U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-329)

Summary of Security Items from November 17 through November 23, 2004

Original release date: November 24, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Altiris

AClient Service for Windows 5.6.181; 5.6 SP1 (Hotfix E)

A vulnerability may permit a local malicious user to invoke the Windows tray icon for the AClient Service to gain System level privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Altiris AClient Service Windows Tray Icon Access Control
Medium
SecurityTracker Alert ID, 1012271, November 19, 2004

Citrix

ICA Win32 client (The ICA Win32 Web Client, ICA Win32 Program Neighborhood Client, and ICA Win32 Program Neighborhood Agent) version 8.0 and prior

A vulnerability exists that could permit a local malicious user to monitor ICA keystrokes. The vendor reported that the ICA Win32 client version 8.0 and prior versions contain a debugging feature that allows a local user to create a log containing the keyboard scan codes transmitted during an ICA connection.

The vendor has issued a fixed version (8.1 and later), available at:
http://www.citrix.com/site/SS/downloads/index.asp

A Proof of Concept exploit has been published.

Citrix ICA Client Keystroke Monitor
Medium
Citrix, Document ID, CTX105215, November 19, 2004

Computer Associates

eTrust EZ Antivirus prior to 7.0.2.1

A vulnerability exists that could permit a local malicious user to bypass the GUI password protection feature. The vendor reported that the proxy password in the GUI can be recovered by the local user.

The vendor has issued a fixed version (7.0.2.1 or later):
http://www.ca.com

Currently we are not aware of any exploits for this vulnerability.

Computer Associates eTrust EZ Antivirus Access

Medium
SecurityTracker Alert ID, 1012283, November 19, 2004

Danware

NetOp Host prior to 7.65 build 2004278

A vulnerability exists that could allow a remote malicious user to determine system information. A remote user can send a specially crafted NetOp HELO request to the target system to cause the system to disclose system information such as the hostname, username, and local IP address of the host system.

Update to version 7.65 build 2004278 available at: http://www.danware.com

A Proof of Concept exploit has been published.

Danware NetOp Host Remote Information Disclosure

CVE Name:
CAN-2004-0950

Medium
Corsaire Advisory, November 19, 2004

Digital Mapping Systems

DMS POP3 Server 1.5.3.27

A vulnerability exists which can be exploited by malicious people to execute arbitrary code. The vulnerability is caused due to a boundary error during the authentication process and can be exploited to cause a buffer overflow by supplying an overly long username or password (more than 1024 bytes).

Apply patch at:
http://www.digitalmapping.sk.ca/pop3srv/Update.asp

Exploit scripts have been published.

Digital Mapping DMS POP3 Server Authentication Buffer Overflow
High
Digital Mapping Systems Security Update, November 16, 2004

Enstar

Mailtraq 2.6.1.1677

A vulnerability exists which may permit a local malicious user to invoke the Windows tray icon for Mailtraq to gain System level privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Enstar Mailtraq Windows Tray Icon Access Control
Medium
SecurityFocus, Bugtraq ID 11708, November 19, 2004

Fastream Technologies

Fastream NETFile Server 7.1.2

A vulnerability exists which could permit a malicious user to cause Denial of Service conditions. The web service does not properly process 'keepalive' connection timeouts for HTTP HEAD requests. The service fails to close HEAD request connections. A remote user can make multiple HEAD requests to consume all available connections and deny service to other users.

Update to version 7.1.3, available at: http://www.fastream.com/download.htm

A Proof of Concept exploit has been published.

Fastream NETFile Server Denial of Service
Low
SecurityTracker Alert ID, 1012267, November 19, 2004

Google

Gmail

An input validation vulnerability may exist which could permit a remote malicious user to conduct cross-site scripting attacks. It is reported that the 'zx' variable is not properly validated. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Gmail site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

SecurityTracker testing indicates that this vulnerability has been corrected.

A Proof of Concept exploit has been published.

Google Gmail 'zx' Variable Input Validation
High
SecurityTracker Alert ID, 1012289, November 20, 2004

Ipswitch

IMail 8.13

A buffer overflow vulnerability exists in the 'DELETE' command due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.

Patch available at:
ftp://ftp.ipswitch.com/Ipswitch/Product_
Support/IMail/imail814.exe

An exploit script has been published.

Ipswitch IMail Server Remote Buffer Overflow
High

Securiteam, November 15, 2004

SecurityFocus, November 16, 2004

Microsoft

Internet Explorer with SP2

Several vulnerabilities were reported that could allow a remote malicious user to create a specially crafted web page that, when loaded by the target user, will execute arbitrary scripting code in the local computer zone and allow the remote user to take full control of the target user's system. The problem is that if the downloaded file was sent with a specially crafted 'Content-Location' HTTP header or referenced using a specially crafted URL, then in some situations, no security warning will be displayed when the file is opened.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Internet Explorer File Download Restriction Bypass
High

SecurityTracker Alert ID, 1012234, November 14, 2004

Secunia Advisory ID, SA13203, November 17, 2004

Microsoft

ISA Server 2000, Proxy Server 2.0

A spoofing vulnerability exists that could enable a malicious user to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious web site.

Updates available at:
http://www.microsoft.com/technet/
security/bulletin/ms04-039.mspx

V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update. The Security Update Replacement section has also been revised.

V3.0 (November 16, 2004): Bulletin updated to reflect the release of updated ISA Server 2000 security updates for all languages. These issues affected customers using ISA Server 2000 Service Pack 1 or using Windows 2000 Service Pack 3. The Security Update Replacement section has also been revised.

Microsoft Security Bulletin updated to reflect a revised Security Update Information section for the Proxy 2.0 Service Pack 1 security update.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Server Spoofing

CVE Name:
CAN-2004-0892

Medium

Microsoft Security Bulletin, MS04-039 2.0, 3.0, 3.1, November 19, 2004 (Updated)

 

Microsoft

Internet Explorer (IE) 6 on Windows XP SP2 and Windows 2000

A vulnerability exists that could permit a remote malicious user to invoke the execCommand 'SaveAs' function via a custom HTTP 404 Not Found error message to download arbitrary files to the target user's system without the XP SP2 warning messages. Internet Explorer does not properly process URLs with certain extraneous characters.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Microsoft IE Custom 404 Error Message & execCommand SaveAs File Download
High
SecuriTeam, November 22, 2004

Microsoft

Internet Explorer 6.0 SP1 on
Microsoft Windows XP SP1

A vulnerability has been reported which can be exploited by malicious people to conduct session fixation attacks. The vulnerability is caused due to a validation error in the handling of the path attribute when accepting cookies. This can potentially be exploited by a malicious web site, if the trusted site supports wildcard domains or the domain name contains the malicious sites domain, using a specially crafted path attribute to overwrite cookies for the trusted site.

Update to Windows XP SP2.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Internet Explorer Cookie Path Attribute
Low
Secunia Advisory ID, SA13208, November 17, 2004

Microsoft

Windows NT, 2000 and XP

The Microsoft Windows default logon screensaver is prone to a local privilege escalation vulnerability. It is reported that the screensaver is started with SYSTEM privileges. A local malicious user that has sufficient privileges to modify or replace the default logon screensaver, or that had sufficient privileges to modify registry entries that relate to the logon screensaver, may exploit this vulnerability to attain local SYSTEM privileges.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Windows Logon Screensaver Elevated Privileges
Medium
SecurityFocus Bugtraq ID, 11711, November 19, 2004

Microsoft

Windows XP Home Edition, XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition; Avaya DefinityOne Media Servers; IP600 Media Servers; Modular Messaging (MSS) 1.1, 2.0; S3400 Message Application Server; S8100 Media Servers; Real Networks RealOne Player 1.0, 2.0, RealPlayer 10.0, 10.5 v6.0.12.1053, 10.5 v6.0.12.1040, 10.5 Beta v6.0.12.1016

A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. A malicious user could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious web site.

Updates available at:
http://www.microsoft.com/technet/
security/bulletin/MS04-034.mspx

Avaya customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details:

http://support.avaya.com/japple/css/japple?temp.
groupID=128450&temp.selectedFamily=128451
&temp.selectedProduct=154235&temp.selected
Bucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=203487&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction=
avaya.css.UsageUpdate()

RealNetworks:
http://www.service.real.com/help/faq
/security/041026_player/EN/

An exploit script has been published.

Microsoft Compressed (zipped) Folders Remote Code Execution

CVE Name:
CAN-2004-0575

High

Microsoft Security Bulletin MS04-034, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#649374, October 14, 2004

SecurityFocus, Bugtraq ID 11382, October 18, 2004

SecurityFocus, November 19, 2004

Nullsoft

Winamp 5.05

A vulnerability exists which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the 'IN_CDDA.dll' file. This can be exploited in various ways to cause a stack-based buffer overflow e.g. by tricking a user into visiting a malicious web site containing a specially crafted '.m3u' playlist. Successful exploitation allows execution of arbitrary code.

Update to version 5.0.6:
http://www.winamp.com/player/

A Proof of Concept exploit has been published.

Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow
High
Security-Assessment Vulnerability Advisory, November 23, 2004

Prevx

Prevx Home 1.0

A vulnerability exists that could permit a local malicious user to disable the registry and buffer overflow protection mechanisms. Aa local user with administrative privileges can modify SDT ServiceTable entries by directly writing to '\device\physicalmemory' to return the entries to their original settings, thereby disabling the kernel hooks and preventing Prevx Home from performing its protection functions.

The vendor has released a fixed version (2.0):
http://www.prevx.com

A Proof of Concept exploit has been published.

Prevx Home Protection Mechanisms Registry Disable
Medium
SIG^2 Vulnerability Research Advisory, November 22, 2004

Soft3304

04WebServer 1.42

Multiple vulnerabilities exist that could allow a remote malicious user to inject arbitrary characters into the log file, conduct Cross-Site Scripting attacks, or cause a Denial of Service. The default 404 Not Found response (Response_default.html) does not properly filter HTML code before displaying the originally requested URL. A remote malicious user can also inject arbitrary characters into the log file or request a MS-DOS device name to prevent the server from restarting properly.

Upgrade to 04Webserver 1.5:
http://soft3304.net/04WebServer/
Download/04WebServer150.zip

A Proof of Concept exploit has been published.

Soft3304 04WebServer Input Validation Vulnerabilities

Low/High

(High if arbitrary code can be executed)

SIG^2 Vulnerability Research Advisory, November 11, 2004

SecurityFocus, Bugtraq ID: 11652, November 15, 2004

Sourceforge.net

MiniShare Buffer 1.4.1 and prior

A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can submit a specially crafted, long HTTP GET request to trigger the overflow and execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Sourceforge.net MiniShare Buffer Overflow
High

SecurityTracker Alert ID, 1012106, November 7, 2004

PacketStorm, November 16, 2004

VanDyke Software

SecureCRT 4.0, 4.1

A vulnerability exists which can be exploited by malicious users to execute arbitrary code. The vulnerability is caused due to a design error, as the product allows an arbitrary configuration folder to be specified to the 'telnet:' URI handler via the '/F' command line option. This can e.g. be exploited by including a link to a remote configuration folder on a SMB share and trick a user into visiting a malicious web site containing the link.

A patch is available from the vendor:
http://www.vandyke.com/download/
securecrt/index.html

A Proof of Concept exploit has been published.

VanDyke SecureCRT - Remote Command Execution
High
Security-Assessment Vulnerability Advisory, November 23, 2004

Zone Labs

ZoneAlarm Security Suite 5.x

ZoneAlarm Pro 5.x, 4.x, and 3.x

A vulnerability exists which can be exploited by malicious people
to cause a 'Denial of Service. The vulnerability is caused due to an error in the Ad-Blocking feature (disabled by default) when processing JavaScript and can be exploited by tricking a user into visiting a malicious web site containing specially crafted JavaScript.

Update to version 5.5.062 or later via the "Check For Update"
feature.

Currently we are not aware of any exploits for this vulnerability.

Zone Labs ZoneAlarm Advertising Blocking Denial of Service
Low
Zone Labs Security Advisory, November 18, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Apache Software Foundation
Conectiva
Gentoo
HP
Immunix
Mandrake OpenBSD
OpenPKG
RedHat
SGI
Trustix

Apache 1.3.26‑1.3.29, 1.3.31;
OpenBSD –current, 3.4, 3.5

A buffer overflow vulnerability exists in Apache mod_proxy when a ‘ContentLength:’ header is submitted that contains a large negative value, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Patches available at:
http://marc.theaimsgroup.com/
?l=apache-httpd-dev&m=108687304202140&q=p3

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

OpenPKG:
ftp://ftp.openpkg.org/release/2.0/
UPD/apache-1.3.29-2.0.3.src.rpm

Gentoo:
http://security.gentoo.org/glsa/glsa-200406-16.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

SGI:
ftp://patches.sgi.com/support/free/security/

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

TurboLinux: ftp://ftp.turbolinux.co.jp/pub/Turbo
Linux/TurboLinux/ia32/

Currently we are not aware of any exploits for this vulnerability.

