U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-350)

Summary of Security Items from December 8 through December 14, 2004

Original release date: December 15, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

 

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

21-6 Productions

Orbz 2.10 and prior

A vulnerability exists due to a boundary error when handling
join requests. This can be exploited to cause a buffer overflow by supplying an overly long password. Successful exploitation may allow execution of arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

21-6 Productions Orbz Password Field Buffer Overflow
High

Secunia Advisory ID, SA13327, November 30, 2004

PacketStorm, December 12, 2004

AMAX Information Technologies Inc.

Winmail Server 4.0 (Build 1112)

A vulnerability exists when the 'admin/chgpwd.php,' 'admin/domain.php,' or 'admin/user.php'
script is accessed directly, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Winmail Server 'chgpwd.php', 'domain.php', and 'user.php' Information Disclosure
Medium
GSSIT - Global Security Solution IT Advisory, December 13, 2004

Clearswift

MIMEsweeper for SMTP 5.0, 5.0.5

A remote Denial of Service vulnerability exists in the Security Service when processing PDF files.

Updates available at:
http://www.clearswift.com/download/info.aspx?ID=562

Currently we are not aware of any exploits for this vulnerability.

Clearswift MIMEsweeper For SMTP Remote Denial of Service
Low
Secunia Advisory, SA13411, December 10, 2004

Code-Crafters

Ability Server 2.25-2.34

A buffer overflow vulnerability exists in the processing of the APPE FTP command, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Ability Server 'APPE FTP' Command Buffer Overflow
High
SecurityTracker Alert ID, 1012464, December 8, 2004

CoffeeCup Software

CoffeeCup Direct FTP 6.0, 6.2, CoffeeCup Free FTP 6.0, 6.2

A buffer overflow vulnerability exists due to the way long buffer file names are handled, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Another exploit script has been published.

CoffeeCup Direct/Free FTP ActiveX Component Remote Buffer Overflow
High

Secunia Advisory,
SA13282, November 23, 2004

PacketStorm December 11, 2004

David Harris

Mercury (win32 version) 4.0 1a

Multiple stack-based buffer overflow vulnerabilities exist in the IMAP server implementation due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code.

Update available at:
ftp://ftp.usm.maine.edu/pegasus/
mercury32/m32-401b.zip

An exploit script has been published.

Mercury Mail Multiple Remote IMAP Stack Buffer Overflows
High

Bugtraq, December 1, 2004

PacketStorm, December 12, 2004

Digital Illusions

Codename Eagle 1.42 & prior

A remote Denial of Service vulnerability exists when a malicious user submits an empty UDP datagram.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Codename Eagle UDP Packet Processing Remote Denial of Service
Low
Secunia Advisory,
SA13423, December 13, 2004

Headlight Software, Inc.

GetRight 5.2a & prior

A buffer overflow vulnerability exists in the 'DUNZIP32.DLL' component when a specially crafted skin file is created, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://www.getright.com/get.html

A Proof of Concept exploit has been published.

GetRight 'DUNZIP32.DLL' Buffer Overflow
High

Secunia Advisory,
SA13391, December 7, 2004

SecurityFocus, December 7, 2004

IBEX Software

Remote Execute 2.x

A remote Denial of Service vulnerability exists due to an error in the connection handling.

Update available at: http://www.ibexsoftware.com/downloadRemoteExecute.asp

Currently we are not aware of any exploits for this vulnerability.

IBEX Software Remote Execute Denial of Service
Low

SecurityTracker Alert, 1012445, December 7, 2004

US-CERT Vulnerability Note, VU#136424, December 10, 2004

IpSwitch

WS_FTP Server 5.03, 2004.10.14

Several vulnerabilities were reported that could permit a remote authenticated malicious user to execute arbitrary code on the target system. A remote authenticated user can trigger a buffer overflow in several FTP commands. The SITE, XMKD, MKD, and RFNR FTP commands are affected. A remote user can cause the FTP service to crash or execute arbitrary code.

No workaround or patch available at time of publishing.

An exploit script has been published.

IpSwitch WS_FTP Buffer Overflow
High

SecurityTracker Alert ID: 1012353, November 29, 2004

PacketStorm, December 11, 2004

Kerio

Personal Firewall 4.0.6-4.0.10, 4.0.16, 4.1-4.1.2, Personal Firewall 2 2.1-2.1.5

A Denial of Service vulnerability exists due to insufficient sanitization of SPI parameters that are received from hooked APIs.

No workaround or patch available at time of publishing.

An exploit script has been published.

Kerio Personal Firewall Local Denial of Service
Low
SecurityFocus, December 8, 2004

Kerio

WinRoute Firewall 6.0-6.0.8

A remote Denial of Service, a DNS cache poisoning, and an information disclosure vulnerability exist, which could let a remote malicious user obtain sensitive information, manipulate the DNS cache, and cause the computer to crash or hang.

The vendor has released WinRoute Firewall version 6.0.9 resolving this issue. Users running the affected firewall are advised to contact the vendor for more information on obtaining the upgrade.

Currently we are not aware of any exploits for these vulnerabilities.

Kerio WinRoute Firewall Multiple Unspecified Remote

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityFocus, December 10, 2004

MailEnable

MailEnable Professional Edition v1.52, MailEnable Enterprise Edition v1.01

Two vulnerabilities exist in the IMAP service that could permit a remote malicious user to execute arbitrary code. A remote user can trigger a stack-based buffer overflow or an object pointer overwrite to execute arbitrary code on the target system.

The vendor has issued a fix, available at:
http://mailenable.com/hotfix.asp

An exploit script has been published.

MailEnable Stack Overflow & Pointer Overwrite
High

Hat-Squad Security Team Advisory, November 25, 2004

PacketStorm, December 11, 2004

Microsoft

Internet Explorer 6.0 SP1,
Microsoft Internet Explorer 6.0

Avaya DefinityOne Media Servers R6-12, IP600, Media Servers R6-R12, IP600 Media Servers
Avaya Modular Messaging S3400,
S3400 Message Application Server,
S8100 Media Servers R6-R12

A remote buffer overflow vulnerability exists due to insufficient boundary checks performed by the application and results in a Denial of Service condition. Arbitrary code execution may be possible as well.

Patches available at:
http://www.microsoft.com/technet/
security/bulletin/ms04-040.mspx

Note: Customers who have received hotfixes from Microsoft or from their support providers since the release of MS04-004 or MS04-038 should not install this update. Instead customers should deploy update 889669.

Microsoft Knowledge Base Article 889293 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.

Avaya: http://support.avaya.com/japple/css/
japple?temp.groupID=128450&temp.selectedFamily=
128451&temp.selectedProduct=154235&temp.
selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=212001&
PAGE=avaya.css.CSSLvl1Detail&execute
Transaction=avaya.css.UsageUpdate()

An exploit script has been published.

Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow

CVE Name:
CAN-2004-1050

Low/High

(High if arbitrary code can be executed)

SecurityFocus, Bugtraq ID 11515, October 25, 2004

Packetstorm, November 4, 2004

Microsoft Security Bulletin, MS04-040, December 1, 2004

Technical Cyber Security Alert, TA04-336A, December 3, 2004

Avaya Security Advisory, ASA-2004-085, December 9, 2004

Microsoft

Internet Explorer 6.0, SP1

A vulnerability exists in the 'sysimage://' protocol handler because the existence of a file can be detected, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

An exploit script is not required; however, a Proof of Concept exploit script has been published.
Microsoft Internet Explorer Sysimage Protocol Handler Information Disclosure

Medium

Bugtraq, December 7, 2004

Microsoft

SharePoint Portal Server SP3, 2003, 2001 SP3
Microsoft SharePoint Portal Server 2001, SP1-SP2A

A vulnerability exists due to an error when installing SPS components using a user account with a password containing a leading dash, which could let a malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Microsoft Office SharePoint Portal Server Information Disclosure
Medium
SecurityFocus, December 10, 2004

Microsoft

Internet Explorer 5.0.1, SP1-SP4, 5.0.1 for Windows NT 4.0/98/95/2000, 5.5, SP1&SP2, preview, 6.0, SP1&SP2, Internet Explorer Macintosh Edition 5.2.3

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Microsoft Internet Explorer Remote Window Hijacking

CVE Name:
CAN-2004-1155

Medium
Secunia Advisory, SA13251, December 10, 2004

Microsoft

Internet Explorer 6.0, SP1&SP2

 

A vulnerability exists due to a failure to present the URI address of HTML and script code loaded into the search pane, which could let a remote malicious user present web pages to users that seem to originate from a trusted location.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Microsoft Internet Explorer Search Pane URI Obfuscation
Medium
Bugtraq, December 8, 2004

Microsoft

Windows (ME), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (2003), Windows (XP)

A vulnerability was reported that could allow a remote user to execute arbitrary code on the target system. A remote user can send a specially crafted WINS packet to the target server on TCP port 42 to modify a memory pointer and write arbitrary contents to arbitrary memory locations.

UPDATE: The WINS service is installed and enabled by default on Microsoft Small Business Server 2000/2003. However, the ports used for the service are reportedly not remotely accessible by default on Small Business Server.

Updates available at: http://www.microsoft.com/technet/security/
bulletin/MS04-045.mspx

A Proof of Concept exploit has been published.

Microsoft WINS Memory Overwrite

CVE Name:
CAN-2004-1080

High

US-CERT Vulnerability Note VU#145134, November 29, 2004

SecurityFocus, December 6, 2004

Microsoft Security Bulletin, SB04-045, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition, SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

Several vulnerabilities exist due to boundary errors in the table
and font conversion in the Word for Windows 6.0 converter, which could let a remote malicious user execute arbitrary code. Note: Exploitation requires that the handler for Word for Windows 6.0 converter is enabled.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-041.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Table & Font Conversion Remote Code Execution

CVE Names:
CAN-2004-0571
CAN-2004-0901

High
Microsoft Security Bulletin, MS04-041, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a , NT Server 4.0 Terminal Server Edition SP6

Several vulnerabilities exist: A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted DHCP message to the DHCP server; and a vulnerability exists when handling DHCP request traffic due to an unchecked buffer, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-042.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft DHCP Remote Code Execution & Denial of Service

CVE Names:
CAN-2004-0899
CAN-2004-0900

Low/High

(High if arbitrary code can be executed)

Microsoft Security Bulletin, MS04-042, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, NT Server 4.0 Terminal Server Edition SP6, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

A buffer overflow vulnerability exists due to boundary errors in the handling of HyperTerminal session files and telnet URLs, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft HyperTerminal Remote Code Execution

CVE Name:
CAN-2004-0568

High
Microsoft Security Bulletin, MS04-043, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, NT Server 4.0 Terminal Server Edition SP6, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

 

Several vulnerabilities exist: a vulnerability exists due to an unchecked buffer in the handling of data sent through a LPC (Local Procedure Call) port, which could let a remote malicious user execute arbitrary code with elevated privileges; and a vulnerability exists due to an error in the validation of identity tokens in LSASS (Local Security Authority Subsystem Service), which could let a remote malicious user obtain elevated privileges.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Windows Kernel & LSASS Elevated Privileges & Code Execution

CVE Names:
CAN-2004-0893
CAN-2004-0894

Medium/ High

(High if arbitrary code can be executed)

Microsoft Security Bulletin, SB04-044, December 14, 2004

Microsoft

Windows NT Server 4.0 SP 6a, NT Server 4.0 Terminal Server Edition SP 6, Windows 2000 Server SP 3 & SP4, Windows Server 2003, 2003 64-Bit Edition

A vulnerability exists due to an unchecked buffer in the handling of the 'Name' parameter from certain packets, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft WINS Name Validation

CVE Name:
CAN-2004-0567

High
Microsoft Security Bulletin, SB04-045, December 14, 2004

Microsoft

Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office 2003 Professional Edition, 2003 Small Business Edition, 2003 Standard Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003, Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003, Visual Studio .NET 2002, 2003, Word 2002;
Avaya DefinityOne Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media Servers

A buffer overflow vulnerability exists in the processing of JPEG image formats, which could let a remote malicious user execute arbitrary code.

Frequently asked questions regarding this vulnerability and the patch can be found at: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Bulletin updated to advise on the availability of additional security updates. Standalone security updates for The Microsoft .NET Framework version 1.0 Service Pack 2 and The Microsoft .NET Framework version 1.1 are now available. Security updates for Microsoft Visual FoxPro 8.0 and the Microsoft Visual FoxPro 8.0 runtime are also now available. Bulletin updated to reflect the release of Windows Messenger 5.1 that contains an updated version of the affected file. The MS04-028 Enterprise Update Scanning Tool has been updated to detect and deploy the additional security updates.

Another exploit script has been published.

Microsoft JPEG Processing Buffer Overflow

CVE Name:
CAN-2004-0200

High

Microsoft Security Bulletin, MS04-028, September 14, 2004

US-CERT Vulnerability Note VU#297462, September 14, 2004

Technical Cyber Security Alert TA04-260A, September 16, 2004

SecurityFocus, September 17, 2004

SecurityFocus, September 28, 2004

Packet Storm, October 7, 2004.

Microsoft Security Bulletin, MS04-028, V3.0 December 14, 2004

Multiple Vendors

Archive::Zip 1.13,
F-Secure Anti-Virus for Microsoft Exchange 6.30, 6.30 SR1, and 6.31,
Computer Associates,
Eset,
Kaspersky,
McAfee,
Sophos,
RAV

Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows malicious users to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

Instructions for Computer Associates, Eset, Kaspersky, McAfee, Sophos, and RAV are available at: http://www.idefense.com/application/poi/display?id
=153&type=vulnerabilities&flashstatus=true

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-31.xml

Mandrakelinux 10.1 and Mandrakelinux 10.1/X86_64:
http://www.mandrakesoft.com/security/advisories

A fix for F-Secure is available at::
ftp://ftp.f-secure.com/support/
hotfix/fsav-mse/fsavmse63x-02.zip

SUSE:
http://www.SUSE.com/en/private/
download/updates/92_i386.html

A Proof of Concept exploit script has been published.

Multiple Vendor Anti-Virus Software Detection Evasion

CVE Names:
CAN-2004-0932
CAN-2004-0933
CAN-2004-0934
CAN-2004-0935

CAN-2004-0936

CAN-2004-0937

 

High

iDEFENSE Security Advisory, October 18, 2004

Secunia Advisory ID: SA13038, November 1, 2004

SecurityFocus, Bugtraq ID: 11448, November 2, 2004

SecurityTracker Alert ID: 1012057, November 3, 2004

SecurityFocus, November 15, 2004

SecurityFocus, November 29, 2004

US-CERT Vulnerability Note, VU#968818, December 13, 2004

Netscape

Navigator 7.0, 7.0.2, 7.1-7.2

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Netscape Remote Window Hijacking

CVE Name:
CAN-2004-1155

Medium
Secunia Advisory,
SA13402, December 8, 2004

Nullsoft

Winamp 5.05

A vulnerability exists which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the 'IN_CDDA.dll' file. This can be exploited in various ways to cause a stack-based buffer overflow e.g. by tricking a user into visiting a malicious web site containing a specially crafted '.m3u' playlist. Successful exploitation allows execution of arbitrary code.

Update to version 5.0.6:
http://www.winamp.com/player/

An exploit script has been published.

Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow
High

Security-Assessment Vulnerability Advisory, November 23, 2004

PacketStorm, December 11, 2004

Open Text Corporation

FirstClass 8.0

A remote Denial of Service vulnerability exists in the HTTP Daemon Search function.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

OpenText FirstClass HTTP Daemon Search Function Remote Denial of Service
Low
SecurityTracker Alert ID, 1012478, December 11, 2004

Symantec

Windows LiveUpdate prior to v2.5, Norton SystemWorks 2001-2004, Norton AntiVirus and Pro 2001-2004, Norton Internet Security and Pro 2001-2004,
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0

A vulnerability exists in the LiveUpdate GUI during an interactive LiveUpdate session when running the scheduled 'NetDetect' task, which could let a remote malicious user execute arbitrary commands.

The vendor has issued a fixed version of LiveUpdate (2.5), available via LiveUpdate.

Currently we are not aware of any exploits for this vulnerability.

Symantec LiveUpdate NetDetect Scheduled Task
High
SecurityTracker Alert ID, 1012492, December 13, 2004

WeOnlyDo!

wodFtpDLX ActiveX component, wodFtpDLX ActiveX component 2.1.1 8

A buffer overflow vulnerability exists due to the way long buffer file names are handled, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.weonlydo.com/index.asp?showform=FtpDLX

Exploit scripts have been published.

WeOnlyDo! wodFtpDLX ActiveX Component Remote Buffer Overflow
High

Securiteam, November 23, 2004

PacketStorm December 11, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Adobe

Adobe Version Cue on Mac OS X

A vulnerability exists that could permit a local malicious user to obtain root privileges on the target system. The scripts used to start and stop Adobe Version Cue are configured with set user id (setuid) root user privileges and do not validate the path names. A local user can create specially crafted scripts and modify the current path to point to the directory containing those scripts. When Adobe Version Cue is started or stopped, the scripts will run with root user privileges.

No workaround or patch available at time of publishing.

An exploit script has been published.

Adobe Version Cue Start/Stop Scripts Arbitrary Script Execution
High
SecurityTracker Alert ID: 1012446, December 7, 2004

Apache Software Foundation

Apache 2.0.35-2.0.52

A vulnerability exists when the 'SSLCipherSuite' directive is used in a directory or location context to require a restricted set of cipher suites, which could let a remote malicious user bypass security policies and obtain sensitive information.

OpenPKG:
ftp://ftp.openpkg.org/release/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-21.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-562.html

SuSE: In the process of releasing packages.

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-600.html

There is no exploit code required.

Apache mod_ssl SSLCipherSuite Access Validation

CVE Name:
CAN-2004-0885

Medium

OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-21, October 22, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:122, November 2, 2004

Conectiva Linux Security Announcement, CLA-2004:885, November 4, 2004

Fedora Update Notification,
FEDORA-2004-420, November 12, 2004

RedHat Security Advisory, RHSA-2004:562-11, November 12, 2004

SUSE Security Summary Report, SUSE-SR:2004:001, November 24, 2004

RedHat Security Advisory, RHSA-2004:600-12, December 13, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7 -dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-03.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/s

Trustix:
http://http.trustix.org/pub/trustix/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-600.html

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High

SecurityFocus, October 20, 2004

Slackware Security Advisory, SA:2004-305-01, November 1, 2004

Gentoo Linux Security Advisory, GLSA 200411-03, November 2, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:134, November 17,2004

Turbolinux Security Announcement, November 18, 2004

Red Hat Advisory: RHSA-2004:600-12, December 13, 2004

Apple

Darwin
Streaming Server 5.0.1 on Mac OS X 10.2.8 or 10.3.6 Server

A vulnerability exists due to an input validation error in the handling of 'DESCRIBE' requests. This can be exploited to cause a vulnerable server to crash by sending a specially crafted request for a location containing a null byte.

Apple has issued a fix as part of Security Update 2004-12-02, available at: http://www.apple.com/swupdates/

Currently we are not aware of any exploits for this vulnerability.

Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service

CVE Name:
CAN-2004-1123

Low
iDEFENSE Advisory 12.03.04

Apple

Safari 1.2.4

A vulnerability exists which could allow a remote malicious user to inject content into an open window in certain cases to spoof web site contents. If the target name of an open window is known, a remote user can create Javascript that, when loaded by the target user, will display arbitrary content in the opened window. A remote user can exploit this to spoof the content of potentially trusted web sites.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Apple Safari Open Windows Injection
Medium
SecurityTracker Alert ID: 1012459, December 8, 2004

ARJ Software Inc.

UNARJ 2.62-2.65

 

A buffer overflow vulnerability exists due to insufficient bounds checking on user-supplied strings prior to processing, which could let a remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-29.xml

SUSE:
http://www.suse.de/de/security/2004_03_sr.html

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Currently we are not aware of any exploits for this vulnerability.

ARJ Software UNARJ Remote Buffer Overflow

CVE Name:
CAN-2004-0947

High

SecurityTracker Alert I,: 1012194, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-29, November 19, 2004

SUSE Security Summary Report SUSE-SR:2004:003, December 7, 2004

Fedora Update Notification
FEDORA-2004-414, December 11, 2004

Atari

Atari800 1.3.1 & prior

Several buffer overflow vulnerabilities exist in the 'log.c' and 'rt-config.c' files due to insufficient boundary checks, which could let a malicious user execute arbitrary code with root privileges.

The vendor reports that the vulnerability described in 'log.c' is fixed in versions after 2003-11-13, and that they are currently looking into the issue in 'rt-config.c'.

An exploit script has been published.

Atari800 Emulator Multiple Buffer Overflows
High

Securiteam, November 25, 2004

PacketStorm, December 11, 2004

BitWizard

mtr 0.55 through 0.65

A vulnerability exists which can be exploited by malicious, local users to perform certain actions with escalated privileges.The vulnerability is caused due to an off-by-one error in the keybinding routine in "mtr_curses_keyaction()". This may be exploited by supplying specially crafted, overly long input. Exploitation requires that mtr is setuid "root" and not compiled with gcc 3.x.

Update to version 0.67:
ftp://ftp.bitwizard.nl/mtr/

Currently we are not aware of any exploits for this vulnerability.

BitWizard mtr 'mtr_curses_keyaction()' Function Buffer Overflow
Medium
Secunia Advisory ID:
SA13430, December 14, 2004

Carnegie Mellon University

Cyrus IMAP Server 2.2.9 and prior versions

A vulnerability exists in the mysasl_canon_user() function that could allow a remote user to execute arbitrary code on the target system. An off-by-one error exists in the mysasl_canon_user() function that may result in an unterminated user name string. A remote user may be able to trigger the buffer overflow to execute arbitrary code on the target system with the privileges of the target IMAP process.

The vendor has issued a fixed version (2.2.10), available at: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

Currently we are not aware of any exploits for this vulnerability.

Carnegie Mellon Cyrus IMAP Server Off-by-one Overflow

CVE Name:
CAN-2004-1067

High

SecurityTracker Alert ID: 1012474, December 10, 2004

Carsten Haitzler

imlib 1.x

Multiple vulnerabilities exist due to integer overflows within the image decoding routines. This can be exploited to cause buffer overflows by tricking a user into viewing a specially crafted image in an application linked against the vulnerable library.

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-03.xml

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-651.html

Currently we are not aware of any exploits for these vulnerabilities.

Carsten Haitzler imlib Image Decoding Integer Overflow

CVE Name:
CAN-2004-1026
CAN-2004-1025

High

Secunia Advisory ID:
SA13381, December 7, 2004

Red Hat Advisory, RHSA-2004:651-03, December 10, 2004

Citadel Systems

Citadel/UX 6.27 and prior versions

A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. The lprintf() function in 'sysdep.c' makes an unsafe syslog() call based on user-supplied input but without providing the format string specifier or filtering the user-supplied input. A remote user can connect to the target service and supply a specially crafted string to trigger the error and cause the target service to crash or to execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Citadel/UX Format String
High
No System Group, Advisory #09, December 12, 2004

Free Software Foundation

rootsh prior to version 1.4.1

A vulnerably exists in rootsh, which can be exploited by malicious, local users to bypass the logging functionality. The problem is caused due to an input validation error when handling certain xterm escape sequences. This can be exploited to generate empty syslog messages, allowing users to hide their actions in a syslog-only environment.

Update to version 1.4.1:
http://sourceforge.net/project/
showfiles.php?group_id=110309

Currently we are not aware of any exploits for this vulnerability.

Free Software Foundation rootsh Security Bypass
Medium
Secunia Advisory ID: SA13405, December 9, 2004

GNU

a2ps 4.13

A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process.

A patch for FreeBSD is available at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/
print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

A Proof of Concept exploit has been published.

GNU a2ps Filenames Shell Commands Execution
High
SecurityTracker Alert ID: 1012475, December 10, 2004

GNU

mysql_auth prior to 0.8

A vulnerability exists due to a memory leak in mysql_auth. The impact was not specified.

The vendor has issued a fixed version (0.8), available at: http://people.arxnet.hu/airween/mysql_auth/mysql_auth-0.8.tar.gz

Currently we are not aware of any exploits for this vulnerability.

GNU mysql_auth Memory Leak
Not Specified
SecurityTracker Alert ID: 1012500, December 14, 2004

GNU

Squid-2.5

A vulnerability exists which can be exploited by malicious people to gain knowledge of potentially sensitive information. Squid returns random error messages due to reference to freed memory in certain conditions involving a sequence of failed DNS lookups, resulting in random messages being shown as error message in response to such host names.

Apply patch: http://www.squid-cache.org/
Versions/v2/2.5/bugs/squid-2.5.STABLE7-dothost.patch

A Proof of Concept exploit has been published.

GNU Squid Malformed Host Name
Medium
Squid Project Bugzilla Bug 1143, November 23, 2004

GNU

wget 1.9.1

A vulnerability exists which could permit a remote malicious user to create or overwrite files on the target user's system. wget does not properly validate user-supplied input. A remote user can bypass the filtering mechanism if DNS can be modified so that '..' resolves to an IP address. A specially crafted HTTP response can include control characters to overwrite portions of the terminal window.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

GNU wget File Creation & Overwrite
Medium
SecurityTracker Alert ID: 1012472, December 10, 2004

ImageMagick

ImageMagick 5.3.3, 5.4.3, 5.4.4.5, 5.4.7, 5.4.8 .2-1.1.0, 5.4.8,
5.5.3 .2-1.2.0, 5.5.6 .0-20030409, 5.5.7, 6.0, 6.0.1, 6.0.3-6.0.8

A buffer overflow vulnerability exists in the 'EXIF' parsing routine due to a boundary error, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/
showfiles.php?group_id=24099

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/
i/imagemagick/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-11.xml

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE/i386/update/

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:143

(Red Hat has re-issued it's update.)
http://rhn.redhat.com/errata/RHSA-2004-480.html

Currently we are not aware of any exploits for this vulnerability.

ImageMagick Remote EXIF Parsing Buffer Overflow

CVE Names:
CAN-2004-0827
CAN-2004-0981

High

SecurityTracker Alert ID, 1011946, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-11:01, November 6, 2004

Debian Security Advisory DSA 593-1, November 16, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

SUSE Security Summary Report, USE-SR:2004:001, November 24, 2004

Mandrakesoft Security Advisory, MDKSA-2004:143, December 6, 2004

Red Hat Security Advisory, RHSA-2004:636-03, December 8, 2004

Info-ZIP

Zip 2.3

A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/z/zip/

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-16.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow

CVE Name:
CAN-2004-1010

High

Bugtraq, November 3, 2004

Ubuntu Security Notice, USN-18-1, November 5, 2004

Fedora Update Notification,
FEDORA-2004-399 & FEDORA-2004-400, November 8 & 9, 2004

Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

KDE

KDE prior to 3.3.2

When a user creates a link to a remote file using various KDE applications, the resulting link may include authentication credentials for the remote system. This may include Samba passwords for files located on SMB servers.

Patches are available:
http://www.kde.org/info/security/advisory-20041209-1.txt

Currently we are not aware of any exploits for this vulnerability.

KDE Privacy

Medium
KDE Security Advisory, December 9, 2004

KDE

Konqueror 3.2.2-6

 

A vulnerability exists which can be exploited by malicious people to spoof the content of websites. A website can inject content into another site's window if the target name of the window is known. This can be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

KDE Konqueror Window Injection
Medium

Secunia Advisory ID: SA13254, December 8, 2004

Larry Wall

Perl 5.8.3

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-04.xml

There is no exploit code required.

Perl
Insecure Temporary File Creation

CVE Name:
CAN-2004-0976

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Ubuntu Security Notice, USN-16-1, November 3, 2004

Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004

libtiff.org

LibTIFF 3.6.1

Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora:
http://download.fedora.redhat.com/pub/fedora/
linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-577.html

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

KDE: Update to version 3.3.2:
http://kde.org/download/

Apple Mac OS X:
http://www.apple.com/swupdates/

Proofs of Concept exploits have been published.

LibTIFF Buffer Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be execute)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification,
FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

Slackware Security Advisory, SSA:2004-305-02, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004

US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004

Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004

KDE Security Advisory, December 9, 2004

Apple Security Update SA-2004-12-02

MediaWiki

MediaWiki 1.3.8

A vulnerability exists which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to insufficient validation of files uploaded to the "images" directory located inside the web root. This can be exploited to upload and execute arbitrary malicious scripts.

Update to version 1.3.9:
http://wikipedia.sourceforge.net/

A Proof of Concept exploit has been published.

MediaWiki 'images' Arbitrary Script Upload and Execution
High
Secunia Advisory ID:
SA13419, December 13, 2004

Multiple Vendors

file 4.11 and prior (Trustix)

A vulnerability exists in the ELF header parsing code in 'file'. A malicious user may be able to create a specially crafted ELF file that, when processed using 'file', may be able to modify the stack and potentially execute arbitrary code.

Update to version 4.12:
ftp://ftp.astron.com/pub/file/

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200412-07.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors 'File' Processing ELF Headers Stack Overflow

High

Trustix Secure Linux Advisory #2004-0063, November 26, 2004

Gentoo Linux Security Advisory, GLSA 200412-07/ file, December 13, 2004

Multiple Vendors

Gentoo Linux;
Samba Samba 3.0-3.0.7

 

A remote Denial of Service vulnerability exists in 'ms_fnmatch()' function due to insufficient input validation.

Patch available at:
http://us4.samba.org/samba/ftp/patches/security
/samba-3.0.7-CAN-2004-0930.patch

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-21.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/s/samba/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-632.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

SGI:
http://www.sgi.com/support/security/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux
/TurboLinux/ia32/Server/10/updates/

There is no exploit code required.

Samba Remote Wild Card Denial of Service

CVE Name:
CAN-2004-0930

Low

SecurityFocus, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

RedHat Security Advisory, RHSA-2004:632-17, November 16, 2004

Conectiva Linux Security Announcement, CLA-2004:899, November 25, 2004

Fedora Update Notifications,
FEDORA-2004-459 & 460, November 29, 2004

Turbolinux Security Advisory, TLSA-2004-32, December 8, 2004

SGI Security Advisory, 20041201-01-P, December 13, 2004

Multiple Vendors

gzip

A vulnerability exists in the gzip(1) command, which could let a malicious user access the files of other users that were processed using gzip.

Sun Solaris:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57600-1

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:142

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Debian:
http://www.debian.org/security/2004/dsa-588

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors
Gzip File Access

CVE Name:
CAN-2204-0970

Medium

Sun(sm) Alert Notification, 57600, October 1, 2004

US-CERT Vulnerability Note VU#635998, October 18, 2004

Mandrakesoft Security Advisory, MDKSA-2004:142, December 6, 2004

Trustix Advisory TSL-2004-0050, September 30, 2004

Debian Security Advisory DSA 588-1, November 8, 2004

Multiple Vendors

Linux Kernel 2.6.x

Some potential vulnerabilities exist with an unknown impact in the Linux Kernel. The vulnerabilities are caused due to boundary errors within the
"sys32_ni_syscall()" and "sys32_vm86_warning()" functions and can be exploited to cause buffer overflows. The attack vectors and impact are currently unknown.

Patches are available at:
http://linux.bkbits.net:8080/linux-2.6/cset@1.2079

http://linux.bkbits.net:8080/linux-2.6/
gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ

Currently we are not aware of any exploits for these vulnerabilities.

Multiple Vendors Linux Kernel 'sys32_ni_syscall' and 'sys32_vm86_warning' Buffer Overflows
Not Specified
Secunia Advisory ID: SA13410, December 9, 2004

Multiple Vendors

MySQL AB MySQL 3.20 .x, 3.20.32 a, 3.21.x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.54, 3.23.56, 3.23.58, 3.23.59, 4.0.0-4.0.15, 4.0.18, 4.0.20;
Trustix Secure Enterprise Linux 2.0, Secure Linux 1.5, 2.0, 2.1

A vulnerability exists in the 'GRANT' command due to a failure to ensure sufficient privileges, which could let a malicious user obtain unauthorized access.

Upgrades available at:
http://dev.mysql.com/downloads/mysql/4.0.html

OpenPKG:
ftp.openpkg.org

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-611.html

SuSE:
ftp://ftp.suse.com/pub/suse

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/m

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

There is no exploit code required.

 

MySQL Database Unauthorized GRANT Privilege

CVE Name:
CAN-2004-0957

Medium

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

Multiple Vendors

nfs-utils 1.0.6

A vulnerability exists due to an error in the NFS statd server in "statd.c" where the "SIGPIPE" signal is not correctly ignored. This can be exploited to crash a vulnerable service via a malicious peer terminating a TCP connection prematurely.

Upgrade to 1.0.7-pre1:
http://sourceforge.net/project/
showfiles.php?group_id=14&package_id=174

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:146

Debian:
http://www.debian.org/security/2004/dsa-606

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors nfs-utils "SIGPIPE" TCP Connection Termination Denial of Service
Low

Secunia Advisory ID: SA13384, December 7, 2004

Debian Security Advisory
DSA-606-1 nfs-utils, December 8, 2004

Multiple Vendors

perl

Multiple vulnerabilities exist which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the file system. When a Perl script is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.

Gentoo: update to "perl-5.8.5-r2" or later:
http://security.gentoo.org/glsa/glsa-200412-04.xml

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/p/perl/

Currently we are not aware of any exploits for these vulnerabilities.

Multiple Vendors Perl Insecure Temporary File Creation
Medium

Gentoo Security Advisory, GLSA 200412-04 / perl, December 7, 2004

Trustix Secure Linux Bugfix Advisory #2004-0050, November 30, 2004

Ubuntu Security Notice USN-16-1 November 02, 2004

Multiple Vendors

Samba 3.0 - 3.0.7; RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, 2.1, ES 3, 2.1 IA64, 2.1, AS 3, 2.1 IA64, 2.1; Ubuntu Linux 4.1 ppc, ia64, ia32

A buffer overflow vulnerability exists in the 'QFILEPATHINFO' request handler when constructing 'TRANSACT2_QFILEPATHINFO' responses, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.samba.org/samba/download/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
Ubuntu Upgrade samba-doc_
3.0.7-1ubuntu6.2_all.deb

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux
/TurboLinux/ia32/Server/10/updates/

Currently we are not aware of any exploits for this vulnerability.

Samba 'QFILEPATHINFO' Buffer Overflow

CVE Name:
CAN-2004-0882

High

e-matters GmbH Security Advisory, November 14, 2004

SuSE Security Announcement, SUSE-SA:2004:040, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-29-1, November 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:136, November 19, 2004

US-CERT Vulnerability Note VU#457622, November 19, 2004

Conectiva Linux Security Announcement, CLA-2004:899, November 25, 2004

Fedora Update Notifications,
FEDORA-2004-459 & 460, November 29, 2004

Turbolinux Security Advisory, TLSA-2004-32, December 8, 2004

Multiple Vendors

Unix OpenBSD 3.3, 3.4;
XFree86 X11R6 4.1 .0, 4.1–12,
4.1–11, 4.2 .0, 4.2 1, 4.2.1 Errata, 4.3

A buffer overflow vulnerability exists in the 'font.alias' file due to insufficient validation of user supplied data, which could let a malicious user obtain ROOT privileges.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Immunix:
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/

Mandrake:
http://www.mandrakesecure.net/en/advisories/

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

RedHat:
ftp://updates.redhat.com/9/en/os/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/10/updates/

Xfree86:
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

A Proof of Concept exploit has been published.

Multiple Vendors XFree86 Font Information File Buffer Overflow

CVE Name:
CAN-2004-0083

High

iDEFENSE Security Advisory, February 10, 2004.

Slackware Security Advisory, SSA:2004-043-02, February 12, 2004.

Fedora Update Notification, FEDORA-2004-069, February 13, 2004.

Immunix Secured OS Security Advisory, IMNX-2004-73-002-01, February 13, 2004.

Mandrake Linux Security Update Advisory, MDKSA-2004:012, February 13, 2004.

Red Hat Security Advisories, RHSA-2004:059-01& RHSA-2004:060-16, February 13, 2004.

TurboLinux Security Advisory, TLSA-2004-5, February 17, 2004.

US-CERT Vulnerability Note VU#820006, December 7, 2004

Multiple Vendors

Easy Software Products CUPS 1.1.14-1.1.20; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1

 

A Denial of Service vulnerability exists in 'scheduler/dirsvc.c' due to insufficient validation of UDP datagrams.

Update available at:
http://www.cups.org/software.php

Debian:
http://security.debian.org/pool/updates/main/c/cupsys/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

RedHat:
http://rhn.redhat.com/

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

ALTLinux:
http://altlinux.com/index.php?
module=sisyphus&package=cups

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-25.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Apple:
http://www.apple.com/support/security/
security_updates.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57646-1&searchclause=

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora Legacy:
http://download.fedoralegacy.org/fedora/1/updates/

SCO:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.15

TurboLinux: ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/

A Proof of Concept exploit has been published.

CUPS Browsing Denial of Service

CVE Name:
CAN-2004-0558

Low

SecurityTracker Alert ID, 1011283, September 15, 2004

ALTLinux Advisory, September 17, 2004

Gentoo Linux Security Advisory GLSA 200409-25, September 20, 2004

Slackware Security Advisory, SSA:2004-266-01, September 23, 2004

Fedora Update Notification,
FEDORA-2004-275, September 28, 2004

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Sun(sm) Alert Notification, 57646, October 7, 2004

SCO Security Advisory, COSA-2004.15, October 12, 2004

Conectiva Linux Security Announcement, CLA-2004:872, October 14, 2004

Fedora Legacy Update Advisory, FLSA:2072, October 16, 2004

Turbolinux Security Advisory, TLSA-2004-33, December 8, 2004

Multiple Vendors

Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1;
ImageMagick ImageMagick 5.4.3, 5.4.4 .5, 5.4.8 .2-1.1.0 , 5.5.3 .2-1.2.0, 5.5.6 .0- 2003040, 5.5.7,6.0.2;
Imlib Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Iimlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

lmlib:
http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/

ImageMagick:
http://www.imagemagick.org/www/download.html

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-12.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-465.html

SUSE:
ftp://ftp.SUSE.com/pub/SUSE/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Sun:
http://sunsolve.sun.com/search/document.do?
assetkey=1-26-57648-1&searchclause=

http://sunsolve.sun.com/search/document.do?
assetkey=1-26-57645-1&searchclause=

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-480.html

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/i/imagemagick/i

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-636.html

Currently we are not aware of any exploits for these vulnerabilities.

