U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB05-012)

Summary of Security Items from January 5 through January 11, 2005

Original release date: January 12, 2005

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

3Com

3CDaemon 2.0 revision 10

Multiple vulnerabilities exist: a buffer overflow vulnerability exists when a remote malicious user submits a specially crafted FTP username, which could lead to the execution of arbitrary code; a buffer overflow vulnerability exists in several FTP commands, including cd, send, ls, put, delete, rename, rmdir, literal, stat, and cwd, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user submits an FTP user command with format string characters; a format string vulnerability exists in the cd, delete, rename, rmdir, literal, stat, and cwd [and others] commands, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user connects to the TFTP service and requests an MS-DOS device name; a vulnerability exists when the directory to an MS-DOS device name or a filename is changed, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

3Com 3CDaemon Multiple Remote Vulnerabilities

Low/Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

[I.T.S] Security Research Team Advisory, January 4, 2005

Amp

Amp II 3D Game Engine

A remote Denial of Service vulnerability exists due to a failure to handle exceptional conditions.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Amp II 3D Game Engine Remote Denial of Service
Low
Secunia Advisory, SA13754, January 7, 2005

Jeuce.com

Jeuce Personal Web Server 2.13

Multiple vulnerabilities exist: a Directory Traversal vulnerability exists due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when handling certain URLs.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Jeuce Personal Web Server Directory Traversal & Denial of Service

Low/Medium

(Medium if sensitive information can be obtained)

GSSIT - Global Security Solution IT Advisory, January 6, 2005

JoWood Productions

Soldner Secret Wars 30830

Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user submits a UDP packet that contains 1402 or more bytes; a format string vulnerability exists which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a Cross-Site Scripting vulnerability exists in the administrative web interface log display, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

An exploit script has been published.

Soldner Secret Wars Multiple Remote Vulnerabilities

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1012790, January 6, 2005

Microsoft

FrontPage 2000

A vulnerability exists in the DATA Access Internet Publishing Service Provider Distributed Versioning and Authoring (DAV) functionality, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Microsoft FrontPage 2000 DAV File Upload

High

SecurityFocus, December 31, 2004

Microsoft

Internet Explorer 6.0, SP1&SP2

A vulnerability exists in the DHTML Edit ActiveX control, which could let a remote malicious user inject arbitrary scripting code into a different window on the target user's system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer DHTML Edit Control Script

CVE Name:
CAN-2004-1319

High

Bugtraq, December 15, 2004

US-CERT Vulnerability Note, VU#356600, January 6, 2005

Microsoft

Windows (XP SP2 is not affected)

A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
ms05-002.mspx

A Proof of Concept exploit has been published.

Microsoft Windows ANI File Parsing Errors

CVE Name:
CAN-2004-1305

Low

VENUSTECH Security Lab, December 23, 2004

Microsoft Security Bulletin MS05-002, January 11, 2005

US-CERT Vulnerability Notes, VU#177584 & VU#697136, January 11, 2005

Microsoft

Windows (XP SP2 is not affected)

An integer overflow vulnerability was reported in the LoadImage API. A remote user can execute arbitrary code. A remote user can create a specially crafted image file that, when processed by the target user, will trigger an overflow in the USER32 library LoadImage API and execute arbitrary code. The code will run with the privileges of the target user.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
ms05-002.mspx

A Proof of Concept exploit has been published.

Microsoft Windows LoadImage API Buffer Overflow

CVE Names:
CAN-2004-1049

High

VENUSTECH Security Lab. December 23, 2004

Microsoft Security Bulletin MS05-002, January 11, 2005

US-CERT Vulnerability Note, VU#625856, January 11, 2005

Microsoft

WindowsXP SP1 & prior service packs, 2003

A buffer overflow vulnerability exists in the Indexing Service due to the way query validation is handled, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-003.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Windows Indexing Service Buffer Overflow

CVE Name:
CAN-2004-0897

Low/High

(High if arbitrary code can be executed)

Microsoft Security Bulletin MS05-003, January 11, 2005

Microsoft

Windows 2000 SP3 & SP4, XP SP1 & SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

A cross-domain vulnerability exists in the HTML Help ActiveX control, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
MS05-001.mspx

Exploits have been published.

Microsoft Windows HTML Help ActiveX Control

CVE Name:
CAN-2004-1043

High
Microsoft Security Bulletin MS05-001, January 11, 2005

Symantec

Norton AntiVirus 2004, 2004 Professional Edition

A remote Denial of Service vulnerability exists due to a buffer overflow in the 'CcErrDsp.ErrorDisplay.1' ActiveX object.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow
Low
Bugtraq, January 6, 2005

Winace.com

Winace 2.5, 2.6 Beta 4

A Directory Traversal vulnerability exists due to an input validation error when extracting files compressed with GZIP (.gz) or ZIP (.zip), which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Proofs of Concept exploit scripts have been published.

Winace Remote Directory Traversal

Medium
Secunia Advisory,
SA13734, January 6, 2005

winace.com

WinHKI 1.4 d

Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user creates a BH compressed file with a specially crafted header; a remote Denial of Service vulnerability exists when processing LHA files; and a Directory Traversal vulnerability exists when the application processes malformed BH, CAB, and ZIP compressed files, which could let a remote malicious user modify information.

No workaround or patch available at time of publishing.

There is no exploit required; however, Proofs of Concept exploits have been published.

WinHKI Multiple Remote Vulnerabilities

Low/Medium

(Medium if information can be modified)

SecurityTracker Alert ID, 1012798, January 6, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Alexander Palmo

Simple PHP Blog 0.3.7 c

A Directory Traversal vulnerability exists in the 'entry' parameter due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information.

Patch available at:
http://www.bigevilbrain.com/sphpblog/development/files/
patches_0.3.7r2.tgz

There is no exploit code required; however, a Proof of Concept exploit has been published.

Alexander Palmo
Simple PHP Blog Remote Directory Traversal
Medium
Bugtraq, January 7, 2005

Andrew W. Rogers

pcal 0.7.1

Two vulnerabilities were reported in pcal. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted calendar file that, when processed by the target user with pcal, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the getline() function in 'pcalutil.c' and the get_holiday() function in 'readfile.c'.

