net/redir/dokuwiki/51558/url_tgz/dokuwiki-2004-10-19.tgz

There is no exploit code required.

DokuWiki Access Control Enforcement

Medium
SecurityTracker Alert ID, 1011802, October 20, 2004

Squid-cache.org

Squid 2.5-STABLE6, 3.0-PRE3-20040702; when compiled with SNMP support

A remote Denial of Service vulnerability exists in the 'asn_parse_header()' function in 'snmplib/asn1.c' due to an input validation error when handling certain negative length fields.

Updates available at: http://www.squid-cache.org/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-15.xml

Trustix: http://http.trustix.org/pub/trustix/updates/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-591.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

We are not aware of any exploits for this vulnerability.

Squid Remote Denial of Service

CVE Name:
CAN-2004-0918

Low

iDEFENSE Security Advisory, October 11, 2004

Fedora Update Notification,
FEDORA-2004-338, October 13, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-15, October 18, 2004

RedHat Security Advisory, RHSA-2004:591-04, October 20, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:112, October 21, 2004

Sun Microsystems, Inc.

Solaris 8.0, 8.0_x86, 9.0, 9.0_x86

A vulnerability exists in 'ldap(1)' when used with Role Based Access Control (RBAC), which could let a malicious user execute arbitrary commands with root privileges.

Update available at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57657-1

We are not aware of any exploits for this vulnerability.

Sun Solaris LDAP RBAC Root Privileges
High
Sun(sm) Alert Notification, 57657, October 18, 2004

SuSE

Linux Enterprise Server for S/390, 9.0

A vulnerability exists due to an incorrectly handled privileged instruction which could let a malicious user obtain root user privileges. Note: Vulnerability only affects SuSE Linux Enterprise Server 9 when it is installed on the IBM S/390 platform.

Upgrade available at: ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

SuSE Linux IBM S/390 Kernel Root Privileges

CVE Name:
CAN-2004-0887

High
SuSE Security Announcement, SUSE-SA:2004:037, October 21, 2004

SuSE

LibTIFF 3.6.1;
SuSE Linux 8.1, 8.2, 9.0, 9.1; Linux Desktop 1.0; Linux Enterprise Server 8, 9

A buffer overflow vulnerability exists in libtiff on SuSE Linux in the OJPEGVSetField() function in 'libtiff/tif_ojpeg.c,' which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Upgrades and patches available at:
ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

LibTIFF OJPEG Buffer Overflow

CVE Name:
CAN-2004-0929

Low/High

(High if arbitrary code can be executed)

SUSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

Twibright Labs

Links 0.91-0.99

A remote Denial of Service vulnerability exists when handling HTML tables of excessive size.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Links Malformed Table Remote Denial of Service

Low
Bugtraq, October 18, 2004

University of Kansas

Lynx 2.7, 2.8-2.8.5, 2.8.5 dev2-5, dev8

A remote Denial of Service vulnerability exists when handling malformed HTML tag sequences and formatting.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Lynx Malformed HTML Remote Denial of Service
Low
Bugtraq, October 18, 2004


Multiple Operating Systems - Windows / UNIX / Linux / Other

Columns: Vendor & Software Name | Vulnerability - Impact | Patches - Workarounds | Attack Scripts | Common Name | Risk | Source

America OnLine

America Online Webmail

A Cross-Site Scripting vulnerability exists in the 'msglist.adp' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

AOL Web Mail 'msglist.adp' Cross-Site Scripting
High
SecurityTracker Alert ID, 1011791, October 20, 2004

America OnLine

AOL

An information disclosure vulnerability exists in AOL Journals, which could let a remote malicious user obtain email addresses.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

AOL Journals Email Address Disclosure
Medium
SecurityTracker Alert ID, 1011900, October 22, 2004

brooky.com

CubeCart 2.0.1

A vulnerability exists due to insufficient sanitization of the 'cat_id' parameter, which could let a remote malicious user obtain sensitive information.

The vendor has recommended the following fix: insert

    if (!is_numeric($cat_id))
        unset($cat_id);

before

    include("header.inc.php");

in index.php.

There is no exploit code required; however, a Proof of Concept exploit has been published.

CubeCart Input Validation
Medium

Secunia Advisory, SA12764, October 8, 2004

SecurityFocus, October 22, 2004

Cisco Systems

IOS R12.x, 12.x

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port.

Potential workarounds available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

We are not aware of any exploits for this vulnerability.

Cisco IOS Telnet Service Remote Denial of Service
Low

Cisco Security Advisory, cisco-sa-20040827, August 27, 2004

US-CERT Vulnerability Note VU#384230

Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004

Google

Google

A Cross-Site Scripting vulnerability exists in the 'custom' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

A Proof of Concept exploit has been published.

Google Input Validation
High
SecurityTracker Alert ID, 1011786, October 19, 2004

Gregory DEMAR

Coppermine Photo Gallery 1.0-1.3.2

A vulnerability exists due to a design error that may allow remote malicious users to cast multiple votes for an image.

No workaround or patch available at time of publishing.

There is no exploit code required.

Coppermine Photo Gallery Voting Restriction Failure
Medium
SecurityTracker Alert ID, 1011860, October 21, 2004

IBM

Lotus Domino 6.0-6.0.3, 6.5.0-6.5.2

Two vulnerabilities exist: a Cross-Site Scripting vulnerability exists due to an input validation error in the native Lotus Notes HTML encoding for computed values, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability exists which could let a remote malicious user inject malicious HTML and script code into the application.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

IBM Lotus Domino Cross-Site Scripting & HTML Injection
High
SecurityFocus, October 18, 2004

Infopop

UBB.threads 3.4, 3.5

An input validation vulnerability exists in 'dosearch.php' due to insufficient validation of user-supplied input in the 'Name' parameter, which could let a remote malicious user execute arbitrary SQL commands.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

UBBThreads Input Validation
High
Bugtraq, October 21, 2004

moinmoin.wikiwikiweb.de

MoniWiki 1.0.8 & prior

A Cross-Site Scripting vulnerability exists in 'wiki.php' due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

Update available at: http://kldp.net/project/showfiles.php?group_id=210&release_id=954

A Proof of Concept exploit has been published.

MoniWiki 'wiki.php' Cross-Site Scripting
High
Secunia Advisory, SA12975, October 26, 2004

Mozilla.org

Mozilla 1.6 & prior; Netscape 7.0, 7.1, and prior

An input validation vulnerability exists in the SOAPParameter object constructor in Netscape and Mozilla, which allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow that allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code.

Upgrade to Mozilla 1.7.1 available at: http://www.mozilla.org/products/mozilla1.x/

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability

CVE Name:
CAN-2004-0722

High
iDEFENSE Security Advisory, August 2, 2004

Bugzilla Bug 236618

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla 1.6;
Mozilla 1.7.x;
Mozilla Firefox 0.x

A Denial of Service vulnerability exists in which arbitrary root certificates are imported silently without presenting users with an import dialog box. Due to another problem, this can be exploited, e.g. by malicious websites or HTML-based emails, to prevent users from accessing valid SSL sites.

Workaround: Check the certificate store and delete untrusted certificates if an error message is displayed with error code -8182 ("certificate presented by [domain] is invalid or corrupt") when attempting to access an SSL-based website.

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Currently, we are not aware of any exploits for this vulnerability.

Mozilla / Firefox Certificate Store Corruption Vulnerability

CVE Name:
CAN-2004-0758

Low

Secunia Advisory, SA12076, July 16, 2004

Bugzilla Bug 24900, July 14, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org
Mandrakesoft
Slackware

Mozilla 1.7 and prior;
Firefox 0.9 and prior;
Thunderbird 0.7 and prior

Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads.

Upgrade to the latest version of Mozilla, Firefox, or Thunderbird available at: http://www.mozilla.org/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082

RedHat: http://rhn.redhat.com/errata/RHSA-2004-421.html

SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-26.xml

HP: http://h30097.www3.hp.com/internet/download.htm

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

Mozilla/Firefox/Thunderbird Multiple Vulnerabilities

CVE Names:
CAN-2004-0757
CAN-2004-0759
CAN-2004-0761
CAN-2004-0765

High

Secunia, SA10856, August 4, 2004

US-CERT Vulnerability Note VU#561022

RedHat Security Advisory, RHSA-2004:421-17, August 4, 2004

SGI Security Advisory, 20040802-01-U, August 14, 2004

Gentoo Linux Security Advisory, GLSA 200409-26, September 20, 2004

HP Security Bulletin, HPSBTU01081, October 5, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla 0.x, 1.0-1.7.x, Firefox 0.x, Thunderbird 0.x; Netscape Navigator 7.0, 7.0.2, 7.1, 7.2

Multiple vulnerabilities exist: buffer overflow vulnerabilities exist in 'nsMsgCompUtils.cpp' when a specially crafted e-mail is forwarded, which could let a remote malicious user execute arbitrary code; a vulnerability exists due to insufficient restrictions on script generated events, which could let a remote malicious user obtain sensitive information; a buffer overflow vulnerability exists in the 'nsVCardObj.cpp' file due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in 'nsPop3Protocol.cpp' due to boundary errors, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists when handling non-ASCII characters in URLs, which could let a remote malicious user execute arbitrary code; multiple integer overflow vulnerabilities exist in the image parsing routines due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a cross-domain scripting vulnerability exists because URI links dragged from one browser window and dropped into another browser window will bypass same-origin policy security checks, which could let a remote malicious user execute arbitrary code; and a vulnerability exists because unsafe scripting operations are permitted, which could let a remote malicious user manipulate information displayed in the security dialog.

Updates available at: http://www.mozilla.org/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-26.xml

HP: http://h30097.www3.hp.com/internet/download.htm

RedHat: http://rhn.redhat.com/errata/RHSA-2004-486.html

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Proofs of Concept exploits have been published.

Mozilla Multiple Remote Vulnerabilities

CVE Names:
CAN-2004-0902
CAN-2004-0903
CAN-2004-0904
CAN-2004-0905
CAN-2004-0908

Medium/High

(High if arbitrary code can be executed)

Technical Cyber Security Alert TA04-261A, September 17, 2004

US-CERT Vulnerability Notes VU#414240, VU#847200, VU#808216, VU#125776, VU#327560, VU#651928, VU#460528, VU#113192, September 17, 2004

Gentoo Linux Security Advisory, GLSA 200409-26, September 20, 2004

RedHat Security Bulletin, RHSA-2004:486-18, September 30, 2004

HP Security Bulletin, HPSBTU01081, October 5, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla Browser 1.0 RC1 & RC2, 1.0, 1.0.1, 1.0.2, 1.1 Beta, 1.1 Alpha, 1.1, 1.2 Beta, 1.2 Alpha, 1.2, 1.2.1, 1.3, 1.3.1, 1.4b, 1.4a, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, 1.7rc3, 1.7-1.7.3, 1.8 Alpha 2

Multiple memory corruption vulnerabilities exist because certain HTML tag sequences and formatting may cause a remote Denial of Service and possibly execution of arbitrary code; and a remote Denial of Service vulnerability exists when an invalid pointer is dereferenced.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Mozilla Multiple Memory Corruption & Invalid Pointer

Low/High

(High if arbitrary code can be executed)

Bugtraq, October 18, 2004

Mozilla.org

Mozilla Firefox 0.9.2 and Mozilla 1.7.1 on Windows

Mozilla Firefox 0.9.2 on Linux

A spoofing vulnerability exists that could allow malicious sites to abuse SSL certificates of other sites. An attacker could make the browser load a valid certificate from a trusted website by using a specially crafted "onunload" event. The problem is that Mozilla loads the certificate from a trusted website and shows the "secure padlock" while actually displaying the content of the malicious website. The URL shown in the address bar correctly reads that of the malicious website.

An additional cause has been noted: Mozilla does not restrict websites from including arbitrary, remote XUL (XML User Interface Language) files.

Workaround: Do not follow links from untrusted websites and verify the correct URL in the address bar with the one in the SSL certificate.

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

A Proof of Concept exploit has been published.

Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

CVE Name:
CAN-2004-0763

Medium

Cipher.org, July 25, 2004

Secunia, SA12160, July 26, 2004; SA12180, July 30, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Multiple Vendors

Mozilla Browser 1.7.2, 1.7.3, Camino 0.8, Firefox 0.10.1; Netscape Navigator 7.2

Several vulnerabilities exist: a vulnerability exists when multiple tabs are open, which could let a remote malicious user spoof functions on the web site in the active tab; and a vulnerability exists because a web form field in an inactive tab can gain focus, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Multiple Vendors Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12712, October 20, 2004

Multiple Vendors

Linux Kernel USB Driver prior to 2.4.27

A vulnerability exists in certain USB drivers because uninitialized structures are used and then 'copy_to_user(...)' kernel calls are made from these structures, which could let a malicious user obtain uninitialized kernel memory contents.

Update available at: http://kernel.org/

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml

We are not aware of any exploits for this vulnerability.

Linux Kernel USB Driver Kernel Memory

CVE Name:
CAN-2004-0685

Medium
US-CERT Vulnerability Note VU#981134, October 25, 2004

Netscape

Netscape Web Mail

A Cross-Site Scripting vulnerability exists in the 'msglist.adp' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Netscape Web Mail 'msglist.adp' Cross-Site Scripting
High
SecurityTracker Alert ID, 1011792, October 20, 2004

Opera Software

Opera Web Browser 6.0 win32, 6.06, 6.06 win32, 6.0, 6.0.1-6.0.5 win32, 6.0.1-6.0.3 linux, 6.10 linux, 7.0 win32 Beta 1 & 2, 7.0-7.0.3 win32, 7.10, 7.11j, 7.11b, 7.11, 7.20 Beta 1 build 2981, 7.20-7.23, 7.50-7.54

A memory corruption vulnerability exists in the 'TBODY' tag when an excessive 'COL SPAN' is specified, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Opera TBODY COL SPAN Memory Corruption
Low/High

(High if arbitrary code can be executed)

Bugtraq, October 18, 2004

Opera Software

Opera Web Browser 7.54

A cross-domain vulnerability exists when multiple windows are open, which could let a remote malicious user spoof web page functions.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Opera Web Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12713, October 20, 2004

PBLang-Team

PBLang 4.x

Multiple security vulnerabilities exist, including a cookie management flaw in CheckLoginStatus() in 'functions.php', a flaw in the pm section in 'admin.php' and 'pmpshow.php', and a password changing vulnerability in 'ucp.php'. The impact was not specified.

Update available at: https://sourceforge.net/project/showfiles.php?group_id=62953

We are not aware of any exploits for these vulnerabilities.

PBLang Multiple Security Flaws
Not Specified
Secunia Advisory, SA12880, October 19, 2004

S9Y

Serendipity 0.3, 0.4, 0.5, 0.5-pl, 0.6, 0.6-rc1 & rc2, 0.6-pl1-pl3, 0.7-beta1-beta4

An input validation vulnerability exists when processing the requested URI in 'index.php' and the HTTP Referer field in 'comments.php,' which could let a remote malicious user create an HTTP request that will cause arbitrary content to be displayed.

Upgrades available at:
http://prdownloads.sourceforge.net/php-blog/
serendipity-0.7-rc1.tar.gz?download

A Proof of Concept exploit has been published.

Serendipity Input Validation
Medium
Secunia Advisory, SA12909, October 21, 2004

Singapore

Singapore prior to 0.9.10

A vulnerability exists in 'thumb.php' due to insufficient validation of user-supplied input, which could let a remote malicious user view files that are not image files on the target system (the vendor has not confirmed the impact).

Update available at: http://singapore.sourceforge.net/?page=download

We are not aware of any exploits for this vulnerability.

Singapore 'thumb.php' Input Validation
Not Specified
SecurityTracker Alert ID, 1011804, October 20, 2004

Stuart Caie

cabextract 0.6, 1.0

A Directory Traversal vulnerability exists in the 'create_output_name()' function in 'cabextract.c' due to insufficient input validation, which could let a remote malicious user create or overwrite files.

Update available at: http://www.kyz.uklinux.net/downloads/cabextract-1.1.tar.gz

There is no exploit code required.

cabextract Remote Directory Traversal
Medium

Secunia Advisory, SA12882, October 19, 2004

Sun Microsystems, Inc.

Java 2 Micro Edition (J2ME)

A vulnerability exists in the Connected Limited Device Configuration (CLDC) implementation in the K Virtual Machine (KVM) bytecode verifier, which could let a remote malicious user bypass Java security mechanisms.

No workaround or patch available at time of publishing.

Exploit information has been published.

Sun Java 2 Micro Edition (J2ME) Sandbox Bypass Restrictions
Medium
Secunia Advisory, SA12945, October 22, 2004

Symantec

Clientless VPN Gateway Version 5.0, Model 4000

Various security vulnerabilities exist in the ActiveX file browser and HTML file browser, which could let a remote malicious user obtain unauthorized access to the system or could lead to unpredictable behavior.

Hotfix available at:
ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt

We are not aware of any exploits for this vulnerability.

Symantec Clientless VPN Gateway 4400 Credential Modification
Medium
US-CERT Vulnerability Note VU#760256, October 20, 2004

Symantec

Firewall/VPN Appliance 100, 200, 200R, Gateway Security 320, 360, 360R

Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user conducts a fast map UDP port scan against all ports on the WAN interface; a vulnerability exists when a UDP port scan is conducted against the WAN interface from a source port of UDP 53, which could let a remote malicious user obtain sensitive information; and a vulnerability exists because the default read/write community string used by the firewall is public, which could let a malicious user alter the firewall's configuration.

The vendor has released a fixed firmware version (1.63) available at: ftp://ftp.symantec.com/public/updates/

There is no exploit code required.

Symantec Enterprise Firewall/VPN Appliance Multiple Remote Denials of Service & Configuration Modification
Low

Rigel Kent Security & Advisory Services Inc. Advisory, RK-001-04, September 22, 2004

US-CERT Vulnerability Notes VU#329230, VU#441078, & VU#173910, October 20, 2004

Tripwire, Inc.
Gentoo
Mandrake

Tripwire 2.2.1, 2.3.0, 2.3.1-2, 2.3.1, 2.4.0, 2.4.2, 3.0 1, 3.0, 4.0, 4.0.1, 4.1, 4.2, Tripwire Open Source 2.3.0, 2.3.1

A format string vulnerability exists in 'pipedmailmessage.cpp' when an e-mail report is generated, which could let a malicious user execute arbitrary code. Note: It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

Patch available at: http://securityfocus.com/bid/10454/solution/

Gentoo: http://security.gentoo.org/glsa/glsa-200406-02.xml

Mandrake: http://www.mandrakesoft.com/security/advisories

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Currently, we are not aware of any exploits for this vulnerability.

Tripwire Email Reporting Format String

CVE Name:
CAN-2004-0536

High

SecurityFocus, June 5, 2004

Gentoo Linux Security Advisory, GLSA 200406-02, June 4, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:057, June 8, 2004

Fedora Legacy Update Advisory, FLSA:1719, October 23, 2004

Veritas Software

NetBackup BusinesServer 3.4, 3.4.1, 4.5, NetBackup DataCenter 3.4, 3.4.1, 4.5, NetBackup Enterprise Server 5.1, NetBackup Server 5.0, 5.1

An input validation vulnerability exists in the 'bpjava-susvc' process used for administration, which could let a remote authenticated malicious user execute commands with root privileges.

The vendor has described a configuration workaround available at: http://support.veritas.com/docs/271727

We are not aware of any exploits for this vulnerability.

VERITAS NetBackup Input Validation
High
SecurityTracker Alert ID: 1011863, October

winkled.sourceforge.net

MediaWiki prior to 1.3.7

A Cross-Site Scripting vulnerability exists in 'Title.php' due to insufficient filtering of HTML code from user-supplied input in 'DefaultSettings.php' and 'Title.php,' which could let a remote malicious user execute arbitrary HTML and script code.

Updates available at: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.7.tar.gz?download

There is no exploit code required.

MediaWiki 'Title.php' Cross-Site Scripting

Medium/High

(High if arbitrary code can be executed)

SecurityFocus, October 20, 2004

yahoopops.sourceforge.net

YPOPs! 0.x

Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Another exploit script has been published.

YPOPs! Buffer Overflows
High

Hat-Squad Advisory, September 27, 2004

SecurityFocus, October 18, 2004

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
October 26, 2004 85mod_include.c
No
Proof of Concept exploit for the Apache mod_include Buffer Overflow vulnerability.
October 26, 2004 ethereal-0.10.7.tar.gz
N/A
A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.
October 26, 2004 javascript.txt
N/A
A write-up discussion on how to use Javascript to spoof what page is actually being visited.
October 26, 2004 navRant.txt
NA
Proof of Concept regarding how easy it is to bypass Norton Antivirus.
October 26, 2004 nmap-3.75.tgz
N/A
A utility for port scanning large networks, although it works fine for single hosts.
October 26, 2004 osx86_mmdfdeliver.c
Yes
Script that exploits the SCO OpenServer MMDF vulnerability.
October 26, 2004 proftpdEnum.c
No
Proof of Concept script that exploits the ProFTPd Login Timing Account Disclosure vulnerability.
October 26, 2004 rkdscan.zip
N/A
A scanner designed to detect whether or not an NT based computer is infected with the Hacker Defender root kit.
October 25, 2004 socat_exp.c
Yes
Script that exploits the Socat Remote Format String vulnerability.
October 24, 2004 creating_a_asp_command
_shell_using_BACKUP.txt
N/A
This is a text document that describes how MS SQL can be "tricked" into creating a command.asp script under the webroot, even when you do not have access to 'sa' privs (dbo privs are probably still a must, though). The technique described uses the SQL server 'backup' command.
October 24, 2004 ksb26-2.6.9.tar.gz
N/A
KSB26, Kernel Socks Bouncer for 2.6.x, is a Linux 2.6.x-kernel patch that redirects full tcp connections through a socks5 proxy. KSB26 uses a character device to pass socks5 and the target IPs the Linux kernel.
October 24, 2004 lgool.c
N/A
Lgool is a program that will search Google for a given vulnerability.
October 24, 2004 SetWindowLong_Shatter_Attacks.pdf
N/A
This paper gives an example of the variety of shatter attacks which should be corrected by MS04-032 (KB840987). This sort of attack can typically be used for local privilege escalation.
October 24, 2004 uml.c
N/A
Userspace Logger is functioning code based on the example given in the article in Phrack 51 entitled "Shared Library Redirection". The following functions are logged: read()/recv() output and intercepts open(), open64(), close(), socket(), connect(), exit(). This is an effective keystroke logger, among other things, despite that the author says it is only at the Proof-of-Concept phase.
October 23, 2004 101_shixx.cpp
No
Exploit for the Mavel ShixxNote 6.net Buffer Overflow in Font Field vulnerability.
October 23, 2004 amap-4.7.tar.gz
N/A
Application Mapper is a next-generation scanning tool that allows you to identify the applications that are running on a specific port. It does this by connecting to the port(s) and sending trigger packets.
October 23, 2004 Camou121.exe
N/A
Camouflage v1.2.1 is an extremely weak steganography tool for Windows that uses various image files and document files as a carrier in which to hide arbitrary data.
October 23, 2004 CKFP.zip
N/A
This is a Windows program that "unprotects" files which have been hidden using a steganography program called Camouflage. If the Camouflage'd file requires a password, the password is reset to nothing.
October 23, 2004 hitb04-shreeraj-shah.pdf
N/A
"Web Services - Attacks and Defense Strategies, Methods and Tools" presentation that discusses how web services are the new security Lego Land. The main building blocks are UDDI, SOAP and WSDL. The presentation briefly touches upon each of these aspects.
October 23, 2004 hitb04-sk-chong.pdf
N/A
"Windows Local Kernel Exploitation" presentation that discusses mechanisms to exploit the Windows Kernel for useful local privilege escalation.
October 23, 2004 hitb04-teo-sze-siong.zip
N/A
"Stealth Virus Design Thru Breeding Concept (Non Polymorphic)" presentation that includes Proof of Concept code samples.
October 23, 2004 SetecAstronomy.pl
N/A
This is a Perl script that can search files to identify whether data has been hidden using a weak steganography tool for Windows named Camouflage.
October 22, 2004 ability-2.34-ftp-stor.py
No
Exploit for the Code-Crafters Ability Server FTP STOR Argument Remote Buffer Overflow vulnerability.
October 20, 2004 akellaPrivateersBountyExploit.zip
No
Script that exploits the Akella Privateer's Bounty: Age of Sail II Remote Nickname Buffer Overflow vulnerability.
October 20, 2004 apacheModIncludeLocalBufferOverflowExploit.c
No
Script that exploits the Apache mod_include Buffer Overflow vulnerability.
October 20, 2004 Intro_to_Win32_Exploits.pdf
N/A
An introduction to writing exploits for the Win32 platform. Walks through creation of an exploit for a real vulnerable piece of software, using OllyDbg to help isolate the fault and exploit it.
October 20, 2004 ms04-030_spl.pl
Yes
Perl script that exploits the Microsoft WebDav XML Message Handler Denial of Service vulnerability.
October 20, 2004 noceegar.html
No
Exploit for the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass & File Drag and Drop Embedded Code vulnerabilities.
October 20, 2004 windowsEMF_WMF_Exploit.c
Yes
Script that exploits the Microsoft Windows WMF/EMF Remote Buffer Overflow vulnerability.
October 19, 2004 HOD-ms04032-emf-expl2.c
Yes
Exploit that creates crafted metafiles to exploit Microsoft Internet Explorer 6.0.
October 19, 2004 toneboom.zip
No
Script that exploits the Vypress Tonecast Remote Denial of Service vulnerability.
October 18, 2004 dc_ypop.c
No
Script that exploits the YPOPs! Buffer Overflows vulnerability.
October 18, 2004 salesLogixFileUploadPoC.pl
Yes
Proof of Concept exploit for the Best Software SalesLogix File Upload vulnerability.
October 16, 2004 bmon.sh
Yes
Proof of Concept exploit for the BMON Arbitrary Code Execution vulnerability.

[back to top]

Trends

  • A survey of 2,000 consumers conducted in August and released Tuesday, October 26, indicates that consumers, increasingly fearful of identity theft, want more security before they will engage in online banking and other Internet-based services. Such findings may indicate the marketplace has reached a tipping point at which users now view security as an imperative rather than an impediment to online usage. For more information, see http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1017458,00.html.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank | Common Name | Type of Code | Trends | Date
1 | Netsky-P | Win32 Worm | Stable | March 2004
2 | Zafi-B | Win32 Worm | Stable | June 2004
3 | Netsky-Z | Win32 Worm | Stable | April 2004
4 | Netsky-D | Win32 Worm | Stable | March 2004
5 | Bagle-AA | Win32 Worm | Stable | April 2004
6 | Netsky-B | Win32 Worm | Stable | February 2004
7 | Netsky-Q | Win32 Worm | Stable | March 2004
8 | MyDoom-O | Win32 Worm | Stable | July 2004
9 | Bagle-Z | Win32 Worm | Stable | April 2004
10 | MyDoom.M | Win32 Worm | Stable | July 2004

Table Updated October 26, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Opener - A script-based threat that spies on Mac users has been discovered. The malware disables Mac OS X's built-in firewall, steals personal information and can destroy data. (CNET News, October 25, 2004)
  • Famus.B - After a series of celebrity-related Trojans that spread through social engineering techniques, the latest one preys on potential victims' curiosity about the ongoing conflict in Iraq. Antivirus companies warned on Monday, October 25, of a new worm that is sent by e-mail and appears to contain photographs of the Iraq war. The Famus.B worm affects Windows systems and tries to trick users into believing its attached file, called Iraq.scr, contains pictures from inside Iraq. This virus type was first reported in May 2004. (ZDNet News, October 26, 2004)

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name | Aliases | Type
Backdoor.Emcommander | | Trojan
Backdoor.Haxdoor.C | | Trojan
Backdoor.Roxe.B | Bloodhound.Exploit.13, Exploit.Win32.MS04-028.gen | Trojan
Backdoor.Sdbot.AE | Backdoor.Win32.Wootbot.gen | Win32 Worm
Bagz.d | W32.Bagz.D@mm, W32/Bagz.d@MM | Win32 Worm
Bagz.E | W32/Bagz.E.worm | Win32 Worm
Netsky.AH | W32/Netsky.AH.worm | Win32 Worm
SH/Renepo-A | Opener, MacOS.Renepo.A, SH.Renepo, SH.Renepo.A, SH.Renepo.B, SH/Renepo-A, Sh/Renepo.A.Worm, Unix/Opener.Worm, MacOS.Renepo.B | Macintosh Worm
StartPage-FG | Troj/Dloader-DG, Trojan.Win32.StartPage.jc, TROJ_STARTPGE.R | Trojan
Troj/Banker-EK | PWS-Bancban.gen.b | Trojan: Password Stealer
Trojan.Sens | | Trojan
W32.Buchon.A@mm | I-Worm.Buchon.b, W32.Netsky.AE@mm, W32/Baba-A, W32/Buchon.gen@MM, W32/Buchon@mm, Win32.Buchon.B, WORM_BUCHON.B | Win32 Worm
W32.Huayu | | Win32 Worm
W32.Mydoom.AG@mm | | Win32 Worm
W32.Spybot.FCD | Backdoor.Win32.Rbot.gen, W32.Spybot.Worm, W32/Sdbot.worm.gen.j | Win32 Worm
W32.Watsoon.A | | Win32 Worm
W32/Baba-A | W32/Netsky-AE, I-Worm.Baba.b, W32/Netsky.ai@MM, W32/Buchon@mm | Win32 Worm
W32/Bagz-D | I-Worm.Bagz.d | Win32 Worm
W32/Forbot-BQ | Backdoor.Win32.Wootbot.gen | Win32 Worm
W32/Forbot-BR | | Win32 Worm
W32/Forbot-BU | Backdoor.Win32.Wootbot | Win32 Worm
W32/Forbot-BW | WORM_WOOTBOT.BM | Win32 Worm
W32/Rbot-NG | Win32.Rbot.gen, W32/Sdbot.worm.gen.i, WORM_RBOT.RW | Win32 Worm
W32/Rbot-NJ | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NK | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NS | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NT | Backdoor.Win32.Rbot.gen, W32/Sdbot.worm.gen.j, WORM_RBOT.RY | Win32 Worm
W32/Rbot-NU | WORM_RBOT.PK, W32/Sdbot.worm.gen.w | Win32 Worm
W32/Spybot-DF | Worm.P2P.SpyBot.gen, W32/Spybot.worm.gen.a | Win32 Worm
Win32.Gema.D | PWS-Datei, Troj/Cryptldr-A, TrojanDownloader.Win32.Crypt, TROJ_CRYPT.A, W32/Crypter.B@dl, Win32/Gema.14336.Trojan | Win32 Worm
Win32.Scranor.A | W32.Narcs, W32/Scran.worm, Win32/Scranor.A.Worm, Worm.P2P.Scranor | Win32 Worm
WORM_BAGZ.C | | Win32 Worm
WORM_BAGZ.D | I-Worm.Bagz.d, W32.Bagz.E@mm, W32/Bagz-D, W32/Bagz.D@mm, W32/Bagz.e@MM, Win32.Bagz.C | Win32 Worm
WORM_BUCHON.B | I-Worm.Baba.B, I-Worm.Buchon.b, I-Worm/Buchon.B, Netsky.AG, Netsky.AI, W32.Netsky.AE@mm, W32/Baba-A, W32/Buchon.B@mm, W32/Buchon.gen@MM, W32/Buchon@mm, W32/Netsky-AE, W32/Netsky.ah@MM, W32/Netsky.AI.worm, W32/Netsky.ai@MM, W32/Netsky.AJ@mm, Win32.Buchon.B, Win32.Netsky.AG, Win32/Buchon.B@mm, Win32/Netsky.AG.Worm, Win32:Netsky-AF, Worm/Buchon.B, WORM_NETSKY.AI | Win32 Worm
WORM_TURON.B | | Win32 Worm
WORM_VOTE.L | | Win32 Worm

[back to top]

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Abyss

Abyss Web Server X1

An input validation vulnerability exists, which could allow a remote malicious user to crash the target service. It is reported that a remote user can submit an HTTP request for a URL containing a MS-DOS device name (e.g., CON, PRN, AUX) in the 'cgi-bin' directory to cause the web service to crash.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Abyss Web Server MS-DOS Device Names Processing
Low
SecurityTracker Alert ID, 1011812, October 20, 2004

Akella

Age of Sail II 1.04.151 and prior versions

A buffer overflow vulnerability may permit a remote malicious user to execute arbitrary code on the target system. A remote user can join a game server and supply a specially crafted nickname to trigger a buffer overflow.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Akella Age of Sail II Buffer Overflow
High
Secunia Advisory ID, SA12905, October 21, 2004

Altiris

Altiris Carbon Copy Solution 6.0.5257

A vulnerability exists which can be exploited by local malicious users to gain escalated privileges. The vulnerability is caused by the "CCW32.exe" process invoking the help functionality with SYSTEM privileges. Certain prior versions reportedly also ran the Carbon Copy Scheduler with SYSTEM privileges.

No workaround or patch available at time of publishing.

There is no exploit required.

Altiris Carbon Copy Solution Privilege Escalation
Medium
SecurityFocus, Bugtraq ID 11500, October 22, 2004

Altiris

Altiris Deployment Server 5.x, 6.x; 6.1sp1 and prior versions

An authentication vulnerability was reported in the Altiris Deployment Server which could allow a remote malicious user to obtain full control of all target clients. The 'AClient.exe' client process does not authenticate the Deployment Server when connecting.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Altiris Deployment Server Client Authentication Hole
High
SecurityTracker Alert ID, 1011862, October 21, 2004

Best Software

SalesLogix 6

Multiple vulnerabilities were reported which allow a remote malicious user to gain administrative access to the application. A remote malicious user can inject SQL commands, determine the installation path, determine passwords, and upload arbitrary files.

The vendor has issued a fix, available at: http://support.saleslogix.com/

Proof of Concept exploit script has been published.

Best Software SalesLogix Multiple Vulnerabilities

Medium/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1011769, October 18, 2004

SecurityFocus, October 18, 2004

Code-Crafters

Ability (Mail and FTP) Server 2.3.4

A buffer overflow vulnerability was reported in the Ability Server in the FTP service which could allow a remote authenticated malicious user to execute arbitrary code on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Code-Crafters Ability Server Buffer Overflow
High

Secunia Advisory ID, SA12941, October 25, 2004

SecurityFocus, Bugtraq ID 11508, October 22, 2004

Distinct Web Creations

Dwc_Articles 1.6 and prior versions

A vulnerability was reported in Dwc_Articles in which a remote malicious user can inject SQL commands. Nearly all of the scripts do not properly validate user-supplied input.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Dwc_Articles Input Validation
Medium
SecurityTracker Alert ID, 1011909, October 23, 2004

ElektroPost Stockholm AB

EPiServer

A vulnerability was reported in EPiServer in which a remote malicious user may be able to view files on the target system, obtain sensitive information, and cause Denial of Service conditions.

The vendor has reportedly issued a fix for the sensitive information issue in version 4.20. There is no solution for the other vulnerabilities at this time.

A Proof of Concept exploit has been published.

ElektroPost EPiServer Input Validation Errors

Low/Medium

(Medium if sensitive information can be obtained)

SecurityTracker Alert ID, 1011913, October 25, 2004

FIL Security Laboratory

Twister Anti-TrojanVirus 5.5

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Twister Anti-Trojan Virus MS DOS Device Names Scan File Failure
High
SecurityTracker Alert ID, 1011843, October 21, 2004

H+BEDV

AntiVir DOS 6.28.00.03, AntiVir Windows Server NT/2000/2003 6.28.01.03, AntiVir Windows Workstation 6.28.00.01

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

H+BEDV AntiVir Fails to Scan Files Named With MS DOS Device Names
High
SecurityTracker Alert ID, 1011842, October 21, 2004

Hummingbird

Hummingbird Connectivity 7.1 and 9.0

Two vulnerabilities have been reported which can be exploited to gain escalated privileges or cause a Denial of Service. The Inetd32 administration tool makes it possible for malicious local users to configure services, including changing the executables that are run when a connection is received. A boundary error in the FTP service when handling "XCWD" FTP commands can be exploited by malicious users to crash the service by passing an overly long directory name.

The vendor has issued patches: http://connectivity.hummingbird.com/support/nc/request.html

We are not aware of any exploits for this vulnerability.

Hummingbird Connectivity Vulnerabilities
Medium
NISCC Vulnerability Advisory 841713/Hummingbird, October 26, 2004

LANDesk Software

LANDesk 8

A vulnerability exists that could allow a remote malicious user to connect to the remote desktop port (port 3389) on a target system that is being managed by LANDesk to cause the target system to crash and reboot.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

LANDesk Error Permits Remote Users to Cause a Denial of Service
Low
SecurityTracker Alert ID: 1011787, October 19, 2004

Mavel d.o.o. Software Company

ShixxNote 6.net

A buffer overflow vulnerability exists that could permit a remote malicious user to execute arbitrary code on the target system. It is reported that a remote user can supply a specially crafted value for the field that specifies the font.

No workaround or patch available at time of publishing.

Exploit script has been published.

Mavel ShixxNote 6.net Buffer Overflow in Font Field
High

SecurityTracker Alert ID, 1011672, October 14, 2004

PacketStorm, October 23, 2004

Microsoft

Internet Explorer 6

Two vulnerabilities exist in Internet Explorer, which can be exploited by malicious users to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2. The two vulnerabilities, in combination with actions in the ActiveX Data Object (ADO) model that can write arbitrary files, can be exploited to compromise a user's system.

Microsoft advises customers who have applied the latest Internet Explorer update, MS04-038, to set the "Drag and Drop or copy and paste files" option in the Internet and Intranet zone to "Disable" or "Prompt." No patch is currently available.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer Two Vulnerabilities

CVE Names:
CAN-2004-0979
CAN-2004-0727

High

Secunia Advisory ID: SA12889, October 20, 2004

US-CERT Vulnerability Note #630720, October 22, 2004

US-CERT Vulnerability Note #207264, October 19, 2004

Microsoft

Outlook

A vulnerability was reported in Microsoft Outlook. The e-mail client may display images even when configured to view messages in plain text.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Outlook May Display Images in Plaintext Only Mode
Low
SecurityTracker Alert ID, 1011890, October 22, 2004

Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Server, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Exchange 2000 Server, Exchange Server 2003

A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) component of the affected operating systems, which could let a remote malicious user execute arbitrary code. This vulnerability could potentially affect systems that do not use NNTP.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx

We are not aware of any exploits for this vulnerability.

Microsoft NNTP Remote Code Execution

CVE Name: CAN-2004-0574

High

Microsoft Security Bulletin MS04-036, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#203126, October 22, 2004

Microsoft

Windows XP Explorer SP1

A vulnerability was reported in Microsoft Windows XP Explorer in the processing of WAV files. A remote malicious user can create a WAV file that, when loaded by the target user, will consume all available CPU resources on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Windows XP Error in Explorer in Processing WAV Files
Low
SecurityFocus, Bugtraq ID 11503, October 22, 2004

Microsoft

Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Internet Information Services 5.0, Internet Information Services 5.1, Internet Information Services 6.0;

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0,
S3400 Message Application Server,
S8100 Media Servers

A Denial of Service vulnerability exists that could allow a malicious user who sends a specially crafted WebDAV request to a server running IIS and WebDAV to cause WebDAV to consume all available memory and CPU time on the affected server. The IIS service would have to be restarted to restore functionality.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-030.mspx

An exploit script has been published.

Microsoft WebDav XML Message Handler Denial of Service

CVE Name:
CAN-2004-0718

Low

Microsoft Security Bulletin MS04-030, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

SecurityFocus, October 20, 2004

Microsoft

Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Exchange Server 2003;

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0,
S3400 Message Application Server,
S8100 Media Servers

A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. A malicious user could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-035.mspx

We are not aware of any exploits for this vulnerability.

Microsoft SMTP Remote Code Execution

CVE Name:
CAN-2004-0840

High

Microsoft Security Bulletin MS04-035, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#394792, October 15, 2004

SecurityFocus, October 20, 2004

Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows ME

Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, 2.0, Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Multiple vulnerabilities are corrected with Microsoft Security Update MS04-032. These vulnerabilities include: Window Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, Windows Kernel Vulnerability. These vulnerabilities could permit elevation of privilege, remote code execution, and Denial of Service.

A vulnerability exists in the Windows SetWindowLong and SetWindowLongPtr API function calls. In some cases this can be exploited to gain execution control.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx

Avaya: Customers are advised to follow Microsoft's guidance for applying patches. The Avaya advisory is located at:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Exploit script has been published.

Microsoft Windows Security Update

CVE Name:
CAN-2004-0207

CAN-2004-0208
CAN-2004-0209
CAN-2004-0211

High

Microsoft Security Bulletin MS04-032, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Notes, VU#910998, VU#218526, VU#806278, October 13, 2004, VU#119262, October 15, 2004

SecurityFocus Bugtraq ID: 11369, October 18, 2004

SecurityFocus Bugtraq ID: 11365, October 18, 2004

Microsoft

Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Server, Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows Server 2003 Datacenter Edition, Windows 98, Windows 98 SE, Windows ME

A Shell vulnerability and Program Group vulnerability exists in Microsoft Windows. These vulnerabilities could allow remote code execution.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-037.mspx

Bulletin updated to reduce the scope of a documented workaround to only support Windows XP, Windows XP Service Pack 1, and Windows Server 2003.

We are not aware of any exploits for these vulnerabilities.

Microsoft Windows Shell Remote Code Execution

CVE Names:
CAN-2004-0214

CAN-2004-0572

High

Microsoft Security Bulletin MS04-037 v1.1, October 25, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#543864, October 15, 2004

Microsoft

Windows XP Home Edition, XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition

Avaya DefinityOne Media Servers; IP600 Media Servers; Modular Messaging (MSS) 1.1, 2.0; S3400 Message Application Server; S8100 Media Servers

A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. A malicious user could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious web site.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-034.mspx

We are not aware of any exploits for this vulnerability.

Avaya customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Microsoft Compressed (zipped) Folders Remote Code Execution

CVE Name:
CAN-2004-0575

High

Microsoft Security Bulletin MS04-034, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#649374, October 14, 2004

SecurityFocus, Bugtraq ID 11382, October 18, 2004

Mozilla.org

Mozilla Firefox

When attempting to render a large binary file as HTML, the browser will consume all available memory on the target system and hang. Files larger than 5 MB will trigger the flaw. A remote user can cause a Denial of Service.

No workaround or patch available at time of publishing.

We are not aware of any exploits for this vulnerability.

Mozilla Firefox Browser Denial of Service
Low
SecurityTracker Alert ID, 1011917, October 25, 2004

Multiple Browser Vendors

Maxthon (MyIE2) 1.1.039

Avant Browser 9.02 build 101 and 10.0 build 029

stilesoft Netcaptor 7.5.2

Flashpeak Slim Browser 4.x

Two vulnerabilities exist which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes. Inactive tabs can launch dialog boxes so they appear to be displayed by a web site in another tab and inactive tabs can gain focus from form fields on web sites in another tab. Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new tab.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Multiple Vendors Tabbed Browsing Vulnerabilities
Medium

Secunia Advisory ID: SA12731, October 20, 2004

Secunia Advisory ID: SA12717, October 20, 2004

Secunia Advisory ID: SA12966, October 25, 2004

Secunia Advisory ID: SA12983, October 26, 2004

Multiple Vendors

Altnet ADM;
Grokster Grokster 1.3, 1.3.3, 2.6; KaZaA KaZaA Media Desktop 1.3-1.3.2, 1.6.1, 2.0, 2.0.2, 2.6.4

A buffer overflow vulnerability exists in Altnet Download Manager in the 'IsValidFile()' method, which could let a remote malicious user execute arbitrary code.

Upgrade available at: http://www.altnet.com/install/upgrade.asp

A Proof of Concept exploit has been published.

Altnet ADM ActiveX Control Remote Buffer Overflow
High

SecurityFocus, September 3, 2004

SecurityFocus, October 22, 2004

Nortel

Nortel Contivity Multi-OS VPN Client 4.91

A vulnerability exists in Nortel Contivity VPN Client, potentially allowing malicious users to open a VPN tunnel to the client. When the Contivity VPN Client establishes a connection to a gateway, the gateway certificate is not checked before the user answers a dialog box. While the dialog box is displayed to the user, the VPN tunnel remains open, allowing the gateway network access to the client system.

There is no solution at this time. Reportedly, this will be fixed in version 5.1.

We are not aware of any exploits for this vulnerability.

Nortel Contivity VPN Client Open Tunnel Certificate Verification Issue
Medium
Secunia Advisory ID, SA12881, October 20, 2004

Novell

Novell ZENworks for Desktops 4.0.1

A vulnerability has been reported in Novell ZENworks for Desktops, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to the Remote Management Agent invoking the ZENworks Remote Control Help functionality with SYSTEM privileges. This can be exploited to execute arbitrary programs with escalated privileges.

The vulnerability has been fixed in version 4 SP1b/4.0.1 Interim Release 5: http://support.novell.com/servlet/filedownload/sec/pub/zfd401_ir5.exe

We are not aware of any exploits for this vulnerability.

Novell ZENworks for Desktops Privilege Escalation
High
Novell Technical Information Documents TID10095153, October 25, 2004 and TID2969662, October 26, 2004

Proland Software

Protector Plus

A vulnerability exists that could permit a remote malicious user to create a file that will not be detected by the application. A file or directory name that contains certain character strings related to MS-DOS device names (e.g., COM1, LPT1, AUX, CON, PRN) will not be scanned by the anti-virus system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Proland Protector Plus MS-DOS Device Name Scan Failure
High
SecurityTracker Alert ID, 1011844, October 21, 2004
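
Added illustration for the entry above (example code written for this bulletin, not Proland's or any scanner's own code): Windows resolves a reserved MS-DOS device name in the final path component regardless of directory, case or extension, so a scanner or upload handler that only matches the literal names in its skip list will treat "con.txt" or "C:\scan\AUX.log" as ordinary files while the operating system does not. The function below recognises such names so they can be handled explicitly rather than silently skipped; the function name is hypothetical and the paths in main() are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names that Windows maps to devices regardless of directory or extension. */
static const char *const dos_device_names[] = {
    "CON", "PRN", "AUX", "NUL", "CLOCK$",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Case-insensitive compare of a length-bounded stem against a device name. */
static int stem_equals(const char *stem, size_t len, const char *name)
{
    if (strlen(name) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (toupper((unsigned char)stem[i]) != (unsigned char)name[i])
            return 0;
    return 1;
}

/* Returns 1 if the last path component of `path`, with its extension and any
 * trailing spaces removed, is a reserved MS-DOS device name; 0 otherwise.
 * Both '\\' and '/' are accepted as separators so the check also works on
 * paths that were produced on a Unix host. */
int is_dos_device_name(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;

    /* The stem is everything before the first '.', e.g. "CON" in "CON.txt". */
    size_t len = strcspn(base, ".");
    /* Windows also ignores trailing spaces in the stem ("CON " is still CON). */
    while (len > 0 && base[len - 1] == ' ')
        len--;
    if (len == 0)
        return 0;

    for (size_t i = 0; i < sizeof dos_device_names / sizeof dos_device_names[0]; i++)
        if (stem_equals(base, len, dos_device_names[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths; none of these come from the advisory. */
    const char *samples[] = { "C:\\scan\\AUX.log", "con.txt", "/srv/upload/lpt1",
                              "COM10", "control.exe", "report.doc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               is_dos_device_name(samples[i]) ? "RESERVED DEVICE NAME" : "ok");
    return 0;
}
```

Note that "COM10" and "control.exe" are not reserved: only COM1-COM9 and LPT1-LPT9 are, and the match is on the whole stem, not a prefix.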

Vypress

Vypress Tonecast version 1.3 and prior

A vulnerability exists due to the software not properly processing malformed media streams. A remote malicious user can send specially crafted data to a target system or to all systems on a subnet to cause the application to crash.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vypress Tonecast Denial of Service
Low
SecurityTracker Alert ID, 1011784, October 19, 2004

XPA Systems

pGina 1.7.6

A configuration vulnerability in pGina could permit a remote malicious user to cause Denial of Service conditions. When the administrator does not disable the "Restart" or "Shutdown" options from the login screen, then a remote user connecting via Remote Desktop can cause the system to reboot or shutdown.

Solution: The administrator should disable the shutdown and restart options via the pGina configuration utility.

A Proof of Concept exploit has been published.

XPA Systems pGina Default Configuration Remote Denial of Service
Low
SecurityTracker Alert ID, 1011896, October 22, 2004


UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source

Aladdin Enterprises

Ghostscript 4.3, 4.3.2, 5.10 cl, 5.10.10 -1 mdk, 5.10.10 -1, 5.10.10 mdk, 5.10.10, 5.10.12 cl, 5.10.15, 5.10.16, 5.50, 5.50.8 _7, 5.50.8, 6.51, 6.52, 6.53, 7.0 4-7.07

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-18.xml

There is no exploit code required.

GhostScript Insecure Temporary File Creation

CVE Name:
CAN-2004-0967

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-18, October 20, 2004

Apache Software Foundation

Apache 2.0.35-2.0.52

A vulnerability exists when the 'SSLCipherSuite' directive is used in a directory or location context to require a restricted set of cipher suites, which could let a remote malicious user bypass security policies and obtain sensitive information.

OpenPKG: ftp://ftp.openpkg.org/release/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-21.xml

Slackware: ftp://ftp.slackware.com/pub/slackware/

There is no exploit code required.

Apache mod_ssl SSLCipherSuite Access Validation

CVE Name:
CAN-2004-0885

Medium

OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-21, October 22, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7 -dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High
SecurityFocus, October 20, 2004

Apple

Safari 1.2.3

A cross-domain vulnerability exists when multiple windows are open, which could let a remote malicious user spoof web page functions.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Apple Safari Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12892, October 20, 2004

Concurrent Versions System (CVS) 1.11

A vulnerability exists in Concurrent Versions System (CVS) which a malicious user can exploit to determine the existence and permissions of arbitrary files and directories. The problem is caused by an undocumented switch to the "history" command implemented in "src/history.c". Using the "-X" switch and supplying an arbitrary filename, CVS will try to access the specified file and return different information depending on whether the file exists and can be accessed.

Upgrade to version 1.11.17 or 1.12.9 available at: https://www.cvshome.org/

FreeBSD: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

A Proof of Concept exploit has been published.

CVS Undocumented Flag Information Disclosure

CVE Name:
CAN-2004-0778

Low

iDEFENSE Security Advisory 08.16.04

FreeBSD Security Advisory, FreeBSD-SA-04:14, September 20, 2004

Fedora Legacy Update Advisory, FLSA:1735, October 7, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004, October 20, 2004

cPanel, Inc.

cPanel 9.4.1-RELEASE-64; 9.9.1-RELEASE-3

Several vulnerabilities exist: a vulnerability exists in the backup feature, which could let a remote authenticated malicious user obtain sensitive information; a vulnerability exists when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change ownership of critical files; and a vulnerability exists in the '_private' directory when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change permissions on any file on the target system to 0755.

The vendor has released fixes dealing with this issue. Users are advised to update to the latest Edge or Current version of cPanel. This update can be uploaded from WHM under 'Update to Latest Version' if the update preferences are set to 'Edge' or 'Current'.

Proofs of Concept exploits have been published.

cPanel Backup & FrontPage Management Remote Arbitrary File Modifications

Medium/High

(High if root access can be obtained)

SecurityTracker Alert ID, 1011762, October 18, 2004

SecurityFocus, October 20, 2004

cPanel, Inc.

cPanel 9.4.1-STABLE 65

A vulnerability exists in the webmail feature because the login does not validate all characters of the supplied password (the password is effectively truncated before comparison), which reduces the search space and could let a remote malicious user brute force webmail account passwords.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

cPanel Truncated Password Brute Force
Medium
Secunia Advisory, SA12943, October 22, 2004

dadaIMC

dadaimc 0.95-0.98.2

A vulnerability exists due to insufficient sanitization of user-supplied input before it is included in dynamically generated web page content, which could let a remote malicious user inject arbitrary HTML code.

No workaround or patch available at time of publishing.

There is no exploit code required.

dadaIMC HTML Injection
High

SecurityFocus, October 18, 2004

Debian

telnetd 0.17 -25, 0.17 -18

A vulnerability exists due to a failure to ensure that memory buffers are properly allocated and deallocated, which could let a malicious user cause a Denial of Service or potentially execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/n/netkit-telnet/

Debian: http://security.debian.org/pool/updates/main/n/netkit-telnet-ssl

We are not aware of any exploits for this vulnerability.

Debian GNU/Linux Telnetd Invalid Memory Handling

CVE Name:
CAN-2004-0911

Low/High

(High if arbitrary code can be executed)

Debian Security Advisory, DSA 556-1, October 3, 2004

Debian Security Advisory DSA 569-1, October 18, 2004

Gaim

  Gentoo

Several remotely exploitable buffer overflow vulnerabilities exist in the MSN protocol parsing functions, which could let a remote malicious user execute arbitrary code on the target system.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml

SuSE: http://www.suse.de/de/security/2004_25_gaim.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Rob Flynn: http://sourceforge.net/project/showfiles.php?group_id=235&package_id=253&release_id=263425

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-0.82-i486-1.tgz

Fedora Legacy: http://download.fedoralegacy.org/redhat/

We are not aware of any exploits for this vulnerability.

Gaim Buffer Overflows in Processing MSN Protocol

CVE Name:
CAN-2004-0500

High

SecurityTracker, 1010872, August 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:081, August 13, 2004

Slackware Security Advisory, SSA:2004-239-01, August 26, 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Gerhard Rieger

socat 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.0.0-1.4.0.2

A format string vulnerability exists in the 'void _msg()' function in 'error.c' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.

Socat:
http://www.dest-unreach.org/socat/download/socat-1.4.0.3.tar.gz

Gentoo: http://security.gentoo.org/glsa/glsa-200410-26.xml

An exploit script has been published.

Gerhard Rieger Socat Remote Format String
High

socat Security Advisory 1, October 22, 2004

Gentoo Linux Security Advisory, GLSA 200410-26, October 25, 2004
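
Added example of the bug class in the socat entry above (example code written for this bulletin, not socat's own '_msg()' routine): a printf-style message function is safe as long as the format argument is a literal chosen by the program, and becomes a format string vulnerability the moment text received from the peer is passed in that position. The names `log_msg`, `report_peer_vulnerable`, `report_peer_fixed` and `count_conversions` are hypothetical, and the peer text in main() is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A printf-style message routine like those found in many daemons: the
 * caller decides what the format string is. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: peer-controlled text is passed as the format string. If the
 * peer sends "%x%x%n", vsnprintf walks the (absent) varargs, leaking stack
 * words and writing through %n. Called below only with text containing no
 * '%', which is the one case in which its behaviour is defined. */
int report_peer_vulnerable(char *out, size_t outlen, const char *peer_text)
{
    return log_msg(out, outlen, peer_text);
}

/* FIXED: the format is a literal; the peer text is consumed by %s and any
 * '%' in it is copied verbatim instead of being interpreted. */
int report_peer_fixed(char *out, size_t outlen, const char *peer_text)
{
    return log_msg(out, outlen, "peer said: %s", peer_text);
}

/* Detection aid: count conversion specifications in untrusted text ("%%" is
 * an escaped percent, not a conversion). A nonzero result for data that is
 * about to be used as a format string is exactly the condition to alert on. */
int count_conversions(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i]; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {
            i++;                 /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    /* Constructed sample of what a hostile peer might send. */
    const char *hostile = "%x%x%x%n";

    report_peer_fixed(buf, sizeof buf, hostile);
    printf("fixed:   %s (%d conversions present in input)\n",
           buf, count_conversions(hostile));

    report_peer_vulnerable(buf, sizeof buf, "hello");   /* benign input only */
    printf("vulnerable, benign input: %s\n", buf);
    return 0;
}
```

The fix is the call site, not the helper: `log_msg()` itself is fine, and the same "%s" discipline applies to syslog(), fprintf() and any other function whose first string argument is a format.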

GNU

glibc 2.0-2.0.6, 2.1, 2.1.1 -6, 2.1.1, 2.1.2, 2.1.3 -10, 2.1.3, 2.1.9 & greater, 2.2-2.2.5, 2.3-2.3.4, 2.3.10

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-19.xml

There is no exploit code required.

GNU glibc Insecure Temporary File Creation

CVE Name:
CAN-2004-0968

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-19, October 21, 2004
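
The Ghostscript and glibc entries above describe the same class of bug: a temporary file created under a predictable name, without O_EXCL, can be redirected by a local attacker who pre-plants a symbolic link at that name, so the program's write lands on a file of the attacker's choosing. The added example below (written for this bulletin; not Ghostscript's, glibc's or any distribution's code) reproduces the attack in a private directory and contrasts it with O_CREAT|O_EXCL and mkstemp(). It assumes a POSIX system with a writable /tmp; `run_demo`, the file names and the file contents are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* INSECURE: fixed, predictable name and no O_EXCL. open() follows a symlink
 * planted at `path` and truncates whatever it points to. */
int create_temp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* SECURE: mkstemp() replaces the XXXXXX with an unpredictable suffix and
 * opens with O_CREAT|O_EXCL and mode 0600 in one step, so a pre-planted
 * link or file makes it try another name instead of being followed. */
int create_temp_secure(char *template)
{
    return mkstemp(template);
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

static int file_has_text(const char *path, const char *text)
{
    char buf[64] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(text) && memcmp(buf, text, n) == 0;
}

/* Plays the attack in a fresh directory. Sets *clobbered if the insecure
 * open overwrote the victim through the symlink, *excl_refused if O_EXCL
 * rejected the planted link, *secure_ok if mkstemp produced a 0600 file.
 * Returns 0 on success, -1 if the scenario could not be set up. */
int run_demo(int *clobbered, int *excl_refused, int *secure_ok)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;

    char victim[256], planted[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/app.tmp", dir);   /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

    /* The file the attacker wants overwritten, then the attacker's link. */
    if (write_text(victim, "important data\n") != 0) return -1;
    if (symlink(victim, planted) != 0) return -1;

    /* 1. Insecure creation follows the link: victim.txt is truncated and overwritten. */
    int fd = create_temp_insecure(planted);
    if (fd >= 0) {
        ssize_t w = write(fd, "scratch\n", 8);
        (void)w;
        close(fd);
    }
    *clobbered = file_has_text(victim, "scratch\n");

    /* 2. O_CREAT|O_EXCL refuses: the path already exists (as a link), so
     *    open() fails with EEXIST without ever following it. */
    errno = 0;
    fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    *excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    /* 3. mkstemp: unpredictable name, exclusive create, private mode. */
    struct stat st;
    fd = create_temp_secure(tmpl);
    *secure_ok = (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int clobbered = 0, excl_refused = 0, secure_ok = 0;
    if (run_demo(&clobbered, &excl_refused, &secure_ok) != 0) {
        perror("setup");
        return 1;
    }
    printf("insecure open overwrote victim: %s\n", clobbered ? "yes" : "no");
    printf("O_EXCL refused planted link:    %s\n", excl_refused ? "yes" : "no");
    printf("mkstemp gave private 0600 file: %s\n", secure_ok ? "yes" : "no");
    return 0;
}
```

In a real program the victim would be a file the attacker cannot write directly (for example one owned by the user running Ghostscript, or by root when a privileged process uses the library); the demonstration only needs a writable directory to show the mechanism.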

Heiko Stamer

OpenSkat 1.1-1.9

Several security issues related to the non-interactive zero knowledge protocols exist. The impact was not specified.

Upgrades available at:
http://freshmeat.net/redir/openskat/36295/url_tgz/openSkat-2.0.tar.gz

We are not aware of any exploits for this vulnerability.

Heiko Stamer openSkat Game Unspecified Security Issues
Not Specified
SecurityTracker Alert ID, 1011805, October 20, 2004

Hewlett Packard Company

Cluster Object Manager B.03.00.01, B.03.00.00, B.02.02.02, B.02.02.00, B.02.01.02, B.01.04, A.01.03, Serviceguard A.11.16.00, A.11.15.00, A.11.14, A.11.13, Serviceguard for Linux A.11.15.04, A.11.14.04

A vulnerability exists which could let a remote malicious user obtain root privileges.

Patches available at: http://itrc.hp.com

We are not aware of any exploits for this vulnerability.

HP ServiceGuard & Cluster Object Manager Remote Root Access
High
HP Security Bulletin, HPSBUX01080, October 22, 2004

Hewlett Packard Company

HP-UX B.11.23, B.11.22, B.11.11, B.11.00

A vulnerability exists in 'stmkfont' due to the way paths to external executables are handled, which could let a malicious user execute arbitrary code.

Patches available at: http://itrc.hp.com/

There is no exploit code required.

HP-UX 'STMKFONT' External Executables

CVE Name:
CAN-2004-0965

High
HP Security Bulletin, HPSBUX01088, October 20, 2004

Hewlett Packard Company

Tru64 4.0G PK4, 4.0F PK8, 5.1B-2 PK4 (BL25), 5.1B-1 PK3 (BL24), 5.1A PK6

A file permissions vulnerability and a buffer overflow vulnerability exist in the X Window System, which could let a malicious user obtain elevated privileges.

Patches available at:
http://www.itrc.hp.com/service/patch/

We are not aware of any exploits for this vulnerability.

HP Tru64 X Window System Elevated Privileges

Medium
HP Security Bulletin, HPSBTU01084, October 18, 2004

KDE.org

Konqueror 3.2.2 -6

A cross-domain dialog vulnerability exists because inactive tabs can launch dialog boxes so they appear to be displayed by a web site in another tab, which could let a remote malicious user spoof an interface of a trusted web site.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Konqueror Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory, SA12706, October 20, 2004

libtiff.org

LibTIFF 3.6.1

Several vulnerabilities exist: a buffer overflow vulnerability exists in the handling of a specially crafted image file, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and buffer overflow vulnerabilities exist in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

SuSE: ftp://ftp.suse.com/pub/suse/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-577.html

Proofs of Concept exploits have been published.

LibTIFF Buffer Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be executed)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification, FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

mpg123.de

mpg123 pre0.59s, 0.59r

A buffer overflow vulnerability exists in the 'getauthfromURL()' function due to a boundary error, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

MPG123 Remote URL Open Buffer Overflow
High
Securiteam, October 21, 2004

Multiple Vendors

FileZilla Server 0.7, 0.7.1; OpenBSD -current, 3.5;
OpenPKG Current, 2.0, 2.1;
zlib 1.2.1

A remote Denial of Service vulnerability exists in the decompression process due to a failure to handle malformed input.

Gentoo: http://security.gentoo.org/glsa/glsa-200408-26.xml

FileZilla: http://sourceforge.net/project/showfiles.php?group_id=21558

OpenBSD: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch

OpenPKG: ftp://ftp.openpkg.org/

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

SuSE: ftp://ftp.suse.com/pub/suse/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Conectiva: ftp://atualizacoes.conectiva.com.br/

SCO: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.17

We are not aware of any exploits for this vulnerability.

Zlib Compression Library Remote Denial of Service

CVE Name:
CAN-2004-0797

Low

SecurityFocus, August 25, 2004

SUSE Security Announcement, SUSE-SA:2004:029, September 2, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:090, September 8, 2004

Conectiva Linux Security Announcement, CLA-2004:865, September 13, 2004

US-CERT Vulnerability Note VU#238678, October 1, 2004

SCO Security Advisory, SCOSA-2004.17, October 19, 2004

Multiple Vendors

Gaim version 0.75 & prior

Multiple buffer overflow vulnerabilities exist due to boundary errors in the YMSG protocol handler, the oscar protocol handler, various utility functions, and the HTTP proxy connection handling, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://prdownloads.sourceforge.net/ultramagnetic/ultramagnetic-0.81.tar.bz2?download

Debian:
http://security.debian.org/pool/updates/main/g/gaim/

Mandrake: http://www.mandrakesecure.net/en/advisories/

RedHat: ftp://updates.redhat.com/

Slackware: ftp://ftp.slackware.com/pub/slackware/

SuSE: ftp://ftp.suse.com/pub/suse/i386/update/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

SGI:
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

Fedora Legacy: http://download.fedoralegacy.org/redhat/

We are not aware of any exploits for this vulnerability.

Gaim Remote Buffer Overflows

CVE Names:
CAN-2004-0005
CAN-2004-0006
CAN-2004-0007
CAN-2004-0008

High

Red Hat Security Advisory, RHSA-2004:032-01, January 26, 2004

Slackware Security Advisory, SSA:2004-026-01, January 27, 2004

SuSE Security Announcement, SuSE-SA:2004:004, January 29, 2004

Mandrake Linux Security Update Advisory, MDKSA-2004:006-1, January 30, 2004

Debian Security Advisory, DSA 434-1, February 5, 2004

Conectiva Linux Security Announcement, CLA-2004:813, February 10, 2004

SGI Security Advisory, 20040201-01-U, February 11, 2004

Fedora Update Notification, FEDORA-2004-070, February 16, 2004

US-CERT Vulnerability Notes, VU#197142, VU#779614, VU#444158, VU#871838, VU#527142, VU#297198, VU#371382, VU#503030, VU#190366, VU#226974, VU#655974, VU#404470, May 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Multiple Vendors

Apple Mac OS X 10.2-10.2.8, 10.3-10.3.5, OS X Server 10.2-10.2.8, 10.3-10.3.5; Easy Software Products CUPS 1.0.4-8, 1.0.4, 1.1.1, 1.1.4-5, 1.1.4-3, 1.1.4-2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.21

A vulnerability exists in 'error_log' when certain methods of remote printing are carried out by an authenticated malicious user, which could disclose user passwords.

Update available at: http://www.cups.org/software.php

Apple:
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04829&platform=osx&method=sa/SecUpd2004-09-30Jag.dmg

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=04830&platform=osx&method=sa/SecUpd2004-09-30Pan.dmg

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-06.xml

Debian: http://security.debian.org/pool/updates/main/c/cupsys/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

RedHat: http://rhn.redhat.com/errata/RHSA-2004-543.html

There is no exploit code required.

CUPS Error_Log Password Disclosure

CVE Name:
CAN-2004-0923

Medium

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Fedora Update Notification,
FEDORA-2004-331, October 5, 2004

Gentoo Linux Security Advisory, GLSA 200410-06, October 9, 2004

Debian Security Advisory, DSA 566-1, October 14, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:116, October 21, 2004

RedHat Security Advisory, RHSA-2004:543-15, October 22, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Ecartis 0.129a, 1.0.0 snapshot 20030417, 20030416, 20030404, 20030318, 20030312, 20030309, 20030303, 20030227, 20021013, 20020514, 20020427, 20020125, 20020121

A vulnerability exists in 'src/modules/lsg2/lsg2-main.c,' which could let a remote malicious user obtain administrator privileges and modify list settings.

Debian: http://security.debian.org/pool/updates/main/e/ecartis/

We are not aware of any exploits for this vulnerability.

Ecartis Remote Administrator Privileges

CVE Name:
CAN-2004-0913

High
Debian Security Advisory, DSA 572-1, October 21, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Easy Software Products CUPS 1.0.4-8, 1.0.4, 1.1.1, 1.1.4-5, 1.1.4-3, 1.1.4-2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.20;
Gentoo Linux;
GNOME GPdf 0.112;
KDE KDE 3.2-3.2.3, 3.3, 3.3.1, kpdf 3.2;
RedHat Fedora Core 2;
Ubuntu 4.1 ppc, ia64, ia32; Xpdf 0.90-0.93, 1.0, 1.00a, 1.0.1, 2.0, 2.01, 2.03, 3.0

Several integer overflow vulnerabilities exist in 'pdftops/Catalog.cc' and 'pdftops/XRef.cc,' which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/c/cupsys/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-20.xml

KDE:
ftp://ftp.kde.org/pub/kde/security_patches/post-3.3.1-kdegraphics.diff

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/

We are not aware of any exploits for this vulnerability.

Xpdf PDFTOPS Multiple Integer Overflows

CVE Names:
CAN-2004-0888
CAN-2004-0889

High
SecurityTracker Alert ID, 1011865, October 21, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; libpng 1.0, 1.0.5-1.0.17, libpng3 1.2.0-1.2.6; SuSE Linux 9.; Ubuntu 4.1 ppc, 4.1 ia64, 4.1 ia32

A buffer overflow vulnerability exists in the processing of images with excessive height, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/libp/libpng/

SuSE:
ftp://ftp.suse.com/pub/suse/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/

We are not aware of any exploits for this vulnerability.

LibPNG Graphics Library Image Height Buffer Overflow

CVE Name:
CAN-2004-0955

High

Debian Security Advisories, DSA 570-1 & 571-1, October 20, 2004

SuSE Security Announcement, SUSE-SA:2004:037, October 20, 2004

Ubuntu Security Notice 1-1, October 22, 2004
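
Added example for the Xpdf and libpng entries above (example code written for this bulletin; not Xpdf's, libpng's or any vendor's code). Both are allocation-size arithmetic bugs: an element count or image dimension read from the file is multiplied by an element size, the product wraps, the allocator hands back a block far smaller than the later loop assumes, and the writes run off its end. The helpers below show the wrap in 32-bit arithmetic and the overflow-checked replacement with a policy cap on image size; all function names are hypothetical and the dimensions in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The bug, frozen in 32-bit arithmetic so it shows on any host: a count
 * taken from the file times an element size wraps to a tiny number, and
 * malloc() of that tiny number succeeds. */
uint32_t naive_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;            /* 0x40000001 * 4 == 4 */
}

/* Overflow-checked multiply: returns 0 and stores the product if it fits in
 * size_t, 1 if it would wrap. */
int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Drop-in for "malloc(count * elem_size)" that refuses wrapped sizes. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (mul_overflows(count, elem_size, &bytes) || bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

/* Image buffer sizing: width * bytes_per_pixel per row, times height,
 * checked at each step and capped by a policy limit so a header claiming an
 * enormous height can force neither a wrap nor a giant allocation.
 * Returns 0 and stores the size, or -1 if the dimensions are rejected. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                      size_t max_bytes, size_t *out)
{
    size_t row_bytes, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    if (mul_overflows(width, bytes_per_pixel, &row_bytes))
        return -1;
    if (mul_overflows(row_bytes, height, &total))
        return -1;
    if (total > max_bytes)
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    size_t n;
    /* Constructed header values: a sane image and a hostile one. */
    printf("naive 32-bit: 0x40000001 * 4 = %u bytes\n",
           (unsigned)naive_bytes32(0x40000001u, 4));
    if (image_buffer_size(640, 480, 3, 64u << 20, &n) == 0)
        printf("640x480x3 -> %zu bytes\n", n);
    if (image_buffer_size(0xFFFFFFFFu, 0xFFFFFFFFu, 4, 64u << 20, &n) != 0)
        printf("hostile dimensions rejected\n");
    void *p = alloc_array_checked(SIZE_MAX / 2 + 1, 2);
    printf("wrapping array allocation: %s\n", p ? "allocated (bug)" : "refused");
    free(p);
    return 0;
}
```

The cap matters as much as the overflow check: a 64-bit build will not wrap on 0xFFFFFFFF * 4, but it will happily try to allocate 16 GiB for a file that is a few hundred bytes long.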

Multiple Vendors

Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1;
ImageMagick 5.4.3, 5.4.4.5, 5.4.8.2-1.1.0, 5.5.3.2-1.2.0, 5.5.6.0-2003040, 5.5.7, 6.0.2;
Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Imlib: http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/

ImageMagick: http://www.imagemagick.org/www/download.html

Gentoo: http://security.gentoo.org/glsa/glsa-200409-12.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Debian: http://security.debian.org/pool/updates/main/i/imagemagick/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-465.html

SuSE:ftp://ftp.suse.com/pub/suse/

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57648-1&searchclause=

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57645-1&searchclause=

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-480.html

We are not aware of any exploits for this vulnerability.

IMLib/IMLib2 Multiple BMP Image Decoding Buffer Overflows

CVE Names:
CAN-2004-0817
CAN-2004-0802

Low/High

(High if arbitrary code can be executed)

SecurityFocus, September 1, 2004

Gentoo Linux Security Advisory, GLSA 200409-12, September 8, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:089, September 8, 2004

Fedora Update Notifications,
FEDORA-2004-300 &301, September 9, 2004

Turbolinux Security Advisory, TLSA-2004-27, September 15, 2004

RedHat Security Advisory, RHSA-2004:465-08, September 15, 2004

Debian Security Advisories, DSA 547-1 & 548-1, September 16, 2004

Conectiva Linux Security Announcement, CLA-2004:870, September 28, 2004

Sun(sm) Alert Notifications, 57645 & 57648, September 20, 2004

Turbolinux Security Announcement, October 5, 2004

RedHat Security Update, RHSA-2004:480-05, October 20, 2004

Multiple Vendors

FreeBSD 4.8-4.10, 5.1, 5.2, 5.2.1-RELEASE;
Thomas Graf bmon 1.2.1

A vulnerability exists in bmon, which the affected packages install setuid, which could let a local malicious user execute arbitrary code with elevated privileges.

FreeBSD has updated their port system to remove the setuid bit from the bmon package. Users of affected packages should upgrade to version 1.2.1_2 or greater of the port.

A Proof of Concept exploit script has been published.

BMON Arbitrary Code Execution

High
Securiteam October 17, 2004

Multiple Vendors

Gentoo Linux 1.4;
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1;
Trolltech Qt 3.0, 3.0.5, 3.1, 3.1.1, 3.1.2, 3.2.1, 3.2.3, 3.3.0, 3.3.1, 3.3.2; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'read_dib()' function when handling 8-bit RLE encoded BMP files, which could let a malicious user execute arbitrary code; and buffer overflow vulnerabilities exist in the XPM, GIF, and JPEG image file handlers, which could let a remote malicious user execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/q/qt-copy/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-20.xml

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/qt-3.1.2-i486-4.tgz

SuSE: ftp://ftp.suse.com/pub/suse/i386/update

Trolltech Upgrade: http://www.trolltech.com/download/index.html

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57637-1&searchclause=security

Conectiva: ftp://atualizacoes.conectiva.com.br/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-478.html
http://rhn.redhat.com/errata/RHSA-2004-479.html

SuSE: ftp://ftp.suse.com/pub/suse/

Avaya: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203389&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

A Proof of Concept exploit has been published.

QT Image File Buffer Overflows

CVE Names:
CAN-2004-0691
CAN-2004-0692
CAN-2004-0693

High

Secunia Advisory, SA12325, August 10, 2004

Sun Alert ID: 57637, September 3, 2004

Conectiva Linux Security Announcement, CLA-2004:866, September 22, 2004

RedHat Security Advisories, RHSA-2004:478-13 & RHSA-2004:479-05, October 4 & 6, 2004

SUSE Security Announcement, SUSE-SA:2004:035, October 5, 2004

SecurityFocus, October 18, 2004
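
Added example for the run-length decoding overflows in the LibTIFF and QT entries above (example code written for this bulletin; not libtiff's, Qt's or Imlib's code). The bugs share one shape: the decoder trusts the run length in the stream and writes that many bytes into an output buffer that was sized from the image header. The illustrative codec is PackBits (a signed control byte: 0..127 means copy the next n+1 literal bytes, -1..-127 means repeat the following byte 1-n times, -128 is a no-op); the BMP RLE8 and TIFF variants differ in encoding but fail the same way. Function names are hypothetical and the byte strings in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE shape: trusts the run lengths. A control byte that asks for
 * more output than the buffer holds (or more literals than the input has)
 * walks off the end of `out` or `in`. Called below only with well-formed
 * input, where its behaviour is defined. */
long rle_decode_unchecked(const unsigned char *in, size_t in_len, unsigned char *out)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        int ctl = (signed char)in[ip++];
        if (ctl >= 0) {
            size_t n = (size_t)ctl + 1;
            memcpy(out + op, in + ip, n);     /* no check against in_len or out size */
            ip += n; op += n;
        } else if (ctl != -128) {
            size_t n = (size_t)(1 - ctl);
            memset(out + op, in[ip++], n);    /* no check against out size */
            op += n;
        }
    }
    return (long)op;
}

/* HARDENED: every run is checked against the remaining input and the
 * remaining output capacity before anything is copied. Returns the number
 * of bytes produced, or -1 for a truncated or oversized stream. */
long rle_decode_checked(const unsigned char *in, size_t in_len,
                        unsigned char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        int ctl = (signed char)in[ip++];
        if (ctl >= 0) {                          /* literal run */
            size_t n = (size_t)ctl + 1;
            if (n > in_len - ip)  return -1;     /* stream truncated */
            if (n > out_cap - op) return -1;     /* would overflow output */
            memcpy(out + op, in + ip, n);
            ip += n; op += n;
        } else if (ctl != -128) {                /* repeat run */
            size_t n = (size_t)(1 - ctl);
            if (ip >= in_len)     return -1;     /* missing repeat byte */
            if (n > out_cap - op) return -1;     /* would overflow output */
            memset(out + op, in[ip++], n);
            op += n;
        }
    }
    return (long)op;
}

int main(void)
{
    unsigned char out[16];
    /* Constructed streams: "ABC" as literals, then 'x' repeated three times... */
    const unsigned char good[]    = { 0x02, 'A', 'B', 'C', 0xFE, 'x' };
    /* ...and a single control byte demanding 128 copies into a 16-byte buffer. */
    const unsigned char hostile[] = { 0x81, 'z' };

    long n = rle_decode_checked(good, sizeof good, out, sizeof out);
    printf("good stream: %ld bytes -> %.*s\n", n, (int)n, (const char *)out);
    printf("hostile stream: %ld (checked decoder refused)\n",
           rle_decode_checked(hostile, sizeof hostile, out, sizeof out));
    printf("unchecked decoder on good stream: %ld bytes\n",
           rle_decode_unchecked(good, sizeof good, out));
    return 0;
}
```

Image decoders usually also know exactly how many bytes a scanline or the whole image must decode to; comparing the returned count against that expectation, rather than only bounding it, catches short runs that would otherwise leave uninitialised pixels behind.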

Multiple Vendors

Gentoo Linux 1.4; Rob Flynn Gaim 0.10.x, 0.10.3, 0.50-0.75, 0.78, 0.82, 0.82.1, 1.0, 1.0.1; Slackware Linux -current, 9.0, 9.1, 10.0

A buffer overflow vulnerability exists in the processing of MSNSLP messages due to insufficient verification, which could let a remote malicious user execute arbitrary code.

Gentoo: http://security.gentoo.org/glsa/glsa-200410-23.xml

Rob Flynn: http://prdownloads.sourceforge.net/gaim/gaim-1.0.2.tar.gz?download

RedHat: ftp://updates.redhat.com

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-1.0.2-i486-1.tgz

We are not aware of any exploits for this vulnerability.

Gaim MSNSLP Remote Buffer Overflow

CVE Name:
CAN-2004-0891

High

Gentoo Linux Security Advisory, GLSA 200410-23, October 25, 2004

RedHat Security Advisory, RHSA-2004:604-01, October 20, 2004

Slackware Security Advisory, SSA:2004-296-01, October 22, 2004

Multiple Vendors

Debian GNU/Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
GNOME gdk-pixbuf 0.22 & prior; GTK GTK+ 2.0.2, 2.0.6, 2.2.1, 2.2.3, 2.2.4;
MandrakeSoft Linux Mandrake 9.2, amd64, 10.0, AMD64;
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, ES 2.1 IA64, ES 2.1, AS 3, AS 2.1 IA64, AS 2.1;
RedHat Fedora Core 1 & 2;
SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Desktop 1.0, Enterprise Server 9, 8

Multiple vulnerabilities exist: a vulnerability exists when decoding BMP images, which could let a remote malicious user cause a Denial of Service; a vulnerability exists when decoding XPM images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a vulnerability exists when attempting to decode ICO images, which could let a remote malicious user cause a Denial of Service.

Debian:
http://security.debian.org/pool/updates/main/g/gdk-pixbuf/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

RedHat: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

SuSE: ftp://ftp.suse.com/pub/suse/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-28.xml

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

gdk-pixbuf BMP, ICO, and XPM Image Processing Errors

CVE Names:
CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1011285, September 17, 2004

Gentoo Linux Security Advisory, GLSA 200409-28, September 21, 2004

US-CERT Vulnerability Notes VU#577654, VU#369358, VU#729894, VU#825374, October 1, 2004

Conectiva Linux Security Announcement, CLA-2004:875, October 18, 2004

Multiple Vendors

Linux kernel 2.6-test1 through 2.6-test11, 2.6-2.6.8; SuSE Linux 9.1

A remote Denial of Service vulnerability exists in the iptables logging rules due to an integer underflow.

Update available at: http://kernel.org/

SuSE: ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

Linux Kernel IPTables Logging Rules Remote Denial of Service

CVE Name:
CAN-2004-0816

Low
SuSE Security Announcement, SUSE-SA:2004:037, October 20, 2004

Multiple Vendors

Linux kernel 2.2-2.2.25, 2.4.0-test1 through 2.4.0-test11, 2.4-2.4.27, 2.6-2.6.8

Two vulnerabilities exist: a vulnerability exists in the terminal subsystem due to a race condition, which could let a malicious user cause a Denial of Service or obtain sensitive information; and a vulnerability exists in the PPP dial-up port due to a race condition, which could let a malicious user cause a Denial of Service.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.9.tar.bz2

We are not aware of any exploits for this vulnerability.

Linux Kernel Race Conditions

CVE Name:
CAN-2004-0814

Low/Medium

(Medium if sensitive information can be obtained)

Secunia Advisory, SA12951, October 22, 2004

Multiple Vendors

Luke Mewburn lukemftp 1.5, TNFTPD 20031217; NetBSD Current, 1.3-1.3.3, 1.4 (x86, SPARC, arm32, Alpha), 1.4.1 (x86, SPARC, sh3, arm32, Alpha), 1.4.2 (x86, SPARC, arm32, Alpha), 1.4.3, 1.5 (x86, sh3), 1.5.1-1.5.3, 1.6 beta, 1.6-1.6.2, 2.0

Several vulnerabilities exist in the out-of-band signal handling code due to race condition errors, which could let a remote malicious user obtain superuser privileges.

Luke Mewburn Upgrade:
ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/tnftpd-20040810.tar.gz

Apple: http://wsidecar.apple.com/cgi-bin/

Debian: http://security.debian.org/pool/updates/main/l/lukemftpd/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-19.xml

Sun: http://sunsolve.sun.com/search/document.do
?assetkey=1-26-57655-1&searchclause=

We are not aware of any exploits for this vulnerability.

TNFTPD Multiple Signal Handler Remote Privilege Escalation

CVE Name:
CAN-2004-0794

High

NetBSD Security Advisory 2004-009, August 17, 2004

Apple Security Update, APPLE-SA-2004-09-07, September 7, 2004

Debian Security Advisory DSA 551-1, September 21, 2004

Gentoo Linux Security Advisory, GLSA 200409-19, September 16, 2004

Sun(sm) Alert Notification, 57655, October 15, 2004

Multiple Vendors

OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise Server 9, 8;
X.org X11R6 6.7.0, 6.8;
XFree86 X11R6 3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1, Errata, 4.3.0; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a stack overflow vulnerability exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in 'create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c,' which could let a remote malicious user execute arbitrary code.

Debian: http://security.debian.org/pool/updates/main/i/imlib/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

OpenBSD:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/

SuSE: ftp://ftp.suse.com/pub/suse/

X.org: http://x.org/X11R6.8.1/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-34.xml

IBM: http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

RedHat: http://rhn.redhat.com/errata/RHSA-2004-478.html

Avaya: http://support.avaya.com/japple/css/japple?
temp.groupID=128450&temp.selectedFamily=128451
&temp.selectedProduct=154235&temp.selectedBucket
=126655&temp.feedbackState=askForFeedback&temp.
documentID=203389& PAGE=avaya.css.CSSLvl1Detail
&executeTransaction=avaya.css.UsageUpdate()

Sun: http://sunsolve.sun.com/search/document.do
?assetkey=1-26-57652-1&searchclause=

Proofs of Concept exploits have been published.

LibXpm Image Decoding Multiple Remote Buffer Overflow

CVE Names:
CAN-2004-0687
CAN-2004-0688

High

X.Org Foundation Security Advisory, September 16, 2004

US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, 2004

SecurityFocus, October 4, 2004

SecurityFocus, October 18, 2004

Sun(sm) Alert Notification, 5765, October 18, 2004

MySQL AB

MySQL 3.23.49, 4.0.20

A vulnerability exists in the 'mysqlhotcopy' script due to predictable file names of temporary files, which could let a malicious user obtain elevated privileges.

Debian: http://security.debian.org/pool/updates/main/m/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-02.xml

SuSE: ftp://ftp.suse.com/pub/suse/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-569.html

There is no exploit code required.

MySQL
'Mysqlhotcopy' Script Elevated Privileges

CVE Name:
CAN-2004-0457

Medium

Debian Security Advisory, DSA 540-1, August 18, 2004

Gentoo Linux Security Advisory GLSA 200409-02, September 1, 2004

SUSE Security Announcement, SUSE-SA:2004:030, September 6, 2004

RedHat Security Advisory, RHSA-2004:569-16, October 20, 2004

Netbilling, Inc.

nbmember.cgi

A vulnerability exists in the 'nbmember.cgi' script, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Netbilling NBMEMBER Script Information Disclosure
Medium
SecurityFocus, October 22, 2004

OpenOffice

OpenOffice 1.1.2,
Sun StarOffice 7.0

A vulnerability exists in the '/tmp' folder due to insecure permissions, which could let a malicious user obtain sensitive information.

Upgrades available at: http://sunsolve.sun.com/search/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-446.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

Gentoo: http://security.gentoo.org/glsa/glsa-200410-17.xml

There is no exploit code required.

OpenOffice/
StarOffice Insecure Temporary File Permissions

CVE Name:
CAN-2004-0752

Medium

Secunia Advisory, SA12302, September 13, 2004

RedHat Security Bulletin, RHSA-2004:446-08, September 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:103, September 28, 2004

Gentoo Linux Security Advisory, GLSA 200410-17, October 20, 2004

PostgreSQL

PostgreSQL 7.4.5

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix: ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-16.xml

There is no exploit code required.

PostgreSQL Insecure Temporary File Creation

CVE Name:
CAN-2004-0977

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-16, October 18, 2004

ProFTPd.net

ProFTPd 1.2.8, 1.2.10; possibly other versions

A vulnerability exists due to a time delay difference in the login process for existing and non-existing usernames, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Another Proof of Concept exploit script has been published.

ProFTPd Login Timing Account Disclosure
Medium

LSS Security Team Advisory, October 14, 2004

PacketStorm, October 26, 2004

Rob Flynn

Gaim 0.50-0.75, 0.82, 0.82.1, 1.0, 1.0.1

A remote MSN file transfer Denial of Service vulnerability and a remote MSN SLP Denial of Service vulnerability exist due to a failure to properly handle exceptional conditions.

Upgrades available at:
http://prdownloads.sourceforge.net/gaim/gaim-1.0.2.tar.gz?download

There is no exploit code required.

Gaim Remote Denials of Service
Low
SecurityFocus, October 20, 2004

Rob Flynn

Gaim 0.10 x, 0.10.3, 0.50-0.75

Multiple vulnerabilities exist which could let a remote malicious user execute arbitrary code or cause a Denial of Service: a vulnerability exists during the installation of a smiley theme; a heap overflow vulnerability exists when processing data from a groupware server; a buffer overflow vulnerability exists in the URI parsing utility; a buffer overflow vulnerability exists when performing a DNS query to obtain a hostname when signing on to zephyr; a buffer overflow vulnerability exists when processing Rich Text Format (RTF) messages; and a buffer overflow vulnerability exists in the 'content-length' header when an excessive value is submitted.

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo: http://security.gentoo.org/glsa/glsa-200408-27.xml

Rob Flynn:
http://sourceforge.net/project/showfiles.php?
group_id=235&package_id=253&release_id=263425

Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/
patches/packages/gaim-0.82-i486-1.tgz

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Mandrake: http://www.mandrakesecure.net/en/ftp.php

We are not aware of any exploits for this vulnerability.

Gaim Multiple Vulnerabilities

CVE Names:
CAN-2004-0784
CAN-2004-0754
CAN-2004-0785

Low/High

(High if arbitrary code can be executed)

SecurityFocus, August 26, 2004

Fedora Legacy Update Advisory, FLSA:1237, October 16, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:110, October 21, 2004

rssh

rssh 2.2.1 & prior

A vulnerability exists in 'log.c' due to a format string error, which could let a remote malicious user execute arbitrary code.

Update available at: http://www.pizzashack.org/rssh/downloads.shtml

We are not aware of any exploits for this vulnerability.

rssh 'log.c' Format String
High
Secunia Advisory, SA12954, October 25, 2004

SCO Group

SCO OpenServer 5.x

Multiple vulnerabilities exist in SCO MMDF. According to SCO the vulnerabilities are: buffer overflows, null dereferences and core dumps. One of the buffer overflows is known to affect "execmail".

Updates available at: ftp://ftp.sco.com/pub/updates/OpenServer/
SCOSA-2004.7/

An exploit script has been published.

SCO OpenServer Multiple Vulnerabilities in MMDF

CVE Names:
CAN-2004-0510
CAN-2004-0511
CAN-2004-0512

Medium
SCO Advisory, SCOSA-2004.7, July 14, 2004

Deprotect Security Advisory 20040206, July 2, 2004

PacketStorm October 26, 2004

Speedtouch

USB Driver 1.0, 1.1, 1.2, beta1-beta3, 1.3

A format string vulnerability exists because the 'modem_run,' 'pppoa2,' and 'pppoa3' functions make an unsafe 'syslog()' call due to insufficient sanitization, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/showfiles.php?group
_id=32758&package_id=28264&release_id=271734

We are not aware of any exploits for this vulnerability.

Speedtouch USB Driver Format String

CVE Name:
CAN-2004-0834

High
SecurityFocus, October 21, 2004

splitbrain.org

DokuWiki 2004-09-30, 2004-09-25, 2004-09-12, 2004-08-22, 2004-08-15a, 2004-08-15, 2004-08-08, 2004-07-25, 2004-07-21

A vulnerability exists due to improper enforcement of the access control list, which could let a remote malicious user access some functions without authorization. Affected functions include recent changes, feed, search, and mediaselectiondialog.

Updates available at:
http://freshmeat.net/redir/dokuwiki/51558/url_tgz/dokuwiki-2004-10-19.tgz

There is no exploit code required.

DokuWiki Access Control Enforcement

Medium
SecurityTracker Alert ID, 1011802, October 20, 2004

Squid-cache.org

Squid 2.5-STABLE6, 3.0-PRE3-20040702; when compiled with SNMP support

A remote Denial of Service vulnerability exists in the 'asn_parse_header()' function in 'snmplib/asn1.c' due to an input validation error when handling certain negative length fields.

Updates available at: http://www.squid-cache.org/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

Gentoo: http://security.gentoo.org/glsa/glsa-200410-15.xml

Trustix: http://http.trustix.org/pub/trustix/updates/

RedHat: http://rhn.redhat.com/errata/RHSA-2004-591.html

Mandrake: http://www.mandrakesecure.net/en/ftp.php

We are not aware of any exploits for this vulnerability.

Squid Remote Denial of Service

CVE Name:
CAN-2004-0918

Low

iDEFENSE Security Advisory, October 11, 2004

Fedora Update Notification,
FEDORA-2004-338, October 13, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-15, October 18, 2004

RedHat Security Advisory, RHSA-2004:591-04, October 20, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:112, October 21, 2004

Sun Microsystems, Inc.

Solaris 8.0, 8.0 _x86, 9.0, 9.0 _x86

A vulnerability exists in 'ldap(1)' when used with Role Based Access Control (RBAC), which could let a malicious user execute arbitrary commands with root privileges.

Update available at: http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57657-1

We are not aware of any exploits for this vulnerability.

Sun Solaris LDAP RBAC Root Privileges
High
Sun(sm) Alert Notification, 57657, October 18, 2004

SuSE

Linux Enterprise Server for S/390, 9.0

A vulnerability exists due to an incorrectly handled privileged instruction which could let a malicious user obtain root user privileges. Note: Vulnerability only affects SuSE Linux Enterprise Server 9 when it is installed on the IBM S/390 platform.

Upgrade available at: ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

SuSE Linux IBM S/390 Kernel Root Privileges

CVE Name:
CAN-2004-0887

High
SuSE Security Announcement, SUSE-SA:2004:037, October 21, 2004

SuSE

LibTIFF 3.6.1;
SuSE Linux 8.1, 8.2, 9.0, 9.1, Linux Desktop 1.0, Linux Enterprise Server 9, 8

A buffer overflow vulnerability exists in libtiff on SuSE Linux in the OJPEGVSetField() function in 'libtiff/tif_ojpeg.c,' which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Upgrades and patches available at:
ftp://ftp.suse.com/pub/suse/

We are not aware of any exploits for this vulnerability.

LibTIFF OJPEG Buffer Overflow

CVE Name:
CAN-2004-0929

Low/High

(High if arbitrary code can be executed)

SUSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

Twibright Labs

Links 0.91-0.99

A remote Denial of Service vulnerability exists when handling HTML tables of excessive size.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Links Malformed Table Remote Denial of Service

Low
Bugtraq, October 18, 2004

University of Kansas

Lynx 2.7, 2.8-2.8.5, 2.8.5 dev2-5, dev8

A remote Denial of Service vulnerability exists when handling malformed HTML tag sequences and formatting.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Lynx Malformed HTML Remote Denial of Service
Low
Bugtraq, October 18, 2004


Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attack Scripts
Common Name
Risk
Source

America OnLine

America Online Webmail

A Cross-Site Scripting vulnerability exists in the 'msglist.adp' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

AOL Web Mail 'msglist.adp' Cross-Site Scripting
High
SecurityTracker Alert ID, 1011791, October 20, 2004

America OnLine

AOL

An information disclosure vulnerability exists in AOL Journals, which could let a remote malicious user obtain email addresses.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

AOL Journals Email Address Disclosure
Medium
SecurityTracker Alert ID, 1011900, October 22, 2004

brooky.com

CubeCart 2.0.1

A vulnerability exists due to insufficient sanitization of the 'cat_id' parameter, which could let a remote malicious user obtain sensitive information.

The vendor has recommended the following fix:
INSERT
if (!is_numeric($cat_id))
unset($cat_id);

BEFORE
include("header.inc.php");

IN
index.php

There is no exploit code required; however, a Proof of Concept exploit has been published.

CubeCart Input Validation
Medium

Secunia Advisory, SA12764, October 8, 2004

SecurityFocus, October 22, 2004

Cisco Systems

IOS R12.x, 12.x

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port.

Potential workarounds available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

We are not aware of any exploits for this vulnerability.

Cisco IOS Telnet Service Remote Denial of Service
Low

Cisco Security Advisory, cisco-sa-20040827, August 27, 2004

US-CERT Vulnerability Note VU#384230

Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004

Google

Google

A Cross-Site Scripting vulnerability exists in the 'custom' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

A Proof of Concept exploit has been published.

Google Input Validation
High
SecurityTracker Alert ID, 1011786, October 19, 2004

Gregory DEMAR

Coppermine Photo Gallery 1.0-1.3.2

A vulnerability exists due to a design error that may allow remote malicious users to cast multiple votes for an image.

No workaround or patch available at time of publishing.

There is no exploit code required.

Coppermine Photo Gallery Voting Restriction Failure
Medium
SecurityTracker Alert ID, 1011860, October 21, 2004

IBM

Lotus Domino 6.0-6.0.3, 6.5.0-6.5.2

Two vulnerabilities exist: a Cross-Site Scripting vulnerability exists due to an input validation error in the native Lotus Notes HTML encoding for computed values, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability exists which could let a remote malicious user inject malicious HTML and script code into the application.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

IBM Lotus Domino Cross-Site Scripting & HTML Injection
High
SecurityFocus, October 18, 2004

Infopop

UBB.threads 3.4, 3.5

An input validation vulnerability exists in 'dosearch.php' due to insufficient validation of user-supplied input in the 'Name' parameter, which could let a remote malicious user execute arbitrary SQL commands.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

UBBThreads Input Validation
High
Bugtraq, October 21, 2004

moinmoin.wikiwikiweb.de

MoniWiki 1.0.8 & prior

A Cross-Site Scripting vulnerability exists in 'wiki.php' due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

Update available at: http://kldp.net/project/showfiles.php?group
_id=210&release_id=954

A Proof of Concept exploit has been published.

MoniWiki 'wiki.php' Cross-Site Scripting
High
Secunia Advisory,
SA12975, October 26, 2004

Mozilla.org

Mozilla 1.6 & prior; Netscape 7.0, 7.1, and prior

An input validation vulnerability exists in the SOAPParameter object constructor in Netscape and Mozilla which allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow that allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code.

Upgrade to Mozilla 1.7.1 available at: http://www.mozilla.org/products/mozilla1.x/

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability

CVE Name:
CAN-2004-0722

High
iDEFENSE Security Advisory, August 2, 2004

Bugzilla Bug 236618

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla 1.6;
Mozilla 1.7.x;
Mozilla Firefox 0.x

A Denial of Service vulnerability exists in which arbitrary root certificates are imported silently without presenting users with an import dialog box. Due to another problem, this can e.g. be exploited by malicious websites or HTML-based emails to prevent users from accessing valid SSL sites.

Workaround: Check the certificate store and delete untrusted certificates if an error message is displayed with error code -8182 ("certificate presented by [domain] is invalid or corrupt") when attempting to access a SSL-based website.

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Currently, we are not aware of any exploits for this vulnerability.

Mozilla / Firefox Certificate Store Corruption Vulnerability

CVE Name:
CAN-2004-0758

Low

Secunia Advisory, SA12076, July 16, 2004
Bugzilla Bug 24900, July 14, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org
Mandrakesoft
Slackware

Mozilla 1.7 and prior;
Firefox 0.9 and prior;
Thunderbird 0.7 and prior

Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads.

Upgrade to the latest version of Mozilla, Firefox, or Thunderbird available at: http://www.mozilla.org/download.html

Slackware: http://www.slackware.com/security/viewer.php?l=
slackware-security&y=2004&m=slackware-security.667659

Mandrakesoft: http://www.mandrakesoft.com/security/advisories?
name=MDKSA-2004:082

RedHat: http://rhn.redhat.com/errata/RHSA-2004-421.html

SGI: ftp://patches.sgi.com/support/free/security/
patches/ProPack/3/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-26.xml

HP: http://h30097.www3.hp.com/internet/download.htm

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

Mozilla/Firefox/Thunderbird
Multiple Vulnerabilities

CVE Names:
CAN-2004-0757
CAN-2004-0759
CAN-2004-0761
CAN-2004-0765

High

Secunia, SA10856, August 4, 2004

US-CERT Vulnerability Note VU#561022

RedHat Security Advisory, RHSA-2004:421-17, August 4, 2004

SGI Security Advisory, 20040802-01-U, August 14, 2004

Gentoo Linux Security Advisory, GLSA 200409-26, September 20, 2004

HP Security Bulletin, HPSBTU01081, October 5, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla 0.x, 1.0-1.7.x, Firefox 0.x, Thunderbird 0.x; Netscape Navigator 7.0, 7.0.2, 7.1, 7.2

Multiple vulnerabilities exist: buffer overflow vulnerabilities exist in 'nsMsgCompUtils.cpp' when a specially crafted e-mail is forwarded, which could let a remote malicious user execute arbitrary code; a vulnerability exists due to insufficient restrictions on script generated events, which could let a remote malicious user obtain sensitive information; a buffer overflow vulnerability exists in the 'nsVCardObj.cpp' file due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in 'nsPop3Protocol.cpp' due to boundary errors, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists when handling non-ASCII characters in URLs, which could let a remote malicious user execute arbitrary code; multiple integer overflow vulnerabilities exist in the image parsing routines due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code; a cross-domain scripting vulnerability exists because URI links dragged from one browser window and dropped into another browser window will bypass same-origin policy security checks, which could let a remote malicious user execute arbitrary code; and a vulnerability exists because unsafe scripting operations are permitted, which could let a remote malicious user manipulate information displayed in the security dialog.

Updates available at: http://www.mozilla.org/

Gentoo: http://security.gentoo.org/glsa/glsa-200409-26.xml

HP: http://h30097.www3.hp.com/internet/download.htm

RedHat: http://rhn.redhat.com/errata/RHSA-2004-486.html

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

Proofs of Concept exploits have been published.

Mozilla Multiple Remote Vulnerabilities

CVE Names:
CAN-2004-0902
CAN-2004-0903
CAN-2004-0904
CAN-2004-0905
CAN-2004-0908

Medium/High

(High if arbitrary code can be executed)

Technical Cyber Security Alert TA04-261A, September 17, 2004

US-CERT Vulnerability Notes VU#414240, VU#847200, VU#808216, VU#125776, VU#327560, VU#651928, VU#460528, VU#113192, September 17, 2004

Gentoo Linux Security Advisory, GLSA 200409-26, September 20, 2004

RedHat Security Bulletin, RHSA-2004:486-18, September 30, 2004

HP Security Bulletin, HPSBTU01081, October 5, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Mozilla.org

Mozilla Browser 1.0, RC1&2, 1.0.1, 1.0.2, 1.1 Beta, 1.1 Alpha, 1.1, 1.2 Beta, 1.2 Alpha, 1.2, 1.2.1, 1.3, 1.3.1, 1.4 b, 1.4 a, 1.4, 1.4.1, 1.4.2, 1.5, 1.6, 1.7 rc3, 1.7-1.7.3, 1.8 Alpha 2

Multiple memory corruption vulnerabilities exist because certain HTML tag sequences and formatting may cause a remote Denial of Service and possibly execution of arbitrary code; and a remote Denial of Service vulnerability exists when an invalid pointer is dereferenced.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Mozilla Multiple Memory Corruption & Invalid Pointer

Low/High

(High if arbitrary code can be executed)

Bugtraq, October 18, 2004

Mozilla.org

Mozilla Firefox 0.9.2 and Mozilla 1.7.1 on Windows

Mozilla Firefox 0.9.2 on Linux

A spoofing vulnerability exists that could allow malicious sites to abuse SSL certificates of other sites. An attacker could make the browser load a valid certificate from a trusted website by using a specially crafted "onunload" event. The problem is that Mozilla loads the certificate from a trusted website and shows the "secure padlock" while actually displaying the content of the malicious website. The URL shown in the address bar correctly reads that of the malicious website.

An additional cause has been noted due to Mozilla not restricting websites from including arbitrary, remote XUL (XML User Interface Language) files.

Workaround: Do not follow links from untrusted websites and verify the correct URL in the address bar with the one in the SSL certificate.

SuSE: ftp://ftp.suse.com/pub/suse/

Conectiva: ftp://atualizacoes.conectiva.com.br/

A Proof of Concept exploit has been published.

Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing

CVE Name:
CAN-2004-0763

Medium

Cipher.org, July 25, 2004

Secunia, SA12160, July 26, 2004; SA12180, July 30, 2004

SUSE Security Announcement, SUSE-SA:2004:036, October 6, 2004

Conectiva Linux Security Announcement, CLA-2004:877, October 22, 2004

Multiple Vendors

Mozilla Browser 1.7.2, 1.7.3, Camino 0.8, Firefox 0.10.1; Netscape Navigator 7.2

Several vulnerabilities exist: a vulnerability exists when multiple tabs are open, which could let a remote malicious user spoof functions on the web site in the active tab; and a vulnerability exists because a web form field in an inactive tab can gain focus, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Multiple Vendors Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory,
SA12712, October 20, 2004

Multiple Vendors

Linux Kernel USB Driver prior to 2.4.27

A vulnerability exists in certain USB drivers because uninitialized structures are used and then 'copy_to_user(...)' kernel calls are made from these structures, which could let a malicious user obtain uninitialized kernel memory contents.

Update available at: http://kernel.org/

Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml

We are not aware of any exploits for this vulnerability.

Linux Kernel USB Driver Kernel Memory

CVE Name:
CAN-2004-0685

Medium
US-CERT Vulnerability Note VU#981134, October 25, 2004

Netscape

Netscape Web Mail

A Cross-Site Scripting vulnerability exists in the 'msglist.adp' script due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Netscape Web Mail 'msglist.adp' Cross-Site Scripting
High
SecurityTracker Alert ID, 1011792, October 20, 2004

Opera Software

Opera Web Browser 6.0 win32, 6.0 6, 6.0.6win32, 6.0, 6.0.1-6.0.5 win32, 6.0.1-6.0.3 linux, 6.10 linux, 7.0 win32 Beta 1&2,
7.0 -7.0.3 win32, 7.10, 7.11 j, 7.11 b, 7.11, 7.20 Beta 1 build 2981, 7.20-7.23, 7.50-7.54

A memory corruption vulnerability exists in the 'TBODY' tag when an excessive 'COL SPAN' is specified, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Opera TBODY COL SPAN Memory Corruption
Low/High

(High if arbitrary code can be executed)

Bugtraq, October 18, 2004

Opera Software

Opera Web Browser 7.54

A cross-domain vulnerability exists when multiple windows are open, which could let a remote malicious user spoof web page functions.

No workaround or patch available at time of publishing.

Vulnerability has appeared in the press and other public media.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Opera Web Browser Cross-Domain Dialog Box Spoofing
Medium
Secunia Advisory,
SA12713, October 20, 2004

PBLang-Team

PBLang 4.x

Multiple security vulnerabilities exist, including a cookie management flaw in CheckLoginStatus() in 'functions.php', a flaw in the pm section in 'admin.php' and 'pmpshow.php', and a password changing vulnerability in 'ucp.php'. The impact was not specified.

Update available at: https://sourceforge.net/project/showfiles.php?group_id=62953

We are not aware of any exploits for these vulnerabilities.

PBLang Multiple Security Flaws
Not Specified
Secunia Advisory,
SA12880, October 19, 2004

S9Y

Serendipity 0.3, 0.4, 0.5, -pl, 0.6, rc1&rc2, pl1-pl3, 0.7 -beta1-beta4

An input validation vulnerability exists when processing the requested URI in 'index.php' and the HTTP Referer field in 'comments.php,' which could let a remote malicious user create an HTTP request that will cause arbitrary content to be displayed.

Upgrades available at:
http://prdownloads.sourceforge.net/php-blog/
serendipity-0.7-rc1.tar.gz?download

A Proof of Concept exploit has been published.

Serendipity Input Validation
Medium
Secunia Advisory,
SA12909, October 21, 2004

Singapore

Singapore prior to 0.9.10

A vulnerability exists in 'thumb.php' due to insufficient validation of user-supplied input, which could let a remote malicious user view files that are not image files on the target system (however, the vendor did not confirm the impact.)

Update available at: http://singapore.sourceforge.net/?page=download

We are not aware of any exploits for this vulnerability.

Singapore 'thumb.php' Input Validation
Not Specified
SecurityTracker Alert ID, 1011804, October 20, 2004

Stuart Caie

cabextract 0.6, 1.0

A Directory Traversal vulnerability exists in the 'create_output_name()' function in 'cabextract.c' due to insufficient input validation, which could let a remote malicious user create or overwrite files.

Update available at: http://www.kyz.uklinux.net/downloads/
cabextract-1.1.tar.gz

There is no exploit code required.

cabextract Remote Directory Traversal
Medium

Secunia Advisory,
SA12882, October 19, 2004

Sun Microsystems, Inc.

Java 2 Micro Edition (J2ME)

A vulnerability exists in the Connected Limited Device Configuration (CLDC) implementation in the K Virtual Machine (KVM) bytecode verifier, which could let a remote malicious user bypass Java security mechanisms.

No workaround or patch available at time of publishing.

Exploit information has been published.

Sun Java 2 Micro Edition (J2ME) Sandbox Bypass Restrictions
Medium
Secunia Advisory,
SA12945, October 22, 2004

Symantec

Clientless VPN Gateway Version 5.0, Model 4000

Various security vulnerabilities exist in the ActiveX file browser and HTML file browser, which could let a remote malicious user obtain unauthorized access to the system or could lead to unpredictable behavior.

Hotfix available at:
ftp://ftp.symantec.com/public/english_us_canada/products/sym
_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt

We are not aware of any exploits for this vulnerability.

Symantec Clientless VPN Gateway 4400 Credential Modification
Medium
US-CERT Vulnerability Note VU#760256, October 20, 2004

Symantec

Firewall/VPN Appliance 100, 200, 200R, Gateway Security 320, 360, 360R

Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user conducts a fast map UDP port scan against all ports on the WAN interface; a vulnerability exists when a UDP port scan is conducted against the WAN interface from a source port of UDP 53, which could let a remote malicious user obtain sensitive information; and a vulnerability exists because the default read/write community string used by the firewall is public, which could let a malicious user alter the firewall's configuration.

The vendor has released a fixed firmware version (1.63) available at: ftp://ftp.symantec.com/public/updates/

There is no exploit code required.

Symantec Enterprise Firewall/VPN Appliance Multiple Remote Denials of Service & Configuration Modification
Low

Rigel Kent Security & Advisory Services Inc. Advisory, RK-001-04, September 22, 2004

US-CERT Vulnerability Notes VU#329230, VU#441078, & VU#173910, October 20, 2004

Tripwire, Inc.
Gentoo
Mandrake

Tripwire 2.2.1, 2.3.0, 2.3.1-2, 2.3.1, 2.4.0, 2.4.2, 3.0.1, 3.0, 4.0, 4.0.1, 4.1, 4.2, Tripwire Open Source 2.3.0, 2.3.1

A format string vulnerability exists in 'pipedmailmessage.cpp' when an e-mail report is generated, which could let a malicious user execute arbitrary code. Note: It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

Patch available at: http://securityfocus.com/bid/10454/solution/

Gentoo: http://security.gentoo.org/glsa/glsa-200406.02.xml

Mandrake: http://www.mandrakesoft.com/security/advisories

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Currently we are not aware of any exploits for this vulnerability.

Tripwire Email Reporting Format String

CVE Name:
CAN-2004-0536

High

SecurityFocus, June 5, 2004

Gentoo Linux Security Advisory, GLSA 200406-02, June 4, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:057, June 8, 2004

Fedora Legacy Update Advisory, FLSA:1719, October 23, 2004

Veritas Software

NetBackup BusinesServer 3.4, 3.4.1, 4.5, NetBackup DataCenter 3.4, 3.4.1, 4.5, NetBackup Enterprise Server 5.1, NetBackup Server 5.0, 5.1

An input validation vulnerability exists in the 'bpjava-susvc' process used for administration, which could let a remote authenticated malicious user execute commands with root privileges.

The vendor has described a configuration workaround available at: http://support.veritas.com/docs/271727

We are not aware of any exploits for this vulnerability.

VERITAS NetBackup Input Validation
High
SecurityTracker Alert ID: 1011863, October

winkled.sourceforge.net

MediaWiki prior to 1.3.7

A Cross-Site Scripting vulnerability exists in 'Title.php' due to insufficient filtering of HTML code from user-supplied input in 'DefaultSettings.php' and 'Title.php,' which could let a remote malicious user execute arbitrary HTML and script code.

Updates available at: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.7.tar.gz?download

There is no exploit code required.

MediaWiki 'Title.php' Cross-Site Scripting

Medium/High

(High if arbitrary code can be executed)

SecurityFocus, October 20, 2004

yahoopops.sourceforge.net

YPOPs! 0.x

Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Another exploit script has been published.

YPOPs! Buffer Overflows
High

Hat-Squad Advisory, September 27, 2004

SecurityFocus, October 18, 2004


Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script (Reverse Chronological Order) / Script name
Workaround or Patch Available
Script Description
October 26, 2004 85mod_include.c
No
Proof of Concept exploit for the Apache mod_include Buffer Overflow vulnerability.
October 26, 2004 ethereal-0.10.7.tar.gz
N/A
A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.
October 26, 2004 javascript.txt
N/A
A write-up discussion on how to use Javascript to spoof what page is actually being visited.
October 26, 2004 navRant.txt
N/A
Proof of Concept regarding how easy it is to bypass Norton Antivirus.
October 26, 2004 nmap-3.75.tgz
N/A
A utility for port scanning large networks, although it works fine for single hosts.
October 26, 2004 osx86_mmdfdeliver.c
Yes
Script that exploits the SCO OpenServer MMDF vulnerability.
October 26, 2004 proftpdEnum.c
No
Proof of Concept script that exploits the ProFTPd Login Timing Account Disclosure vulnerability.
October 26, 2004 rkdscan.zip
N/A
A scanner designed to detect whether or not an NT based computer is infected with the Hacker Defender root kit.
October 25, 2004 socat_exp.c
Yes
Script that exploits the Socat Remote Format String vulnerability.
October 24, 2004 creating_a_asp_command_shell_using_BACKUP.txt
N/A
This is a text document that describes how MS SQL can be "tricked" into creating a command.asp script under the webroot, even when you do not have access to 'sa' privs (dbo privs are probably still a must, though). The technique described uses the SQL server 'backup' command.
October 24, 2004 ksb26-2.6.9.tar.gz
N/A
KSB26, Kernel Socks Bouncer for 2.6.x, is a Linux 2.6.x-kernel patch that redirects full TCP connections through a SOCKS5 proxy. KSB26 uses a character device to pass the SOCKS5 proxy and the target IPs to the Linux kernel.
October 24, 2004 lgool.c
N/A
Lgool is a program that will search Google for a given vulnerability.
October 24, 2004 SetWindowLong_Shatter_Attacks.pdf
N/A
This paper gives an example of the variety of shatter attacks which should be corrected by MS04-032 (KB840987). This sort of attack can typically be used for local privilege escalation.
October 24, 2004 uml.c
N/A
Userspace Logger is functioning code based on the example given in the Phrack 51 article entitled "Shared Library Redirection". The following functions are logged: read()/recv() output; it also intercepts open(), open64(), close(), socket(), connect(), and exit(). This is an effective keystroke logger, among other things, even though the author says it is only at the Proof-of-Concept phase.
October 23, 2004 101_shixx.cpp
No
Exploit for the Mavel ShixxNote 6.net Buffer Overflow in Font Field vulnerability.
October 23, 2004 amap-4.7.tar.gz
N/A
Application Mapper is a next-generation scanning tool that allows you to identify the applications that are running on a specific port. It does this by connecting to the port(s) and sending trigger packets.
October 23, 2004 Camou121.exe
N/A
Camouflage v1.2.1 is an incredibly weak steganography tool for Windows that uses various image files and doc files as a carrier to hide arbitrary data inside of.
October 23, 2004 CKFP.zip
N/A
This is a Windows program that "unprotects" files which have been hidden using a steganography program called Camouflage. If the Camouflage'd file requires a password, the password is reset to nothing.
October 23, 2004 hitb04-shreeraj-shah.pdf
N/A
"Web Services - Attacks and Defense Strategies, Methods and Tools" presentation that discusses how the web service is the new security Lego Land. The main building blocks are UDDI, SOAP and WSDL. This presentation will briefly touch upon each of these aspects.
October 23, 2004 hitb04-sk-chong.pdf
N/A
"Windows Local Kernel Exploitation" presentation that discusses mechanisms to exploit the Windows Kernel for useful local privilege escalation.
October 23, 2004 hitb04-teo-sze-siong.zip
N/A
"Stealth Virus Design Thru Breeding Concept (Non Polymorphic)" presentation that includes Proof of Concept code samples.
October 23, 2004 SetecAstronomy.pl
N/A
This is a Perl script that can search files to identify whether data has been hidden using a weak steganography tool for Windows named Camouflage.
October 22, 2004 ability-2.34-ftp-stor.py
No
Exploit for the Code-Crafters Ability Server FTP STOR Argument Remote Buffer Overflow vulnerability.
October 20, 2004 akellaPrivateersBountyExploit.zip
No
Script that exploits the Akella Privateer's Bounty: Age of Sail II Remote Nickname Buffer Overflow vulnerability.
October 20, 2004 apacheModIncludeLocalBufferOverflowExploit.c
No
Script that exploits the Apache mod_include Buffer Overflow vulnerability.
October 20, 2004 Intro_to_Win32_Exploits.pdf
N/A
An introduction to writing exploits for the Win32 platform. Walks through creation of an exploit for a real vulnerable piece of software, using OllyDbg to help isolate the fault and exploit it.
October 20, 2004 ms04-030_spl.pl
Yes
Perl script that exploits the Microsoft WebDav XML Message Handler Denial of Service vulnerability.
October 20, 2004 noceegar.html
No
Exploit for the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass & File Drag and Drop Embedded Code vulnerabilities.
October 20, 2004 windowsEMF_WMF_Exploit.c
Yes
Script that exploits the Microsoft Windows WMF/EMF Remote Buffer Overflow vulnerability.
October 19, 2004 HOD-ms04032-emf-expl2.c
Yes
Exploit that creates crafted metadata files to exploit Microsoft Internet Explorer 6.0.
October 19, 2004 toneboom.zip
No
Script that exploits the Vypress Tonecast Remote Denial of Service vulnerability.
October 18, 2004 dc_ypop.c
No
Script that exploits the YPOPs! Buffer Overflows vulnerability.
October 18, 2004 salesLogixFileUploadPoC.pl
Yes
Proof of Concept exploit for the Best Software SalesLogix File Upload vulnerability.
October 16, 2004 bmon.sh
Yes
Proof of Concept exploit for the BMON Arbitrary Code Execution vulnerability.


Trends

  • Results of a survey of 2,000 consumers conducted in August, released Tuesday, October 26, indicated that consumers, increasingly fearful of identity theft, want more security before they'll engage in online banking and other Internet-based services. Such findings may indicate the marketplace has reached a tipping point in which security is now viewed by users as an imperative rather than an impediment to online usage. For more information, see http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1017458,00.html.


Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank  Common Name  Type of Code  Trends  Date
1     Netsky-P     Win32 Worm    Stable  March 2004
2     Zafi-B       Win32 Worm    Stable  June 2004
3     Netsky-Z     Win32 Worm    Stable  April 2004
4     Netsky-D     Win32 Worm    Stable  March 2004
5     Bagle-AA     Win32 Worm    Stable  April 2004
6     Netsky-B     Win32 Worm    Stable  February 2004
7     Netsky-Q     Win32 Worm    Stable  March 2004
8     MyDoom-O     Win32 Worm    Stable  July 2004
9     Bagle-Z      Win32 Worm    Stable  April 2004
10    MyDoom.M     Win32 Worm    Stable  July 2004

Table Updated October 26, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Opener - A script-based threat that spies on Mac users has been discovered. The malware disables Mac OS X's built-in firewall, steals personal information and can destroy data. (CNET News, October 25, 2004)
  • Famus.B - After a series of celebrity-related Trojans that spread through social engineering techniques, the latest one preys on potential victims' curiosity about the ongoing conflict in Iraq. Antivirus companies warned of a new worm on Monday, October 25, that is sent by email and appears to contain photographs of the Iraq war. The Famus.B worm affects Windows systems and tries to trick users into believing its attached file -- called Iraq.scr -- contains pictures from inside Iraq. This virus type was first reported in May 2004. (ZDNet News, October 26, 2004)

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name | Aliases | Type
Backdoor.Emcommander | - | Trojan
Backdoor.Haxdoor.C | - | Trojan
Backdoor.Roxe.B | Bloodhound.Exploit.13, Exploit.Win32.MS04-028.gen | Trojan
Backdoor.Sdbot.AE | Backdoor.Win32.Wootbot.gen | Win32 Worm
Bagz.d | W32.Bagz.D@mm, W32/Bagz.d@MM | Win32 Worm
Bagz.E | W32/Bagz.E.worm | Win32 Worm
Netsky.AH | W32/Netsky.AH.worm | Win32 Worm
SH/Renepo-A | Opener, MacOS.Renepo.A, SH.Renepo, SH.Renepo.A, SH.Renepo.B, SH/Renepo-A, Sh/Renepo.A.Worm, Unix/Opener.Worm, MacOS.Renepo.B | Macintosh Worm
StartPage-FG | Troj/Dloader-DG, Trojan, Trojan.Win32.StartPage.jc, TROJ_STARTPGE.R | Trojan
Troj/Banker-EK | PWS-Bancban.gen.b | Trojan: Password Stealer
Trojan.Sens | - | Trojan
W32.Buchon.A@mm | I-Worm.Buchon.b, W32.Netsky.AE@mm, W32/Baba-A, W32/Buchon.gen@MM, W32/Buchon@mm, Win32.Buchon.B, WORM_BUCHON.B | Win32 Worm
W32.Huayu | - | Win32 Worm
W32.Mydoom.AG@mm | - | Win32 Worm
W32.Spybot.FCD | Backdoor.Win32.Rbot.gen, W32.Spybot.Worm, W32/Sdbot.worm.gen.j | Win32 Worm
W32.Watsoon.A | - | Win32 Worm
W32/Baba-A | W32/Netsky-AE, I-Worm.Baba.b, W32/Netsky.ai@MM, W32/Buchon@mm | Win32 Worm
W32/Bagz-D | I-Worm.Bagz.d | Win32 Worm
W32/Forbot-BQ | Backdoor.Win32.Wootbot.gen | Win32 Worm
W32/Forbot-BR | - | Win32 Worm
W32/Forbot-BU | Backdoor.Win32.Wootbot | Win32 Worm
W32/Forbot-BW | WORM_WOOTBOT.BM | Win32 Worm
W32/Rbot-NG | Win32.Rbot.gen, W32/Sdbot.worm.gen.i, WORM_RBOT.RW | Win32 Worm
W32/Rbot-NJ | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NK | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NS | Backdoor.Win32.Rbot.gen | Win32 Worm
W32/Rbot-NT | Backdoor.Win32.Rbot.gen, W32/Sdbot.worm.gen.j, WORM_RBOT.RY | Win32 Worm
W32/Rbot-NU | WORM_RBOT.PK, W32/Sdbot.worm.gen.w | Win32 Worm
W32/Spybot-DF | Worm.P2P.SpyBot.gen, W32/Spybot.worm.gen.a | Win32 Worm
Win32.Gema.D | PWS-Datei, Troj/Cryptldr-A, TrojanDownloader.Win32.Crypt, TROJ_CRYPT.A, W32/Crypter.B@dl, Win32/Gema.14336.Trojan | Win32 Worm
Win32.Scranor.A | W32.Narcs, W32/Scran.worm, Win32/Scranor.A.Worm, Worm.P2P.Scranor | Win32 Worm
WORM_BAGZ.C | - | Win32 Worm
WORM_BAGZ.D | I-Worm.Bagz.d, W32.Bagz.E@mm, W32/Bagz-D, W32/Bagz.D@mm, W32/Bagz.e@MM, Win32.Bagz.C | Win32 Worm
WORM_BUCHON.B | I-Worm.Baba.B, I-Worm.Buchon.b, I-Worm/Buchon.B, Netsky.AG, Netsky.AI, W32.Netsky.AE@mm, W32/Baba-A, W32/Buchon.B@mm, W32/Buchon.gen@MM, W32/Buchon@mm, W32/Netsky-AE, W32/Netsky.ah@MM, W32/Netsky.AI.worm, W32/Netsky.ai@MM, W32/Netsky.AJ@mm, Win32.Buchon.B, Win32.Netsky.AG, Win32/Buchon.B@mm, Win32/Netsky.AG.Worm, Win32:Netsky-AF, Worm/Buchon.B, WORM_NETSKY.AI | Win32 Worm
WORM_TURON.B | - | Win32 Worm
WORM_VOTE.L | - | Win32 Worm