IMLib/IMLib2 Multiple BMP Image
Decoding Buffer Overflows

 

CVE Names:
CAN-2004-0817
CAN-2004-0802

Low/High

(High if arbitrary code can be executed)

SecurityFocus, September 1, 2004

Gentoo Linux Security Advisory, GLSA 200409-12, September 8, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:089, September 8, 2004

Fedora Update Notifications,
FEDORA-2004-300 &301, September 9, 2004

Turbolinux Security Advisory, TLSA-2004-27, September 15, 2004

RedHat Security Advisory, RHSA-2004:465-08, September 15, 2004

Debian Security Advisories, DSA 547-1 & 548-1, September 16, 2004

Conectiva Linux Security Announcement, CLA-2004:870, September 28, 2004

Sun(sm) Alert Notifications, 57645 & 57648, September 20, 2004

Turbolinux Security Announcement, October 5, 2004

RedHat Security Update, RHSA-2004:480-05, October 20, 2004

Ubuntu Security Notice USN-35-1, November 30, 2004

RedHat Security Advisory, RHSA-2004:636-03, December 8, 2004

Multiple Vendors

Gentoo Linux;
RedHat Fedora Core3, Core2;
SUSE Linux 8.1, 8.2, 9.0-9.2, Desktop 1.0, Enterprise Server 9, 8, Novell Linux Desktop 1.0;
X.org X11R6 6.7 .0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0-4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1
4.3 .0

Multiple vulnerabilities exist due to integer overflows, memory access errors, input validation errors, and logic errors, which could let a remote malicious user execute arbitrary code, obtain sensitive information or cause a Denial of Service.

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-28.xml

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

X.org:
http://www.x.org/pub/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-537.html

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:137
(libxpm)

http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:138
(XFree86)

Debian:
http://www.debian.org/security/2004/dsa-607
(XFree86)

Currently we are not aware of any exploits for these vulnerabilities

Multiple Vendors LibXPM Multiple Vulnerabilities

CVE Name:
CAN-2004-0914

Low/ Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

X.Org Foundation Security Advisory, November 17, 2004

Fedora Update Notifications,
FEDORA-2004-433 & 434, November 17 & 18, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Gentoo Linux Security Advisory, GLSA 200411-28, November 19, 2004

Fedora Security Update Notifications
FEDORA-2003-464, 465, 466, & 467, December 1, 2004

RedHat Security Advisory, RHSA-2004:537-17, December 2, 2004

Mandrakesoft: MDKSA-2004:137: libxpm4; MDKSA-2004:138: XFree86, November 22, 2004

Debian Security Advisory
DSA-607-1 xfree86 -- several vulnerabilities, December 10, 2004

Multiple Vendors

iproute2

A vulnerability exists because iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack.

Updates available:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:148

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors iproute Denial of Service
Low
Mandrakesoft Security Advisory, MDKSA-2004:148, December 13, 2004

Multiple Vendors

Linux Kernel

A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'.

Red Hat:
https://bugzilla.redhat.com/bugzilla
/attachment.cgi?id=107493&action=view

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel USB io_edgeport Driver Integer Overflow

Low/ Medium

(Medium if elevated privileges can be obtained)

SecurityTracker Alert ID: 1012477, December 10, 2004

Multiple Vendors

Linux Kernel 2.6 -test1-test11, 2.6, l 2.6.1 -rc1&rc2, 2.6.1- 2.6.9;
SuSE Linux 8.2, 9.0-9.2

A Denial of Service vulnerability exists due to a failure by 'aio_free_ring' to handle exceptional conditions.

No workaround or patch available at time of publishing.

An exploit script has been published.

Linux Kernel AIO_Free_Ring Denial of Service

Low
SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

 

Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification

CVE Name:
CAN-2004-1068

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Multiple Vendors

Linux Kernel 2.6 - 2.6.10 r2

An unspecified buffer overflow vulnerability reportedly affects the 'sys_ia32.c' file of the Linux kernel. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite kernel buffers. A malicious user might leverage this issue to overflow the affected buffer.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel SYS_IA32.C Buffer Overflow
High
SecurityFocus, December 9, 2004

Multiple Vendors

Linux Kernel 2.6 - 2.6.9

A local Denial of Service vulnerability affects the ELF header processing functionality on 64 bit systems of the Linux kernel. This issue is due to a failure of the affected kernel to properly handle malformed ELF headers. A local attacker may leverage this issue to cause a computer running the affected kernel to crash, denying service to legitimate users.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendors Linux Kernel 64 Bit ELF Header Local Denial of Service
Low
SecurityFocus, Bugtraq ID 11846, December 7, 2004

Multiple Vendors

nfs-utils

A vulnerability exists which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the function "getquotainfo()" in "rquota_server.c" and can be exploited to cause a buffer overflow. Successful exploitation may lead to execution of arbitrary code on 64-bit architectures.

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-08.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors nfs-utils 'getquotainfo()' Buffer Overflow
High

Secunia Advisory ID: SA13440, December 14, 2004

Multiple Vendors

Unix OpenBSD 3.3, 3.4;
XFree86 X11R6 4.1 .0, 4.1–12,
4.1–11, 4.2 .0, 4.2 1, 4.2.1 Errata, 4.3

A buffer overflow vulnerability exists due to insufficient bounds checking when parsing the ‘font.alias’ file, which could let a remote malicious user execute arbitrary code with ROOT privileges.

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/1/

Immunix:
http://download.immunix.org/
ImmunixOS/7.3/Updates/RPMS/

Mandrake:
http://www.mandrakesecure.net/en/advisories/

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

RedHat:
ftp://updates.redhat.com/9/en/os/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/10/updates/

Xfree86:
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

A Proof of Concept exploit has been published.

Multiple Vendors Xfree86 Font_Name Buffer Overflow

CVE Name:
CAN-2004-0084

High

iDEFENSE Security Advisory, February 12, 2004

Slackware Security Advisory, SSA:2004-043-02, February 12, 2004

Fedora Update Notification, FEDORA-2004-069, February 13, 2004

Immunix Secured OS Security Advisory, IMNX-2004-73-002-01, February 13, 2004.

Mandrake Linux Security Update Advisory, MDKSA-2004:012, February 13, 2004.

Red Hat Security Advisories, RHSA-2004:059-01& RHSA-2004:060-16, February 13, 2004.

TurboLinux Security Advisory, TLSA-2004-5, February 17, 2004.

US-CERT Vulnerability Note VU#667502, December 7, 2004

MySQL AB

MySQL 3.20 .x, 3.20.32 a, 3.21 .x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.56, 3.23.58, 4.0.0-4.0.15, 4.0.18, 4.0.20, 4.1 .0-alpha, 4.1 .0-0, 4.1.2 -alpha, 4.1.3 -beta, 4.1.3 -0, 5.0 .0-alpha, 5.0 .0-0

A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue.

Debian:
http://security.debian.org/pool/updates/main/m/mysql/

Trustix:
http://http.trustix.org/pub/trustix/updates/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

SUSE:
ftp://ftp.suse.com/pub/suse

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

We are not aware of any exploits for this vulnerability.

MySQL Mysql_real_connect Function Remote Buffer Overflow

CVE Name:
CAN-2004-0836

Low/High

(Low if a DoS)

Secunia Advisory,
SA12305, August 20, 2004

Debian Security Advisory, DSA 562-1, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

MySQL AB

MySQL 3.23.49, 4.0.20

A vulnerability exists in the 'mysqlhotcopy' script due to predictable files names of temporary files, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/pool/updates/main/m/

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-02.xml

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-569.html

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

There is no exploit code required.

MySQL
'Mysqlhotcopy' Script Elevated Privileges

CVE Name:
CAN-2004-0457

Medium

Debian Security Advisory, DSA 540-1, August 18, 2004

Gentoo Linux Security Advisory GLSA 200409-02, September 1, 2004

SUSE Security Announcement, SUSE-SA:2004:030, September 6, 2004

RedHat Security Advisory, ,RHSA-2004:569-16, October 20, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

SUSE Security Summary Report, USE-SR:2004:001, November 24, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

MySQL AB

MySQL 3.x, 4.x

 

Two vulnerabilities exist: a vulnerability exists due to an error in 'ALTER TABLE ... RENAME' operations because the 'CREATE/INSERT' rights of old tables are checked, which potentially could let a remote malicious user bypass security restrictions; and a remote Denial of Service vulnerability exists when multiple threads issue 'alter' commands against 'merge' tables to modify the 'union.'

Updates available at:
http://dev.mysql.com/downloads/mysql/

Debian:
http://security.debian.org/pool/updates/main/m/mysql

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/m/mysql-dfsg/

SuSE:
ftp://ftp.suse.com/pub/suse

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

We are not aware of any exploits for these vulnerabilities.

MySQL Security Restriction Bypass & Remote Denial of Service

CVE Names:
CAN-2004-0835
CAN-2004-0837

Low/ Medium

(Low if a DoS; and Medium if security restrictions can be bypassed)

Secunia Advisory, SA12783, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Ubuntu Security Notice, USN-32-1, November 25, 2004

SUSE Security Summary Report, SUSE-SR:2004:001, November 24, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

Netatalk

Netatalk Open Source Apple File Share Protocol Suite 1.5 pre6, 1.6.1, 1.6.4

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-25.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

There is no exploit code required.

NetaTalk Insecure Temporary File Creation

CVE Name:
CAN-2004-0974

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory GLSA 200410-25, October 25, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:121, November 2, 2004

Fedora Update Notifications,
FEDORA-2004-505 & 506, December 6, 2004

Omni Group

OmniWeb 5.0.1

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Omni Group OmniWeb Browser Remote Window Hijacking
Medium
Secunia Advisory, SA13418, December 10, 2004

Opera Software

Opera 7.54 on Linux with KDE 3.2.3

A vulnerability exists that could permit a remote user to cause the target user to execute arbitrary commands. KDE uses 'kfmclient exec' as the default application for processing saved files. A remote user can cause arbitrary shell commands to be executed on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Opera Default 'kfmclient exec' Configuration
High
Zone-H Advisory, ZH2004-19SA, December 12, 2004

PHP Group
  Debian
  Slackware
  Fedora

pp 4.3.7 and prior

Updates to fix multiple vulnerabilities with php4 which could allow remote code execution.

Debian:
Update to Debian GNU/Linux 3.0 alias woody at
http://www.debian.org/releases/stable/

Slackware:
http://www.slackware.com/security/viewer.
php?l=slackware- security&y=2004&m=
slackware-security.406480

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/

An exploit script has been published.

PHP 'memory_limit' and strip_tags() Remote Vulnerabilities

CVE Names:
CAN-2004-0594
CAN-2004-0595

High

Secunia, SA12113 and SA12116, July 21, 2004

Debian, Slackware, and Fedora Security Advisories

Turbolinux Security Advisory TLSA-2004-23, September 15, 2004

PacketStorm, December 11, 2004

PHPNews

PHPNews 1.2.3

A vulnerability exists in 'sendtofriend.php' due to insufficient sanitization of the 'mid' parameter, which could let a remote malicious user manipulate data.

Upgrade available at:
http://prdownloads.sourceforge.net/
newsphp/phpnews_1-2-4.zip?download

An exploit script has been published.

PHPNews SQL Injection

Medium

Secunia Advisory,
SA13300, November 24, 2004

PacketStorm, December 11, 2004

PostgreSQL

PostgreSQL 7.4.5

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-16.xml

Debian:
http://security.debian.org/pool/updates/
main/p/postgresql/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrakesoft:
http://www.mandrakesoft.com/security
/advisories?name=MDKSA-2004:149

There is no exploit code required.

PostgreSQL Insecure Temporary File Creation

CVE Name:
CAN-2004-0977

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-16, October 18, 2004

Debian Security Advisory, DSA 577-1, October 29, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.046, October 29, 2004

Mandrakesoft Security Advisory, MDKSA-2004:149, December 13, 2004

 

ProFTPD Project

ProFTPD 1.2.9

A vulnerability exists that could permit a remote authenticated user to change the group ownership of FTP-accessible files and directories. A remote authenticated user can issue the SITE CHGRP command to change the group permissions on files and directories. The server does not check the user's privileges when executing the command.

No vendor solution available at this time.

A Proof of Concept exploit has been published.

ProFTPD SITE CHGRP CommandFile/Directory Group Ownership Modification
Medium
SecurityTracker Alert ID: 1012488, December 13, 2004

Red Hat

Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), Advanced Workstation 2.1 for the Itanium Processor

A vulnerability exists in the way ncompress handles long filenames has been discovered. It is possible that an attacker could execute arbitrary code on a victims machine by tricking the user into decompressing a carefully crafted filename.

Updates available at: http://rhn.redhat.com/errata/RHSA-2004-536.html

Currently we are not aware of any exploits for this vulnerability.

 

Red Hat ncompress Buffer Overflow

CVE Name:
CAN-2001-1413

High
Red Hat Advisory: RHSA-2004:536-05, December 13, 2004

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

SUSE: http://www.suse.com/en/private/download/updates/92_i386.html

Avaya: http://support.avaya.com/japple/css/japple?temp.groupID=
128450&temp.selectedFamily=128451&temp.selectedProduct=
154235&temp.selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=198525&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction= avaya.css.UsageUpdate()

SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

We are not aware of any exploits for these vulnerabilities.

Red Hat GNOME VFS updates address extfs vulnerability

CVE Name:
CAN-2004-0494

High

Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004

Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004

SecurityFocus, Bugtraq ID: 10864, December 7, 2004

Roaring Penguin Software

Roaring Penguin 3.5 & prior

A vulnerability exists in the pppoe driver, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/pool/updates/main/r/rp-pppoe/

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:145

We are not aware of any exploits for this vulnerability.

Roaring Penguin pppoe Elevated Privileges

CVE Name:
CAN-2004-0564

Medium

Debian Security Advisory, DSA 557-1 , October 4, 2004

Mandrakesoft, MDKSA-2004:145, December 6th, 2004

Russell Marks

xzgv .8

An integer overflow vulnerability exists in the processing of PRF files. A remote malicious user may be able to cause arbitrary code to be executed on the target user's computer. A remote user can create a specially crafted image file that, when processed by the target user, will trigger an overflow in the read_prf_file() function. The flaw resides in 'src/readprf.c', where image height and width parameters are not properly limited.

A patch is available at:
http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff

Currently we are not aware of any exploits for this vulnerability.

 

Russell Marks xzgv Integer Overflow

CVE Name:
CAN-2004-0994

High

iDEFENSE Security Advisory, December 13, 2004

SGI

Samba on SGI IRIX 6.5.x

Multiple vulnerabilities exist which can be exploited to cause a DoS or compromise a vulnerable system.

Apply patch 5798 for Samba 3.0.7:
ftp://patches.sgi.com/support/free/
security/advisories/20041201-01-P.asc

Currently we are not aware of any exploits for these vulnerabilities.

SGI Multiple Samba Vulnerabilities

CVE Names:
CAN-2004-0807
CAN-2004-0882
CAN-2004-0930

Low/High

(High if arbitrary code can be executed)

Samba Security Vulnerability
Number : 20041201-01-P, December 7, 2004

Sun Java Plugin

A privilege escalation problem was found in the Sun Java Plugin which could have a remote attacker reading and writing files of a local user browsing websites. This bug affects all SUSE versions on the Intel x86 and AMD64 / Intel Extended Memory Architecture (EM64T) platforms.

SUSE is in the process of releasing updated Java packages.

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plugin Privilege Escalation
Medium
SUSE Security Summary Report SUSE-SR:2004:003, December 7, 2004

Sun Microsystems

sendmail on Sun Solaris 9

A vulnerability exists in sendmail included in Solaris 9, which can be exploited by malicious people to cause a Denial of Service and potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing DNS responses. This can be exploited to cause a buffer overflow by returning a specially crafted DNS response.

Apply patch:
http://sunsolve.sun.com/search/document.do
?assetkey=urn:cds:docid:1-21-113575-01-1

Currently we are not aware of any exploits for this vulnerability.

Sun Solaris Sendmail DNS TXT Records Buffer Overflow

 

Low/High

(High if arbitrary code can be executed)

Sun Alert ID: 57696, December 12, 2004

US-CERT VU#814627, March 10, 2003

Sun Microsystems

Solaris 7, 8, 9

A security vulnerability in the in.rwhod(1M) daemon may allow a remote malicious privileged user to execute arbitrary code with "root" privileges when the in.rwhod(1M) daemon is enabled on the system.

Updates available at:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57659-1

Currently we are not aware of any exploits for this vulnerability.

Sun Solaris IN.RWHOD(1M) Daemon
High
Sun Alert ID: 57659, December 6, 2004

Yukihiro Matsumoto

Ruby 1.8.x

A remote Denial of Service vulnerability exists due to an input validation error in 'cgi.rb.'

Debian:
http://security.debian.org/pool/updates/main/r/ruby

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/universe/r/ruby1.8/l

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-23.xml

Red Hat:
http://rhn.redhat.com/errata/
RHSA-2004-635.html

Currently we are not aware of any exploits for this vulnerability.

Yukihiro Matsumoto Ruby Infinite Loop Remote Denial of Service

CVE Name:
CAN-2004-0983

Low

Secunia Advisory,
SA13123, November 8, 2004

Ubuntu Security Notice, USN-20-1, November 9, 2004

Fedora Update Notification,
FEDORA-2004-402 & 403, November 11 & 12, 2004

Gentoo Linux Security Advisory, GLSA 200411-23, November 16, 2004

Red Hat Advisory, RHSA-2004:635-03, December 13, 2004

 

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Albrecht Guenther

PHProjekt 2.0, 2.0.1, 2.1 a, 2.1-2.4, 3.0-3.2, 4.2

A vulnerability exists in 'setup.php' because arbitrary PHP scripts can be uploaded, including operating system commands, which could let a remote malicious user modify the configuration and execute arbitrary scripts.

Patch available at:
http://phprojekt.com/files/4.2/setup.zip

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-06.xml

Currently we are not aware of any exploits for this vulnerability.

PHProjekt 'setup.php' File Upload
High

Secunia Advisory,
SA13355, December 2, 2004

Gentoo Linux Security Advisory, GLSA 200412-06, December 10, 2004

Codestriker

Codestriker 1.7-1.7.8, 1.8-1.8.4

A vulnerability exists in the Codestriker repository because the repository is not correctly checked against the configuration list, which could let a remote malicious user bypass certain security restrictions.

Upgrades available at:
http://prdownloads.sourceforge.net/codestriker/codestriker-1.8.5.tar.gz?download

Currently we are not aware of any exploits for this vulnerability.

Codestriker Repository Access Control Bypass
Medium
Secunia Advisory,
SA13393, December 8, 2004

Darryl Burgdorf

WebLibs 1.0

A Directory Traversal vulnerability exists in 'weblibs.pl' due to insufficient validation, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is not exploit required; however, a Proof of Concept exploit script has been published.

Darryl Burgdorf WebLibs Directory Traversal
Medium
SecurityTracker Alert ID, 1012451, December 7, 2004

Digital Illusions

Battlefield 1942 1.6.19, Battlefield Vietnam 1.2

A remote Denial of Service vulnerability exists due to insufficient validation of the server-supplied 'numplayers' field.