Debian:
http://www.debian.org/security/2005/dsa-625

A Proof of Concept exploit script has been published.

Andrew W. Rogers
pcal Buffer Overflows

CVE Name:
CAN-2004-1289

High

SecurityTracker Alert ID, 1012592, December 16, 2004

Debian Security Advisory,
DSA-625-1 pcal, January 5, 2005

Christoph Dalitz

abctab2ps 1.6.3

A vulnerability was reported in abctab2ps. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ABC file that, when processed by the target user with abctab2ps, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the write_heading() function in 'subs.cpp' and the trim_title() function in 'parse.cpp.'

Upgrade available at:
http://www.lautengesellschaft.de/cdmm/#Download

A Proof of Concept exploit script has been published.

Christoph Dalitz abctab2ps Buffer Overflows
High

SecurityTracker Alert ID, 1012578, December 16, 2004

SecurityFocus, January 5, 2005

dillo.org

Dillo 0.8.3 a& prior

A format string vulnerability exists in 'capi.c' in the 'a_interface_msg()' function, which could let a remote malicious user execute arbitrary code.

Update available at: http://www.dillo.org/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-11.xml

A Proof of Concept exploit has been published.

Dillo
'a_Interface_msg()' Format String
High
Gentoo Linux Security Advisory, GLSA 200501-11, January 9, 2005

Easy Software Products

CUPS 1.1.21, 1.1.22 rc1, 1.1.22

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted HTTP GET request.

Upgrades available at:
http://www.cups.org/software.php?SOFTWARE=v1_2

A Proof of Concept exploit has been published.

CUPS HTTP
GET Denial of Service
Low
SecurityTracker Alert ID, 1012811, January 7, 2005

GNU / GPL
  Conectiva
  Gentoo
  Mandrake
  RedHat
  SuSE
  Trustix

Samba 3.0.0 - 3.0.4 and 2.2.9 and prior

 

Multiple buffer overflow vulnerabilities exist in Samba that could allow a remote user to execute arbitrary code on the target system. These are caused by boundary errors when decoding base64 data and when handling 'mangling method = hash.'

Upgrade to version 3.0.5 or 2.2.10 available at: http://us2.samba.org/samba/ftp/

Conectiva:
ftp://atualizacoes.conectiva.com.br

RedHat: RedHat Enterprise Linux AS 3, ES 3, WS 3:
http://rhn.redhat.com/

Gentoo:
http://security.gentoo.org/glsa/glsa-200407-21.xml

Mandrakesoft: Mandrake Multi Network Firewall 8.x, 9.x; Mandrake Corporate Server 2.x
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:071

SuSE: SuSE Linux, Email, Database, and Enterprise Servers
http://www.suse.de/de/security/2004_22_samba.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

Sun: http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57664-1&searchclause=

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57664-1&searchclause=

A working exploit has been published.

Samba Buffer Overflow Vulnerabilities

CVE Names:
CAN-2004-0600
CAN-2004-0686
High

Samba Release Notes 3.0.5, July 20, 2004

Gentoo, RedHat, Mandrakesoft, SuSE, Trustix, Conectiva Advisories

Sun(sm) Alert Notification, 57664, October 25, 2004

Sun(sm) Alert Notification, 57664, January 26, 2005 updated

GNU

a2ps 4.13b

Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

Debian:
http://security.debian.org/pool/updates/main/a/a2ps/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml

Currently we are not aware of any exploits for these vulnerabilities.

GNU a2ps
Two Scripts Insecure Temporary File
Creation
Medium

Secunia SA13641, December 27, 2004

Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005

GNU

a2ps 4.13

A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process.

A patch for FreeBSD is available at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/
print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

Debian:
http://www.debian.org/security/2004/dsa-612

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml

A Proof of Concept exploit has been published.

GNU a2ps Filenames Shell Commands Execution
High

SecurityTracker Alert ID, 1012475, December 10, 2004

Debian Security Advisory
DSA-612-1 a2ps, December 20, 2004

Gentoo GLSA 200501-02, January 5, 2005

GNU

MPlayer 1.0pre5

A vulnerability was reported in MPlayer in the processing of ASF streams. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ASF video stream that, when viewed by the target user with MPlayer, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

Gentoo:
http://www.gentoo.org/security/en/glsa
/glsa-200412-21.xml

Conectiva:
http://distro.conectiva.com.br/atualizacoes/
index.php?id=a&anuncio=000910

A Proof of Concept exploit script has been published.

GNU MPlayer ASF Streams Processing Buffer Overflow
High

SecurityTracker Alert ID, 1012562, December 16, 2004

Gentoo GLSA 200412-21 / MPlayer, December 12, 2004

Conectiva Advisory, CLSA-2005:910, January 5, 2005

GNU

Vim 6.x, GVim 6.x

Multiple vulnerabilities exist which can be exploited by local malicious users to gain escalated privileges. The vulnerabilities are caused due to some errors in the modelines options. This can be exploited to execute shell commands when a malicious file is opened. Successful exploitation can lead to escalated privileges but requires that modelines is enabled.

Apply patch for vim 6.3: f
tp://ftp.vim.org/pub/vim/patches/6.3/6.3.045

Gentoo:
http://www.gentoo.org/security/en/
glsa/glsa-200412-10.xml

Red Hat:
http://rhn.redhat.com/errata/RHSA-2005-010.html

Mandrake:
http://www.mandrakesoft.com/security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

GNU Vim / Gvim Modelines Command Execution Vulnerabilities

CVE Name:
CAN-2004-1138

Medium

Gentoo Linux Security Advisory, GLSA 200412-10 / vim, December 15, 2004

Red Hat Advisory RHSA-2005:010-05, January 5, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:003, January 6, 2005

GNU

xine prior to 0.99.3

Multiple vulnerabilities exist that could allow a remote user to execute arbitrary code on the target user's system. There is a buffer overflow in pnm_get_chunk() in the processing of the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG, and CONT_TAG parameters.