Apache Mod_Proxy Remote Buffer Overflow

CVE Name:
CAN-2004-0492

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert, 1010462, June 10, 2004

Gentoo Linux Security Advisory, GLSA 200406-16, June 22, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:065, June 29, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.029, June 11, 2004

SGI Security Advisory, 20040605-01-U, June 21, 2004

Fedora Legacy Update Advisory, FLSA:1737, October 14, 2004

US-Cert Vulnerability Note VU#541310, October 19, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Turbolinux Security Announcement, November 18, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7 -dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-03.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/s

Trustix:
http://http.trustix.org/pub/trustix/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High

SecurityFocus, October 20, 2004

Slackware Security Advisory, SA:2004-305-01, November 1, 2004

Gentoo Linux Security Advisory, GLSA 200411-03, November 2, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:134, November 17,2004

Turbolinux Security Announcement, November 18, 2004

Apache
Software Foundation

 

A remote Denial of Service vulnerability exists when a malicious user submits multiple specially crafted HTTP GET requests that contain spaces.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Apache Web Server Remote Denial of Service

CVE Name:
CAN-2004-0942

Low

SecurityTracker Alert ID, 1012083, November 4, 2004

PacketStorm, November 18, 2004

ARJ Software Inc.

UNARJ 2.62-2.65

 

A buffer overflow vulnerability exists due to insufficient bounds checking on user-supplied strings prior to processing, which could let a remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-29.xml

Currently we are not aware of any exploits for this vulnerability.

ARJ Software UNARJ Remote Buffer Overflow

CVE Name:
CAN-2004-0947

High

SecurityTracker Alert I,: 1012194, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-29, November 19, 2004

Cscope

Cscope 13.0, 15.1, 15.3-15.5

Several vulnerabilities exist: a vulnerability exists due to the insecure creation of temporary files, which could let a malicious user obtain elevated privileges; and a buffer overflow vulnerability exists when parsing source code with '#include' statements, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Cscope Insecure Temporary File Creation & #include Statement Buffer Overflow

Medium/ High

(High if arbitrary code can be executed)

DV RX171104 Advisory, November 17, 2004

Eric S. Raymond

Email Filter 0.9 .0.5, 0.9 .0.4, 0.9 .0.3, 0.92, 0.92.4, 0.92.6, 0.92.7

A remote Denial of Service vulnerability exists in 'quoted-printable decoder' due to a failure to handle malformed email headers.

Upgrades available at:
http://sourceforge.net/project/showfiles.
php?group_id=62265

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/b/bogofilter/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Bogofilter EMail Filter Remote Denial of Service

CVE Name:
CAN-2004-1007

Low

Securiteam, November 3, 200

Ubuntu Security Notice, USN-26-1, November 16, 2004

FreeBSD

fetch

A buffer overflow vulnerability exists in the fetch utility due to insufficient bounds checks of HTTP response header data, which could let a remote malicious user execute arbitrary code.

Patch available at:
ftp://ftp.FreeBSD.org/pub/FreeBSD/
CERT/patches/SA-04:16/fetch.patch

Currently we are not aware of any exploits for this vulnerability.

FreeBSD fetch() Buffer Overflow
High
FreeBSD Security Advisory, FreeBSD-SA-04:16, November 18, 2004

GD Graphics Library

gdlib 2.0.23, 2.0.26-2.0.28

A vulnerability exists in the 'gdImageCreateFromPngCtx()' function when processing PNG images due to insufficient sanity checking on size values, which could let a remote malicious user execute arbitrary code.

OpenPKG:
ftp://ftp.openpkg.org/release/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/libg/libgd2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-08.xml

Debian:
http://security.debian.org/pool/updates/main/libg

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Trustix:
http://http.trustix.org/pub/trustix/updates/

An exploit script has been published.

GD Graphics Library Remote Integer Overflow

CVE Name:
CAN-2004-0990

High

Secunia Advisory,
SA12996, October 28, 2004

Gentoo Linux Security Advisory, GLSA 200411-08, November 3, 2004

Ubuntu Security Notice, USN-21-1, November 9, 2004

Debian Security Advisories, DSA 589-1 & 591-1, November 9, 2004

Fedora Update Notifications,
FEDORA-2004-411 & 412, November 11, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:132, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-25-1, November 16, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the ChessBrain eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo ChessBrain EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the GIMPS eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo GIMPS EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the SETI@home eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo SETI@home EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

ImageMagick

ImageMagick 5.3.3, 5.4.3, 5.4.4.5, 5.4.7, 5.4.8 .2-1.1.0, 5.4.8,
5.5.3 .2-1.2.0, 5.5.6 .0-20030409, 5.5.7, 6.0, 6.0.1, 6.0.3-6.0.8

A buffer overflow vulnerability exists in the 'EXIF' parsing routine due to a boundary error, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/showfiles.php?group_id=24099

Redhat:
http://rhn.redhat.com/errata/RHSA-2004-480.html

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/
i/imagemagick/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-11.xml

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

We are not aware of any exploits for this vulnerability.

ImageMagick Remote EXIF Parsing Buffer Overflow

CVE Name:
CAN-2004-0981

High

SecurityTracker Alert ID, 1011946, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-11:01, November 6, 2004

Debian Security Advisory DSA 593-1, November 16, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Multiple Vendors

Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;
RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3;
Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1

A remote Denial of Service vulnerability exists in the Apache mod_dav module when an authorized malicious user submits a specific sequence of LOCK requests.

Update available at:
http://httpd.apache.org/

Gentoo:
http://www.gentoo.org/security/en/glsa/
glsa-200409-21.xml

RedHat:
ftp://updates.redhat.com/enterprise

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/updates/main/liba/

HP:
http://software.hp.com

IBM:
http://www-1.ibm.com/support/docview.
wss?uid=swg21190212

There is no exploit code required; however, a Proof of Concept exploit has been published.

Apache mod_dav Remote Denial of Service

CVE Name:
CAN-2004-0809

Low

SecurityTracker Alert ID, 1011248, September 14, 2004

Conectiva Linux Security Announcement, CLA-2004:868, September 23, 2004

Fedora Update Notification,
FEDORA-2004-313, September 23, 2004

Debian Security Advisory DSA 558-1 , October 6, 2004

HP Security Bulletin,
HPSBUX01090, October 26, 2004

1190212
IBM Group Advisory, 1190212, November 18, 2004

Multiple Vendors

Apple Mac OS X 10.2-10.2.8, 10.3 -10.3.5, OS X Server 10.2-10.2.8, 10.3 -10.3.5; Easy Software Products CUPS 1.0.4 -8, 1.0.4, 1.1.1,
1.1.4-5, 1.1.4 -3, 1.1.4 -2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.21

A vulnerability exists in 'error_log' when certain methods of remote printing are carried out by an authenticated malicious user, which could disclose user passwords.

Update available at:
http://www.cups.org/software.php

Apple:
http://wsidecar.apple.com/cgi-bin/nph-
reg3rdpty1.pl/product=04829&platform=osx&
method=sa/SecUpd2004-09-30Jag.dmg


http://wsidecar.apple.com/cgi-bin/nph-
reg3rdpty1.pl/product=04830&platform=osx&
method=sa/SecUpd2004-09-30Pan.dmg

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200410-06.xml

Debian:
http://security.debian.org/pool/
updates/main/c/cupsys/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-543.html

There is no exploit code required.

CUPS Error_Log Password Disclosure

CVE Name:
CAN-2004-0923

Medium

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Fedora Update Notification,
FEDORA-2004-331, October 5, 2004

Gentoo Linux Security Advisory, GLSA 200410-06, October 9, 2004

Debian Security Advisory, DSA 566-1, October 14, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:116, October 21, 2004

RedHat Security Advisory, RHSA-2004:543-15, October 22, 2004

US-CERT Vulnerability Note, VU#557062, November 19, 2004

Multiple Vendors

GD Graphics Library gdlib 1.8.4, 2.0.1, 2.0.20-2.0.23, 2.0.26-2.0.28

Multiple buffer overflow vulnerabilities exist due to insufficient bounds checking prior to processing user-supplied strings, which could let ak remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/libg/libgd2/

Trustix:
http://http.trustix.org/pub/trustix/updates/

Currently we are not aware of any exploits for these vulnerabilities.

GD Graphics Library Multiple Remote Buffer Overflows

CVE Name:
CAN-2004-0941

High

SecurityTracker, 1012195, November 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Multiple Vendors

Gentoo Linux;
Samba Samba 3.0-3.0.7

 

A remote Denial of Service vulnerability exists in 'ms_fnmatch()' function due to insufficient input validation.

Patch available at:
http://us4.samba.org/samba/ftp/patches/security
/samba-3.0.7-CAN-2004-0930.patch

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-21.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/s/samba/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-632.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

There is no exploit code required.

Samba Remote Wild Card Denial of Service

CVE Name:
CAN-2004-0930

Low

SecurityFocus, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

RedHat Security Advisory, RHSA-2004:632-17, November 16, 2004

Multiple Vendors

Gentoo Linux;
RedHat Fedora Core3, Core2;
SuSE Linux 8.1, 8.2, 9.0-9.2, Desktop 1.0, Enterprise Server 9, 8, Novell Linux Desktop 1.0;
X.org X11R6 6.7 .0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0-4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1
4.3 .0

Multiple vulnerabilities exist due to integer overflows, memory access errors, input validation errors, and logic errors, which could let a remote malicious user execute arbitrary code, obtain sensitive information or cause a Denial of Service.

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-28.xml

SuSE:
ftp://ftp.suse.com/pub/suse

X.org:
http://www.x.org/pub/

Currently we are not aware of any exploits for these vulnerabilities

LibXPM Multiple Vulnerabilities

CVE Name:
CAN-2004-0914

Low/ Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

X.Org Foundation Security Advisory, November 17, 2004

Fedora Update Notifications,
FEDORA-2004-433 & 434, November 17 & 18, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Gentoo Linux Security Advisory, GLSA 200411-28, November 19, 2004

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

Currently we are not aware of any exploits for this vulnerability.

 

Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

Multiple Vendors

Linux Kernel 2.4-2.4.27, 2.6-2.6.9; Trustix Secure Enterprise Linux 2.0, Secure Linux 1.5, 2.0-2.2;
Ubuntu Linux 4.1 ppc, 4.1 ia64, 4.1 ia32

Multiple remote Denial of Service vulnerabilities exist in the SMB filesystem (SMBFS) implementation due to various errors when handling server responses. This could also possibly lead to the execution of arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Currently we are not aware of any exploits for these vulnerabilities

Linux Kernel smbfs Filesystem Memory Errors Remote Denial of Service

CVE Names:
CAN-2004-0883
CAN-2004-0949

Low/High

(High if arbitrary code can be executed)

e-matters GmbH Security Advisory, November 11, 2004

Multiple Vendors

OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise Server 9, 8;
X.org X11R6 6.7.0, 6.8;
XFree86 X11R6 3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1, Errata, 4.3.0; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a stack overflow vulnerability exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in -create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c,' which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/i/imlib/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

OpenBSD:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/

SuSE:
ftp://ftp.suse.com/pub/suse/

X.org:
http://x.org/X11R6.8.1/

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-34.xml

IBM:
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-478.html

Avaya:
http://support.avaya.com/japple/css/japple?
temp.groupID=128450&temp.selectedFamily=128451
&temp.selectedProduct=154235&temp.selectedBucket
=126655&temp.feedbackState=askForFeedback&temp.
documentID=203389& PAGE=avaya.css.CSSLvl1Detail
&executeTransaction=avaya.css.UsageUpdate()

Sun:
http://sunsolve.sun.com/search/document.do
?assetkey=1-26-57652-1&searchclause=

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu: http://security.ubuntu.com/ubuntu
/pool/main/x/xfree86/

Proofs of Concept exploits have been published.

LibXpm Image Decoding Multiple Remote Buffer Overflow

CVE Names:
CAN-2004-0687
CAN-2004-0688

High

X.Org Foundation Security Advisory, September 16, 2004

US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, 2004

SecurityFocus, October 4, 2004

SecurityFocus, October 18, 2004

Sun(sm) Alert Notification, 5765, October 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:124, November 2, 2004

Ubuntu Security Notice, USN-27-1, November 17, 2004

MySQL AB

MySQL 3.20 .x, 3.20.32 a, 3.21 .x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.56, 3.23.58, 4.0.0-4.0.15, 4.0.18, 4.0.20, 4.1 .0-alpha, 4.1 .0-0, 4.1.2 -alpha, 4.1.3 -beta, 4.1.3 -0, 5.0 .0-alpha, 5.0 .0-0

A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue.

Debian:
http://security.debian.org/pool/updates/main/m/mysql/

Trustix:
http://http.trustix.org/pub/trustix/updates/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

MySQL Mysql_real_connect Function Remote Buffer Overflow

CVE Name:
CAN-2004-0836

Low/High

(Low if a DoS)

Secunia Advisory,
SA12305, August 20, 2004

Debian Security Advisory, DSA 562-1, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

MySQL AB

MySQL 3.x, 4.x

 

Two vulnerabilities exist: a vulnerability exists due to an error in 'ALTER TABLE ... RENAME' operations because the 'CREATE/INSERT' rights of old tables are checked, which potentially could let a remote malicious user bypass security restrictions; and a remote Denial of Service vulnerability exists when multiple threads issue 'alter' commands against 'merge' tables to modify the 'union.'

Updates available at:
http://dev.mysql.com/downloads/mysql/

Debian:
http://security.debian.org/pool/updates/main/m/mysql

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for these vulnerabilities.

MySQL Security Restriction Bypass & Remote Denial of Service

CVE Names:
CAN-2004-0835
CAN-2004-0837

Low/ Medium

(Low if a DoS; and Medium if security restrictions can be bypassed)

Secunia Advisory, SA12783, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Netopia

Timbuktu Pro for Macintosh 6.0.1

A remote Denial of Service vulnerability exists in the Netopia Timbuktu server component for Apple Mac OSX due to a buffer overflow when multiple simultaneous connections are made and specially crafted data is submitted to the system.

Update to version 7.0.4.