This issue has been addresses in Battlefield 1942 1.61b and Battlefield Vietnam 1.21.

A Proof of Concept exploit script has been published.

Digital Illusions Multiple Games Remote Denial of Service
Low
Secunia Advisory,
SA13368, December 7, 2004

F-Secure

Policy Manager 5.11

A vulnerability exists in the 'fsmsh.dll' CGI application, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

F-Secure Policy Manager FSMSH.DLL CGI Path Disclosure
Medium
Securiteam, December 12, 2004

GameSpy Industries

GameSpy Software Development Kit

A buffer overflow vulnerability exists in the CD-key validation functionality due to insufficient validation, which could let a remote malicious user execute arbitrary code.

The vendor issued a fix on November 19, 2004.

An exploit script has been published.

Gamespy Software Development Kit CD-Key Validation Buffer Overflow
High
Securiteam, December 13, 2004

iCab

iCab 2.9.8

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

ICab Web Browser Remote Window Hijacking
Medium
Secunia Advisory,
SA13412, December 10, 2004

Infopop

UBBThreads 6.2.3, 6.5

A Cross-Site Scripting vulnerability exists in several scripts due to insufficient validation of the 'Cat' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Infopop UBBThreads Cross-Site Scripting
High
SecurityTracker Alert ID, 1012503, December 14, 2004

Last 10 Posts

Last 10 Posts 2.0.1

A vulnerability exists in the 'Last 10 Posts' script for vBulletin due to insufficient sanitization of user-supplied input prior to using in an SQL query, which could let a remote malicious user manipulate and inject SQL queries into the database.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Last 10 Posts Add-On Script For VBulletin SQL Injection

Medium
SecurityFocus, December 6, 2004

Mozilla.org

Firefox 1.x, 0.x,
Mozilla 1.7.x, 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0, 0.x

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Mozilla Browser and Mozilla Firefox Remote Window Hijacking

CVE Name:
CAN-2004-1156

Medium
SECUNIA ADVISORY ID:
SA13129, December 8, 2004

Multiple Vendors

Mozilla Browser M16, M15, 0.8, 0.9.2 .1, 0.9.2-0.9.9, 0.9.35, 0.9.48, 1.0 RC1&RC2, 1.0-1.0.2, 1.1 Beta, Alpha, 1.1, 1.2 Beta, Alpha, 1.2, 1.2.1, 1.3, 1.3.1, 1.4 b, 1.4 a, 1.4-1.4.2, 1.5, 1.5.1, 1.6, 1.7 rc1-rc3, beta, alpha, 1.7-1.7.3, 1.8 Alpha 1-Alpha 4, Firebird 0.5, 0.6.1, 0.7, Firefox Preview Release, 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1, 1.0;
Netscape Navigator 3.0 4, 4.0 x, 4.0 7, 4.06, 4.0.8, 6.0, 7.0, 7.0.2, 7.1, 7.2

A remote Denial of Service vulnerability exists due to a NULL pointer dereference when a JavaScript functions attempts to print an IFRAME that is embedded on the page.

Patch available at: https://bugzilla.mozilla.org/show_bug.cgi?id=272381

A Proof of Concept exploit has been published.

Mozilla/Netscape/ Firefox Browsers JavaScript IFRAME Rendering Denial of Service

Low
SecurityFocus, December 6, 2004

MySQL AB

MaxDB 7.5 .00.18, 7.5 .00.11-7.5.00.16, 7.5.00.08

Two vulnerabilities exist: a vulnerability exists due to a boundary error in the WebDAV handler when an overly long 'Overwrite' header is submitted, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability exist due to a NULL pointer dereference error in 'WAHTTP.'

Updates available at: http://dev.mysql.com/downloads/maxdb/7.5.00.html

There is no exploit required for the Denial of Service vulnerability; however, a Proof of Concept exploit has been published.

MaxDB WebTools Buffer Overflow & Denial of Service

CVE Names:
CAN-2004-1168
CAN-2004-1169

LowHigh

(High if arbitrary code can be executed)

Secunia Advisory,
SA13397, December 8, 2004

Novell

Netware 5, 5.1, 6.0, 6.5

A vulnerability exists because some hotkeys are still enabled when the password protected 'nlm' screensaver locks a console, which could let a malicious user bypass the authentication process.

The vendor has included a fix in the BorderManager ICSA Compliance Kit v5.0d, described at:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm

A Proof of Concept exploit has been published.

Novell NetWare Console Screen Saver Authentication
Medium
Secunia Advisory,
SA13434, December 14, 2004

opendchub.sourceforge. net

Open DC Hub Direct Connect Peer-to-peer Client 0.7.14

A buffer overflow vulnerability exists in the 'RedirectAll' command due to a boundary error, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-37.xml

An exploit script has been published.

Open DC Hub Remote Buffer Overflow
High

Gentoo Linux Security Advisory, GLSA 200411-37, November 29, 2004

PacketStorm, December 11, 2004

Opera Software

Opera Web Browser 7.0 win32, Beta 1 & Beta2,
Opera Software Opera Web Browser 7.0 1win32-7.03win32, 7.10, 7.11 j, 7.11 b, 7.11, 7.20 Beta 1 build 2981, 7.20-7.23, 7.50-7.53

A vulnerability exists due to a design error that facilitates the spoofing of file names, which could let a remote malicious user spoof the download dialog box.

Upgrades available at: http://www.opera.com/download/

Currently we are not aware of any exploits for this vulnerability.

Opera Web Browser Name Spoofing
Medium
Opera Security Advisory, December 10, 2004

Opera Software

Opera Web Browser 7.54

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Opera Web Browser Remote Window Hijacking

CVE Name:
CAN-2004-1157

Medium
Secunia Advisory, SA13253, December 13, 2004

OSI Codes Inc.

PHP Live! 2.8.1

A directory and configuration file include file vulnerability exists. The impact was not specified, except to indicate that it is a "major security problem."

Update available at: http://www.phplivesupport.com/index_source.php

Currently we are not aware of any exploits for this vulnerability.

PHP Live! Unspecified Remote Configuration File Include
Not Specified
Secunia Advisory,
SA13420, December 13, 2004

PhpGedView

PhpGedView 2.52.3, 2.60, 2.61, 2.61.1, 2.65 beta5

A Cross-Site Scripting vulnerability exists in 'Descendancy.php,' 'Index.PHP,' and 'Individual.PHP' due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://prdownloads.sourceforge.net/phpgedview/phpGedView-2.65.2.zip?download

There is not exploit required; however, Proofs of Concept exploits have been published.

PhpGedView Cross-Site Scripting

CVE Name:
CAN-2004-0067

High
SecurityFocus, December 9, 2004

Ryan Walberg

PHP Gift Registry 1.3.5

Multiple Cross-Site Scripting vulnerabilities exist in 'event..php' and 'index.php' due to insufficient sanitization of the 'message' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrade available at:
http://prdownloads.sourceforge.net/phpgiftreg/phpgiftreg-1.4.0.tar.gz?download

There is not exploit required.

PHP Gift Registry Multiple Cross-Site Scripting
High
Secunia Advisory,
SA13414, December 10, 2004

SugarCRM Inc.

Sugar Sales 2.0.1c & prior

Multiple vulnerabilities exist: a vulnerability exists when a remote malicious user submits specially crafted parameters to view the contents of files with the privileges of the target web service; a vulnerability exists due to a failure to remove or restrict access to the install script files after installation, which could let a remote malicious user cause a Denial of Service or obtain sensitive information; a vulnerability exists because a remote malicious user can inject SQL commands that will be executed by the underlying database; and a vulnerability exists because a remote malicious user can invoke certain scripts that will display the full installation path.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

SugarSales Input Validation

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityTracker Alert ID, 1012490, December 13, 2004

Sun Microsystems, Inc.

Java System Web Server (Sun ONE/iPlanet) 6.x, Java System Application Server (Sun ONE) 7.x

A vulnerability was reported in the Sun Java System Web Server. A remote user may be able to access active sessions.

Sun reported that a remote user may be able to access active sessions by obtaining the session ID of a target user.
Impact: A remote user can access another user's active session.

Update available at: http://wwws.sun.com/software/download/products/415a094d.html

Currently we are not aware of any exploits for this vulnerability.

Sun Java System Web Server / Application Server Active Sessions Access
Medium
Sun Security Alert, Sun Alert ID: 57699, December 13, 2004

usemod.com

UseModWiki 1.0

A Cross-Site Scripting vulnerability exists in the 'wiki.pl' script due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

UseModWiki Cross-Site Scripting
High
STG Security Advisory, SSA-20041209-13, December 14, 2004

 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
December 12, 2004 AdobeMac.txt
No
Exploit for the Adobe Version Cue Start/Stop Scripts Arbitrary Script Execution vulnerability.
December 12, 2004 Absinthe-1.1.tar.gz
N/A
A gui-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.
December 12, 2004 citadel_fsexp.c
No
Remote root exploit for Citadel/UX format string vulnerability.
December 12, 2004 mercury.c
Yes
Exploit for the Mercury Mail Multiple Remote IMAP Stack Buffer Overflow vulnerabilities.
December 12, 2004 orbzbof.zip
No
Remote Proof of Concept exploit for the 21-6 Productions Orbz Password Field Buffer Overflow vulnerability.
December 12, 2004 WebLibs10.txt
No
Exploit for the Darryl Burgdorf WebLibs Directory Traversal vulnerability.
December 11, 2004 phpkitSQLXSS.txt
No
Proof of Concept exploit for the PHP KIT SQL injection and Cross-Site Scripting vulnerabilities.
December 11, 2004 ipbSQL.txt
No
Exploit for the IPB Pro Arcade SQL injection vulnerability.
December 11, 2004 ezshopper.txt
No
Exploit for the EZshopper Directory Traversal vulnerability.
December 11, 2004 ssfakep.zip
No
Remote Denial of Service exploit for games using the Serious engine. Generates UDP packets that have fake players enter a room
December 11, 2004 mimedefang-2.49.tar.gz
N/A
A flexible MIME email scanner designed to protect Windows clients from viruses.
December 11, 2004 winfingerprint-0.5.13.zip
N/A
A Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.
December 11, 2004 bilbo-0.11.tar.gz
N/A
A wrapper for nmap that makes it easier to scan lots of machines or networks.
December 11, 2004 IPSWSFTP-exploit.c
No
Exploit for the IpSwitch WS_FTP Buffer Overflow vulnerability.
December 11, 2004 coffeecupbof.txt
No
Script that exploits the CoffeeCup Direct/Free FTP ActiveX Component Remote Buffer Overflow vulnerability.
December 11, 2004 OpenDcHub-poc.zip
Yes
Exploit for the Open DC Hub Remote Buffer Overflow vulnerability.
December 11, 2004 winampm3u.c
Yes
Script that exploits the Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow vulnerability.
December 11, 2004 atari800.txt
Yes
Exploit for the Atari800 Emulator Multiple Buffer Overflows vulnerabilities.
December 11, 2004 000102advisory.txt
Yes
Exploit for the MailEnable Stack Overflow & Pointer Overwrite vulnerability.
December 11, 2004 phpnolimit.c
Yes
Exploit for the PHP 'memory_limit' and strip_tags() Remote Vulnerabilities
December 11, 2004 phpnews.txt
Yes
Exploit for the PHPNews SQL Injection vulnerability.
December 11, 2004 wodftpcrash.txt
Yes
Denial of Service exploit for the WodFtpDLX buffer overflow vulnerability.
December 10, 2004 wgetTrapPOC.pl
No
Perl script that exploits the GNU WGet Multiple Remote Vulnerabilities.
December 10, 2004 goregsbof.zip
Yes
Exploit for the Gamespy Software Development Kit CD-Key Validation Buffer Overflow vulnerability.
December 9, 2004 ie6-file-detection.txt
No
Exploit for the Microsoft Internet Explorer Sysimage Protocol Handler Information Disclosure vulnerability,
December 8, 2004 keriodos.txt
No
Exploit for the Kerio Personal Firewall Local Denial of Service vulnerability.
December 7, 2004 md5_someday.pdf
N/A
Collision vulnerabilities in MD5 Checksums - It is possible to create different executables which have the same md5 hash. The attacks remain limited, for now. The attack allows blocks in the checksumm'd file to be swapped out for other blocks without changing the final hash. A tool to demonstrate these vulnerabilities is available here.
December 7, 2004 iosetup_crash.c
No
Script that exploits the Linux Kernel AIO_Free_Ring Local Denial of Service vulnerability.
December 7, 2004 bfcboom.tar
bfcboom.zip
Yes
Proof of Concept exploits for the Digital Illusions Multiple Games Remote Denial of Service vulnerability.

[back to top]

Trends

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Netsky-D Win32 Worm Stable March 2004
3
Zafi-B Win32 Worm Stable June 2004
4
Sober-I Win32 Worm Slight Increase November 2004
5
Netsky-Z Win32 Worm Slight Increase April 2004
6
Netsky-Q Win32 Worm Slight Increase March 2004
7
Bagle-AA Win32 Worm Slight Increase April 2004
8
Bagle-AT Win32 Worm Decrease October 2004
9
Bagle-AU Win32 Worm Stable October 2004
10
Netsky-B Win32 Worm Stable February 2004

Table Updated December 14, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Sophos, a leader in protecting businesses against viruses and spam, released a report revealing the hardest hitting viruses of 2004. In a year which saw a 51.8 percent increase in the number of new viruses, the Netsky-P worm has accounted for almost a quarter of all virus incidents reported, making it the hardest hitting virus of 2004. For more information, see: http://www.govtech.net/?pg=news/news&id=92407.
  • US-CERT has received reports of a new variant of the Zafi virus referred to as "W32/Zafi.D" or "W32.Erkez.D@mm". It arrives as an attachment to an email containing a holiday greeting message. For more information, see: http://www.us-cert.gov/current/current_activity.html.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Backdoor.Ranky.N   Trojan
BackDoor-BAC.dll   Trojan
Cabir.C SymbOS/Cabir.c
EPOC/Cabir.c
Worm.Symbian.Cabir.c, MYTITI virus
Worm
Cabir.D SymbOS/Cabir.D
EPOC/Cabir.D Worm.Symbian.Cabir.D, [YUAN] virus
Worm
Cabir.Dropper SymbOS/Cabir.Dropper
Norton AntiVirus 2004 Professional.sis
Worm
Downloader-TA.dll BackDoor-BAC.dll Trojan
HotWorld   Trojan
Janx.A   Internet Worm
JS.Speth.Worm   JavaScript Worm
Troj/Brabot-A W32/Generic.worm!p2p
Backdoor.Win32.Brabot.a
Trojan
Trojan.Conycspa   Trojan
TrojanDropper.FakeSpamFighter Fake Lycos Screensave
FakeSpamFighter
Fake Spam Fighter
Trojan
VBS.Junkmail@mm   Visual Basic Script Worm
W32.Gaobot.BUU   Win32 Worm
W32.Janx   Win32 Worm
W32.Maslan.C@mm W32/Maslan.c@MM
Backdoor.Win32.SdBot.ts
Net-Worm.Win32.Maslan.b
PE_MASLAN.C
W32/Maslan-C
W32/Sdbot-RW
Win32.HLLM.Alaxala
Win32 Worm
W32.Qeds@mm   Win32 Worm
W32/Agobot-DAA   Win32 Worm
W32/Agobot-NX   Win32 Worm
W32/Anig-C W32/Anig.worm.gen
W32.HLLW.Anig
Win32 Worm
W32/Atak-F   Win32 Worm
W32/Atak-G   Win32 Worm
W32/Bagle.bf@MM   Win32 Virus
W32/Bagle.bg@MM I-Worm.Bagle.g
W32.Beagle.H@mm
Win32/Bagle.H.Worm
Win32 Virus
W32/Maslan-C Net-Worm.Win32.Maslan.b Win32 Worm
W32/Rbot-RJ   Win32 Worm
W32/Rbot-RN   Win32 Worm
W32/Sdbot-SB   Win32 Worm
W32/Sdbot-SG   Win32 Worm
W32/Zafi-D

WORM_ZAFI.D
W32/Zafi.d@MM
Email-Worm.Win32.Zafi.d
W32/Zafi.D.worm
W32.Erkez.D@mm
Win32.Zafi.D
Zafi.D

Win32 Worm
Win32.Lemoor.B 32.Lemoor.A
Win32/Lemoor.B.Worm
W32/Lemoor.gen
Worm.Win32.Lemoor.c
Win32 Worm
Win32.Lioten.GJ

Win32/Randex.45568.Worm
W32/Sdbot.ARW
WORM_SDBOT.ZW

Win32 Worm
Win32.Prutec.A Win32/Prutec.A.Trojan Trojan
Win32.Yanz.B W32/Favsin-A
Email-Worm.Win32.Yanz.b
Win32/Yaha.Variant.Worm
WORM_YANZ.B
W32/Yanz.b@MM
W32.Yanz.B@mm
W32/Yanzi.B@mm
Win32 Worm
WORM_BAGZ.I W32.Bagz@mm
W32/Bagz.b@MM
Win32/Bagz.B@mm
I-Worm.Bagz.b
W32/Bagz.A@mm
W32/Bagz-B
Worm/Bagz.B.1
I-Worm/Bagz.B
I-Worm.Win32.Bagz.163846
Win32 Worm
WORM_MASLAN.A Email-Worm.Win32.Maslan.a
W32.Maslan.A@mm
Maslan.A
Net-Worm.Win32.Maslan.a
W32/Maslan-A
Maslan.A
Win32 Worm
WORM_RBOT.AEF   Win32 Worm

[back to top]

 

 

 

Last updated

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

 

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

21-6 Productions

Orbz 2.10 and prior

A vulnerability exists due to a boundary error when handling
join requests. This can be exploited to cause a buffer overflow by supplying an overly long password. Successful exploitation may allow execution of arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

21-6 Productions Orbz Password Field Buffer Overflow
High

Secunia Advisory ID, SA13327, November 30, 2004

PacketStorm, December 12, 2004

AMAX Information Technologies Inc.

Winmail Server 4.0 (Build 1112)

A vulnerability exists when the 'admin/chgpwd.php,' 'admin/domain.php,' or 'admin/user.php'
script is accessed directly, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Winmail Server 'chgpwd.php', 'domain.php', and 'user.php' Information Disclosure
Medium
GSSIT - Global Security Solution IT Advisory, December 13, 2004

Clearswift

MIMEsweeper for SMTP 5.0, 5.0.5

A remote Denial of Service vulnerability exists in the Security Service when processing PDF files.

Updates available at:
http://www.clearswift.com/download/info.aspx?ID=562

Currently we are not aware of any exploits for this vulnerability.

Clearswift MIMEsweeper For SMTP Remote Denial of Service
Low
Secunia Advisory, SA13411, December 10, 2004

Code-Crafters

Ability Server 2.25-2.34

A buffer overflow vulnerability exists in the processing of the APPE FTP command, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Ability Server 'APPE FTP' Command Buffer Overflow
High
SecurityTracker Alert ID, 1012464, December 8, 2004

CoffeeCup Software

CoffeeCup Direct FTP 6.0, 6.2, CoffeeCup Free FTP 6.0, 6.2

A buffer overflow vulnerability exists due to the way long buffer file names are handled, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Another exploit script has been published.