The vendor has issued a fixed version of xine-lib (1-rc8), available at: http://xinehq.de/index.php/releases

A patch is also available at:
http://cvs.sourceforge.net/viewcvs.py/xine/
xine-lib/src/input/pnm.c?r1=
1.20&r2=1.21

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-07.xml

A Proof of Concept exploit has been published.

GNU xine Buffer
Overflow in pnm_get_chunk()

CVE Name:
CAN-2004-1187
CAN-2004-1188

High

iDEFENSE Security Advisory 12.21.04

Gentoo, GLSA 200501-07, January 6, 2005

GNU

xine-lib 1.x

Multiple vulnerabilities with unknown impacts exist due to errors in the PNM and Real RTSP clients.

Update to version 1-rc8:
http://xinehq.de/index.php/download

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-07.xml

Currently we are not aware of any exploits for these vulnerabilities.

GNU xine-lib
Unspecified PNM &
Real RTSP Clients Vulnerabilities

CVE Name:
CAN-2004-1300

Not Specified

Secunia Advisory, SA13496, December 16, 2004

Gentoo Linux Security Advisory, GLSA 200501-07, January 6, 2005

GNU

Xpdf prior to 3.00pl2

A buffer overflow vulnerability exists that could allow a remote user to execute arbitrary code on the target user's system. A remote user can create a specially crafted PDF file that, when viewed by the target user, will trigger an overflow and execute arbitrary code with the privileges of the target user.

A fixed version (3.00pl2) is available at: http://www.foolabs.com/xpdf/download.html

A patch is available:
ftp://ftp.foolabs.com/pub/xpdf/
xpdf-3.00pl2.patch

KDE:
http://www.kde.org/info/security/advisory-20041223-1.txt

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-24.xml

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/

Mandrakesoft (update for koffice):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:165

Mandrakesoft (update for kdegraphics): http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:163

Mandrakesoft (update for gpdf):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:162

Mandrakesoft (update for xpdf):
http://www.mandrakesoft.com/security
/advisories?name=MDKSA-2004:161

Mandrakesoft (update for tetex):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:166

Debian:
http://www.debian.org/security/2004/dsa-619

Fedora (update for tetex):
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Fedora: http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/3/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-13.xml

Currently we are not aware of any exploits for this vulnerability.

GNU Xpdf Buffer Overflow in doImage()

CVE Name:
CAN-2004-1125

High

iDEFENSE Security Advisory 12.21.04

KDE Security Advisory, December 23, 2004

Mandrakesoft, MDKSA-2004:161,162,163,165, 166, December 29, 2004

Fedora Update Notification,
FEDORA-2004-585, January 6, 2005

Gentoo Linux Security Advisory, GLSA 200501-13, January 10, 2005

Info-ZIP

Zip 2.3

A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/z/zip/

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-16.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-634.html

Debian:
http://www.debian.org/security/2005/dsa-624

Currently we are not aware of any exploits for this vulnerability.

 

Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow

CVE Name:
CAN-2004-1010

High

Bugtraq, November 3, 2004

Ubuntu Security Notice, USN-18-1, November 5, 2004

Fedora Update Notification,
FEDORA-2004-399 & FEDORA-2004-400, November 8 & 9, 2004

Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Red Hat Advisory, RHSA-2004:634-08, December 16, 2004

Debian DSA-624-1, January 5, 2005

 

J Whitham

HTGET 0.93

A buffer overflow vulnerability was reported in HTGET. A remote malicious user can cause arbitrary code to be executed. A remote user can create a specially crafted URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code.

Debian:
http://www.debian.org/security/2004/dsa-611

An exploit script has been published.

J Whitham HTGET
Buffer Overflow

CVE Name:
CAN-2004-0852

High

Debian Security Advisory
DSA-611-1 htget, December 20, 2004

PacketStorm, January 6, 2005

KDE

KDE 3.x, 2.x

A vulnerability exists in kio_ftp, which can be exploited by malicious people to conduct FTP command injection attacks.

The vulnerability has been fixed in the CVS repository.

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:160

Debian:
http://security.debian.org/pool/updates/main/k/kdelibs/

Currently we are not aware of any exploits for this vulnerability.

KDE kio_ftp FTP Command Injection Vulnerability

CVE Name:
CAN-2004-1165

Medium

KDE Advisory Bug 95825, December 26, 2004

Debian Security Advisory, DSA 631-1, January 10, 2005

KDE

Konqueror prior to 3.32

Two vulnerabilities exist in KDE Konqueror, which can be exploited by malicious people to compromise a user's system.The vulnerabilities are caused due to some errors in the restriction of certain Java classes accessible via applets and Javascript. This can be exploited by a malicious applet to bypass the sandbox restriction and read or write arbitrary files.

Update to version 3.3.2:
http://kde.org/download/

Apply patch for 3.2.3:
ftp://ftp.kde.org/pub/kde/security_
patches/post-3.2.3-kdelibs-khtml-java.tar.bz2

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:154

Currently we are not aware of any exploits for these vulnerabilities.

KDE Konqueror
Java Sandbox Vulnerabilities

CVE Name:
CAN-2004-1145

High

KDE Security Advisory, December 20, 2004

Mandrakesoft MDKSA-2004:154, December 22, 2004

US-CERT Vulnerability Note, VU#420222, January 5, 2005

Larry Wall

Perl 5.8.3

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-04.xml

Debian:
http://security.debian.org/pool/updates/main/p/perl/

There is no exploit code required.

Perl
Insecure Temporary
File Creation

CVE Name:
CAN-2004-0976

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Ubuntu Security Notice, USN-16-1, November 3, 2004

Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004

Debian Security Advisory, DSA 620-1, December 30, 2004

LGPL

NASM 0.98.38

A vulnerability was reported in NASM. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted asm file that, when processed by the target user with NASM, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the error() function in 'preproc.c.'

Gentoo:
http://www.gentoo.org/security/en/
glsa/glsa-200412-20.xml

Debian:
http://www.debian.org/security/2005/dsa-623

Mandrake:
http://www.mandrakesoft.com/security/advisories

A Proof of Concept exploit script has been published.