Currently we are not aware of any exploits for this vulnerability.

Netopia Timbuktu Server For Apple Mac OSX Remote Buffer Overflow

CVE Name:
CAN-2004-0810

Low
Corsaire Security Advisory, November 19, 2004

SQLgrey

Postfix Greylisting Service 1.1.1, 1.1.3

A vulnerability exists due to insufficient sanitization of sender and recipient emails before being used in a SQL query, which could let a remote malicious user manipulate SQL queries.

Upgrade available at:
http://sourceforge.net/project/showfiles.php?
group_id=113566

Trustix:
http://http.trustix.org/pub/trustix/updates/

There is no exploit code required.

SQLgrey Postfix Greylisting Service SQL Injection
Medium

Secunia Advisory,
SA13135, November 9, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

The BNC Project

BNC 2.2.4, 2.4.6, 2.4.8, 2.6, 2.6.2, 2.8.8, 2.8.9

A buffer overflow vulnerability exists in ' getnickuserhost' when a malformed IRC server response is handled by the proxy, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.gotbnc.com/files/bnc2.9.1.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200411-24.xml

Currently we are not aware of any exploits for this vulnerability.

BNC Remote Buffer Overflow
High

LSS Security Advisory #LSS-2004-11-3, November 10, 2004

Gentoo Linux Security Advisory, GLSA 200411-24, November 16, 2004

Thibault Godouet

Fcron 2.x

Multiple vulnerabilities exist: a vulnerability exists in the 'fcronsighup' utility due to a design error, which could let a malicious user obtain sensitive information; a vulnerability exists because the 'fcronsighup' utility can bypass access restrictions, which could let a malicious user supply arbitrary configuration settings; an input validation vulnerability exists in the 'fcronsighup' utility, which could let a malicious user delete arbitrary files; and a vulnerability exists because a malicious user can view the contents of the 'fcron.allow' and 'fcron.deny' files due to a file descriptor leak.

Update available at:
http://fcron.free.fr/download.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200411-27.xml

Currently we are not aware of any exploits for these vulnerabilities.

Thibault Godouet Fcron Multiple Vulnerabilities

CVE Names:
CAN-2004-1030
CAN-2004-1031
CAN-2004-1032
CAN-2004-1033

Medium

iDEFENSE Security Advisory, November 15, 2004

Gentoo Linux Security Advisory, GLSA 200411-27, November 18, 2004

Todd Miller

Sudo 1.5.6-1.5.9, 1.6-1.6.8

A vulnerability exists due to an error in the environment cleaning, which could let a malicious user execute arbitrary commands.

Patch available at:
http://www.courtesan.com/sudo/download.html

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Trustix:
http://http.trustix.org/pub/trustix/updates/

Ubuntu: http://security.ubuntu.com/
ubuntu/pool/main/s/sudo/

There is no exploit code required.

Sudo Restricted Command Execution Bypass
High

Secunia Advisory,
SA13199, November 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:133, November 15, 2004

Trustix Secure Linux Security Advisories, TSLSA-2004-0058 & 061, November 16 & 19, 2004

Ubuntu Security Notice, USN-28-1, November 17, 2004

TWiki

TWiki 20030201

A vulnerability exists in 'Search.pn' due to an input validation error when handling search requests, which could let a remote malicious user execute arbitrary commands.

Hotfix available at:
http://twiki.org/cgi-bin/view/Codev/SecurityAlert
Execute CommandsWithSearch

An exploit script has been published.

TWiki Search Shell Metacharacter Remote Arbitrary Command Execution

CVE Name:
CAN-2004-1037

High

Securiteam, November 15, 2004

PacketStorm, November 20, 2004

W-Channel

TC-IDE 1.50-1.53

Multiple vulnerability exist: a vulnerability exists in the 'Net Tools' dialog, which could let a malicious user obtain root privileges; a vulnerability exists in the username field of the 'PPPoE' dialer, which could let a malicious user obtain root privileges; and a vulnerability exists when Opera is configured to use '/bin/dillo' as a specific e-mail client, which could let a malicious user obtain administrative privileges.

The vendor has released an upgrade that deals with these issues. Users should contact the vendor for information on obtaining the fix.

There is no exploit code required.

W-Channel TC-IDE Embedded Linux Root Privileges
High
Securiteam, November 22, 2004

xmlsoft.org

Libxml2 2.6.12-2.6.14

Multiple buffer overflow vulnerabilities exist: a vulnerability exists in the 'xmlNanoFTPScanURL()' function in 'nanoftp.c' due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability exists in the 'xmlNanoFTPScanProxy()' function in 'nanoftp.c,' which could let a remote malicious user execute arbitrary code; and a vulnerability exists in the handling of DNS replies due to various boundary errors, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://xmlsoft.org/sources/libxml2-2.6.15.tar.gz

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-05.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
http://www.trustix.org/errata/2004/0055/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/libx/libxml2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-615.html

Conectiva:
ftp://atualizacoes.conectiva.com.br/1

An exploit script has been published.

Libxml2 Multiple Remote Stack Buffer Overflows

CVE Name:
CAN-2004-0989

High

SecurityTracker Alert I, : 1011941, October 28, 2004

Fedora Update Notification,
FEDORA-2004-353, November 2, 2004

Gentoo Linux Security Advisory, GLSA 200411-05, November 2,2 004

Mandrakelinux Security Update Advisory, MDKSA-2004:127, November 4, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.050, November 1, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0055, November 1, 2004

Ubuntu Security Notice, USN-10-1, November 1, 2004

RedHat Security Advisory, RHSA-2004:615-11, November 12, 2004

Conectiva Linux Security Announcement, CLA-2004:890, November 18, 2004

Yukihiro Matsumoto

Ruby 1.8.x

A remote Denial of Service vulnerability exists due to an input validation error in 'cgi.rb.'

Debian:
http://security.debian.org/pool/updates/main/r/ruby

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/universe/r/ruby1.8/l

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-23.xml

Currently we are not aware of any exploits for this vulnerability.

Ruby Infinite Loop Remote Denial of Service

CVE Name:
CAN-2004-0983

Low

Secunia Advisory,
SA13123, November 8, 2004

Ubuntu Security Notice, USN-20-1, November 9, 2004

Fedora Update Notification,
FEDORA-2004-402 & 403, November 11 & 12, 2004

Gentoo Linux Security Advisory, GLSA 200411-23, November 16, 2004

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

3Com

OfficeConnect ADSL Wireless 11g Firewall Router Firmware 1.13, 1.23, 1.24, 1.27

A remote Denial of Service vulnerability exists due to a failure to handle anomalous network traffic. .

Upgrades available at:
http://webprd1.3com.com/swd/jsp
/user/index.jsp?id=OCWG1215

Currently we are not aware of any exploits for this vulnerability.

3Com OfficeConnect ADSL Wireless 11g Firewall Router Remote Denial of Service
Low
SecurityFocus, November 16, 2004

AppServ

Open Project 2.4-2.4.2, 2.5-2.5.2

A vulnerability exists due to a failure to create default user accounts securely, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

AppServ Open Project Remote Insecure Default Password
Medium
Bugtraq, November 18, 2004

holbrookau.net

Event Calendar

Multiple vulnerabilities exist: a vulnerability exists in error pages when invalid input is submitted or scripts are accessed directly, which could let a remote malicious user obtain sensitive information; a Cross-Site Scripting vulnerability exists due to insufficient sanitization of input passed to various parameters, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists due to insufficient sanitization of comments before being stored, which could let a remote malicious user execute arbitrary code; and a vulnerability exists in 'eid,' 'cid,' and possibly other parameters due to insufficient verification before being used in a SQL query, which could let a remote malicious user manipulate SQL queries.

Proofs of Concept exploits have been published.

Currently we are not aware of any exploits for these vulnerabilities.

Event Calendar Multiple Remote Vulnerabilities

Medium/ High

(High if arbitrary code can be executed)

waraxe-2004-SA#038 Advisory, November 17, 2004

ibproarcade.com

ipbProArcade 2.5

An input validation vulnerability exists due to insufficient validation of the 'category' field, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

IPBProArcade 'category' Input Validation

Medium
SecurityTracker Alert ID, 1012292, November 21, 2004

Invision Power Services

Invision Board 2.0-2.0.2

A vulnerability exists in 'index.php' due to insufficient validation of user-supplied input passed to the 'qpid' parameter, which could let a remote malicious user obtain or corrupt sensitive information.

Patch available at: http://forums.invisionpower.com/index.php
?showtopic=154916

Proofs of Concept exploit scripts have been published.

Invision Power Board 'Index.PHP' Post Action SQL Injection
Medium
MaxPatrol Security Advisory, November 18, 2004

Multiple Vendors

Samba 3.0 - 3.0.7; RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, 2.1, ES 3, 2.1 IA64, 2.1, AS 3, 2.1 IA64, 2.1; Ubuntu Linux 4.1 ppc, ia64, ia32

A buffer overflow vulnerability exists in the 'QFILEPATHINFO' request handler when constructing
'TRANSACT2_QFILEPATHINFO' responses, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.samba.org/samba/download/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
Ubuntu Upgrade samba-doc_
3.0.7-1ubuntu6.2_all.deb

Currently we are not aware of any exploits for this vulnerability.

Samba 'QFILEPATHINFO' Buffer Overflow

CVE Name:
CAN-2004-0882

High

e-matters GmbH Security Advisory, November 14, 2004

SuSE Security Announcement, SUSE-SA:2004:040, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-29-1, November 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:136, November 19, 2004

US-CERT Vulnerability Note VU#457622, November 19, 2004

Multiple Vendors

Archive::Zip 1.13,
F-Secure Anti-Virus for Microsoft Exchange 6.30, 6.30 SR1, and 6.31,
Computer Associates,
Eset,
Kaspersky,
McAfee,
Sophos,
RAV

Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows malicious users to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

Instructions for Computer Associates, Eset, Kaspersky, McAfee, Sophos, and RAV are available at: http://www.idefense.com/application/poi/display?id
=153&type=vulnerabilities&flashstatus=true

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-31.xml

Mandrakelinux 10.1 and Mandrakelinux 10.1/X86_64:
http://www.mandrakesoft.com/security/advisories

A fix for F-Secure is available at::
ftp://ftp.f-secure.com/support/
hotfix/fsav-mse/fsavmse63x-02.zip

A Proof of Concept exploit script has been published.

Multiple Vendor Anti-Virus Software Detection Evasion

CVE Names:
CAN-2004-0932
CAN-2004-0933
CAN-2004-0934
CAN-2004-0935

CAN-2004-0936

CAN-2004-0937

 

High

iDEFENSE Security Advisory, October 18, 2004

Secunia Advisory ID: SA13038, November 1, 2004

SecurityFocus, Bugtraq ID: 11448, November 2, 2004

SecurityTracker Alert ID: 1012057, November 3, 2004

SecurityFocus, November 15, 2004

Multiple Vendors

Axis Communications 2100 Network Camera 2.0-2.03, 2.12, 2.30-2.34, 2.40, 2.41, 2110 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2120 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2400+ Video Server 3.11, 3.12, 2401 Video Server 3.12, 2420 Network Camera 2.12, 2.30-2.34, 2.40, 2.41, 2460 Digital Video Recorder 3.12;
dnrd dnrd 1.0-1.4, 2.0-2.10; Don Moore MyDNS 0.6 ,x, 0.7 ,x, 0.8 ,x, 0.9 ,x 0.10 .0;
Posadis Posadis m5pre1&2, 0.50.4-0.50.9, 0.60 .0, 0.60.1

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted DNS response that contains a spoofed source address.

Axis:
http://www.axis.com/techsup/firmware.php

DNRD:
http://prdownloads.sourceforge.net
/dnrd/dnrd-2.17.1.tar.gz?download

Don Moore:
http://mydns.bboy.net/download/
mydns-0.11.0.tar.gz

Posadis:
http://prdownloads.sourceforge.
net/posadis/

Delegate:
ftp://ftp.delegate.org/pub/DeleGate/
delegate8.9.6.tar.gz

MaraDNS:
http://www.maradns.org/download
/maradns-1.0.23.tar.bz2

Qbik:
http://www334.pair.com/qbiknz/
downloads/WinGate6.0.3.1005-USE.EXE

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendor DNS Remote Denial of Service

CVE Name:
CAN-2004-0789

Low

SecurityFocus, November 9, 2004

SecurityFocus, November 18, 2004

Opera Software

Opera Web Browser 7.54

Multiple remote vulnerabilities exist in the Java implementation due to insecure proprietary design, which could let a malicious user obtain sensitive information or cause a Denial of Service.

The vendor has released a fixed version (7.60 beta).

Exploit scripts have been published.

Opera Web Browser Java Implementation Multiple Remote Vulnerabilities

Low/ Medium

(Medium if sensitive information can be obtained)

llegalaccess.org Advisory, November 19, 2004

Pablo Hernandez

GFHost 0.2

Multiple Cross-Site Scripting vulnerabilities exist in the 'label.php' and 'dl.php' scripts due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

An exploit script has been published.