CoffeeCup Direct/Free FTP ActiveX Component Remote Buffer Overflow
High

Secunia Advisory,
SA13282, November 23, 2004

PacketStorm December 11, 2004

David Harris

Mercury (win32 version) 4.0 1a

Multiple stack-based buffer overflow vulnerabilities exist in the IMAP server implementation due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code.

Update available at:
ftp://ftp.usm.maine.edu/pegasus/
mercury32/m32-401b.zip

An exploit script has been published.

Mercury Mail Multiple Remote IMAP Stack Buffer Overflows
High

Bugtraq, December 1, 2004

PacketStorm, December 12, 2004

Digital Illusions

Codename Eagle 1.42 & prior

A remote Denial of Service vulnerability exists when a malicious user submits an empty UDP datagram.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Codename Eagle UDP Packet Processing Remote Denial of Service
Low
Secunia Advisory,
SA13423, December 13, 2004

Headlight Software, Inc.

GetRight 5.2a & prior

A buffer overflow vulnerability exists in the 'DUNZIP32.DLL' component when a specially crafted skin file is created, which could let a remote malicious user execute arbitrary code.

Upgrade available at:
http://www.getright.com/get.html

A Proof of Concept exploit has been published.

GetRight 'DUNZIP32.DLL' Buffer Overflow
High

Secunia Advisory,
SA13391, December 7, 2004

SecurityFocus, December 7, 2004

IBEX Software

Remote Execute 2.x

A remote Denial of Service vulnerability exists due to an error in the connection handling.

Update available at: http://www.ibexsoftware.com/downloadRemoteExecute.asp

Currently we are not aware of any exploits for this vulnerability.

IBEX Software Remote Execute Denial of Service
Low

SecurityTracker Alert, 1012445, December 7, 2004

US-CERT Vulnerability Note, VU#136424, December 10, 2004

IpSwitch

WS_FTP Server 5.03, 2004.10.14

Several vulnerabilities were reported that could permit a remote authenticated malicious user to execute arbitrary code on the target system. A remote authenticated user can trigger a buffer overflow in several FTP commands. The SITE, XMKD, MKD, and RFNR FTP commands are affected. A remote user can cause the FTP service to crash or execute arbitrary code.

No workaround or patch available at time of publishing.

An exploit script has been published.

IpSwitch WS_FTP Buffer Overflow
High

SecurityTracker Alert ID: 1012353, November 29, 2004

PacketStorm, December 11, 2004

Kerio

Personal Firewall 4.0.6-4.0.10, 4.0.16, 4.1-4.1.2, Personal Firewall 2 2.1-2.1.5

A Denial of Service vulnerability exists due to insufficient sanitization of SPI parameters that are received from hooked APIs.

No workaround or patch available at time of publishing.

An exploit script has been published.

Kerio Personal Firewall Local Denial of Service
Low
SecurityFocus, December 8, 2004

Kerio

WinRoute Firewall 6.0-6.0.8

A remote Denial of Service, a DNS cache poisoning, and an information disclosure vulnerability exist, which could let a remote malicious user obtain sensitive information, manipulate the DNS cache, and cause the computer to crash or hang.

The vendor has released WinRoute Firewall version 6.0.9 resolving this issue. Users running the affected firewall are advised to contact the vendor for more information on obtaining the upgrade.

Currently we are not aware of any exploits for these vulnerabilities.

Kerio WinRoute Firewall Multiple Unspecified Remote

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityFocus, December 10, 2004

MailEnable

MailEnable Professional Edition v1.52, MailEnable Enterprise Edition v1.01

Two vulnerabilities exist in the IMAP service that could permit a remote malicious user to execute arbitrary code. A remote user can trigger a stack-based buffer overflow or an object pointer overwrite to execute arbitrary code on the target system.

The vendor has issued a fix, available at:
http://mailenable.com/hotfix.asp

An exploit script has been published.

MailEnable Stack Overflow & Pointer Overwrite
High

Hat-Squad Security Team Advisory, November 25, 2004

PacketStorm, December 11, 2004

Microsoft

Internet Explorer 6.0 SP1,
Microsoft Internet Explorer 6.0

Avaya DefinityOne Media Servers R6-12, IP600, Media Servers R6-R12, IP600 Media Servers
Avaya Modular Messaging S3400,
S3400 Message Application Server,
S8100 Media Servers R6-R12

A remote buffer overflow vulnerability exists due to insufficient boundary checks performed by the application and results in a Denial of Service condition. Arbitrary code execution may be possible as well.

Patches available at:
http://www.microsoft.com/technet/
security/bulletin/ms04-040.mspx

Note: Customers who have received hotfixes from Microsoft or from their support providers since the release of MS04-004 or MS04-038 should not install this update. Instead customers should deploy update 889669.

Microsoft Knowledge Base Article 889293 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.

Avaya: http://support.avaya.com/japple/css/
japple?temp.groupID=128450&temp.selectedFamily=
128451&temp.selectedProduct=154235&temp.
selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=212001&
PAGE=avaya.css.CSSLvl1Detail&execute
Transaction=avaya.css.UsageUpdate()

An exploit script has been published.

Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow

CVE Name:
CAN-2004-1050

Low/High

(High if arbitrary code can be executed)

SecurityFocus, Bugtraq ID 11515, October 25, 2004

Packetstorm, November 4, 2004

Microsoft Security Bulletin, MS04-040, December 1, 2004

Technical Cyber Security Alert, TA04-336A, December 3, 2004

Avaya Security Advisory, ASA-2004-085, December 9, 2004

Microsoft

Internet Explorer 6.0, SP1

A vulnerability exists in the 'sysimage://' protocol handler because the existence of a file can be detected, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

An exploit script is not required; however, a Proof of Concept exploit script has been published.
Microsoft Internet Explorer Sysimage Protocol Handler Information Disclosure

Medium

Bugtraq, December 7, 2004

Microsoft

SharePoint Portal Server SP3, 2003, 2001 SP3
Microsoft SharePoint Portal Server 2001, SP1-SP2A

A vulnerability exists due to an error when installing SPS components using a user account with a password containing a leading dash, which could let a malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Microsoft Office SharePoint Portal Server Information Disclosure
Medium
SecurityFocus, December 10, 2004

Microsoft

Internet Explorer 5.0.1, SP1-SP4, 5.0.1 for Windows NT 4.0/98/95/2000, 5.5, SP1&SP2, preview, 6.0, SP1&SP2, Internet Explorer Macintosh Edition 5.2.3

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Microsoft Internet Explorer Remote Window Hijacking

CVE Name:
CAN-2004-1155

Medium
Secunia Advisory, SA13251, December 10, 2004

Microsoft

Internet Explorer 6.0, SP1&SP2

 

A vulnerability exists due to a failure to present the URI address of HTML and script code loaded into the search pane, which could let a remote malicious user present web pages to users that seem to originate from a trusted location.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

Microsoft Internet Explorer Search Pane URI Obfuscation
Medium
Bugtraq, December 8, 2004

Microsoft

Windows (ME), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (2003), Windows (XP)

A vulnerability was reported that could allow a remote user to execute arbitrary code on the target system. A remote user can send a specially crafted WINS packet to the target server on TCP port 42 to modify a memory pointer and write arbitrary contents to arbitrary memory locations.

UPDATE: The WINS service is installed and enabled by default on Microsoft Small Business Server 2000/2003. However, the ports used for the service are reportedly not remotely accessible by default on Small Business Server.

Updates available at: http://www.microsoft.com/technet/security/
bulletin/MS04-045.mspx

A Proof of Concept exploit has been published.

Microsoft WINS Memory Overwrite

CVE Name:
CAN-2004-1080

High

US-CERT Vulnerability Note VU#145134, November 29, 2004

SecurityFocus, December 6, 2004

Microsoft Security Bulletin, SB04-045, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition, SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

Several vulnerabilities exist due to boundary errors in the table
and font conversion in the Word for Windows 6.0 converter, which could let a remote malicious user execute arbitrary code. Note: Exploitation requires that the handler for Word for Windows 6.0 converter is enabled.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-041.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Table & Font Conversion Remote Code Execution

CVE Names:
CAN-2004-0571
CAN-2004-0901

High
Microsoft Security Bulletin, MS04-041, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a , NT Server 4.0 Terminal Server Edition SP6

Several vulnerabilities exist: A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted DHCP message to the DHCP server; and a vulnerability exists when handling DHCP request traffic due to an unchecked buffer, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-042.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft DHCP Remote Code Execution & Denial of Service

CVE Names:
CAN-2004-0899
CAN-2004-0900

Low/High

(High if arbitrary code can be executed)

Microsoft Security Bulletin, MS04-042, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, NT Server 4.0 Terminal Server Edition SP6, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

A buffer overflow vulnerability exists due to boundary errors in the handling of HyperTerminal session files and telnet URLs, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft HyperTerminal Remote Code Execution

CVE Name:
CAN-2004-0568

High
Microsoft Security Bulletin, MS04-043, December 14, 2004

Microsoft

Windows NT Server 4.0 SP6a, NT Server 4.0 Terminal Server Edition SP6, Windows 2000 SP3&SP4, Windows XP SP1 &SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

 

Several vulnerabilities exist: a vulnerability exists due to an unchecked buffer in the handling of data sent through a LPC (Local Procedure Call) port, which could let a remote malicious user execute arbitrary code with elevated privileges; and a vulnerability exists due to an error in the validation of identity tokens in LSASS (Local Security Authority Subsystem Service), which could let a remote malicious user obtain elevated privileges.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

Currently we are not aware of any exploits for these vulnerabilities.

Microsoft Windows Kernel & LSASS Elevated Privileges & Code Execution

CVE Names:
CAN-2004-0893
CAN-2004-0894

Medium/ High

(High if arbitrary code can be executed)

Microsoft Security Bulletin, SB04-044, December 14, 2004

Microsoft

Windows NT Server 4.0 SP 6a, NT Server 4.0 Terminal Server Edition SP 6, Windows 2000 Server SP 3 & SP4, Windows Server 2003, 2003 64-Bit Edition

A vulnerability exists due to an unchecked buffer in the handling of the 'Name' parameter from certain packets, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft WINS Name Validation

CVE Name:
CAN-2004-0567

High
Microsoft Security Bulletin, SB04-045, December 14, 2004

Microsoft

Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office 2003 Professional Edition, 2003 Small Business Edition, 2003 Standard Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003, Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003, Visual Studio .NET 2002, 2003, Word 2002;
Avaya DefinityOne Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media Servers

A buffer overflow vulnerability exists in the processing of JPEG image formats, which could let a remote malicious user execute arbitrary code.

Frequently asked questions regarding this vulnerability and the patch can be found at: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Bulletin updated to advise on the availability of additional security updates. Standalone security updates for The Microsoft .NET Framework version 1.0 Service Pack 2 and The Microsoft .NET Framework version 1.1 are now available. Security updates for Microsoft Visual FoxPro 8.0 and the Microsoft Visual FoxPro 8.0 runtime are also now available. Bulletin updated to reflect the release of Windows Messenger 5.1 that contains an updated version of the affected file. The MS04-028 Enterprise Update Scanning Tool has been updated to detect and deploy the additional security updates.

Another exploit script has been published.

Microsoft JPEG Processing Buffer Overflow

CVE Name:
CAN-2004-0200

High

Microsoft Security Bulletin, MS04-028, September 14, 2004

US-CERT Vulnerability Note VU#297462, September 14, 2004

Technical Cyber Security Alert TA04-260A, September 16, 2004

SecurityFocus, September 17, 2004

SecurityFocus, September 28, 2004

Packet Storm, October 7, 2004.

Microsoft Security Bulletin, MS04-028, V3.0 December 14, 2004

Multiple Vendors

Archive::Zip 1.13,
F-Secure Anti-Virus for Microsoft Exchange 6.30, 6.30 SR1, and 6.31,
Computer Associates,
Eset,
Kaspersky,
McAfee,
Sophos,
RAV

Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows malicious users to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

Instructions for Computer Associates, Eset, Kaspersky, McAfee, Sophos, and RAV are available at: http://www.idefense.com/application/poi/display?id
=153&type=vulnerabilities&flashstatus=true

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-31.xml

Mandrakelinux 10.1 and Mandrakelinux 10.1/X86_64:
http://www.mandrakesoft.com/security/advisories

A fix for F-Secure is available at::
ftp://ftp.f-secure.com/support/
hotfix/fsav-mse/fsavmse63x-02.zip

SUSE:
http://www.SUSE.com/en/private/
download/updates/92_i386.html

A Proof of Concept exploit script has been published.

Multiple Vendor Anti-Virus Software Detection Evasion

CVE Names:
CAN-2004-0932
CAN-2004-0933
CAN-2004-0934
CAN-2004-0935

CAN-2004-0936

CAN-2004-0937

 

High

iDEFENSE Security Advisory, October 18, 2004

Secunia Advisory ID: SA13038, November 1, 2004

SecurityFocus, Bugtraq ID: 11448, November 2, 2004

SecurityTracker Alert ID: 1012057, November 3, 2004

SecurityFocus, November 15, 2004

SecurityFocus, November 29, 2004

US-CERT Vulnerability Note, VU#968818, December 13, 2004

Netscape

Navigator 7.0, 7.0.2, 7.1-7.2

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Netscape Remote Window Hijacking

CVE Name:
CAN-2004-1155

Medium
Secunia Advisory,
SA13402, December 8, 2004

Nullsoft

Winamp 5.05

A vulnerability exists which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the 'IN_CDDA.dll' file. This can be exploited in various ways to cause a stack-based buffer overflow e.g. by tricking a user into visiting a malicious web site containing a specially crafted '.m3u' playlist. Successful exploitation allows execution of arbitrary code.

Update to version 5.0.6:
http://www.winamp.com/player/

An exploit script has been published.

Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow
High

Security-Assessment Vulnerability Advisory, November 23, 2004

PacketStorm, December 11, 2004

Open Text Corporation

FirstClass 8.0

A remote Denial of Service vulnerability exists in the HTTP Daemon Search function.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

OpenText FirstClass HTTP Daemon Search Function Remote Denial of Service
Low
SecurityTracker Alert ID, 1012478, December 11, 2004

Symantec

Windows LiveUpdate prior to v2.5, Norton SystemWorks 2001-2004, Norton AntiVirus and Pro 2001-2004, Norton Internet Security and Pro 2001-2004,
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0

A vulnerability exists in the LiveUpdate GUI during an interactive LiveUpdate session when running the scheduled 'NetDetect' task, which could let a remote malicious user execute arbitrary commands.

The vendor has issued a fixed version of LiveUpdate (2.5), available via LiveUpdate.

Currently we are not aware of any exploits for this vulnerability.

Symantec LiveUpdate NetDetect Scheduled Task
High
SecurityTracker Alert ID, 1012492, December 13, 2004

WeOnlyDo!

wodFtpDLX ActiveX component, wodFtpDLX ActiveX component 2.1.1 8

A buffer overflow vulnerability exists due to the way long buffer file names are handled, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.weonlydo.com/index.asp?showform=FtpDLX

Exploit scripts have been published.

WeOnlyDo! wodFtpDLX ActiveX Component Remote Buffer Overflow
High

Securiteam, November 23, 2004

PacketStorm December 11, 2004

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Adobe

Adobe Version Cue on Mac OS X

A vulnerability exists that could permit a local malicious user to obtain root privileges on the target system. The scripts used to start and stop Adobe Version Cue are configured with set user id (setuid) root user privileges and do not validate the path names. A local user can create specially crafted scripts and modify the current path to point to the directory containing those scripts. When Adobe Version Cue is started or stopped, the scripts will run with root user privileges.

No workaround or patch available at time of publishing.

An exploit script has been published.

Adobe Version Cue Start/Stop Scripts Arbitrary Script Execution
High
SecurityTracker Alert ID: 1012446, December 7, 2004

Apache Software Foundation

Apache 2.0.35-2.0.52

A vulnerability exists when the 'SSLCipherSuite' directive is used in a directory or location context to require a restricted set of cipher suites, which could let a remote malicious user bypass security policies and obtain sensitive information.

OpenPKG:
ftp://ftp.openpkg.org/release/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-21.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-562.html

SuSE: In the process of releasing packages.

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-600.html

There is no exploit code required.

Apache mod_ssl SSLCipherSuite Access Validation

CVE Name:
CAN-2004-0885

Medium

OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004

Gentoo Linux Security Advisory, GLSA 200410-21, October 22, 2004

Slackware Security Advisory, SSA:2004-299-01, October 26, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:122, November 2, 2004

Conectiva Linux Security Announcement, CLA-2004:885, November 4, 2004

Fedora Update Notification,
FEDORA-2004-420, November 12, 2004

RedHat Security Advisory, RHSA-2004:562-11, November 12, 2004

SUSE Security Summary Report, SUSE-SR:2004:001, November 24, 2004

RedHat Security Advisory, RHSA-2004:600-12, December 13, 2004

Apache Software Foundation

Apache 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.46, 1.3.7 -dev, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17-1.3.20, 1.3.22-1.3.29, 1.3.31

A buffer overflow vulnerability exists in the 'get_tag()' function, which could let a malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-03.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/s

Trustix:
http://http.trustix.org/pub/trustix/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/ia32/

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-600.html

Exploit scripts have been published.

Apache mod_include Buffer Overflow

CVE Name:
CAN-2004-0940

High

SecurityFocus, October 20, 2004

Slackware Security Advisory, SA:2004-305-01, November 1, 2004

Gentoo Linux Security Advisory, GLSA 200411-03, November 2, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0056, November 5, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:134, November 17,2004

Turbolinux Security Announcement, November 18, 2004

Red Hat Advisory: RHSA-2004:600-12, December 13, 2004

Apple

Darwin
Streaming Server 5.0.1 on Mac OS X 10.2.8 or 10.3.6 Server

A vulnerability exists due to an input validation error in the handling of 'DESCRIBE' requests. This can be exploited to cause a vulnerable server to crash by sending a specially crafted request for a location containing a null byte.

Apple has issued a fix as part of Security Update 2004-12-02, available at: http://www.apple.com/swupdates/

Currently we are not aware of any exploits for this vulnerability.

Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service

CVE Name:
CAN-2004-1123

Low
iDEFENSE Advisory 12.03.04

Apple

Safari 1.2.4

A vulnerability exists which could allow a remote malicious user to inject content into an open window in certain cases to spoof web site contents. If the target name of an open window is known, a remote user can create Javascript that, when loaded by the target user, will display arbitrary content in the opened window. A remote user can exploit this to spoof the content of potentially trusted web sites.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Apple Safari Open Windows Injection
Medium
SecurityTracker Alert ID: 1012459, December 8, 2004

ARJ Software Inc.

UNARJ 2.62-2.65

 

A buffer overflow vulnerability exists due to insufficient bounds checking on user-supplied strings prior to processing, which could let a remote malicious user execute arbitrary code.

Fedora:
http://download.fedora.redhat.com/pub/fedora
/linux/core/updates/2/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-29.xml

SUSE:
http://www.suse.de/de/security/2004_03_sr.html

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

Currently we are not aware of any exploits for this vulnerability.