LGPL NASM error() Buffer Overflow

CVE Name:
CAN-2004-1287

High

Secunia Advisory ID, SA13523, December 17, 2004

Debian Security Advisory
DSA-623-1 nasm, January 4, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:004, January 6, 2005

libtiff.org

LibTIFF 3.6.1

Avaya MN100 (All versions), Avaya Intuity LX (version 1.1-5.x), Avaya Modular Messaging MSS (All versions)

 

Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora:
http://download.fedora.redhat.com/pub/fedora/
linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-577.html

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

KDE: Update to version 3.3.2:
http://kde.org/download/

Apple Mac OS X:
http://www.apple.com/swupdates/

Gentoo: KDE kfax:
http://www.gentoo.org/security
/en/glsa/glsa-200412-17.xml

Avaya: No solution but workarounds available at: http://support.avaya.com/elmodocs2/security/ASA-2005-002_RHSA-2004-577.pdf

Proofs of Concept exploits have been published.

LibTIFF Buffer
Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be execute)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification,
FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

Slackware Security Advisory, SSA:2004-305-02, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004

US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004

Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004

KDE Security Advisory, December 9, 2004

Apple Security Update SA-2004-12-02

Gentoo Security Advisory, GLSA 200412-17 / kfax, December 19, 2004

Avaya Advisory ASA-2005-002, January 5, 2005

Conectiva Linux Security Announcement, CLA-2005:914, January 6, 2005

Little Igloo

LinPopUp 1.2.0

A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can send a specially crafted message to LinPopUp to trigger a buffer overflow in strexpand() in 'string.c' and execute arbitrary code. The code will run with the privileges of the LinPopUp process.

Debian:
http://security.debian.org/pool/updates/main/l/linpopup/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-01.xml

A Proof of Concept exploit script has been published.

Little Igloo LinPopUp strexpand() Buffer Overflow
High

SecurityTracker Alert ID, 1012542, December 16, 2004

Gentoo GLSA 200501-01, January 5, 2005

Debian Security Advisory, DSA 632-1, January 10, 2005

MIT

Kerberos 5 krb5-1.3.5 and prior

A buffer overflow exists in the libkadm5srv administration library. A remote malicious user may be able to execute arbitrary code on an affected Key Distribution Center (KDC) host. There is a heap overflow in the password history handling code.

A patch is available at:
http://web.mit.edu/kerberos/advisories/
2004-004-patch_1.3.5.txt

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-05.xml

Currently we are not aware of any exploits for this vulnerability.

Kerberos
libkadm5srv Heap Overflow

CVE Name:
CAN-2004-1189

High

SecurityTracker Alert ID, 1012640, December 20, 2004

Gentoo GLSA 200501-05, January 5, 2005

 

Mozilla.org

Mozilla Browser 1.7, rc1-rc3, beta, alpha, 1.7.1-1.7.3, 1.8 Alpha 1-4, Firefox Preview Release
Mozilla Firefox 0.9, rc, 0.9.1-0.9.3, 0.10, 0.10.1, Thunderbird 0.6, 0.7-0.7.3, 0.8

A vulnerability exists in the 'Open with' option because the software saves the file in the '/tmp' directory with world-readable permissions, which could let a malicious user obtain sensitive information.

Fixes are available in the CVS repository.

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

There is no exploit code required.

Mozilla Temporary File Insecure Permissions Information Disclosure
Medium

Secunia Advisory,
SA12956, October 25, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Multiple Vendors

Linux kernel 2.6.10, 2.6.9

A Denial of Service vulnerability exists in the 'mlockall()' system call due to a failure to properly enforce defined limits.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial
of Service
Low
Bugtraq, January 7, 2005

Multiple Vendors

Exim 4.43 & prior

Multiple vulnerabilities exist that could allow a local user to obtain elevated privileges. There are buffer overflows in the host_aton() function and the spa_base64_to_bits() functions. It may be possible to execute arbitrary code with the privileges of the Exim process.

The vendor has issued a fix in the latest snapshot:

ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/
Testing/exim-snapshot.tar.gz

ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/
Testing/exim-snapshot.tar.gz.sig

Also, patches for 4.43 are available at:
http://www.exim.org/mail-archives/
exim-announce/2005/msg00000.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/

Currently we are not aware of any exploits for these vulnerabilities.

GNU Exim Buffer Overflows

CVE Names:
CAN-2005-0021
CAN-2005-0022

High
SecurityTracker Alert ID: 1012771, January 5, 2005

Multiple Vendors

Linux kernel 2.,6 -test9-CVS, -test1-test11,
Linux kernel 2.6.1, rc1&rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core2 & Core3

A vulnerability exists which could let a malicious user obtain sensitive information.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
SYSENTER Thread Information Pointer
Local Information Disclosure

Medium
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Linux kernel 2.,6 -test9-CVS, -test1-test11,
Linux kernel 2.6.1, rc1&rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core2 & Core3

A vulnerability exists in the SCM system due to a failure to properly call defined security module functions, which could let a malicious user bypass security measures.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Local
File Descriptor Passing Security Module
Bypass

Medium
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Perl

A race condition vulnerability was reported in the 'File::Path::rmtree()' function. A remote user may be able to obtain potentially sensitive information. A remote user may be able to obtain potentially sensitive information or modify files.

The vendor has released Perl version 5.8.4-5 to address this vulnerability. Customers are advised to contact the vendor for information regarding update availability.

Debian:
http://security.debian.org/pool/updates/main/p/perl/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Perl File::Path::rmtree() Permission
Modification
Vulnerability

CVE Name:
CAN-2004-0452

Medium

Ubuntu Security Notice, USN-44-1, December 21, 2004

Debian Security Advisory, DSA 620-1, December 30, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Gentoo Linux;
LibTIFF LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6 .0, 3.6.1, 3.7, 3.7.1;
RedHat Fedora Core2& Core 3;
Ubuntu Ubuntu Linux 4.1 ppc, ia64, ia32

A vulnerability exists in the tiffdump utility, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-06.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/

Currently we are not aware of any exploits for this vulnerability.

LibTIFF TIFFDUMP Heap Corruption
Integer Overflow

CVE Name:
CAN-2004-1183

High
SecurityTracker Alert ID, 1012785, January 6, 2005

Multiple Vendors

Linux Kernel

A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'.