Pablo Hernandez GFHost Cross-Site Scripting & Server-Side Script Execution
High

SecurityTracker Alert ID, 1012112, November 8, 2004

PacketStorm, November 20, 2004

phpBB Group

phpBB 1.0 .0, 1.2 .0, 1.2.1, 1.4 .0-1.4.2, 1.4.4, 2.0 .0, rc1-rc4, Beta 1, 2.0.1-2.0.10

A vulnerability exists in the 'Cash_Mod' module due to insufficient verification of the input passed to the 'phpbb_root_path' parameter, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.phpbb.com/phpBB/catdb.php
?mode=download&id=539420

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPBB Admin_cash.PHP Remote PHP File Include

High

 

Secunia Advisory ID, SA1324, November 19, 2004

phpBB Group

phpBB 2.0.0-2.0.9

Multiple vulnerabilities exist: a vulnerability exists in 'viewtopic.php' due to insufficient sanitization of the 'highlight' parameter, which could let a malicious user obtain sensitive information or execute arbitrary code; a vulnerability exists due to insufficient sanitization of input passed to the username handling, which could let a remote malicious user execute arbitrary HTML or script code; and a vulnerability exists due to insufficient sanitization of input passed to the username handling before being used in an SQL query, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://www.phpbb.com/downloads.php

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPBB Login Form Multiple Input Validation
High
SECUNIA ADVISORY ID:
SA13239, November 19, 2004

phpMyAdmin Development Team

phpMyAdmin 2.5 .0-2.5.7, 2.6 .0pl1&2

Multiple Cross-Site Scripting vulnerabilities exist: a vulnerability exists in 'config.inc.php' if the 'PmaAbsoluteUri' parameter is not set, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists in 'read_dump.php' due to insufficient validation of the 'zero_rows' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability exists due to insufficient validation of inputs on the confirm page, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://prdownloads.sourceforge.net/
phpmyadmin/phpMyAdmin-2.6.0-pl3.tar.gz?download

Proofs of Concept exploits have been published.

PHPMyAdmin Multiple Remote Cross-Site Scripting

High
netVigilance Security Advisory 5, November 19, 2004

phpScheduleIt

phpScheduleIt 1.0.0RC1, 1.0

A vulnerability exists in 'Reservation.class.php' due to an unspecified error, which could let a malicious user bypass certain security restrictions.

Update available at:
http://sourceforge.net/tracker/download.php?group
_id=95547&atid=611778&file_id=106007&aid=1051841

Currently we are not aware of any exploits for this vulnerability.

PHPScheduleIt 'Reservation.Class.PHP' Security Restriction Bypass
Medium
Secunia Advisory ID, SA13206, November 16, 2004

Something4 Limited

ClickandBuild 3.1, 5.0

A Cross-Site Scripting vulnerability exists in the 'listPos' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

ClickandBuild 'listPos' Parameter Cross-Site Scripting
High
SecurityTracker Alert ID, 1012282, November 19, 2004

SquirrelMail Development Team

SquirrelMail 1.x

A Cross-Site Scripting vulnerability exists in the 'decodeHeader()' function in 'mime.php' when processing encoded text in headers due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

Patch available at:
http://prdownloads.sourceforge.net/
squirrelmail/sm143a-xss.diff?download

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-25.xml

An exploit script is not required.

SquirrelMail Cross-Site Scripting
High

Secunia Advisory,
SA13155, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-25, November 17, 2004

Sun Microsytems, Inc.

Sun Java JRE 1.3.x, 1.4.x,
Sun Java SDK 1.3.x, 1.4.x

A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets.

Updates available at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plug-in Sandbox Security Bypass

CVE Name:
CAN-2004-1029

Medium

Sun(sm) Alert Notification, 57591, November 22, 2004

US-CERT Vulnerability Note, VU#760344, November 23, 2004

 

 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
November 24, 2004 b4b0-phpbb.tgz
Yes
Script that exploits the PHPBB Admin_cash.PHP Remote PHP File Include vulnerability.
November 24, 2004 efuzz01.zip
N/A
An easy to use Win32 tcp/udp protocol fuzzer which finds unknown buffer overflows in local and remote services.
November 24, 2004 mailtraq-update.txt
No
Proof of Concept exploit for the Enstar Mailtraq Windows Tray Icon Access Control vulnerability.
November 22, 2004 DMS_POP3_Overflow.pl
dmsPOP3BufferOverflowExpNoPh0Bia.c
dmsPOP3.txt
Yes
Scripts that exploit the Digital Mappings Systems POP3 Server Remote Buffer Overflow vulnerability.
November 21, 2004 Cisco6509_Reverse.tar.bz2
N/A
Simple C tool and binutils patch with step by step description (HowTo_Reverse_engineering_ Cisco_image.html) how to convert cisco image to MIPSIV file for reverse engineering.
November 20, 2004 20041119.IESP2Unpatched.html
No
Exploit for the Microsoft Internet Explorer File Download Restriction Bypass vulnerability.
November 20, 2004 20041119.IESP2Unpatched.php
No
Exploit for the Microsoft IE Custom 404 Error Message & execCommand SaveAs File Download vulnerability.
November 20, 2004 aclient.txt
No
Step by step exploit for the Altiris AClient Service Windows Tray Icon Access Control vulnerability.
November 20, 2004 atk-3.0.zip
N/A
The Attack Tool Kit (ATK) is an open-source utility to perform vulnerability checks and enhance security audits.
November 20, 2004 atk-3.0src.zip
N/A
The Attack Tool Kit (ATK) is an open-source utility to perform vulnerability checks and enhance security audits.
November 20, 2004 bofra_overview.txt
N/A
Brief analysis of the Bofra, aka MyDoom.AG/AH, worm that was first discovered circulating in the wild November 8th.
November 20, 2004 eudora62014.txt
No
Proof of Concept exploit for the Eudora 6.2.14 for Windows Attachment Spoofing vulnerability.
November 20, 2004 GFHost.pl
GFHostExploit.pl
No
Perl script that exploits the Pablo Hernandez GFHost Cross-Site Scripting & Server-Side Script Execution vulnerability.
November 20, 2004 nsg-advisory-08.txt
No
Proof of Concept exploit for the TipxD versions Format String vulnerability.
November 20, 2004 phpbb.php.txt
Yes
Exploit for the PHPBB Login Form Multiple Input Validation vulnerability.
November 20, 2004 slmail5x.txt
No
Exploit for the SLMail 5.x POP3 Remote Buffer Overflow vulnerability.
November 20, 2004 tweaky.pl
Yes
Perl script that exploits the TWiki Search Shell Metacharacter Remote Arbitrary Command Execution vulnerability.
November 20, 2004 zipbrk.zip
N/A
A tool that searches for the central and local headers contained in a zip file and alters the uncompressed data variable to be 0 in an attempt to trick anti-virus software into not scanning the files inside the zip file.
November 19, 2004 Opera754FontCrashApplet.java
Opera754EcmaScriptApplet.java
Opera754LauncherApplet.java
Opera754KerberosAppletPrint.java
Yes
Exploits for the Opera Web Browser Java Implementation Multiple Remote Vulnerabilities.
November 19, 2004 ZipMe!.cpp
Yes
Proof of Concept exploit for the Microsoft Compressed (zipped) Folders Remote Code Execution vulnerability.
November 18, 2004 apache-squ1rt.c
No
Script that exploits the Apache Web Server Remote Denial of Service vulnerability.
November 17, 2004 ipbQPIDExploitSQLInjection.pl
Yes
Perl script that exploits the Invision Power Board 'Index.PHP' Post Action SQL Injection vulnerability.
November 17, 2004 RXcscope_proof.sh
RXcscope_proof.c
advRX181104.txt
No
Proof of Concept exploit scripts for the Cscope Temporary Files Elevated Privileges vulnerability.
November 16, 2004 mini-exploit.c
No
Script that exploits the MiniShare Buffer Overflow vulnerability.
November 15, 2004 zipbrk.c
Yes
Proof of Concept exploit script for the Multiple Vendor Anti-Virus Software Detection Evasion vulnerability.

[back to top]

Trends
  • Analysis indicates that some of the banner activity recently seen is a combination of both the IFRAME and Drag-and-Drop vulnerability. The US-CERT is monitoring reports of popular European web sites which have been directing traffic to sites that install malware on visitors' computers. Users who have updated versions of IE and using Windows XP Service Pack 2 should not be affected.
  • According to the Anti-Phishing Working Group, an industry association focused on identity theft and fraud, phishing attacks have risen from 2,158 in August to 6,597 new, unique phishing e-mail messages in October. For more information, see http://www.mediapost.com/dtls_dsp_news.cfm?newsID=279857.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Netsky-Z Win32 Worm Slight Increase April 2004
3
Netsky-B Win32 Worm Slight Increase March 2004
4
Zafi-B Win32 Worm Decrease June 2004
5
Bagle-AA Win32 Worm Stable April 2004
6
Netsky-B Win32 Worm Stable February 2004
7
Bagle-AT Win32 Worm Increase October 2004
8
Netsky-Q Win32 Worm Slight Decrease March 2004
9
Bagle-Z Win32 Worm Slight Decrease April 2004
10
Netsky-C Win32 Worm Stable July 2004

Table Updated November 22, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Viruses or Trojans Considered to be a High Level of Threat

    • Sober: Twelve months since the W32/Sober mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Sober are known to use their own SMTP engine to spread through email. The most recent variant is W32/Sober.I (discovered on November 19th). (US-CERT, November 19, 2004)
    • Skulls: Virus writers are targeting Symbian-based cell phones with a Trojan horse that kills off system applications and replaces their icons with images of skulls. The program, dubbed "Skulls" by antivirus companies, is disguised as a theme manager for Nokia phones in the Symbian Installation System format. While the program can cause some headaches, it is not a significant threat. Still, it is a signpost indicating the direction that virus writers could be headed. (CNET, November 19, 2004)

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Backdoor.Sdbot.AH   Trojan
BackDoor-CLK   Trojan
Bagle.BG W32/Bagle.BG.worm Win32 Worm
Downloader-RK   Trojan
Drew.A W32/Drew.A.worm Win32 Worm
JS.Gynamed   Java Script Virus
Jupdate BackDoor-CLH
Backdoor.Jupdate
Backdoor.Win32.Agent.ec
Trojan
Msnsoug.A Trj/Msnsoug.A Trojan
ProcKill-KnlKillP   Program Killer
Sdbot.AF Backdoor.Sdbot.AF Trojan
Sdbot.AG Backdoor.Sdbot.AG Trojan
Skulls SymbOS.Skulls
SymbOS/Skulls
SymbOS_SKULLS.A
Trojan.SymbOS.Skuller.a
Symbian OS Phone Virus
Tasin.A I-Worm/Pawur.A
Tasin.A
W32/Tasin.A.worm
Win32 Worm
Tasin.B W32/Tasin.B.worm Win32 Worm
Tasin.C W32/Tasin.C.worm Win32 Worm
Troj/Banker-AM   Trojan
Troj/Mirchack-D IRC/Flood.cd.dr
BKDR_IRCFLOOD.CD
Trojan
Troj/Narod-D Trojan.Win32.Starter
Trojan.StartPage
PWS-NAROD
Trojan
Troj/Swizzor-BQ TrojanDownloader.Win32.Swizzor.bo Trojan
Vundo Trojan.Vundo
Vundo.dldr
Trojan
W32/Agobot-NX   Win32 Worm
W32/Agobot-NZ Backdoor.Win32.Agobot.gen Win32 Worm
W32/Agobot-OC WORM_AGOBOT.ABH
W32/Gaobot.worm.gen.f
Win32 Worm
W32/Agobot-OD   Win32 Worm
W32/Anzae-A
I-Worm.Pawur.a
W32/Anzae.worm
WORM_ANZAE.A
Tasin
Win32 Worm
W32/Bofra-H I-Worm.Bofra.b
W32.Mydoom.ah@MM
WORM_BOFRA.E
W32/Mydoom.gen@MM
Win32 Worm
W32/Favsin-A   Win32 Worm
W32/Forbot-CP Backdoor.Win32.Wootbot.gen
W32/Sdbot.worm.gen.t
Win32 Worm
W32/Mofei-E Worm.Win32.Aler.a
W32/Golten.worm
WORM_GOLTEN.A
Backdoor.Win32.Small.bq
BackDoor-CJV
Win32 Worm
W32/Primat-C Worm.P2P.Primat.c
W32/HLLP.20606c
Win32 Worm
W32/Protoride-W
Worm.W32.Protoride.Gen Win32 Worm
W32/Rbot-PX   Win32 Worm
W32/Rbot-PY Backdoor.Win32.Rbot.gen
W32/Rbot-KW
W32/Rbot-Fam
WORM_RBOT.VE
Win32 Worm
W32/Rbot-QE Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.p
Win32 Worm
W32/Sober-I
I-Worm.Sober.i
Sober.H@mm
Sober.I
Sobor.I
Trojan.Win32.VB.qa
W32.Sober.I@mm
W32/Sober.H@mm
W32/Sober.I.worm
W32/Sober.I@mm
W32/Sober.j@MM
Win32.Sober.I
WORM_SOBER.I
Win32 Worm
WORM_WOOTBOT.DI   Trojan
Yanz.A I-Worm.Yanz.a
W32/Yanz.A.worm
W32/Yanz.a@MM
Win32 Worm
Yanz.B W32/Yanz.b@MM Win32 Worm

[back to top]

 

 

 

Last updated

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Altiris

AClient Service for Windows 5.6.181; 5.6 SP1 (Hotfix E)

A vulnerability may permit a local malicious user to invoke the Windows tray icon for the AClient Service to gain System level privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Altiris AClient Service Windows Tray Icon Access Control
Medium
SecurityTracker Alert ID, 1012271, November 19, 2004

Citrix

ICA Win32 client (The ICA Win32 Web Client, ICA Win32 Program Neighborhood Client, and ICA Win32 Program Neighborhood Agent) version 8.0 and prior

A vulnerability exists that could permit a local malicious user to monitor ICA keystrokes. The vendor reported that the ICA Win32 client version 8.0 and prior versions contain a debugging feature that allows a local user to create a log containing the keyboard scan codes transmitted during an ICA connection.