ARJ Software UNARJ Remote Buffer Overflow

CVE Name:
CAN-2004-0947

High

SecurityTracker Alert I,: 1012194, November 11, 2004

Gentoo Linux Security Advisory, GLSA 200411-29, November 19, 2004

SUSE Security Summary Report SUSE-SR:2004:003, December 7, 2004

Fedora Update Notification
FEDORA-2004-414, December 11, 2004

Atari

Atari800 1.3.1 & prior

Several buffer overflow vulnerabilities exist in the 'log.c' and 'rt-config.c' files due to insufficient boundary checks, which could let a malicious user execute arbitrary code with root privileges.

The vendor reports that the vulnerability described in 'log.c' is fixed in versions after 2003-11-13, and that they are currently looking into the issue in 'rt-config.c'.

An exploit script has been published.

Atari800 Emulator Multiple Buffer Overflows
High

Securiteam, November 25, 2004

PacketStorm, December 11, 2004

BitWizard

mtr 0.55 through 0.65

A vulnerability exists which can be exploited by malicious, local users to perform certain actions with escalated privileges.The vulnerability is caused due to an off-by-one error in the keybinding routine in "mtr_curses_keyaction()". This may be exploited by supplying specially crafted, overly long input. Exploitation requires that mtr is setuid "root" and not compiled with gcc 3.x.

Update to version 0.67:
ftp://ftp.bitwizard.nl/mtr/

Currently we are not aware of any exploits for this vulnerability.

BitWizard mtr 'mtr_curses_keyaction()' Function Buffer Overflow
Medium
Secunia Advisory ID:
SA13430, December 14, 2004

Carnegie Mellon University

Cyrus IMAP Server 2.2.9 and prior versions

A vulnerability exists in the mysasl_canon_user() function that could allow a remote user to execute arbitrary code on the target system. An off-by-one error exists in the mysasl_canon_user() function that may result in an unterminated user name string. A remote user may be able to trigger the buffer overflow to execute arbitrary code on the target system with the privileges of the target IMAP process.

The vendor has issued a fixed version (2.2.10), available at: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

Currently we are not aware of any exploits for this vulnerability.

Carnegie Mellon Cyrus IMAP Server Off-by-one Overflow

CVE Name:
CAN-2004-1067

High

SecurityTracker Alert ID: 1012474, December 10, 2004

Carsten Haitzler

imlib 1.x

Multiple vulnerabilities exist due to integer overflows within the image decoding routines. This can be exploited to cause buffer overflows by tricking a user into viewing a specially crafted image in an application linked against the vulnerable library.

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-03.xml

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-651.html

Currently we are not aware of any exploits for these vulnerabilities.

Carsten Haitzler imlib Image Decoding Integer Overflow

CVE Name:
CAN-2004-1026
CAN-2004-1025

High

Secunia Advisory ID:
SA13381, December 7, 2004

Red Hat Advisory, RHSA-2004:651-03, December 10, 2004

Citadel Systems

Citadel/UX 6.27 and prior versions

A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. The lprintf() function in 'sysdep.c' makes an unsafe syslog() call based on user-supplied input but without providing the format string specifier or filtering the user-supplied input. A remote user can connect to the target service and supply a specially crafted string to trigger the error and cause the target service to crash or to execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Citadel/UX Format String
High
No System Group, Advisory #09, December 12, 2004

Free Software Foundation

rootsh prior to version 1.4.1

A vulnerably exists in rootsh, which can be exploited by malicious, local users to bypass the logging functionality. The problem is caused due to an input validation error when handling certain xterm escape sequences. This can be exploited to generate empty syslog messages, allowing users to hide their actions in a syslog-only environment.

Update to version 1.4.1:
http://sourceforge.net/project/
showfiles.php?group_id=110309

Currently we are not aware of any exploits for this vulnerability.

Free Software Foundation rootsh Security Bypass
Medium
Secunia Advisory ID: SA13405, December 9, 2004

GNU

a2ps 4.13

A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process.

A patch for FreeBSD is available at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/
print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

A Proof of Concept exploit has been published.

GNU a2ps Filenames Shell Commands Execution
High
SecurityTracker Alert ID: 1012475, December 10, 2004

GNU

mysql_auth prior to 0.8

A vulnerability exists due to a memory leak in mysql_auth. The impact was not specified.

The vendor has issued a fixed version (0.8), available at: http://people.arxnet.hu/airween/mysql_auth/mysql_auth-0.8.tar.gz

Currently we are not aware of any exploits for this vulnerability.

GNU mysql_auth Memory Leak
Not Specified
SecurityTracker Alert ID: 1012500, December 14, 2004

GNU

Squid-2.5

A vulnerability exists which can be exploited by malicious people to gain knowledge of potentially sensitive information. Squid returns random error messages due to reference to freed memory in certain conditions involving a sequence of failed DNS lookups, resulting in random messages being shown as error message in response to such host names.

Apply patch: http://www.squid-cache.org/
Versions/v2/2.5/bugs/squid-2.5.STABLE7-dothost.patch

A Proof of Concept exploit has been published.

GNU Squid Malformed Host Name
Medium
Squid Project Bugzilla Bug 1143, November 23, 2004

GNU

wget 1.9.1

A vulnerability exists which could permit a remote malicious user to create or overwrite files on the target user's system. wget does not properly validate user-supplied input. A remote user can bypass the filtering mechanism if DNS can be modified so that '..' resolves to an IP address. A specially crafted HTTP response can include control characters to overwrite portions of the terminal window.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

GNU wget File Creation & Overwrite
Medium
SecurityTracker Alert ID: 1012472, December 10, 2004

ImageMagick

ImageMagick 5.3.3, 5.4.3, 5.4.4.5, 5.4.7, 5.4.8 .2-1.1.0, 5.4.8,
5.5.3 .2-1.2.0, 5.5.6 .0-20030409, 5.5.7, 6.0, 6.0.1, 6.0.3-6.0.8

A buffer overflow vulnerability exists in the 'EXIF' parsing routine due to a boundary error, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://sourceforge.net/project/
showfiles.php?group_id=24099

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/
i/imagemagick/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-11.xml

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

SUSE:
ftp://ftp.SUSE.com/pub/SUSE/i386/update/

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:143

(Red Hat has re-issued it's update.)
http://rhn.redhat.com/errata/RHSA-2004-480.html

Currently we are not aware of any exploits for this vulnerability.

ImageMagick Remote EXIF Parsing Buffer Overflow

CVE Names:
CAN-2004-0827
CAN-2004-0981

High

SecurityTracker Alert ID, 1011946, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-11:01, November 6, 2004

Debian Security Advisory DSA 593-1, November 16, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

SUSE Security Summary Report, USE-SR:2004:001, November 24, 2004

Mandrakesoft Security Advisory, MDKSA-2004:143, December 6, 2004

Red Hat Security Advisory, RHSA-2004:636-03, December 8, 2004

Info-ZIP

Zip 2.3

A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/z/zip/

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-16.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow

CVE Name:
CAN-2004-1010

High

Bugtraq, November 3, 2004

Ubuntu Security Notice, USN-18-1, November 5, 2004

Fedora Update Notification,
FEDORA-2004-399 & FEDORA-2004-400, November 8 & 9, 2004

Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

KDE

KDE prior to 3.3.2

When a user creates a link to a remote file using various KDE applications, the resulting link may include authentication credentials for the remote system. This may include Samba passwords for files located on SMB servers.

Patches are available:
http://www.kde.org/info/security/advisory-20041209-1.txt

Currently we are not aware of any exploits for this vulnerability.

KDE Privacy

Medium
KDE Security Advisory, December 9, 2004

KDE

Konqueror 3.2.2-6

 

A vulnerability exists which can be exploited by malicious people to spoof the content of websites. A website can inject content into another site's window if the target name of the window is known. This can be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

KDE Konqueror Window Injection
Medium

Secunia Advisory ID: SA13254, December 8, 2004

Larry Wall

Perl 5.8.3

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-04.xml

There is no exploit code required.

Perl
Insecure Temporary File Creation

CVE Name:
CAN-2004-0976

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Ubuntu Security Notice, USN-16-1, November 3, 2004

Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004

libtiff.org

LibTIFF 3.6.1

Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora:
http://download.fedora.redhat.com/pub/fedora/
linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-577.html

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

KDE: Update to version 3.3.2:
http://kde.org/download/

Apple Mac OS X:
http://www.apple.com/swupdates/

Proofs of Concept exploits have been published.

LibTIFF Buffer Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be execute)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification,
FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

Slackware Security Advisory, SSA:2004-305-02, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004

US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004

Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004

KDE Security Advisory, December 9, 2004

Apple Security Update SA-2004-12-02

MediaWiki

MediaWiki 1.3.8

A vulnerability exists which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to insufficient validation of files uploaded to the "images" directory located inside the web root. This can be exploited to upload and execute arbitrary malicious scripts.

Update to version 1.3.9:
http://wikipedia.sourceforge.net/

A Proof of Concept exploit has been published.

MediaWiki 'images' Arbitrary Script Upload and Execution
High
Secunia Advisory ID:
SA13419, December 13, 2004

Multiple Vendors

file 4.11 and prior (Trustix)

A vulnerability exists in the ELF header parsing code in 'file'. A malicious user may be able to create a specially crafted ELF file that, when processed using 'file', may be able to modify the stack and potentially execute arbitrary code.

Update to version 4.12:
ftp://ftp.astron.com/pub/file/

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200412-07.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors 'File' Processing ELF Headers Stack Overflow

High

Trustix Secure Linux Advisory #2004-0063, November 26, 2004

Gentoo Linux Security Advisory, GLSA 200412-07/ file, December 13, 2004

Multiple Vendors

Gentoo Linux;
Samba Samba 3.0-3.0.7

 

A remote Denial of Service vulnerability exists in 'ms_fnmatch()' function due to insufficient input validation.

Patch available at:
http://us4.samba.org/samba/ftp/patches/security
/samba-3.0.7-CAN-2004-0930.patch

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-21.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/s/samba/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-632.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

SGI:
http://www.sgi.com/support/security/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux
/TurboLinux/ia32/Server/10/updates/

There is no exploit code required.

Samba Remote Wild Card Denial of Service

CVE Name:
CAN-2004-0930

Low

SecurityFocus, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

RedHat Security Advisory, RHSA-2004:632-17, November 16, 2004

Conectiva Linux Security Announcement, CLA-2004:899, November 25, 2004

Fedora Update Notifications,
FEDORA-2004-459 & 460, November 29, 2004

Turbolinux Security Advisory, TLSA-2004-32, December 8, 2004

SGI Security Advisory, 20041201-01-P, December 13, 2004

Multiple Vendors

gzip

A vulnerability exists in the gzip(1) command, which could let a malicious user access the files of other users that were processed using gzip.

Sun Solaris:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57600-1

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:142

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Debian:
http://www.debian.org/security/2004/dsa-588

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors
Gzip File Access

CVE Name:
CAN-2204-0970

Medium

Sun(sm) Alert Notification, 57600, October 1, 2004

US-CERT Vulnerability Note VU#635998, October 18, 2004

Mandrakesoft Security Advisory, MDKSA-2004:142, December 6, 2004

Trustix Advisory TSL-2004-0050, September 30, 2004

Debian Security Advisory DSA 588-1, November 8, 2004

Multiple Vendors

Linux Kernel 2.6.x

Some potential vulnerabilities exist with an unknown impact in the Linux Kernel. The vulnerabilities are caused due to boundary errors within the
"sys32_ni_syscall()" and "sys32_vm86_warning()" functions and can be exploited to cause buffer overflows. The attack vectors and impact are currently unknown.

Patches are available at:
http://linux.bkbits.net:8080/linux-2.6/cset@1.2079

http://linux.bkbits.net:8080/linux-2.6/
gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ

Currently we are not aware of any exploits for these vulnerabilities.

Multiple Vendors Linux Kernel 'sys32_ni_syscall' and 'sys32_vm86_warning' Buffer Overflows
Not Specified
Secunia Advisory ID: SA13410, December 9, 2004

Multiple Vendors

MySQL AB MySQL 3.20 .x, 3.20.32 a, 3.21.x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.54, 3.23.56, 3.23.58, 3.23.59, 4.0.0-4.0.15, 4.0.18, 4.0.20;
Trustix Secure Enterprise Linux 2.0, Secure Linux 1.5, 2.0, 2.1

A vulnerability exists in the 'GRANT' command due to a failure to ensure sufficient privileges, which could let a malicious user obtain unauthorized access.

Upgrades available at:
http://dev.mysql.com/downloads/mysql/4.0.html

OpenPKG:
ftp.openpkg.org

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-611.html

SuSE:
ftp://ftp.suse.com/pub/suse

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/m

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

There is no exploit code required.

 

MySQL Database Unauthorized GRANT Privilege

CVE Name:
CAN-2004-0957

Medium

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

Multiple Vendors

nfs-utils 1.0.6

A vulnerability exists due to an error in the NFS statd server in "statd.c" where the "SIGPIPE" signal is not correctly ignored. This can be exploited to crash a vulnerable service via a malicious peer terminating a TCP connection prematurely.

Upgrade to 1.0.7-pre1:
http://sourceforge.net/project/
showfiles.php?group_id=14&package_id=174

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:146

Debian:
http://www.debian.org/security/2004/dsa-606

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors nfs-utils "SIGPIPE" TCP Connection Termination Denial of Service
Low

Secunia Advisory ID: SA13384, December 7, 2004

Debian Security Advisory
DSA-606-1 nfs-utils, December 8, 2004

Multiple Vendors

perl

Multiple vulnerabilities exist which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the file system. When a Perl script is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.

Gentoo: update to "perl-5.8.5-r2" or later:
http://security.gentoo.org/glsa/glsa-200412-04.xml

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/p/perl/

Currently we are not aware of any exploits for these vulnerabilities.

Multiple Vendors Perl Insecure Temporary File Creation
Medium

Gentoo Security Advisory, GLSA 200412-04 / perl, December 7, 2004

Trustix Secure Linux Bugfix Advisory #2004-0050, November 30, 2004

Ubuntu Security Notice USN-16-1 November 02, 2004

Multiple Vendors

Samba 3.0 - 3.0.7; RedHat Advanced Workstation for the Itanium Processor 2.1, IA64, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, 2.1, ES 3, 2.1 IA64, 2.1, AS 3, 2.1 IA64, 2.1; Ubuntu Linux 4.1 ppc, ia64, ia32

A buffer overflow vulnerability exists in the 'QFILEPATHINFO' request handler when constructing 'TRANSACT2_QFILEPATHINFO' responses, which could let a remote malicious user execute arbitrary code.

Update available at:
http://www.samba.org/samba/download/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
Ubuntu Upgrade samba-doc_
3.0.7-1ubuntu6.2_all.deb

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/TurboLinux
/TurboLinux/ia32/Server/10/updates/

Currently we are not aware of any exploits for this vulnerability.

Samba 'QFILEPATHINFO' Buffer Overflow

CVE Name:
CAN-2004-0882

High

e-matters GmbH Security Advisory, November 14, 2004

SuSE Security Announcement, SUSE-SA:2004:040, November 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0058, November 16, 2004

Ubuntu Security Notice, USN-29-1, November 18, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:136, November 19, 2004

US-CERT Vulnerability Note VU#457622, November 19, 2004

Conectiva Linux Security Announcement, CLA-2004:899, November 25, 2004

Fedora Update Notifications,
FEDORA-2004-459 & 460, November 29, 2004

Turbolinux Security Advisory, TLSA-2004-32, December 8, 2004

Multiple Vendors

Unix OpenBSD 3.3, 3.4;
XFree86 X11R6 4.1 .0, 4.1–12,
4.1–11, 4.2 .0, 4.2 1, 4.2.1 Errata, 4.3

A buffer overflow vulnerability exists in the 'font.alias' file due to insufficient validation of user supplied data, which could let a malicious user obtain ROOT privileges.

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

Immunix:
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/

Mandrake:
http://www.mandrakesecure.net/en/advisories/

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

RedHat:
ftp://updates.redhat.com/9/en/os/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/10/updates/

Xfree86:
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

A Proof of Concept exploit has been published.

Multiple Vendors XFree86 Font Information File Buffer Overflow

CVE Name:
CAN-2004-0083

High

iDEFENSE Security Advisory, February 10, 2004.

Slackware Security Advisory, SSA:2004-043-02, February 12, 2004.

Fedora Update Notification, FEDORA-2004-069, February 13, 2004.

Immunix Secured OS Security Advisory, IMNX-2004-73-002-01, February 13, 2004.

Mandrake Linux Security Update Advisory, MDKSA-2004:012, February 13, 2004.

Red Hat Security Advisories, RHSA-2004:059-01& RHSA-2004:060-16, February 13, 2004.

TurboLinux Security Advisory, TLSA-2004-5, February 17, 2004.

US-CERT Vulnerability Note VU#820006, December 7, 2004

Multiple Vendors

Easy Software Products CUPS 1.1.14-1.1.20; Trustix Secure Enterprise Linux 2.0, Secure Linux 2.0, 2.1

 

A Denial of Service vulnerability exists in 'scheduler/dirsvc.c' due to insufficient validation of UDP datagrams.

Update available at:
http://www.cups.org/software.php

Debian:
http://security.debian.org/pool/updates/main/c/cupsys/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

RedHat:
http://rhn.redhat.com/

SuSE:
ftp://ftp.suse.com/pub/suse/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

ALTLinux:
http://altlinux.com/index.php?
module=sisyphus&package=cups

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-25.xml

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Apple:
http://www.apple.com/support/security/
security_updates.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/2/

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57646-1&searchclause=

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Fedora Legacy:
http://download.fedoralegacy.org/fedora/1/updates/

SCO:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.15

TurboLinux: ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/

A Proof of Concept exploit has been published.

CUPS Browsing Denial of Service

CVE Name:
CAN-2004-0558

Low

SecurityTracker Alert ID, 1011283, September 15, 2004

ALTLinux Advisory, September 17, 2004

Gentoo Linux Security Advisory GLSA 200409-25, September 20, 2004

Slackware Security Advisory, SSA:2004-266-01, September 23, 2004

Fedora Update Notification,
FEDORA-2004-275, September 28, 2004

Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004

Sun(sm) Alert Notification, 57646, October 7, 2004

SCO Security Advisory, COSA-2004.15, October 12, 2004

Conectiva Linux Security Announcement, CLA-2004:872, October 14, 2004

Fedora Legacy Update Advisory, FLSA:2072, October 16, 2004

Turbolinux Security Advisory, TLSA-2004-33, December 8, 2004

Multiple Vendors

Enlightenment Imlib2 1.0-1.0.5, 1.1, 1.1.1;
ImageMagick ImageMagick 5.4.3, 5.4.4 .5, 5.4.8 .2-1.1.0 , 5.5.3 .2-1.2.0, 5.5.6 .0- 2003040, 5.5.7,6.0.2;
Imlib Imlib 1.9-1.9.14

Multiple buffer overflow vulnerabilities exist in the Iimlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

lmlib:
http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/

ImageMagick:
http://www.imagemagick.org/www/download.html

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-12.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/
updates/main/i/imagemagick/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-465.html

SUSE:
ftp://ftp.SUSE.com/pub/SUSE/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Sun:
http://sunsolve.sun.com/search/document.do?
assetkey=1-26-57648-1&searchclause=

http://sunsolve.sun.com/search/document.do?
assetkey=1-26-57645-1&searchclause=

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-480.html

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/i/imagemagick/i

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-636.html

Currently we are not aware of any exploits for these vulnerabilities.