Red Hat:
https://bugzilla.redhat.com/bugzilla
/attachment.cgi?id=107493&action=view

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel
USB io_edgeport
Driver Integer Overflow

CVE Name:
CAN-2004-1017

Low/ Medium

(Medium if elevated privileges can be obtained)

SecurityTracker Alert ID: 1012477, December 10, 2004

Fedora Update Notifications,
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Linux kernel 2.2-2.2.25, 2.3, 2.3.99, pre1-pre7, 2.4 .0, test1-test12, 2.4-2.4.28, 2.4.29 -rc2, 2.5 .0-2.5.65

Multiple buffer overflow vulnerabilities exist in the 'drivers/char/moxa.c' file due to insufficient bounds checks prior to copying user-supplied data to fixed-size memory buffers, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for these vulnerabilities.

Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflows
High
Bugtraq, January 7, 2005

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/
v2.4/linux-2.4.28.tar.bz2

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-504.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendors Linux Kernel AF_UNIX Arbitrary Kernel
Memory Modification

CVE Name:
CAN-2004-1068

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

SecurityFocus, December 14, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux kernel 2.4, 2.4 .0 test1-test 12, 2.4-2.4.28, 2.4.29 -rc2, 2.6 .10, 2.6, test1-test11, 2.6.1-2.6.10, 2.6.10 rc2

An integer overflow vulnerability exists in the 'random.c' kernel driver due to insufficient sanitization of the 'poolsize_strategy' function, which could let a malicious user cause a Denial of Service or execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel Random Poolsize SysCTL Handler Integer
Overflow

Low/High

(High if arbitrary code can be executed)

Bugtraq, January 7, 2005

Multiple Vendors

Linux Kernel 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29 -rc2, 2.6, test1-test11, 2.6.1, rc1-rc2, 2.6.2-2.6.9, 2.6.10 rc2

A vulnerability exists in the 'load_elf_library()' function in 'binfmt_elf.c' because memory segments are properly processed, which could let a remote malicious user execute arbitrary code with root privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel uselib() Root Privileges

CVE Name:
CAN-2004-1235

High
iSEC Security Research Advisory, January 7, 2005

Multiple Vendors

Linux Kernel 2.6 - 2.6.10 rc2

The Linux kernel is prone to a local Denial of Service vulnerability. This vulnerability is reported to exist when 'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options are set in the Linux kernel. A local attacker may exploit this vulnerability to trigger a kernel panic and effectively deny service to legitimate users.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel Sock_DGram_SendMsg Local Denial of Service

CVE Name:
CAN-2004-1069

Low

Ubuntu Security Notice USN-38-1 December 14, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux Kernel 2.6 - 2.6.9, 2.4 - 2.4.28

Integer overflow vulnerabilities exist that could allow a local user to cause Denial of Service conditions. These overflows exist in ip_options_get() and vc_resize() and a memory leak in ip_options_get().

The vendor has issued a fix in 2.6.10rc3bk5 and possibly also in the 2.4 release candidate.

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates

A Proof of Concept exploit has been published.

Multiple Vendors Linux Kernel ip_options_get() and vc_resize() Integer Overflows
Low

Georgi Guninski Security Advisory #72, December 15, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux Kernel 2.6 .10, 2.6, test-test11, 2.6.1-2.6.10, 2.6.10 rc2

An integer overflow vulnerability exists in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
SCSI IOCTL Integer Overflow
High
Bugtraq, January 7, 2005

Multiple Vendors

Samba 2.2.9, 3.0.8 and prior

An integer overflow vulnerability in all versions of Samba's smbd 0.8 could allow an remote malicious user to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.

Patches available at:
http://www.samba.org/samba/ftp/patches/
security/samba-3.0.9-CAN-2004-1154.patch

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-670.html

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-13.xml

Trustix:
http://www.trustix.net/errata/2004/0066/

Red Hat (Updated):
http://rhn.redhat.com/errata/RHSA-2004-670.html

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

SUSE:
http://www.novell.com/linux/security/
advisories/2004_45_samba.html

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:158

Conectiva:
ftp://atualizacoes.conectiva.com.br/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-020.html

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Samba smbd Security
Descriptor

CVE Name:
CAN-2004-1154

High

iDEFENSE Security Advisory 12.16.04

Red Hat Advisory, RHSA-2004:670-10, December 16, 2004

Gentoo Security Advisory, GLSA 200412-13 / Samba, December 17, 2004

US-CERT, Vulnerability Note VU#226184, December 17, 2004

Trustix Secure Linux Advisory #2004-0066, December 17, 2004

Red Hat, RHSA-2004:670-10, December 16, 2004

SUSE, SUSE-SA:2004:045, December 22, 2004

RedHat Security Advisory, RHSA-2005:020-04, January 5, 2005

Conectiva Linux Security Announcement, CLA-2005:913,January 6, 2005

MySQL

Eventum 1.3.1

Multiple vulnerabilities exist which can be exploited by malicious people to conduct Cross-Site Scripting and script insertion attacks and potentially bypass certain security restrictions. 1) Input passed to the 'email' parameter in 'index.php' and 'forgot_password.php,' and the 'title' and 'outgoing_sender_name' parameters in 'projects.php' is not properly sanitized before being returned to users. 2) Input passed to the 'full_name,' 'sms_email,' 'list_refresh_rate,' and 'emails_refresh_rate' parameters in 'preferences.php' is not properly sanitized 3) Eventum has a undocumented default administrator account.

Upgrades available at:
http://dev.mysql.com/get/Downloads/
eventum/eventum-1.4.tar.gz/from/pick

Currently we are not aware of any exploits for theses vulnerabilities.

MySQL Eventum
Multiple Vulnerabilities
High

CIRT-200404 and CIRT-200405: December 28, 2004

SecurityFocus, January 5, 2005

 

Namazu Project

Namazu 2.0.13 and prior

A vulnerability exists which can be exploited by malicious people to conduct Cross-Site Scripting attacks. Input passed to 'namazu.cgi' isn't properly sanitized before being returned to the user if the query begins from a tab ('%09'). This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Update to version 2.0.14:
http://namazu.org/#download

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/updates
/main/n/namazu2/

Currently we are not aware of any exploits for this vulnerability.