The vendor has issued a fixed version (8.1 and later), available at:
http://www.citrix.com/site/SS/downloads/index.asp

A Proof of Concept exploit has been published.

Citrix ICA Client Keystroke Monitor
Medium
Citrix, Document ID, CTX105215, November 19, 2004

Computer Associates

eTrust EZ Antivirus prior to 7.0.2.1

A vulnerability exists that could permit a local malicious user to bypass the GUI password protection feature. The vendor reported that the proxy password in the GUI can be recovered by the local user.

The vendor has issued a fixed version (7.0.2.1 or later):
http://www.ca.com

Currently we are not aware of any exploits for this vulnerability.

Computer Associates eTrust EZ Antivirus Access

Medium
SecurityTracker Alert ID, 1012283, November 19, 2004

Danware

NetOp Host prior to 7.65 build 2004278

A vulnerability exists that could allow a remote malicious user to determine system information. A remote user can send a specially crafted NetOp HELO request to the target system to cause the system to disclose system information such as the hostname, username, and local IP address of the host system.

Update to version 7.65 build 2004278 available at: http://www.danware.com

A Proof of Concept exploit has been published.

Danware NetOp Host Remote Information Disclosure

CVE Name:
CAN-2004-0950

Medium
Corsaire Advisory, November 19, 2004

Digital Mapping Systems

DMS POP3 Server 1.5.3.27

A vulnerability exists which can be exploited by malicious people to execute arbitrary code. The vulnerability is caused due to a boundary error during the authentication process and can be exploited to cause a buffer overflow by supplying an overly long username or password (more than 1024 bytes).

Apply patch at:
http://www.digitalmapping.sk.ca/pop3srv/Update.asp

Exploit scripts have been published.

Digital Mapping DMS POP3 Server Authentication Buffer Overflow
High
Digital Mapping Systems Security Update, November 16, 2004

Enstar

Mailtraq 2.6.1.1677

A vulnerability exists which may permit a local malicious user to invoke the Windows tray icon for Mailtraq to gain System level privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Enstar Mailtraq Windows Tray Icon Access Control
Medium
SecurityFocus, Bugtraq ID 11708, November 19, 2004

Fastream Technologies

Fastream NETFile Server 7.1.2

A vulnerability exists which could permit a malicious user to cause Denial of Service conditions. The web service does not properly process 'keepalive' connection timeouts for HTTP HEAD requests. The service fails to close HEAD request connections. A remote user can make multiple HEAD requests to consume all available connections and deny service to other users.

Update to version 7.1.3, available at: http://www.fastream.com/download.htm

A Proof of Concept exploit has been published.

Fastream NETFile Server Denial of Service
Low
SecurityTracker Alert ID, 1012267, November 19, 2004

Google

Gmail

An input validation vulnerability may exist which could permit a remote malicious user to conduct cross-site scripting attacks. It is reported that the 'zx' variable is not properly validated. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Gmail site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

SecurityTracker testing indicates that this vulnerability has been corrected.

A Proof of Concept exploit has been published.

Google Gmail 'zx' Variable Input Validation
High
SecurityTracker Alert ID, 1012289, November 20, 2004

Ipswitch

IMail 8.13

A buffer overflow vulnerability exists in the 'DELETE' command due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.

Patch available at:
ftp://ftp.ipswitch.com/Ipswitch/Product_
Support/IMail/imail814.exe

An exploit script has been published.

Ipswitch IMail Server Remote Buffer Overflow
High

Securiteam, November 15, 2004

SecurityFocus, November 16, 2004

Microsoft

Internet Explorer with SP2

Several vulnerabilities were reported that could allow a remote malicious user to create a specially crafted web page that, when loaded by the target user, will execute arbitrary scripting code in the local computer zone and allow the remote user to take full control of the target user's system. The problem is that if the downloaded file was sent with a specially crafted 'Content-Location' HTTP header or referenced using a specially crafted URL, then in some situations, no security warning will be displayed when the file is opened.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Internet Explorer File Download Restriction Bypass
High

SecurityTracker Alert ID, 1012234, November 14, 2004

Secunia Advisory ID, SA13203, November 17, 2004

Microsoft

ISA Server 2000, Proxy Server 2.0

A spoofing vulnerability exists that could enable a malicious user to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious web site.

Updates available at:
http://www.microsoft.com/technet/
security/bulletin/ms04-039.mspx

V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update. The Security Update Replacement section has also been revised.

V3.0 (November 16, 2004): Bulletin updated to reflect the release of updated ISA Server 2000 security updates for all languages. These issues affected customers using ISA Server 2000 Service Pack 1 or using Windows 2000 Service Pack 3. The Security Update Replacement section has also been revised.

Microsoft Security Bulletin updated to reflect a revised Security Update Information section for the Proxy 2.0 Service Pack 1 security update.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Server Spoofing

CVE Name:
CAN-2004-0892

Medium

Microsoft Security Bulletin, MS04-039 2.0, 3.0, 3.1, November 19, 2004 (Updated)

 

Microsoft

Internet Explorer (IE) 6 on Windows XP SP2 and Windows 2000

A vulnerability exists that could permit a remote malicious user to invoke the execCommand 'SaveAs' function via a custom HTTP 404 Not Found error message to download arbitrary files to the target user's system without the XP SP2 warning messages. Internet Explorer does not properly process URLs with certain extraneous characters.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Microsoft IE Custom 404 Error Message & execCommand SaveAs File Download
High
SecuriTeam, November 22, 2004

Microsoft

Internet Explorer 6.0 SP1 on
Microsoft Windows XP SP1

A vulnerability has been reported which can be exploited by malicious people to conduct session fixation attacks. The vulnerability is caused due to a validation error in the handling of the path attribute when accepting cookies. This can potentially be exploited by a malicious web site, if the trusted site supports wildcard domains or the domain name contains the malicious sites domain, using a specially crafted path attribute to overwrite cookies for the trusted site.

Update to Windows XP SP2.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Internet Explorer Cookie Path Attribute
Low
Secunia Advisory ID, SA13208, November 17, 2004

Microsoft

Windows NT, 2000 and XP

The Microsoft Windows default logon screensaver is prone to a local privilege escalation vulnerability. It is reported that the screensaver is started with SYSTEM privileges. A local malicious user that has sufficient privileges to modify or replace the default logon screensaver, or that had sufficient privileges to modify registry entries that relate to the logon screensaver, may exploit this vulnerability to attain local SYSTEM privileges.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Windows Logon Screensaver Elevated Privileges
Medium
SecurityFocus Bugtraq ID, 11711, November 19, 2004

Microsoft

Windows XP Home Edition, XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition; Avaya DefinityOne Media Servers; IP600 Media Servers; Modular Messaging (MSS) 1.1, 2.0; S3400 Message Application Server; S8100 Media Servers; Real Networks RealOne Player 1.0, 2.0, RealPlayer 10.0, 10.5 v6.0.12.1053, 10.5 v6.0.12.1040, 10.5 Beta v6.0.12.1016

A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. A malicious user could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious web site.

Updates available at:
http://www.microsoft.com/technet/
security/bulletin/MS04-034.mspx

Avaya customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details:

http://support.avaya.com/japple/css/japple?temp.
groupID=128450&temp.selectedFamily=128451
&temp.selectedProduct=154235&temp.selected
Bucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=203487&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction=
avaya.css.UsageUpdate()

RealNetworks:
http://www.service.real.com/help/faq
/security/041026_player/EN/

An exploit script has been published.

Microsoft Compressed (zipped) Folders Remote Code Execution

CVE Name:
CAN-2004-0575

High

Microsoft Security Bulletin MS04-034, October 12, 2004

US-CERT Cyber Security Alert SA04-286A, October 12, 2004

US-CERT Vulnerability Note VU#649374, October 14, 2004

SecurityFocus, Bugtraq ID 11382, October 18, 2004

SecurityFocus, November 19, 2004

Nullsoft

Winamp 5.05

A vulnerability exists which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the 'IN_CDDA.dll' file. This can be exploited in various ways to cause a stack-based buffer overflow e.g. by tricking a user into visiting a malicious web site containing a specially crafted '.m3u' playlist. Successful exploitation allows execution of arbitrary code.

Update to version 5.0.6:
http://www.winamp.com/player/

A Proof of Concept exploit has been published.

Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow
High
Security-Assessment Vulnerability Advisory, November 23, 2004

Prevx

Prevx Home 1.0

A vulnerability exists that could permit a local malicious user to disable the registry and buffer overflow protection mechanisms. Aa local user with administrative privileges can modify SDT ServiceTable entries by directly writing to '\device\physicalmemory' to return the entries to their original settings, thereby disabling the kernel hooks and preventing Prevx Home from performing its protection functions.

The vendor has released a fixed version (2.0):
http://www.prevx.com

A Proof of Concept exploit has been published.

Prevx Home Protection Mechanisms Registry Disable
Medium
SIG^2 Vulnerability Research Advisory, November 22, 2004

Soft3304

04WebServer 1.42

Multiple vulnerabilities exist that could allow a remote malicious user to inject arbitrary characters into the log file, conduct Cross-Site Scripting attacks, or cause a Denial of Service. The default 404 Not Found response (Response_default.html) does not properly filter HTML code before displaying the originally requested URL. A remote malicious user can also inject arbitrary characters into the log file or request a MS-DOS device name to prevent the server from restarting properly.

Upgrade to 04Webserver 1.5:
http://soft3304.net/04WebServer/
Download/04WebServer150.zip

A Proof of Concept exploit has been published.

Soft3304 04WebServer Input Validation Vulnerabilities

Low/High

(High if arbitrary code can be executed)

SIG^2 Vulnerability Research Advisory, November 11, 2004

SecurityFocus, Bugtraq ID: 11652, November 15, 2004

Sourceforge.net

MiniShare Buffer 1.4.1 and prior

A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can submit a specially crafted, long HTTP GET request to trigger the overflow and execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Sourceforge.net MiniShare Buffer Overflow
High

SecurityTracker Alert ID, 1012106, November 7, 2004

PacketStorm, November 16, 2004

VanDyke Software

SecureCRT 4.0, 4.1

A vulnerability exists which can be exploited by malicious users to execute arbitrary code. The vulnerability is caused due to a design error, as the product allows an arbitrary configuration folder to be specified to the 'telnet:' URI handler via the '/F' command line option. This can e.g. be exploited by including a link to a remote configuration folder on a SMB share and trick a user into visiting a malicious web site containing the link.

A patch is available from the vendor:
http://www.vandyke.com/download/
securecrt/index.html

A Proof of Concept exploit has been published.

VanDyke SecureCRT - Remote Command Execution
High
Security-Assessment Vulnerability Advisory, November 23, 2004

Zone Labs

ZoneAlarm Security Suite 5.x

ZoneAlarm Pro 5.x, 4.x, and 3.x

A vulnerability exists which can be exploited by malicious people
to cause a 'Denial of Service. The vulnerability is caused due to an error in the Ad-Blocking feature (disabled by default) when processing JavaScript and can be exploited by tricking a user into visiting a malicious web site containing specially crafted JavaScript.

Update to version 5.5.062 or later via the "Check For Update"
feature.

Currently we are not aware of any exploits for this vulnerability.

Zone Labs ZoneAlarm Advertising Blocking Denial of Service
Low
Zone Labs Security Advisory, November 18, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Apache Software Foundation
Conectiva
Gentoo
HP
Immunix
Mandrake OpenBSD
OpenPKG
RedHat
SGI
Trustix

Apache 1.3.26‑1.3.29, 1.3.31;
OpenBSD –current, 3.4, 3.5

A buffer overflow vulnerability exists in Apache mod_proxy when a ‘ContentLength:’ header is submitted that contains a large negative value, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Patches available at:
http://marc.theaimsgroup.com/
?l=apache-httpd-dev&m=108687304202140&q=p3

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

OpenPKG:
ftp://ftp.openpkg.org/release/2.0/
UPD/apache-1.3.29-2.0.3.src.rpm

Gentoo:
http://security.gentoo.org/glsa/glsa-200406-16.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

SGI:
ftp://patches.sgi.com/support/free/security/

Fedora Legacy: http://download.fedoralegacy.org/redhat/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

TurboLinux: ftp://ftp.turbolinux.co.jp/pub/Turbo
Linux/TurboLinux/ia32/

Currently we are not aware of any exploits for this vulnerability.

Apache Mod_Proxy Remote Buffer Overflow

CVE Name:
CAN-2004-0492

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert, 1010462, June 10, 2004

Gentoo Linux Security Advisory, GLSA 200406-16, June 22, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:065, June 29, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.029, June 11, 2004

SGI Security Advisory, 20040605-01-U, June 21, 2004

Fedora Legacy Update Advisory, FLSA:1737, October 14, 2004

US-Cert Vulnerability Note VU#541310, October 19, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Turbolinux Security Announcement, November 18, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7 -dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-03.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/s

Trustix:
http://http.trustix.org/pub/trustix/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High

SecurityFocus, October 20, 2004

Slackware Security Advisory, SA:2004-305-01, November 1, 2004

Gentoo Linux Security Advisory, GLSA 200411-03, November 2, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:134, November 17,2004

Turbolinux Security Announcement, November 18, 2004

Apache
Software Foundation

 

A remote Denial of Service vulnerability exists when a malicious user submits multiple specially crafted HTTP GET requests that contain spaces.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Apache Web Server Remote Denial of Service

CVE Name:
CAN-2004-0942

Low

SecurityTracker Alert ID, 1012083, November 4, 2004

PacketStorm, November 18, 2004

ARJ Software Inc.