IMLib/IMLib2 Multiple BMP Image
Decoding Buffer Overflows

 

CVE Names:
CAN-2004-0817
CAN-2004-0802

Low/High

(High if arbitrary code can be executed)

SecurityFocus, September 1, 2004

Gentoo Linux Security Advisory, GLSA 200409-12, September 8, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:089, September 8, 2004

Fedora Update Notifications,
FEDORA-2004-300 &301, September 9, 2004

Turbolinux Security Advisory, TLSA-2004-27, September 15, 2004

RedHat Security Advisory, RHSA-2004:465-08, September 15, 2004

Debian Security Advisories, DSA 547-1 & 548-1, September 16, 2004

Conectiva Linux Security Announcement, CLA-2004:870, September 28, 2004

Sun(sm) Alert Notifications, 57645 & 57648, September 20, 2004

Turbolinux Security Announcement, October 5, 2004

RedHat Security Update, RHSA-2004:480-05, October 20, 2004

Ubuntu Security Notice USN-35-1, November 30, 2004

RedHat Security Advisory, RHSA-2004:636-03, December 8, 2004

Multiple Vendors

Gentoo Linux;
RedHat Fedora Core3, Core2;
SUSE Linux 8.1, 8.2, 9.0-9.2, Desktop 1.0, Enterprise Server 9, 8, Novell Linux Desktop 1.0;
X.org X11R6 6.7 .0, 6.8, 6.8.1;
XFree86 X11R6 3.3, 3.3.2-3.3.6, 4.0-4.0.3, 4.1 .0, 4.1 -12, 4.1 -11, 4.2 .0, 4.2.1 Errata, 4.2.1
4.3 .0

Multiple vulnerabilities exist due to integer overflows, memory access errors, input validation errors, and logic errors, which could let a remote malicious user execute arbitrary code, obtain sensitive information or cause a Denial of Service.

Fedora:
http://download.fedora.redhat.com
/pub/fedora/linux/core/updates

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-28.xml

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

X.org:
http://www.x.org/pub/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-537.html

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:137
(libxpm)

http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:138
(XFree86)

Debian:
http://www.debian.org/security/2004/dsa-607
(XFree86)

Currently we are not aware of any exploits for these vulnerabilities

Multiple Vendors LibXPM Multiple Vulnerabilities

CVE Name:
CAN-2004-0914

Low/ Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

X.Org Foundation Security Advisory, November 17, 2004

Fedora Update Notifications,
FEDORA-2004-433 & 434, November 17 & 18, 2004

SUSE Security Announcement, SUSE-SA:2004:041, November 17, 2004

Gentoo Linux Security Advisory, GLSA 200411-28, November 19, 2004

Fedora Security Update Notifications
FEDORA-2003-464, 465, 466, & 467, December 1, 2004

RedHat Security Advisory, RHSA-2004:537-17, December 2, 2004

Mandrakesoft: MDKSA-2004:137: libxpm4; MDKSA-2004:138: XFree86, November 22, 2004

Debian Security Advisory
DSA-607-1 xfree86 -- several vulnerabilities, December 10, 2004

Multiple Vendors

iproute2

A vulnerability exists because iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack.

Updates available:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:148

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors iproute Denial of Service
Low
Mandrakesoft Security Advisory, MDKSA-2004:148, December 13, 2004

Multiple Vendors

Linux Kernel

A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'.

Red Hat:
https://bugzilla.redhat.com/bugzilla
/attachment.cgi?id=107493&action=view

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel USB io_edgeport Driver Integer Overflow

Low/ Medium

(Medium if elevated privileges can be obtained)

SecurityTracker Alert ID: 1012477, December 10, 2004

Multiple Vendors

Linux Kernel 2.6 -test1-test11, 2.6, l 2.6.1 -rc1&rc2, 2.6.1- 2.6.9;
SuSE Linux 8.2, 9.0-9.2

A Denial of Service vulnerability exists due to a failure by 'aio_free_ring' to handle exceptional conditions.

No workaround or patch available at time of publishing.

An exploit script has been published.

Linux Kernel AIO_Free_Ring Denial of Service

Low
SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Currently we are not aware of any exploits for this vulnerability.

 

Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification

CVE Name:
CAN-2004-1068

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Multiple Vendors

Linux Kernel 2.6 - 2.6.10 r2

An unspecified buffer overflow vulnerability reportedly affects the 'sys_ia32.c' file of the Linux kernel. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite kernel buffers. A malicious user might leverage this issue to overflow the affected buffer.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel SYS_IA32.C Buffer Overflow
High
SecurityFocus, December 9, 2004

Multiple Vendors

Linux Kernel 2.6 - 2.6.9

A local Denial of Service vulnerability affects the ELF header processing functionality on 64 bit systems of the Linux kernel. This issue is due to a failure of the affected kernel to properly handle malformed ELF headers. A local attacker may leverage this issue to cause a computer running the affected kernel to crash, denying service to legitimate users.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendors Linux Kernel 64 Bit ELF Header Local Denial of Service
Low
SecurityFocus, Bugtraq ID 11846, December 7, 2004

Multiple Vendors

nfs-utils

A vulnerability exists which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the function "getquotainfo()" in "rquota_server.c" and can be exploited to cause a buffer overflow. Successful exploitation may lead to execution of arbitrary code on 64-bit architectures.

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-08.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors nfs-utils 'getquotainfo()' Buffer Overflow
High

Secunia Advisory ID: SA13440, December 14, 2004

Multiple Vendors

Unix OpenBSD 3.3, 3.4;
XFree86 X11R6 4.1 .0, 4.1–12,
4.1–11, 4.2 .0, 4.2 1, 4.2.1 Errata, 4.3

A buffer overflow vulnerability exists due to insufficient bounds checking when parsing the ‘font.alias’ file, which could let a remote malicious user execute arbitrary code with ROOT privileges.

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/1/

Immunix:
http://download.immunix.org/
ImmunixOS/7.3/Updates/RPMS/

Mandrake:
http://www.mandrakesecure.net/en/advisories/

OpenBSD:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/

RedHat:
ftp://updates.redhat.com/9/en/os/

Slackware:
ftp://ftp.slackware.com/pub/slackware/

TurboLinux:
ftp://ftp.turbolinux.com/pub/TurboLinux/
TurboLinux/ia32/Desktop/10/updates/

Xfree86:
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

A Proof of Concept exploit has been published.

Multiple Vendors Xfree86 Font_Name Buffer Overflow

CVE Name:
CAN-2004-0084

High

iDEFENSE Security Advisory, February 12, 2004

Slackware Security Advisory, SSA:2004-043-02, February 12, 2004

Fedora Update Notification, FEDORA-2004-069, February 13, 2004

Immunix Secured OS Security Advisory, IMNX-2004-73-002-01, February 13, 2004.

Mandrake Linux Security Update Advisory, MDKSA-2004:012, February 13, 2004.

Red Hat Security Advisories, RHSA-2004:059-01& RHSA-2004:060-16, February 13, 2004.

TurboLinux Security Advisory, TLSA-2004-5, February 17, 2004.

US-CERT Vulnerability Note VU#667502, December 7, 2004

MySQL AB

MySQL 3.20 .x, 3.20.32 a, 3.21 .x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, 3.23 .x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.56, 3.23.58, 4.0.0-4.0.15, 4.0.18, 4.0.20, 4.1 .0-alpha, 4.1 .0-0, 4.1.2 -alpha, 4.1.3 -beta, 4.1.3 -0, 5.0 .0-alpha, 5.0 .0-0

A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue.

Debian:
http://security.debian.org/pool/updates/main/m/mysql/

Trustix:
http://http.trustix.org/pub/trustix/updates/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

SUSE:
ftp://ftp.suse.com/pub/suse

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

We are not aware of any exploits for this vulnerability.

MySQL Mysql_real_connect Function Remote Buffer Overflow

CVE Name:
CAN-2004-0836

Low/High

(Low if a DoS)

Secunia Advisory,
SA12305, August 20, 2004

Debian Security Advisory, DSA 562-1, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

MySQL AB

MySQL 3.23.49, 4.0.20

A vulnerability exists in the 'mysqlhotcopy' script due to predictable files names of temporary files, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/pool/updates/main/m/

Gentoo:
http://security.gentoo.org/glsa/glsa-200409-02.xml

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-569.html

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

There is no exploit code required.

MySQL
'Mysqlhotcopy' Script Elevated Privileges

CVE Name:
CAN-2004-0457

Medium

Debian Security Advisory, DSA 540-1, August 18, 2004

Gentoo Linux Security Advisory GLSA 200409-02, September 1, 2004

SUSE Security Announcement, SUSE-SA:2004:030, September 6, 2004

RedHat Security Advisory, ,RHSA-2004:569-16, October 20, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

SUSE Security Summary Report, USE-SR:2004:001, November 24, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

MySQL AB

MySQL 3.x, 4.x

 

Two vulnerabilities exist: a vulnerability exists due to an error in 'ALTER TABLE ... RENAME' operations because the 'CREATE/INSERT' rights of old tables are checked, which potentially could let a remote malicious user bypass security restrictions; and a remote Denial of Service vulnerability exists when multiple threads issue 'alter' commands against 'merge' tables to modify the 'union.'

Updates available at:
http://dev.mysql.com/downloads/mysql/

Debian:
http://security.debian.org/pool/updates/main/m/mysql

Trustix:
http://http.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesoft.com/security/advisories

Conectiva:
ftp://atualizacoes.conectiva.com.br/

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/m/mysql-dfsg/

SuSE:
ftp://ftp.suse.com/pub/suse

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/2/

We are not aware of any exploits for these vulnerabilities.

MySQL Security Restriction Bypass & Remote Denial of Service

CVE Names:
CAN-2004-0835
CAN-2004-0837

Low/ Medium

(Low if a DoS; and Medium if security restrictions can be bypassed)

Secunia Advisory, SA12783, October 11, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:119, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:892, November 18, 2004

Ubuntu Security Notice, USN-32-1, November 25, 2004

SUSE Security Summary Report, SUSE-SR:2004:001, November 24, 2004

Fedora Update Notification,
FEDORA-2004-530, December 8, 2004

Netatalk

Netatalk Open Source Apple File Share Protocol Suite 1.5 pre6, 1.6.1, 1.6.4

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-25.xml

Mandrake:
http://www.mandrakesoft.com/security/advisories

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

There is no exploit code required.

NetaTalk Insecure Temporary File Creation

CVE Name:
CAN-2004-0974

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory GLSA 200410-25, October 25, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:121, November 2, 2004

Fedora Update Notifications,
FEDORA-2004-505 & 506, December 6, 2004

Omni Group

OmniWeb 5.0.1

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Omni Group OmniWeb Browser Remote Window Hijacking
Medium
Secunia Advisory, SA13418, December 10, 2004

Opera Software

Opera 7.54 on Linux with KDE 3.2.3

A vulnerability exists that could permit a remote user to cause the target user to execute arbitrary commands. KDE uses 'kfmclient exec' as the default application for processing saved files. A remote user can cause arbitrary shell commands to be executed on the target system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Opera Default 'kfmclient exec' Configuration
High
Zone-H Advisory, ZH2004-19SA, December 12, 2004

PHP Group
  Debian
  Slackware
  Fedora

pp 4.3.7 and prior

Updates to fix multiple vulnerabilities with php4 which could allow remote code execution.

Debian:
Update to Debian GNU/Linux 3.0 alias woody at
http://www.debian.org/releases/stable/

Slackware:
http://www.slackware.com/security/viewer.
php?l=slackware- security&y=2004&m=
slackware-security.406480

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/

An exploit script has been published.

PHP 'memory_limit' and strip_tags() Remote Vulnerabilities

CVE Names:
CAN-2004-0594
CAN-2004-0595

High

Secunia, SA12113 and SA12116, July 21, 2004

Debian, Slackware, and Fedora Security Advisories

Turbolinux Security Advisory TLSA-2004-23, September 15, 2004

PacketStorm, December 11, 2004

PHPNews

PHPNews 1.2.3

A vulnerability exists in 'sendtofriend.php' due to insufficient sanitization of the 'mid' parameter, which could let a remote malicious user manipulate data.

Upgrade available at:
http://prdownloads.sourceforge.net/
newsphp/phpnews_1-2-4.zip?download

An exploit script has been published.

PHPNews SQL Injection

Medium

Secunia Advisory,
SA13300, November 24, 2004

PacketStorm, December 11, 2004

PostgreSQL

PostgreSQL 7.4.5

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-16.xml

Debian:
http://security.debian.org/pool/updates/
main/p/postgresql/

OpenPKG:
ftp://ftp.openpkg.org/release/

Mandrakesoft:
http://www.mandrakesoft.com/security
/advisories?name=MDKSA-2004:149

There is no exploit code required.

PostgreSQL Insecure Temporary File Creation

CVE Name:
CAN-2004-0977

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Gentoo Linux Security Advisory, GLSA 200410-16, October 18, 2004

Debian Security Advisory, DSA 577-1, October 29, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.046, October 29, 2004

Mandrakesoft Security Advisory, MDKSA-2004:149, December 13, 2004

 

ProFTPD Project

ProFTPD 1.2.9

A vulnerability exists that could permit a remote authenticated user to change the group ownership of FTP-accessible files and directories. A remote authenticated user can issue the SITE CHGRP command to change the group permissions on files and directories. The server does not check the user's privileges when executing the command.

No vendor solution available at this time.

A Proof of Concept exploit has been published.

ProFTPD SITE CHGRP CommandFile/Directory Group Ownership Modification
Medium
SecurityTracker Alert ID: 1012488, December 13, 2004

Red Hat

Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), Advanced Workstation 2.1 for the Itanium Processor

A vulnerability exists in the way ncompress handles long filenames has been discovered. It is possible that an attacker could execute arbitrary code on a victims machine by tricking the user into decompressing a carefully crafted filename.

Updates available at: http://rhn.redhat.com/errata/RHSA-2004-536.html

Currently we are not aware of any exploits for this vulnerability.

 

Red Hat ncompress Buffer Overflow

CVE Name:
CAN-2001-1413

High
Red Hat Advisory: RHSA-2004:536-05, December 13, 2004

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

SUSE: http://www.suse.com/en/private/download/updates/92_i386.html

Avaya: http://support.avaya.com/japple/css/japple?temp.groupID=
128450&temp.selectedFamily=128451&temp.selectedProduct=
154235&temp.selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=198525&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction= avaya.css.UsageUpdate()

SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

We are not aware of any exploits for these vulnerabilities.

Red Hat GNOME VFS updates address extfs vulnerability

CVE Name:
CAN-2004-0494

High

Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004

Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004

SecurityFocus, Bugtraq ID: 10864, December 7, 2004

Roaring Penguin Software

Roaring Penguin 3.5 & prior

A vulnerability exists in the pppoe driver, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/pool/updates/main/r/rp-pppoe/

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:145

We are not aware of any exploits for this vulnerability.

Roaring Penguin pppoe Elevated Privileges

CVE Name:
CAN-2004-0564

Medium

Debian Security Advisory, DSA 557-1 , October 4, 2004

Mandrakesoft, MDKSA-2004:145, December 6th, 2004

Russell Marks

xzgv .8

An integer overflow vulnerability exists in the processing of PRF files. A remote malicious user may be able to cause arbitrary code to be executed on the target user's computer. A remote user can create a specially crafted image file that, when processed by the target user, will trigger an overflow in the read_prf_file() function. The flaw resides in 'src/readprf.c', where image height and width parameters are not properly limited.

A patch is available at:
http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff

Currently we are not aware of any exploits for this vulnerability.

 

Russell Marks xzgv Integer Overflow

CVE Name:
CAN-2004-0994

High

iDEFENSE Security Advisory, December 13, 2004

SGI

Samba on SGI IRIX 6.5.x

Multiple vulnerabilities exist which can be exploited to cause a DoS or compromise a vulnerable system.

Apply patch 5798 for Samba 3.0.7:
ftp://patches.sgi.com/support/free/
security/advisories/20041201-01-P.asc

Currently we are not aware of any exploits for these vulnerabilities.

SGI Multiple Samba Vulnerabilities

CVE Names:
CAN-2004-0807
CAN-2004-0882
CAN-2004-0930

Low/High

(High if arbitrary code can be executed)

Samba Security Vulnerability
Number : 20041201-01-P, December 7, 2004

Sun Java Plugin

A privilege escalation problem was found in the Sun Java Plugin which could have a remote attacker reading and writing files of a local user browsing websites. This bug affects all SUSE versions on the Intel x86 and AMD64 / Intel Extended Memory Architecture (EM64T) platforms.

SUSE is in the process of releasing updated Java packages.

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plugin Privilege Escalation
Medium
SUSE Security Summary Report SUSE-SR:2004:003, December 7, 2004

Sun Microsystems

sendmail on Sun Solaris 9

A vulnerability exists in sendmail included in Solaris 9, which can be exploited by malicious people to cause a Denial of Service and potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing DNS responses. This can be exploited to cause a buffer overflow by returning a specially crafted DNS response.

Apply patch:
http://sunsolve.sun.com/search/document.do
?assetkey=urn:cds:docid:1-21-113575-01-1

Currently we are not aware of any exploits for this vulnerability.

Sun Solaris Sendmail DNS TXT Records Buffer Overflow

 

Low/High

(High if arbitrary code can be executed)

Sun Alert ID: 57696, December 12, 2004

US-CERT VU#814627, March 10, 2003

Sun Microsystems

Solaris 7, 8, 9

A security vulnerability in the in.rwhod(1M) daemon may allow a remote malicious privileged user to execute arbitrary code with "root" privileges when the in.rwhod(1M) daemon is enabled on the system.

Updates available at:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57659-1

Currently we are not aware of any exploits for this vulnerability.

Sun Solaris IN.RWHOD(1M) Daemon
High
Sun Alert ID: 57659, December 6, 2004

Yukihiro Matsumoto

Ruby 1.8.x

A remote Denial of Service vulnerability exists due to an input validation error in 'cgi.rb.'

Debian:
http://security.debian.org/pool/updates/main/r/ruby

Mandrake:
http://www.mandrakesoft.com/security/advisories

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/universe/r/ruby1.8/l

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-23.xml

Red Hat:
http://rhn.redhat.com/errata/
RHSA-2004-635.html

Currently we are not aware of any exploits for this vulnerability.

Yukihiro Matsumoto Ruby Infinite Loop Remote Denial of Service

CVE Name:
CAN-2004-0983

Low

Secunia Advisory,
SA13123, November 8, 2004

Ubuntu Security Notice, USN-20-1, November 9, 2004

Fedora Update Notification,
FEDORA-2004-402 & 403, November 11 & 12, 2004

Gentoo Linux Security Advisory, GLSA 200411-23, November 16, 2004

Red Hat Advisory, RHSA-2004:635-03, December 13, 2004

 

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Albrecht Guenther

PHProjekt 2.0, 2.0.1, 2.1 a, 2.1-2.4, 3.0-3.2, 4.2

A vulnerability exists in 'setup.php' because arbitrary PHP scripts can be uploaded, including operating system commands, which could let a remote malicious user modify the configuration and execute arbitrary scripts.