Namazu Cross-Site Scripting Vulnerability

CVE Name:
CAN-2004-1318

High

Namazu Security Advisory, December 15, 2004

Debian Security Advisory, DSA 627-1, January 6, 2005

Nuclear Elephant.com

mod_dosevasive 1.9 and prior

A vulnerability exists in 'mod_dosevasive' for Apache that could allow a local user to obtain elevated privileges. The software creates unsafe temporary files. A local user can create a symbolic link (symlink) from a non-existent file on the system to a predictably named temporary file in the '/tmp' directory. When mod_dosevasive is run, the symlinked file will be created with the privileges of the web service.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Nuclear Elephant mod_dosevasive Symlink Flaw
Medium
LSS Security Advisory #LSS-2005-01-01, January 4, 2005

Nullsoft

SHOUTcast 1.9.4

A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. A remote user can supply a specially crafted request to the target server containing format string characters to cause the target service to crash or execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-04.xml

Currently we are not aware of any exploits for this vulnerability.

Nullsoft SHOUTcast Format String Flaw
High

SecurityTracker Alert ID: 1012675, December 24, 2004

Gentoo GLSA 200501-04, January 5, 2005

 

Patric Müller

Vilistextum 2.6.6

A vulnerability was reported in Vilistextum that could allow a remote malicious user to cause arbitrary code to be executed by the target user. A remote user can create a specially crafted HTML file that, when processed by the target user with Vilistextum, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the get_attr() function in 'html.c.'

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-10.xml

A Proof of Concept exploit script has been published.

Patric Müller
Vilistextum get_attr()
Buffer Overflow

CVE Name:
CAN-2004-1299

High

SecurityTracker Alert ID, 1012558, December 16, 2004

Gentoo Linux Security Advisor, GLSA 200501-10, January 6, 2005

PHPGroupWare

PHPGroupWare 0.9.16.03

PHPGroupWare contains multiple input validation vulnerabilities; it is prone to multiple SQL injection and Cross-Site Scripting issues. These issues are all due to a failure of the application to properly sanitize user-supplied input. A malicious user could exploit these vulnerabilities to execute arbitrary code.

Upgrade available at: http://download.phpgroupware.org/now

A Proof of Concept exploit has been published.

PHPGroupWare
Multiple Cross-Site Scripting and SQL Injection
High

GulfTech Security Research December 14th, 2004

SecurityFocus, January 6, 2005

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

SUSE:
http://www.suse.com/en/private/download/
updates/92_i386.html

Avaya:
http://support.avaya.com/japple/css/japple?temp.groupID=
128450&temp.selectedFamily=128451&temp.selectedProduct=
154235&temp.selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=198525&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction= avaya.css.UsageUpdate()

SGI:
ftp://patches.sgi.com/support/free/security
/patches/ProPack/3/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-464.html

We are not aware of any exploits for these vulnerabilities.

Red Hat GNOME VFS updates address
extfs vulnerability

CVE Name:
CAN-2004-0494

High

Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004

Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004

SecurityFocus, Bugtraq ID: 10864, December 7, 2004

RedHat Security Advisory, RHSA-2004:464-09, January 5, 2005

Remote Sensing

LibTIFF 3.x

A vulnerability exists potentially can be exploited by malicious people to execute arbitrary code on the target system. The vulnerability is caused due to an unspecified integer overflow in the tiffdump utility.

Gentoo:
http://www.gentoo.org/security/en/glsa/
glsa-200501-06.xml

Currently we are not aware of any exploits for this vulnerability.

Remote Sensing LibTIFF Integer Overflow Vulnerability
in tiffdump
High
Secunia SA13728, January 6, 2005

Russell Marks

zgv Image Viewer 5.5

Several vulnerabilities exist due to various integer overflows when processing images, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-12.xml

Debian:
http://www.debian.org/security/2004/dsa-608

The vendor has issued a patch, available at:
| http://www.svgalib.org/rus/zgv
/zgv-5.8-integer-overflow-fix.diff

Gentoo:
http://security.gentoo.org/glsa/
glsa-200501-09.xml

Currently we are not aware of any exploits for these vulnerabilities.

Russell Marks ZGV Image Viewer Multiple Remote Integer
Overflow

CVE Name:
CAN-2004-1095
CAN-2004-0999

High

Bugtraq, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-12:01, November 7, 2004

Debian Security Advisory, DSA-608-1 zgv, December 14, 2004

SecurityTracker Alert ID: 1012546, December 16, 2004

Gentoo Linux Security Advisory, GLSA 200501-09, January 6, 2005

Squid-cache.org

Squid 2.x

A remote Denial of Service vulnerability exists in the NTLM fakeauth_auth helper when running under a high load or for a long period of time, and a specially crafted NTLM type 3 message is submitted.

Patch available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch

Currently we are not aware of any exploits for this vulnerability.

Squid NTLM fakeauth_auth Helper Remote Denial of Service
Low
Secunia Advisory,
SA13789, January 11, 2005

Virtual Hosting Control System

Virtual Hosting Control System 2.2

A vulnerability exists due to a file include vulnerability, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required.

Virtual Hosting Control System SQL.PHP Remote File Include

High
SecurityFocus, January 6, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

All Enthusiast, Inc.

PhotoPost PHP Pro 4.x

Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 1) Input passed to the "page", "cat", and "si" parameters in "showgallery.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" and "ppuser" parameters in "showgallery.php" isn't sanitized properly before being used in a SQL query.

Update to version 4.86:
http://www.photopost.com/

An exploit script has been published.

All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection
High

GulfTech Security Research Team, January 3, 2005

PacketStorm, January 5, 2005

All Enthusiast, Inc.

ReviewPost PHP Pro 2.x

Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 1) Input passed to the "si" parameter in "showcat.php", "cat" and "page" parameters in "showproduct.php", and "report" parameter in "reportproduct.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" parameter in "showcat.php" and "product" parameter in "addfav.php" isn't properly sanitized before being used in a SQL query. 3) An error in the handling of file uploads for filenames with multiple extensions (e.g. "test.jpg.php.jpg.php") can be exploited.