UNARJ 2.62-2.65

 

A buffer overflow vulnerability exists due to insufficient bounds checking on user-supplied strings prior to processing, which could let a remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-29.xml

Currently we are not aware of any exploits for this vulnerability.

ARJ Software UNARJ Remote Buffer Overflow

CVE Name:
CAN-2004-0947

High

SecurityTracker Alert I,: 1012194, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-29, November 19, 2004

Cscope

Cscope 13.0, 15.1, 15.3-15.5

Several vulnerabilities exist: a vulnerability exists due to the insecure creation of temporary files, which could let a malicious user obtain elevated privileges; and a buffer overflow vulnerability exists when parsing source code with '#include' statements, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Cscope Insecure Temporary File Creation & #include Statement Buffer Overflow

Medium/ High

(High if arbitrary code can be executed)

DV RX171104 Advisory, November 17, 2004

Eric S. Raymond

Email Filter 0.9 .0.5, 0.9 .0.4, 0.9 .0.3, 0.92, 0.92.4, 0.92.6, 0.92.7

A remote Denial of Service vulnerability exists in 'quoted-printable decoder' due to a failure to handle malformed email headers.

Upgrades available at:
http://sourceforge.net/project/showfiles.
php?group_id=62265

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/b/bogofilter/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Bogofilter EMail Filter Remote Denial of Service

CVE Name:
CAN-2004-1007

Low

Securiteam, November 3, 200

Ubuntu Security Notice, USN-26-1, November 16, 2004

FreeBSD

fetch

A buffer overflow vulnerability exists in the fetch utility due to insufficient bounds checks of HTTP response header data, which could let a remote malicious user execute arbitrary code.

Patch available at:
ftp://ftp.FreeBSD.org/pub/FreeBSD/
CERT/patches/SA-04:16/fetch.patch

Currently we are not aware of any exploits for this vulnerability.

FreeBSD fetch() Buffer Overflow
High
FreeBSD Security Advisory, FreeBSD-SA-04:16, November 18, 2004

GD Graphics Library

gdlib 2.0.23, 2.0.26-2.0.28

A vulnerability exists in the 'gdImageCreateFromPngCtx()' function when processing PNG images due to insufficient sanity checking on size values, which could let a remote malicious user execute arbitrary code.

OpenPKG:
ftp://ftp.openpkg.org/release/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/libg/libgd2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-08.xml

Debian:
http://security.debian.org/pool/updates/main/libg

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Trustix:
http://http.trustix.org/pub/trustix/updates/

An exploit script has been published.

GD Graphics Library Remote Integer Overflow

CVE Name:
CAN-2004-0990

High

Secunia Advisory,
SA12996, October 28, 2004

Gentoo Linux Security Advisory, GLSA 200411-08, November 3, 2004

Ubuntu Security Notice, USN-21-1, November 9, 2004

Debian Security Advisories, DSA 589-1 & 591-1, November 9, 2004

Fedora Update Notifications,
FEDORA-2004-411 & 412, November 11, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:132, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-25-1, November 16, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the ChessBrain eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo ChessBrain EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the GIMPS eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo GIMPS EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

Gentoo

Gentoo Linux

A vulnerability exists in the SETI@home eBuild package due to weak default permissions, which could let a malicious user obtain elevated privileges.

Update available at:
http://security.gentoo.org/glsa/glsa-200411-26.xml

There is no exploit code required.

Gentoo SETI@home EBuild Insecure Default Permissions
Medium
Gentoo Linux Security Advisory, GLSA 200411-26, November 17, 2004

ImageMagick

ImageMagick 5.3.3, 5.4.3, 5.4.4.5, 5.4.7, 5.4.8 .2-1.1.0, 5.4.8,
5.5.3 .2-1.2.0, 5.5.6 .0-20030409, 5.5.7, 6.0, 6.0.1, 6.0.3-6.0.8

A buffer overflow vulnerability exists in the 'EXIF' parsing routine due to a boundary error, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/showfiles.php?group_id=24099

Redhat:
http://rhn.redhat.com/errata/RHSA-2004-480.html

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/
i/imagemagick/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-11.xml

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

We are not aware of any exploits for this vulnerability.

ImageMagick Remote EXIF Parsing Buffer Overflow

CVE Name:
CAN-2004-0981

High

SecurityTracker Alert ID, 1011946, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-11:01, November 6, 2004

Debian Security Advisory DSA 593-1, November 16, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Multiple Vendors

Apache Software Foundation Apache 2.0.50 & prior; Gentoo Linux 1.4;
RedHat Desktop 3.0, Enterprise Linux WS 3, ES 3, AS 3;
Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1

A remote Denial of Service vulnerability exists in the Apache mod_dav module when an authorized malicious user submits a specific sequence of LOCK requests.

Update available at:
http://httpd.apache.org/

Gentoo:
http://www.gentoo.org/security/en/glsa/
glsa-200409-21.xml

RedHat:
ftp://updates.redhat.com/enterprise

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/updates/main/liba/

HP:
http://software.hp.com

IBM:
http://www-1.ibm.com/support/docview.
wss?uid=swg21190212

There is no exploit code required; however, a Proof of Concept exploit has been published.

Apache mod_dav Remote Denial of Service

CVE Name:
CAN-2004-0809

Low

SecurityTracker Alert ID, 1011248, September 14, 2004

Conectiva Linux Security Announcement, CLA-2004:868, September 23, 2004

Fedora Update Notification,
FEDORA-2004-313, September 23, 2004

Debian Security Advisory DSA 558-1 , October 6, 2004

HP Security Bulletin,
HPSBUX01090, October 26, 2004

1190212
IBM Group Advisory, 1190212, November 18, 2004

Multiple Vendors

Apple Mac OS X 10.2-10.2.8, 10.3 -10.3.5, OS X Server 10.2-10.2.8, 10.3 -10.3.5; Easy Software Products CUPS 1.0.4 -8, 1.0.4, 1.1.1,
1.1.4-5, 1.1.4 -3, 1.1.4 -2, 1.1.4, 1.1.6, 1.1.7, 1.1.10, 1.1.12-1.1.21

A vulnerability exists in 'error_log' when certain methods of remote printing are carried out by an authenticated malicious user, which could disclose user passwords.

Update available at:
http://www.cups.org/software.php

Apple:
http://wsidecar.apple.com/cgi-bin/nph-
reg3rdpty1.pl/product=04829&platform=osx&
method=sa/SecUpd2004-09-30Jag.dmg


http://wsidecar.apple.com/cgi-bin/nph-
reg3rdpty1.pl/product=04830&platform=osx&
method=sa/SecUpd2004-09-30Pan.dmg

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200410-06.xml

Debian:
http://security.debian.org/pool/
updates/main/c/cupsys/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-543.html

There is no exploit code required.

CUPS Error_Log Password Disclosure

CVE Name:
CAN-2004-0923

Medium

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Fedora Update Notification,
FEDORA-2004-331, October 5, 2004

Gentoo Linux Security Advisory, GLSA 200410-06, October 9, 2004

Debian Security Advisory, DSA 566-1, October 14, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:116, October 21, 2004

RedHat Security Advisory, RHSA-2004:543-15, October 22, 2004

US-CERT Vulnerability Note, VU#557062, November 19, 2004

Multiple Vendors

GD Graphics Library gdlib 1.8.4, 2.0.1, 2.0.20-2.0.23, 2.0.26-2.0.28

Multiple buffer overflow vulnerabilities exist due to insufficient bounds checking prior to processing user-supplied strings, which could let ak remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/libg/libgd2/

Trustix:
http://http.trustix.org/pub/trustix/updates/

Currently we are not aware of any exploits for these vulnerabilities.

GD Graphics Library Multiple Remote Buffer Overflows

CVE Name:
CAN-2004-0941

High

SecurityTracker, 1012195, November 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Multiple Vendors

Gentoo Linux;
Samba Samba 3.0-3.0.7

 

A remote Denial of Service vulnerability exists in 'ms_fnmatch()' function due to insufficient input validation.

Patch available at:
http://us4.samba.org/samba/ftp/patches/security
/samba-3.0.7-CAN-2004-0930.patch

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-21.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/s/samba/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-632.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

There is no exploit code required.

Samba Remote Wild Card Denial of Service

CVE Name:
CAN-2004-0930

Low

SecurityFocus, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

RedHat Security Advisory, RHSA-2004:632-17, November 16, 2004

Multiple Vendors

Gentoo Linux;
RedHat Fedora Core3, Core2;
SuSE Linux 8.1, 8.2, 9.0-9.2, Desktop 1.0, Enterprise Server 9, 8, Novell Linux Desktop 1.0;
X.org X11R6 6.7 .0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0-4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1
4.3 .0

Multiple vulnerabilities exist due to integer overflows, memory access errors, input validation errors, and logic errors, which could let a remote malicious user execute arbitrary code, obtain sensitive information or cause a Denial of Service.

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-28.xml

SuSE:
ftp://ftp.suse.com/pub/suse

X.org:
http://www.x.org/pub/

Currently we are not aware of any exploits for these vulnerabilities

LibXPM Multiple Vulnerabilities

CVE Name:
CAN-2004-0914

Low/ Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

X.Org Foundation Security Advisory, November 17, 2004

Fedora Update Notifications,
FEDORA-2004-433 & 434, November 17 & 18, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Gentoo Linux Security Advisory, GLSA 200411-28, November 19, 2004

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

Currently we are not aware of any exploits for this vulnerability.

 

Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

Multiple Vendors

Linux Kernel 2.4-2.4.27, 2.6-2.6.9; Trustix Secure Enterprise Linux 2.0, Secure Linux 1.5, 2.0-2.2;
Ubuntu Linux 4.1 ppc, 4.1 ia64, 4.1 ia32

Multiple remote Denial of Service vulnerabilities exist in the SMB filesystem (SMBFS) implementation due to various errors when handling server responses. This could also possibly lead to the execution of arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/

Currently we are not aware of any exploits for these vulnerabilities

Linux Kernel smbfs Filesystem Memory Errors Remote Denial of Service

CVE Names:
CAN-2004-0883
CAN-2004-0949

Low/High

(High if arbitrary code can be executed)

e-matters GmbH Security Advisory, November 11, 2004

Multiple Vendors

OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise Server 9, 8;
X.org X11R6 6.7.0, 6.8;
XFree86 X11R6 3.3.6, 4.0, 4.0.1, 4.0.2 -11, 4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1, Errata, 4.3.0; Avaya Intuity LX, MN100, Modular Messaging (MSS) 1.1, 2.0

Multiple vulnerabilities exist: a stack overflow vulnerability exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in -create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c,' which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/i/imlib/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

OpenBSD:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/

SuSE:
ftp://ftp.suse.com/pub/suse/

X.org:
http://x.org/X11R6.8.1/

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-34.xml

IBM:
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-478.html

Avaya:
http://support.avaya.com/japple/css/japple?
temp.groupID=128450&temp.selectedFamily=128451
&temp.selectedProduct=154235&temp.selectedBucket
=126655&temp.feedbackState=askForFeedback&temp.
documentID=203389& PAGE=avaya.css.CSSLvl1Detail
&executeTransaction=avaya.css.UsageUpdate()

Sun:
http://sunsolve.sun.com/search/document.do
?assetkey=1-26-57652-1&searchclause=

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu: http://security.ubuntu.com/ubuntu
/pool/main/x/xfree86/

Proofs of Concept exploits have been published.

LibXpm Image Decoding Multiple Remote Buffer Overflow

CVE Names:
CAN-2004-0687
CAN-2004-0688

High

X.Org Foundation Security Advisory, September 16, 2004

US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, 2004

SecurityFocus, October 4, 2004

SecurityFocus, October 18, 2004

Sun(sm) Alert Notification, 5765, October 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:124, November 2, 2004

Ubuntu Security Notice, USN-27-1, November 17, 2004

MySQL AB

MySQL 3.20 .x, 3.20.32 a, 3.21 .x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.56, 3.23.58, 4.0.0-4.0.15, 4.0.18, 4.0.20, 4.1 .0-alpha, 4.1 .0-0, 4.1.2 -alpha, 4.1.3 -beta, 4.1.3 -0, 5.0 .0-alpha, 5.0 .0-0

A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue.

Debian:
http://security.debian.org/pool/updates/main/m/mysql/

Trustix:
http://http.trustix.org/pub/trustix/updates/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for this vulnerability.

MySQL Mysql_real_connect Function Remote Buffer Overflow

CVE Name:
CAN-2004-0836

Low/High

(Low if a DoS)

Secunia Advisory,
SA12305, August 20, 2004

Debian Security Advisory, DSA 562-1, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

MySQL AB

MySQL 3.x, 4.x

 

Two vulnerabilities exist: a vulnerability exists due to an error in 'ALTER TABLE ... RENAME' operations because the 'CREATE/INSERT' rights of old tables are checked, which potentially could let a remote malicious user bypass security restrictions; and a remote Denial of Service vulnerability exists when multiple threads issue 'alter' commands against 'merge' tables to modify the 'union.'

Updates available at:
http://dev.mysql.com/downloads/mysql/

Debian:
http://security.debian.org/pool/updates/main/m/mysql

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

We are not aware of any exploits for these vulnerabilities.