Patch available at:
http://phprojekt.com/files/4.2/setup.zip

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-06.xml

Currently we are not aware of any exploits for this vulnerability.

PHProjekt 'setup.php' File Upload
High

Secunia Advisory,
SA13355, December 2, 2004

Gentoo Linux Security Advisory, GLSA 200412-06, December 10, 2004

Codestriker

Codestriker 1.7-1.7.8, 1.8-1.8.4

A vulnerability exists in the Codestriker repository because the repository is not correctly checked against the configuration list, which could let a remote malicious user bypass certain security restrictions.

Upgrades available at:
http://prdownloads.sourceforge.net/codestriker/codestriker-1.8.5.tar.gz?download

Currently we are not aware of any exploits for this vulnerability.

Codestriker Repository Access Control Bypass
Medium
Secunia Advisory,
SA13393, December 8, 2004

Darryl Burgdorf

WebLibs 1.0

A Directory Traversal vulnerability exists in 'weblibs.pl' due to insufficient validation, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is not exploit required; however, a Proof of Concept exploit script has been published.

Darryl Burgdorf WebLibs Directory Traversal
Medium
SecurityTracker Alert ID, 1012451, December 7, 2004

Digital Illusions

Battlefield 1942 1.6.19, Battlefield Vietnam 1.2

A remote Denial of Service vulnerability exists due to insufficient validation of the server-supplied 'numplayers' field.

This issue has been addresses in Battlefield 1942 1.61b and Battlefield Vietnam 1.21.

A Proof of Concept exploit script has been published.

Digital Illusions Multiple Games Remote Denial of Service
Low
Secunia Advisory,
SA13368, December 7, 2004

F-Secure

Policy Manager 5.11

A vulnerability exists in the 'fsmsh.dll' CGI application, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

F-Secure Policy Manager FSMSH.DLL CGI Path Disclosure
Medium
Securiteam, December 12, 2004

GameSpy Industries

GameSpy Software Development Kit

A buffer overflow vulnerability exists in the CD-key validation functionality due to insufficient validation, which could let a remote malicious user execute arbitrary code.

The vendor issued a fix on November 19, 2004.

An exploit script has been published.

Gamespy Software Development Kit CD-Key Validation Buffer Overflow
High
Securiteam, December 13, 2004

iCab

iCab 2.9.8

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

ICab Web Browser Remote Window Hijacking
Medium
Secunia Advisory,
SA13412, December 10, 2004

Infopop

UBBThreads 6.2.3, 6.5

A Cross-Site Scripting vulnerability exists in several scripts due to insufficient validation of the 'Cat' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Infopop UBBThreads Cross-Site Scripting
High
SecurityTracker Alert ID, 1012503, December 14, 2004

Last 10 Posts

Last 10 Posts 2.0.1

A vulnerability exists in the 'Last 10 Posts' script for vBulletin due to insufficient sanitization of user-supplied input prior to using in an SQL query, which could let a remote malicious user manipulate and inject SQL queries into the database.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Last 10 Posts Add-On Script For VBulletin SQL Injection

Medium
SecurityFocus, December 6, 2004

Mozilla.org

Firefox 1.x, 0.x,
Mozilla 1.7.x, 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0, 0.x

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Mozilla Browser and Mozilla Firefox Remote Window Hijacking

CVE Name:
CAN-2004-1156

Medium
SECUNIA ADVISORY ID:
SA13129, December 8, 2004

Multiple Vendors

Mozilla Browser M16, M15, 0.8, 0.9.2 .1, 0.9.2-0.9.9, 0.9.35, 0.9.48, 1.0 RC1&RC2, 1.0-1.0.2, 1.1 Beta, Alpha, 1.1, 1.2 Beta, Alpha, 1.2, 1.2.1, 1.3, 1.3.1, 1.4 b, 1.4 a, 1.4-1.4.2, 1.5, 1.5.1, 1.6, 1.7 rc1-rc3, beta, alpha, 1.7-1.7.3, 1.8 Alpha 1-Alpha 4, Firebird 0.5, 0.6.1, 0.7, Firefox Preview Release, 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1, 1.0;
Netscape Navigator 3.0 4, 4.0 x, 4.0 7, 4.06, 4.0.8, 6.0, 7.0, 7.0.2, 7.1, 7.2

A remote Denial of Service vulnerability exists due to a NULL pointer dereference when a JavaScript functions attempts to print an IFRAME that is embedded on the page.

Patch available at: https://bugzilla.mozilla.org/show_bug.cgi?id=272381

A Proof of Concept exploit has been published.

Mozilla/Netscape/ Firefox Browsers JavaScript IFRAME Rendering Denial of Service

Low
SecurityFocus, December 6, 2004

MySQL AB

MaxDB 7.5 .00.18, 7.5 .00.11-7.5.00.16, 7.5.00.08

Two vulnerabilities exist: a vulnerability exists due to a boundary error in the WebDAV handler when an overly long 'Overwrite' header is submitted, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability exist due to a NULL pointer dereference error in 'WAHTTP.'

Updates available at: http://dev.mysql.com/downloads/maxdb/7.5.00.html

There is no exploit required for the Denial of Service vulnerability; however, a Proof of Concept exploit has been published.

MaxDB WebTools Buffer Overflow & Denial of Service

CVE Names:
CAN-2004-1168
CAN-2004-1169

LowHigh

(High if arbitrary code can be executed)

Secunia Advisory,
SA13397, December 8, 2004

Novell

Netware 5, 5.1, 6.0, 6.5

A vulnerability exists because some hotkeys are still enabled when the password protected 'nlm' screensaver locks a console, which could let a malicious user bypass the authentication process.

The vendor has included a fix in the BorderManager ICSA Compliance Kit v5.0d, described at:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm

A Proof of Concept exploit has been published.

Novell NetWare Console Screen Saver Authentication
Medium
Secunia Advisory,
SA13434, December 14, 2004

opendchub.sourceforge. net

Open DC Hub Direct Connect Peer-to-peer Client 0.7.14

A buffer overflow vulnerability exists in the 'RedirectAll' command due to a boundary error, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-37.xml

An exploit script has been published.

Open DC Hub Remote Buffer Overflow
High

Gentoo Linux Security Advisory, GLSA 200411-37, November 29, 2004

PacketStorm, December 11, 2004

Opera Software

Opera Web Browser 7.0 win32, Beta 1 & Beta2,
Opera Software Opera Web Browser 7.0 1win32-7.03win32, 7.10, 7.11 j, 7.11 b, 7.11, 7.20 Beta 1 build 2981, 7.20-7.23, 7.50-7.53

A vulnerability exists due to a design error that facilitates the spoofing of file names, which could let a remote malicious user spoof the download dialog box.

Upgrades available at: http://www.opera.com/download/

Currently we are not aware of any exploits for this vulnerability.

Opera Web Browser Name Spoofing
Medium
Opera Security Advisory, December 10, 2004

Opera Software

Opera Web Browser 7.54

A vulnerability exists because a website can inject content into another site's window if the target name of the window is known, which could let a remote malicious user spoof the content of websites

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vulnerability has appeared in the press and other public media.

Opera Web Browser Remote Window Hijacking

CVE Name:
CAN-2004-1157

Medium
Secunia Advisory, SA13253, December 13, 2004

OSI Codes Inc.

PHP Live! 2.8.1

A directory and configuration file include file vulnerability exists. The impact was not specified, except to indicate that it is a "major security problem."

Update available at: http://www.phplivesupport.com/index_source.php

Currently we are not aware of any exploits for this vulnerability.

PHP Live! Unspecified Remote Configuration File Include
Not Specified
Secunia Advisory,
SA13420, December 13, 2004

PhpGedView

PhpGedView 2.52.3, 2.60, 2.61, 2.61.1, 2.65 beta5

A Cross-Site Scripting vulnerability exists in 'Descendancy.php,' 'Index.PHP,' and 'Individual.PHP' due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrades available at:
http://prdownloads.sourceforge.net/phpgedview/phpGedView-2.65.2.zip?download

There is not exploit required; however, Proofs of Concept exploits have been published.

PhpGedView Cross-Site Scripting

CVE Name:
CAN-2004-0067

High
SecurityFocus, December 9, 2004

Ryan Walberg

PHP Gift Registry 1.3.5

Multiple Cross-Site Scripting vulnerabilities exist in 'event..php' and 'index.php' due to insufficient sanitization of the 'message' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

Upgrade available at:
http://prdownloads.sourceforge.net/phpgiftreg/phpgiftreg-1.4.0.tar.gz?download

There is not exploit required.

PHP Gift Registry Multiple Cross-Site Scripting
High
Secunia Advisory,
SA13414, December 10, 2004

SugarCRM Inc.

Sugar Sales 2.0.1c & prior

Multiple vulnerabilities exist: a vulnerability exists when a remote malicious user submits specially crafted parameters to view the contents of files with the privileges of the target web service; a vulnerability exists due to a failure to remove or restrict access to the install script files after installation, which could let a remote malicious user cause a Denial of Service or obtain sensitive information; a vulnerability exists because a remote malicious user can inject SQL commands that will be executed by the underlying database; and a vulnerability exists because a remote malicious user can invoke certain scripts that will display the full installation path.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

SugarSales Input Validation

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityTracker Alert ID, 1012490, December 13, 2004

Sun Microsystems, Inc.

Java System Web Server (Sun ONE/iPlanet) 6.x, Java System Application Server (Sun ONE) 7.x

A vulnerability was reported in the Sun Java System Web Server. A remote user may be able to access active sessions.

Sun reported that a remote user may be able to access active sessions by obtaining the session ID of a target user.
Impact: A remote user can access another user's active session.

Update available at: http://wwws.sun.com/software/download/products/415a094d.html

Currently we are not aware of any exploits for this vulnerability.

Sun Java System Web Server / Application Server Active Sessions Access
Medium
Sun Security Alert, Sun Alert ID: 57699, December 13, 2004

usemod.com

UseModWiki 1.0

A Cross-Site Scripting vulnerability exists in the 'wiki.pl' script due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

UseModWiki Cross-Site Scripting
High
STG Security Advisory, SSA-20041209-13, December 14, 2004

 

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
December 12, 2004 AdobeMac.txt
No
Exploit for the Adobe Version Cue Start/Stop Scripts Arbitrary Script Execution vulnerability.
December 12, 2004 Absinthe-1.1.tar.gz
N/A
A gui-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.
December 12, 2004 citadel_fsexp.c
No
Remote root exploit for Citadel/UX format string vulnerability.
December 12, 2004 mercury.c
Yes
Exploit for the Mercury Mail Multiple Remote IMAP Stack Buffer Overflow vulnerabilities.
December 12, 2004 orbzbof.zip
No
Remote Proof of Concept exploit for the 21-6 Productions Orbz Password Field Buffer Overflow vulnerability.
December 12, 2004 WebLibs10.txt
No
Exploit for the Darryl Burgdorf WebLibs Directory Traversal vulnerability.
December 11, 2004 phpkitSQLXSS.txt
No
Proof of Concept exploit for the PHP KIT SQL injection and Cross-Site Scripting vulnerabilities.
December 11, 2004 ipbSQL.txt
No
Exploit for the IPB Pro Arcade SQL injection vulnerability.
December 11, 2004 ezshopper.txt
No
Exploit for the EZshopper Directory Traversal vulnerability.
December 11, 2004 ssfakep.zip
No
Remote Denial of Service exploit for games using the Serious engine. Generates UDP packets that have fake players enter a room
December 11, 2004 mimedefang-2.49.tar.gz
N/A
A flexible MIME email scanner designed to protect Windows clients from viruses.
December 11, 2004 winfingerprint-0.5.13.zip
N/A
A Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.
December 11, 2004 bilbo-0.11.tar.gz
N/A
A wrapper for nmap that makes it easier to scan lots of machines or networks.
December 11, 2004 IPSWSFTP-exploit.c
No
Exploit for the IpSwitch WS_FTP Buffer Overflow vulnerability.
December 11, 2004 coffeecupbof.txt
No
Script that exploits the CoffeeCup Direct/Free FTP ActiveX Component Remote Buffer Overflow vulnerability.
December 11, 2004 OpenDcHub-poc.zip
Yes
Exploit for the Open DC Hub Remote Buffer Overflow vulnerability.
December 11, 2004 winampm3u.c
Yes
Script that exploits the Nullsoft Winamp 'IN_CDDA.dll' Buffer Overflow vulnerability.
December 11, 2004 atari800.txt
Yes
Exploit for the Atari800 Emulator Multiple Buffer Overflows vulnerabilities.
December 11, 2004 000102advisory.txt
Yes
Exploit for the MailEnable Stack Overflow & Pointer Overwrite vulnerability.
December 11, 2004 phpnolimit.c
Yes
Exploit for the PHP 'memory_limit' and strip_tags() Remote Vulnerabilities
December 11, 2004 phpnews.txt
Yes
Exploit for the PHPNews SQL Injection vulnerability.
December 11, 2004 wodftpcrash.txt
Yes
Denial of Service exploit for the WodFtpDLX buffer overflow vulnerability.
December 10, 2004 wgetTrapPOC.pl
No
Perl script that exploits the GNU WGet Multiple Remote Vulnerabilities.
December 10, 2004 goregsbof.zip
Yes
Exploit for the Gamespy Software Development Kit CD-Key Validation Buffer Overflow vulnerability.
December 9, 2004 ie6-file-detection.txt
No
Exploit for the Microsoft Internet Explorer Sysimage Protocol Handler Information Disclosure vulnerability,
December 8, 2004 keriodos.txt
No
Exploit for the Kerio Personal Firewall Local Denial of Service vulnerability.
December 7, 2004 md5_someday.pdf
N/A
Collision vulnerabilities in MD5 Checksums - It is possible to create different executables which have the same md5 hash. The attacks remain limited, for now. The attack allows blocks in the checksumm'd file to be swapped out for other blocks without changing the final hash. A tool to demonstrate these vulnerabilities is available here.
December 7, 2004 iosetup_crash.c
No
Script that exploits the Linux Kernel AIO_Free_Ring Local Denial of Service vulnerability.
December 7, 2004 bfcboom.tar
bfcboom.zip
Yes
Proof of Concept exploits for the Digital Illusions Multiple Games Remote Denial of Service vulnerability.

[back to top]

Trends

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Netsky-D Win32 Worm Stable March 2004
3
Zafi-B Win32 Worm Stable June 2004
4
Sober-I Win32 Worm Slight Increase November 2004
5
Netsky-Z Win32 Worm Slight Increase April 2004
6
Netsky-Q Win32 Worm Slight Increase March 2004
7
Bagle-AA Win32 Worm Slight Increase April 2004
8
Bagle-AT Win32 Worm Decrease October 2004
9
Bagle-AU Win32 Worm Stable October 2004
10
Netsky-B Win32 Worm Stable February 2004

Table Updated December 14, 2004

Viruses or Trojans Considered to be a High Level of Threat

  • Sophos, a leader in protecting businesses against viruses and spam, released a report revealing the hardest hitting viruses of 2004. In a year which saw a 51.8 percent increase in the number of new viruses, the Netsky-P worm has accounted for almost a quarter of all virus incidents reported, making it the hardest hitting virus of 2004. For more information, see: http://www.govtech.net/?pg=news/news&id=92407.
  • US-CERT has received reports of a new variant of the Zafi virus referred to as "W32/Zafi.D" or "W32.Erkez.D@mm". It arrives as an attachment to an email containing a holiday greeting message. For more information, see: http://www.us-cert.gov/current/current_activity.html.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
Backdoor.Ranky.N   Trojan
BackDoor-BAC.dll   Trojan
Cabir.C SymbOS/Cabir.c
EPOC/Cabir.c
Worm.Symbian.Cabir.c, MYTITI virus
Worm
Cabir.D SymbOS/Cabir.D
EPOC/Cabir.D Worm.Symbian.Cabir.D, [YUAN] virus
Worm
Cabir.Dropper SymbOS/Cabir.Dropper
Norton AntiVirus 2004 Professional.sis
Worm
Downloader-TA.dll BackDoor-BAC.dll Trojan
HotWorld   Trojan
Janx.A   Internet Worm
JS.Speth.Worm   JavaScript Worm
Troj/Brabot-A W32/Generic.worm!p2p
Backdoor.Win32.Brabot.a
Trojan
Trojan.Conycspa   Trojan
TrojanDropper.FakeSpamFighter Fake Lycos Screensave
FakeSpamFighter
Fake Spam Fighter
Trojan
VBS.Junkmail@mm   Visual Basic Script Worm
W32.Gaobot.BUU   Win32 Worm
W32.Janx   Win32 Worm
W32.Maslan.C@mm W32/Maslan.c@MM
Backdoor.Win32.SdBot.ts
Net-Worm.Win32.Maslan.b
PE_MASLAN.C
W32/Maslan-C
W32/Sdbot-RW
Win32.HLLM.Alaxala
Win32 Worm
W32.Qeds@mm   Win32 Worm
W32/Agobot-DAA   Win32 Worm
W32/Agobot-NX   Win32 Worm
W32/Anig-C W32/Anig.worm.gen
W32.HLLW.Anig
Win32 Worm
W32/Atak-F   Win32 Worm
W32/Atak-G   Win32 Worm
W32/Bagle.bf@MM   Win32 Virus
W32/Bagle.bg@MM I-Worm.Bagle.g
W32.Beagle.H@mm
Win32/Bagle.H.Worm
Win32 Virus
W32/Maslan-C Net-Worm.Win32.Maslan.b Win32 Worm
W32/Rbot-RJ   Win32 Worm
W32/Rbot-RN   Win32 Worm
W32/Sdbot-SB   Win32 Worm
W32/Sdbot-SG   Win32 Worm
W32/Zafi-D

WORM_ZAFI.D
W32/Zafi.d@MM
Email-Worm.Win32.Zafi.d
W32/Zafi.D.worm
W32.Erkez.D@mm
Win32.Zafi.D
Zafi.D

Win32 Worm
Win32.Lemoor.B 32.Lemoor.A
Win32/Lemoor.B.Worm
W32/Lemoor.gen
Worm.Win32.Lemoor.c
Win32 Worm
Win32.Lioten.GJ

Win32/Randex.45568.Worm
W32/Sdbot.ARW
WORM_SDBOT.ZW

Win32 Worm
Win32.Prutec.A Win32/Prutec.A.Trojan Trojan
Win32.Yanz.B W32/Favsin-A
Email-Worm.Win32.Yanz.b
Win32/Yaha.Variant.Worm
WORM_YANZ.B
W32/Yanz.b@MM
W32.Yanz.B@mm
W32/Yanzi.B@mm
Win32 Worm
WORM_BAGZ.I W32.Bagz@mm
W32/Bagz.b@MM
Win32/Bagz.B@mm
I-Worm.Bagz.b
W32/Bagz.A@mm
W32/Bagz-B
Worm/Bagz.B.1
I-Worm/Bagz.B
I-Worm.Win32.Bagz.163846
Win32 Worm
WORM_MASLAN.A Email-Worm.Win32.Maslan.a
W32.Maslan.A@mm
Maslan.A
Net-Worm.Win32.Maslan.a
W32/Maslan-A
Maslan.A
Win32 Worm
WORM_RBOT.AEF   Win32 Worm

[back to top]

 

 

 

Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top