Update to version 2.84:
http://www.photopost.com/

An exploit script has been published.

All Enthusiast ReviewPost PHP Pro Multiple Vulnerabilities
High

GulfTech Security Research Team, January 3, 2005

PacketStorm, January 5, 2005

Apache Software Foundation

Tomcat 5.x

A Cross-Site Scripting vulnerability exists due to insufficient sanitization of various input passed to the 'Tomcat Manager,' which could let a remote malicious user execute arbitrary HTML and script code.

Patch available at:
http://www.mail-archive.com/tomcat-dev@
jakarta.apache.org/msg66978.html

Proofs of Concept exploits have been published.

Apache Tomcat 'Tomcat Manager' Cross-Site Scripting
High
Secunia Advisory,
SA13737, January 6, 2005

Apple

AirPort Express Firmware 6.1, AirPort Extreme Firmware 5.5

A remote Denial of Service vulnerability exists when used in the Wireless Distribution System (WDS) mode. This issue could allow a remote attacker to cause the base station to stop processing traffic.

Upgrades available at:
http://www.apple.com/support/downloads/

There is no exploit code required.

Apple AirPort Wireless Distribution System Remote Denial of Service

Low
SecurityFocus January 3, 2004

b2evolution.net

b2evolution 0.8.2 .2, 0.8.2, 0.8.6 .2, 0.8.6 .1, 0.8.6, 0.8.7, 0.8.9, 0.9 .0.11, 0.9 .0.10, 0.9 .0.09, 0.9 .0.0, 0.9 .0.05, 0.9 .0.03

A vulnerability exists the '_class_itemlist.php' script due to insufficient sanitization of 'title' parameter, which could let a remote malicious user execute arbitrary code.

Workaround available at:
http://forums.b2evolution.net/viewtopic.php?t=2695

There is no exploit code required.

b2evolution '_class_itemlist.php' Script Input Validation
High
Securiteam, January 9, 2005

Ben3W

2Bgal 2.4 and 2.5.1

A vulnerability exists that can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id_album" parameter is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Upgrade available at:
http://www.ben3w.com/multimedia/
dlcounter.php?selfile=2bgal.zip

A Proof of Concept exploit has been published.

Ben3W 2Bgal "id_album" SQL Injection Vulnerability
High

Secunia SA13620, December 23, 2004

Packetstorm, December 31, 2004

SecurityFocus, January 7, 2005

Cisco Systems

IOS 12.2 ZA, SY, SXB, SXA, (17a) SXA, (14)ZA2, (14)ZA, (14)SY

A remote Denial of Service vulnerability exists when processing Internet Key Exchange (IKE) packets.

Revision 1.2: Updated the 12.2(14)SY03 Release Notes URL in the Software Fixes and Versions section.

Updates available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml

Currently we are not aware of any exploits for this vulnerability.

Cisco IOS Malformed IKE Packet Remote
Denial of Service
Low

Cisco Security Advisory 50430, April 8, 2004

Cisco Security Advisory 50430 Rev. 1.2, January 5, 2005

Cisco Systems

IOS R12.x, 12.x

 

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port.

Revision 2.4: Updated availability information for IOS releases. Corrected fixed software version for 12.1E Maintenance release.

Potential workarounds available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-
telnet.shtml

Currently we are not aware of any exploits for this vulnerability.

Cisco IOS Telnet Service Remote Denial of Service
Low

Cisco Security Advisory, cisco-sa-20040827, August 27, 2004

US-CERT Vulnerability Note VU#384230

Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004

Cisco Security Advisory, 61671 Rev 2.3, October 31, 2004

Cisco Security Advisory, 61671 Rev 2.4, December 31, 2004

David Barrett

QwikiWiki 1.4.1

A Directory Traversal vulnerability exists due to insufficient validation of the 'page' parameter, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

David Barrett QwikiWiki Remote Directory Traversal
Medium
Securiteam, January 5, 2005

IBM

DB2 Universal Database for AIX 7.0-7.2, 8.0, 8.1, DB2 Universal Database for HP-UX 7.0-7.2. 8.0, 8.1, DB2 Universal Database for Linux 7.0-7.2, 8.0, 8.1, DB2 Universal Database for Solaris 7.0-7.2, 8.0, 8.1, IBM DB2 Universal Database for Windows 7.0-7.2, 8.0, 8.1

A vulnerability exists in the XMLVarcharFromFile and XMLClobFromFile functions, which could let a remote malicious user corrupt data, obtain sensitive information, and ultimately execute arbitrary code.

Patches available at:
http://www-306.ibm.com/software/data/db2/udb/
support/downloadv8.htm

Currently we are not aware of any exploits for this vulnerability.

IBM DB2 XML Function

Medium/ High

(High if arbitrary code can be executed)

NGSSoftware Insight Security Research Advisory, NISR05012005I, January 5, 2005

Invision Power Services

Invision Community Blog 1.0

A vulnerability exists in the 'eid' parameter due to insufficient input validation, which could let a remote malicious user inject SQL commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Invision Community Blog Input Validation
Medium
Bugtraq, January 9, 2005

Mozilla,.org

Firefox 0.8, 0.9-0.9.3, 0.10, 0.10.1

Multiple vulnerabilities exist: a vulnerability exists because web sites may include images from local resources, which could let a malicious user obtain sensitive information, cause a Denial of Service, and potentially steal passwords from Windows systems; a vulnerability exists in the file download dialog box because filenames are truncated, which could let a malicious user spoof downloaded file names; and a vulnerability exists on MacOSx because Firefox is installed with world-writable permissions, which could let a malicious user obtain elevated privileges.

Upgrades available at:
http://www.mozilla.org/products/firefox/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

An exploit script is not required

Mozilla Firefox Multiple Vulnerabilities

Low/ Medium

(Low if a DoS)

Secunia Advisory,
SA13144, November 10, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Mozilla

Mozilla 1.7.3

A heap overflow vulnerability exists in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system. A remote user can create a specially crafted 'news://' URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The flaw resides in the *MSG_UnEscapeSearchUrl() function in 'nsNNTPProtocol.cpp'.