MySQL Security Restriction Bypass & Remote Denial of Service

CVE Names:
CAN-2004-0835
CAN-2004-0837

Low/ Medium

(Low if a DoS; and Medium if security restrictions can be bypassed)

Secunia Advisory, SA12783, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Netopia

Timbuktu Pro for Macintosh 6.0.1

A remote Denial of Service vulnerability exists in the Netopia Timbuktu server component for Apple Mac OSX due to a buffer overflow when multiple simultaneous connections are made and specially crafted data is submitted to the system.

Update to version 7.0.4.

Currently we are not aware of any exploits for this vulnerability.

Netopia Timbuktu Server For Apple Mac OSX Remote Buffer Overflow

CVE Name:
CAN-2004-0810

Low
Corsaire Security Advisory, November 19, 2004

SQLgrey

Postfix Greylisting Service 1.1.1, 1.1.3

A vulnerability exists due to insufficient sanitization of sender and recipient emails before being used in a SQL query, which could let a remote malicious user manipulate SQL queries.

Upgrade available at:
http://sourceforge.net/project/showfiles.php?
group_id=113566

Trustix:
http://http.trustix.org/pub/trustix/updates/

There is no exploit code required.

SQLgrey Postfix Greylisting Service SQL Injection
Medium

Secunia Advisory,
SA13135, November 9, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

The BNC Project

BNC 2.2.4, 2.4.6, 2.4.8, 2.6, 2.6.2, 2.8.8, 2.8.9

A buffer overflow vulnerability exists in ' getnickuserhost' when a malformed IRC server response is handled by the proxy, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.gotbnc.com/files/bnc2.9.1.tar.gz

Gentoo:
http://security.gentoo.org/
glsa/glsa-200411-24.xml

Currently we are not aware of any exploits for this vulnerability.

BNC Remote Buffer Overflow
High

LSS Security Advisory #LSS-2004-11-3, November 10, 2004

Gentoo Linux Security Advisory, GLSA 200411-24, November 16, 2004

Thibault Godouet

Fcron 2.x

Multiple vulnerabilities exist: a vulnerability exists in the 'fcronsighup' utility due to a design error, which could let a malicious user obtain sensitive information; a vulnerability exists because the 'fcronsighup' utility can bypass access restrictions, which could let a malicious user supply arbitrary configuration settings; an input validation vulnerability exists in the 'fcronsighup' utility, which could let a malicious user delete arbitrary files; and a vulnerability exists because a malicious user can view the contents of the 'fcron.allow' and 'fcron.deny' files due to a file descriptor leak.

Update available at:
http://fcron.free.fr/download.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200411-27.xml

Currently we are not aware of any exploits for these vulnerabilities.

Thibault Godouet Fcron Multiple Vulnerabilities

CVE Names:
CAN-2004-1030
CAN-2004-1031
CAN-2004-1032
CAN-2004-1033

Medium

iDEFENSE Security Advisory, November 15, 2004

Gentoo Linux Security Advisory, GLSA 200411-27, November 18, 2004

Todd Miller

Sudo 1.5.6-1.5.9, 1.6-1.6.8

A vulnerability exists due to an error in the environment cleaning, which could let a malicious user execute arbitrary commands.

Patch available at:
http://www.courtesan.com/sudo/download.html

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Trustix:
http://http.trustix.org/pub/trustix/updates/

Ubuntu: http://security.ubuntu.com/
ubuntu/pool/main/s/sudo/

There is no exploit code required.

Sudo Restricted Command Execution Bypass
High

Secunia Advisory,
SA13199, November 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:133, November 15, 2004

Trustix Secure Linux Security Advisories, TSLSA-2004-0058 & 061, November 16 & 19, 2004

Ubuntu Security Notice, USN-28-1, November 17, 2004

TWiki

TWiki 20030201

A vulnerability exists in 'Search.pn' due to an input validation error when handling search requests, which could let a remote malicious user execute arbitrary commands.

Hotfix available at:
http://twiki.org/cgi-bin/view/Codev/SecurityAlert
Execute CommandsWithSearch

An exploit script has been published.

TWiki Search Shell Metacharacter Remote Arbitrary Command Execution

CVE Name:
CAN-2004-1037

High

Securiteam, November 15, 2004

PacketStorm, November 20, 2004

W-Channel

TC-IDE 1.50-1.53

Multiple vulnerability exist: a vulnerability exists in the 'Net Tools' dialog, which could let a malicious user obtain root privileges; a vulnerability exists in the username field of the 'PPPoE' dialer, which could let a malicious user obtain root privileges; and a vulnerability exists when Opera is configured to use '/bin/dillo' as a specific e-mail client, which could let a malicious user obtain administrative privileges.

The vendor has released an upgrade that deals with these issues. Users should contact the vendor for information on obtaining the fix.

There is no exploit code required.

W-Channel TC-IDE Embedded Linux Root Privileges
High
Securiteam, November 22, 2004

xmlsoft.org

Libxml2 2.6.12-2.6.14

Multiple buffer overflow vulnerabilities exist: a vulnerability exists in the 'xmlNanoFTPScanURL()' function in 'nanoftp.c' due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability exists in the 'xmlNanoFTPScanProxy()' function in 'nanoftp.c,' which could let a remote malicious user execute arbitrary code; and a vulnerability exists in the handling of DNS replies due to various boundary errors, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://xmlsoft.org/sources/libxml2-2.6.15.tar.gz

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-05.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
http://www.trustix.org/errata/2004/0055/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/libx/libxml2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-615.html

Conectiva:
ftp://atualizacoes.conectiva.com.br/1

An exploit script has been published.

Libxml2 Multiple Remote Stack Buffer Overflows

CVE Name:
CAN-2004-0989

High

SecurityTracker Alert I, : 1011941, October 28, 2004

Fedora Update Notification,
FEDORA-2004-353, November 2, 2004

Gentoo Linux Security Advisory, GLSA 200411-05, November 2,2 004

Mandrakelinux Security Update Advisory, MDKSA-2004:127, November 4, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.050, November 1, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0055, November 1, 2004

Ubuntu Security Notice, USN-10-1, November 1, 2004

RedHat Security Advisory, RHSA-2004:615-11, November 12, 2004

Conectiva Linux Security Announcement, CLA-2004:890, November 18, 2004

Yukihiro Matsumoto

Ruby 1.8.x

A remote Denial of Service vulnerability exists due to an input validation error in 'cgi.rb.'

Debian:
http://security.debian.org/pool/updates/main/r/ruby

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/universe/r/ruby1.8/l

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-23.xml

Currently we are not aware of any exploits for this vulnerability.

Ruby Infinite Loop Remote Denial of Service

CVE Name:
CAN-2004-0983

Low

Secunia Advisory,
SA13123, November 8, 2004

Ubuntu Security Notice, USN-20-1, November 9, 2004

Fedora Update Notification,
FEDORA-2004-402 & 403, November 11 & 12, 2004

Gentoo Linux Security Advisory, GLSA 200411-23, November 16, 2004

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

3Com

OfficeConnect ADSL Wireless 11g Firewall Router Firmware 1.13, 1.23, 1.24, 1.27

A remote Denial of Service vulnerability exists due to a failure to handle anomalous network traffic. .

Upgrades available at:
http://webprd1.3com.com/swd/jsp
/user/index.jsp?id=OCWG1215

Currently we are not aware of any exploits for this vulnerability.

3Com OfficeConnect ADSL Wireless 11g Firewall Router Remote Denial of Service
Low
SecurityFocus, November 16, 2004

AppServ

Open Project 2.4-2.4.2, 2.5-2.5.2

A vulnerability exists due to a failure to create default user accounts securely, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

AppServ Open Project Remote Insecure Default Password
Medium
Bugtraq, November 18, 2004

holbrookau.net

Event Calendar

Multiple vulnerabilities exist: a vulnerability exists in error pages when invalid input is submitted or scripts are accessed directly, which could let a remote malicious user obtain sensitive information; a Cross-Site Scripting vulnerability exists due to insufficient sanitization of input passed to various parameters, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists due to insufficient sanitization of comments before being stored, which could let a remote malicious user execute arbitrary code; and a vulnerability exists in 'eid,' 'cid,' and possibly other parameters due to insufficient verification before being used in a SQL query, which could let a remote malicious user manipulate SQL queries.

Proofs of Concept exploits have been published.

Currently we are not aware of any exploits for these vulnerabilities.

Event Calendar Multiple Remote Vulnerabilities

Medium/ High

(High if arbitrary code can be executed)

waraxe-2004-SA#038 Advisory, November 17, 2004

ibproarcade.com

ipbProArcade 2.5

An input validation vulnerability exists due to insufficient validation of the 'category' field, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

IPBProArcade 'category' Input Validation

Medium
SecurityTracker Alert ID, 1012292, November 21, 2004

Invision Power Services

Invision Board 2.0-2.0.2

A vulnerability exists in 'index.php' due to insufficient validation of user-supplied input passed to the 'qpid' parameter, which could let a remote malicious user obtain or corrupt sensitive information.

Patch available at: http://forums.invisionpower.com/index.php
?showtopic=154916

Proofs of Concept exploit scripts have been published.

Invision Power Board 'Index.PHP' Post Action SQL Injection
Medium
MaxPatrol Security Advisory, November 18, 2004

Multiple Vendors

Samba 3.0 - 3.0.7; RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, 2.1, ES 3, 2.1 IA64, 2.1, AS 3, 2.1 IA64, 2.1; Ubuntu Linux 4.1 ppc, ia64, ia32

A buffer overflow vulnerability exists in the 'QFILEPATHINFO' request handler when constructing
'TRANSACT2_QFILEPATHINFO' responses, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.samba.org/samba/download/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
Ubuntu Upgrade samba-doc_
3.0.7-1ubuntu6.2_all.deb

Currently we are not aware of any exploits for this vulnerability.

Samba 'QFILEPATHINFO' Buffer Overflow

CVE Name:
CAN-2004-0882

High

e-matters GmbH Security Advisory, November 14, 2004

SuSE Security Announcement, SUSE-SA:2004:040, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-29-1, November 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:136, November 19, 2004

US-CERT Vulnerability Note VU#457622, November 19, 2004

Multiple Vendors

Archive::Zip 1.13,
F-Secure Anti-Virus for Microsoft Exchange 6.30, 6.30 SR1, and 6.31,
Computer Associates,
Eset,
Kaspersky,
McAfee,
Sophos,
RAV

Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows malicious users to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

Instructions for Computer Associates, Eset, Kaspersky, McAfee, Sophos, and RAV are available at: http://www.idefense.com/application/poi/display?id
=153&type=vulnerabilities&flashstatus=true

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-31.xml

Mandrakelinux 10.1 and Mandrakelinux 10.1/X86_64:
http://www.mandrakesoft.com/security/advisories

A fix for F-Secure is available at::
ftp://ftp.f-secure.com/support/
hotfix/fsav-mse/fsavmse63x-02.zip

A Proof of Concept exploit script has been published.

Multiple Vendor Anti-Virus Software Detection Evasion

CVE Names:
CAN-2004-0932
CAN-2004-0933
CAN-2004-0934
CAN-2004-0935

CAN-2004-0936

CAN-2004-0937

 

High

iDEFENSE Security Advisory, October 18, 2004

Secunia Advisory ID: SA13038, November 1, 2004

SecurityFocus, Bugtraq ID: 11448, November 2, 2004

SecurityTracker Alert ID: 1012057, November 3, 2004

SecurityFocus, November 15, 2004

Multiple Vendors

Axis Communications 2100 Network Camera 2.0-2.03, 2.12, 2.30-2.34, 2.40, 2.41, 2110 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2120 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2400+ Video Server 3.11, 3.12, 2401 Video Server 3.12, 2420 Network Camera 2.12, 2.30-2.34, 2.40, 2.41, 2460 Digital Video Recorder 3.12;
dnrd dnrd 1.0-1.4, 2.0-2.10; Don Moore MyDNS 0.6 ,x, 0.7 ,x, 0.8 ,x, 0.9 ,x 0.10 .0;
Posadis Posadis m5pre1&2, 0.50.4-0.50.9, 0.60 .0, 0.60.1

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted DNS response that contains a spoofed source address.

Axis:
http://www.axis.com/techsup/firmware.php

DNRD:
http://prdownloads.sourceforge.net
/dnrd/dnrd-2.17.1.tar.gz?download

Don Moore:
http://mydns.bboy.net/download/
mydns-0.11.0.tar.gz

Posadis:
http://prdownloads.sourceforge.
net/posadis/

Delegate:
ftp://ftp.delegate.org/pub/DeleGate/
delegate8.9.6.tar.gz

MaraDNS:
http://www.maradns.org/download
/maradns-1.0.23.tar.bz2

Qbik:
http://www334.pair.com/qbiknz/
downloads/WinGate6.0.3.1005-USE.EXE

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendor DNS Remote Denial of Service

CVE Name:
CAN-2004-0789

Low

SecurityFocus, November 9, 2004

SecurityFocus, November 18, 2004

Opera Software

Opera Web Browser 7.54

Multiple remote vulnerabilities exist in the Java implementation due to insecure proprietary design, which could let a malicious user obtain sensitive information or cause a Denial of Service.

The vendor has released a fixed version (7.60 beta).

Exploit scripts have been published.

Opera Web Browser Java Implementation Multiple Remote Vulnerabilities

Low/ Medium

(Medium if sensitive information can be obtained)

llegalaccess.org Advisory, November 19, 2004

Pablo Hernandez

GFHost 0.2

Multiple Cross-Site Scripting vulnerabilities exist in the 'label.php' and 'dl.php' scripts due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

An exploit script has been published.

Pablo Hernandez GFHost Cross-Site Scripting & Server-Side Script Execution
High

SecurityTracker Alert ID, 1012112, November 8, 2004

PacketStorm, November 20, 2004

phpBB Group

phpBB 1.0 .0, 1.2 .0, 1.2.1, 1.4 .0-1.4.2, 1.4.4, 2.0 .0, rc1-rc4, Beta 1, 2.0.1-2.0.10

A vulnerability exists in the 'Cash_Mod' module due to insufficient verification of the input passed to the 'phpbb_root_path' parameter, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.phpbb.com/phpBB/catdb.php
?mode=download&id=539420

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPBB Admin_cash.PHP Remote PHP File Include

High

 

Secunia Advisory ID, SA1324, November 19, 2004

phpBB Group

phpBB 2.0.0-2.0.9

Multiple vulnerabilities exist: a vulnerability exists in 'viewtopic.php' due to insufficient sanitization of the 'highlight' parameter, which could let a malicious user obtain sensitive information or execute arbitrary code; a vulnerability exists due to insufficient sanitization of input passed to the username handling, which could let a remote malicious user execute arbitrary HTML or script code; and a vulnerability exists due to insufficient sanitization of input passed to the username handling before being used in an SQL query, which could let a malicious user execute arbitrary code.

Upgrades available at:
http://www.phpbb.com/downloads.php

There is no exploit code required; however, a Proof of Concept exploit script has been published.

PHPBB Login Form Multiple Input Validation
High
SECUNIA ADVISORY ID:
SA13239, November 19, 2004

phpMyAdmin Development Team

phpMyAdmin 2.5 .0-2.5.7, 2.6 .0pl1&2

Multiple Cross-Site Scripting vulnerabilities exist: a vulnerability exists in 'config.inc.php' if the 'PmaAbsoluteUri' parameter is not set, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists in 'read_dump.php' due to insufficient validation of the 'zero_rows' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability exists due to insufficient validation of inputs on the confirm page, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://prdownloads.sourceforge.net/
phpmyadmin/phpMyAdmin-2.6.0-pl3.tar.gz?download

Proofs of Concept exploits have been published.

PHPMyAdmin Multiple Remote Cross-Site Scripting

High
netVigilance Security Advisory 5, November 19, 2004

phpScheduleIt

phpScheduleIt 1.0.0RC1, 1.0

A vulnerability exists in 'Reservation.class.php' due to an unspecified error, which could let a malicious user bypass certain security restrictions.

Update available at:
http://sourceforge.net/tracker/download.php?group
_id=95547&atid=611778&file_id=106007&aid=1051841

Currently we are not aware of any exploits for this vulnerability.

PHPScheduleIt 'Reservation.Class.PHP' Security Restriction Bypass
Medium
Secunia Advisory ID, SA13206, November 16, 2004

Something4 Limited

ClickandBuild 3.1, 5.0

A Cross-Site Scripting vulnerability exists in the 'listPos' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required.

ClickandBuild 'listPos' Parameter Cross-Site Scripting
High
SecurityTracker Alert ID, 1012282, November 19, 2004

SquirrelMail Development Team

SquirrelMail 1.x

A Cross-Site Scripting vulnerability exists in the 'decodeHeader()' function in 'mime.php' when processing encoded text in headers due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code.

Patch available at:
http://prdownloads.sourceforge.net/
squirrelmail/sm143a-xss.diff?download

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-25.xml

An exploit script is not required.

SquirrelMail Cross-Site Scripting
High

Secunia Advisory,
SA13155, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-25, November 17, 2004

Sun Microsytems, Inc.

Sun Java JRE 1.3.x, 1.4.x,
Sun Java SDK 1.3.x, 1.4.x

A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets.

Updates available at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plug-in Sandbox Security Bypass

CVE Name:
CAN-2004-1029

Medium

Sun(sm) Alert Notification, 57591, November 22, 2004

US-CERT Vulnerability Note, VU#760344, November 23, 2004

 

 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
November 24, 2004 b4b0-phpbb.tgz
Yes
Script that exploits the PHPBB Admin_cash.PHP Remote PHP File Include vulnerability.
November 24, 2004 efuzz01.zip
N/A
An easy to use Win32 tcp/udp protocol fuzzer which finds unknown buffer overflows in local and remote services.
November 24, 2004 mailtraq-update.txt
No
Proof of Concept exploit for the Enstar Mailtraq Windows Tray Icon Access Control vulnerability.
November 22, 2004 DMS_POP3_Overflow.pl
dmsPOP3BufferOverflowExpNoPh0Bia.c
dmsPOP3.txt
Yes
Scripts that exploit the Digital Mappings Systems POP3 Server Remote Buffer Overflow vulnerability.
November 21, 2004 Cisco6509_Reverse.tar.bz2
N/A
Simple C tool and binutils patch with step by step description (HowTo_Reverse_engineering_ Cisco_image.html) how to convert cisco image to MIPSIV file for reverse engineering.
November 20, 2004 20041119.IESP2Unpatched.html
No
Exploit for the Microsoft Internet Explorer File Download Restriction Bypass vulnerability.
November 20, 2004 20041119.IESP2Unpatched.php
No
Exploit for the Microsoft IE Custom 404 Error Message & execCommand SaveAs File Download vulnerability.
November 20, 2004 aclient.txt
No
Step by step exploit for the Altiris AClient Service Windows Tray Icon Access Control vulnerability.
November 20, 2004 atk-3.0.zip
N/A
The Attack Tool Kit (ATK) is an open-source utility to perform vulnerability checks and enhance security audits.
November 20, 2004 atk-3.0src.zip
N/A
The Attack Tool Kit (ATK) is an open-source utility to perform vulnerability checks and enhance security audits.
November 20, 2004 bofra_overview.txt
N/A
Brief analysis of the Bofra, aka MyDoom.AG/AH, worm that was first discovered circulating in the wild November 8th.
November 20, 2004 eudora62014.txt
No
Proof of Concept exploit for the Eudora 6.2.14 for Windows Attachment Spoofing vulnerability.
November 20, 2004 GFHost.pl
GFHostExploit.pl
No
Perl script that exploits the Pablo Hernandez GFHost Cross-Site Scripting & Server-Side Script Execution vulnerability.
November 20, 2004 nsg-advisory-08.txt
No
Proof of Concept exploit for the TipxD versions Format String vulnerability.
November 20, 2004 phpbb.php.txt
Yes
Exploit for the PHPBB Login Form Multiple Input Validation vulnerability.
November 20, 2004 slmail5x.txt
No
Exploit for the SLMail 5.x POP3 Remote Buffer Overflow vulnerability.
November 20, 2004 tweaky.pl
Yes
Perl script that exploits the TWiki Search Shell Metacharacter Remote Arbitrary Command Execution vulnerability.
November 20, 2004 zipbrk.zip
N/A
A tool that searches for the central and local headers contained in a zip file and alters the uncompressed data variable to be 0 in an attempt to trick anti-virus software into not scanning the files inside the zip file.
November 19, 2004 Opera754FontCrashApplet.java
Opera754EcmaScriptApplet.java
Opera754LauncherApplet.java
Opera754KerberosAppletPrint.java
Yes
Exploits for the Opera Web Browser Java Implementation Multiple Remote Vulnerabilities.
November 19, 2004 ZipMe!.cpp
Yes
Proof of Concept exploit for the Microsoft Compressed (zipped) Folders Remote Code Execution vulnerability.
November 18, 2004 apache-squ1rt.c
No
Script that exploits the Apache Web Server Remote Denial of Service vulnerability.
November 17, 2004 ipbQPIDExploitSQLInjection.pl
Yes
Perl script that exploits the Invision Power Board 'Index.PHP' Post Action SQL Injection vulnerability.
November 17, 2004 RXcscope_proof.sh
RXcscope_proof.c
advRX181104.txt
No
Proof of Concept exploit scripts for the Cscope Temporary Files Elevated Privileges vulnerability.
November 16, 2004 mini-exploit.c
No
Script that exploits the MiniShare Buffer Overflow vulnerability.
November 15, 2004 zipbrk.c
Yes
Proof of Concept exploit script for the Multiple Vendor Anti-Virus Software Detection Evasion vulnerability.

[back to top]

Trends
  • Analysis indicates that some of the banner activity recently seen is a combination of both the IFRAME and Drag-and-Drop vulnerability. The US-CERT is monitoring reports of popular European web sites which have been directing traffic to sites that install malware on visitors' computers. Users who have updated versions of IE and using Windows XP Service Pack 2 should not be affected.
  • According to the Anti-Phishing Working Group, an industry association focused on identity theft and fraud, phishing attacks have risen from 2,158 in August to 6,597 new, unique phishing e-mail messages in October. For more information, see http://www.mediapost.com/dtls_dsp_news.cfm?newsID=279857.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Netsky-Z Win32 Worm Slight Increase April 2004
3
Netsky-B Win32 Worm Slight Increase March 2004
4
Zafi-B Win32 Worm Decrease June 2004
5
Bagle-AA Win32 Worm Stable April 2004
6
Netsky-B Win32 Worm Stable February 2004
7
Bagle-AT Win32 Worm Increase October 2004
8
Netsky-Q Win32 Worm Slight Decrease March 2004
9
Bagle-Z Win32 Worm Slight Decrease April 2004
10
Netsky-C Win32 Worm Stable July 2004

Table Updated November 22, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Viruses or Trojans Considered to be a High Level of Threat

    • Sober: Twelve months since the W32/Sober mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Sober are known to use their own SMTP engine to spread through email. The most recent variant is W32/Sober.I (discovered on November 19th). (US-CERT, November 19, 2004)
    • Skulls: Virus writers are targeting Symbian-based cell phones with a Trojan horse that kills off system applications and replaces their icons with images of skulls. The program, dubbed "Skulls" by antivirus companies, is disguised as a theme manager for Nokia phones in the Symbian Installation System format. While the program can cause some headaches, it is not a significant threat. Still, it is a signpost indicating the direction that virus writers could be headed. (CNET, November 19, 2004)

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Backdoor.Sdbot.AH   Trojan
BackDoor-CLK   Trojan
Bagle.BG W32/Bagle.BG.worm Win32 Worm
Downloader-RK   Trojan
Drew.A W32/Drew.A.worm Win32 Worm
JS.Gynamed   Java Script Virus
Jupdate BackDoor-CLH
Backdoor.Jupdate
Backdoor.Win32.Agent.ec
Trojan
Msnsoug.A Trj/Msnsoug.A Trojan
ProcKill-KnlKillP   Program Killer
Sdbot.AF Backdoor.Sdbot.AF Trojan
Sdbot.AG Backdoor.Sdbot.AG Trojan
Skulls SymbOS.Skulls
SymbOS/Skulls
SymbOS_SKULLS.A
Trojan.SymbOS.Skuller.a
Symbian OS Phone Virus
Tasin.A I-Worm/Pawur.A
Tasin.A
W32/Tasin.A.worm
Win32 Worm
Tasin.B W32/Tasin.B.worm Win32 Worm
Tasin.C W32/Tasin.C.worm Win32 Worm
Troj/Banker-AM   Trojan
Troj/Mirchack-D IRC/Flood.cd.dr
BKDR_IRCFLOOD.CD
Trojan
Troj/Narod-D Trojan.Win32.Starter
Trojan.StartPage
PWS-NAROD
Trojan
Troj/Swizzor-BQ TrojanDownloader.Win32.Swizzor.bo Trojan
Vundo Trojan.Vundo
Vundo.dldr
Trojan
W32/Agobot-NX   Win32 Worm
W32/Agobot-NZ Backdoor.Win32.Agobot.gen Win32 Worm
W32/Agobot-OC WORM_AGOBOT.ABH
W32/Gaobot.worm.gen.f
Win32 Worm
W32/Agobot-OD   Win32 Worm
W32/Anzae-A
I-Worm.Pawur.a
W32/Anzae.worm
WORM_ANZAE.A
Tasin
Win32 Worm
W32/Bofra-H I-Worm.Bofra.b
W32.Mydoom.ah@MM
WORM_BOFRA.E
W32/Mydoom.gen@MM
Win32 Worm
W32/Favsin-A   Win32 Worm
W32/Forbot-CP Backdoor.Win32.Wootbot.gen
W32/Sdbot.worm.gen.t
Win32 Worm
W32/Mofei-E Worm.Win32.Aler.a
W32/Golten.worm
WORM_GOLTEN.A
Backdoor.Win32.Small.bq
BackDoor-CJV
Win32 Worm
W32/Primat-C Worm.P2P.Primat.c
W32/HLLP.20606c
Win32 Worm
W32/Protoride-W
Worm.W32.Protoride.Gen Win32 Worm
W32/Rbot-PX   Win32 Worm
W32/Rbot-PY Backdoor.Win32.Rbot.gen
W32/Rbot-KW
W32/Rbot-Fam
WORM_RBOT.VE
Win32 Worm
W32/Rbot-QE Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.p
Win32 Worm
W32/Sober-I
I-Worm.Sober.i
Sober.H@mm
Sober.I
Sobor.I
Trojan.Win32.VB.qa
W32.Sober.I@mm
W32/Sober.H@mm
W32/Sober.I.worm
W32/Sober.I@mm
W32/Sober.j@MM
Win32.Sober.I
WORM_SOBER.I
Win32 Worm
WORM_WOOTBOT.DI   Trojan
Yanz.A I-Worm.Yanz.a
W32/Yanz.A.worm
W32/Yanz.a@MM
Win32 Worm
Yanz.B W32/Yanz.b@MM Win32 Worm

[back to top]

 

 

 

Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top