The vendor has issued a fixed version (1.7.5), available at: http://www.mozilla.org/products/mozilla1.x/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

A Proof of Concept exploit has been published.

Mozilla Buffer Overflow in Processing NNTP URLs
High

iSEC Security ResearchAdvisory, December 29, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Multiple Vendors

Ericsson T610;
Motorola V600, V80; Nokia 6310i

A vulnerability exists in the application layer, and not in the actual Bluetooth protocol layer, which could let a remote malicious user utilize the mobile device to act as a modem.

No workaround or patch available at time of publishing.

There is no exploit code required.

Multiple Vendor Bluetooth Device Unauthorized Serial Command Access
Medium
SecurityFocus, January 4, 2005

Multiple Vendors

Microsoft Internet Explorer 6.0, SP1&SP2; Mozilla Firefox 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1;
Netscape Navigator 7.0, 7.0.2, 7.1, 7.2, Netscape 7.0

Multiple vulnerabilities exist in the image handling functionality through the <IMG> tag, which could let a remote malicious user cause a Denial of Service, and obtain sensitive information.

Mozilla:
http://www.mozilla.org/products/firefox/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

A Proof of Concept exploit has been published.

Multiple Browser IMG Tag Multiple Vulnerabilities

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityFocus, November 10, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

MyBB Group

MyBulletinBoard RC4

A vulnerability exists in the 'member.php' script due to insufficient validation of the 'uid' parameter, which could let al remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

MyBulletinBoard MEMBER.PHP SQL Injection
High
Securiteam, January 5, 2005

Noah Grey

Greymatter 1.1 b, 1.2, 1.3, 1.21 a-1.21d, 1.21

A vulnerability exists in the 'gm-comments.cgi' script due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published.

Noah Grey Greymatter 'GM-Comments.CGI' HTML Injection
High
SecurityFocus, January 6, 2005

Noah Grey

Greymatter 1.3

Several vulnerabilities exist: a vulnerability exists in the main entry pages' section because a temporary file is created that contained the username and plaintext password when rebuilding the section, which could let a remote malicious user obtain sensitive information; and a vulnerability exists in 'GM-CPLog.CGI' due to insufficient sanitization of user-supplied input during login, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published for the HTML injection vulnerability.

Noah Grey Greymatter Password Disclosure & HTML Injection

Medium/ High

(High if arbitrary code can be executed)

SecurityFocus, January 6, 2005

Novell

Netware 5.1, SP4-SP6, 6.0 , SP1-SP3

A remote Denial of Service vulnerability exists in 'CIFS.MLM.'

Patches available at:
http://support.novell.com/servlet/filedownload/sec/
pub/cifspt6.exe

There is no exploit code required.

Novell Netware CIFS.NLM Remote Denial of Service
Low
Novell Technical Information Document, TID2970488, January 5, 2005

NZEO

Zeroboard 4.x

A vulnerability exists in 'error.php' due to insufficient verification of the 'dir' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Zeroboard 'error.php' Include File
High
Secunia Advisory,
SA13769, January 10, 2005

SugarCRM Inc.

SugarCRM 1.0 g, 1.0 f, 1.0, 1.1 a-1.1 f, 1.1, 1.5 d, 2.0.1 a, 2.0.1, SugarSales 2.0.1 c

A vulnerability exists in the 'moduleDefaultFile' array due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published.

SugarCRM/SugarSales 'moduleDefaultFile' array
High
Securiteam, January 9, 2005

Sun Microsystems, Inc.

Sun Java JRE 1.3.x, 1.4.x,
Sun Java SDK 1.3.x, 1.4.x; Conectiva Linux 10.0; Gentoo Linux;
HP HP-UX B.11.23, B.11.22, B.11.11, B.11.00,
HP Java SDK/RTE for HP-UX PA-RISC 1.3,
HP Java SDK/RTE for HP-UX PA-RISC 1.4; Symantec Gateway Security 5400 Series v2.0.1, v2.0, Enterprise Firewall v8.0

A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets.

Updates available at:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57591-1

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-38.xml

HP:
http://www.hp.com/go/java

Symantec:
http://securityresponse.symantec.com/avcenter/
security/Content/2005.01.04.html

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plug-in Sandbox Security Bypass

CVE Name:
CAN-2004-1029

Medium

Sun(sm) Alert Notification, 57591, November 22, 2004

US-CERT Vulnerability Note, VU#760344, November 23, 2004

Conectiva Linux Security Announcement, CLA-2004:900, November 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-38, November 29, 2004

HP Security Bulletin,
HPSBUX01100, December 1, 2004

Sun(sm) Alert Notification, 57591, January 6, 2005 (Updated)

Symantec Security Response, SYM05-001,
January 4, 2005

 

 

 

Symantec

Brightmail Anti-Spam 6.0.1

Two vulnerabilities exist: a remote Denial of Service vulnerability exists because the Sieve module fails to recognize malformed RFC 822 MIME attachment boundaries; and a remote Denial of Service vulnerability exists because Spamhunter fails to convert certain valid character encoding sets to UTF.

Patch available at:
ftp://ftp.symantec.com/public/english_us_
canada/products/sba/sba_60x/updates/Patch134.zip

Currently we are not aware of any exploits for these vulnerabilities.

Symantec Brightmail Remote Denials of Service
Low

SecurityTracker Alert ID, 1012612, December 17, 2004

US-CERT Vulnerability Note, VU#697598, January 6, 2005

Vayris

Amphora Gate

A vulnerability exists in the 'free_loginpage.php' page because the '/validacion.php' page can be loaded using the previously assigned authentication credentials, which could let a remote malicious user obtain administrative access.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vayris Amphora Gate Administrative Access
High
SecurityTracker Alert, 1012825, January 10, 2005

WoltLab

Burning Board Lite 1.0.0, 1.0.1 e

A Cross-Site Scripting vulnerability exists in 'formmail.php' due to insufficient sanitization of the 'userid' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

WoltLab Burning Board Lite Form Mail Script Cross-Site Scripting
High
Secunia Advisory,
SA13782, January 11, 2005

xisc.com

PRADO Framework version 1.5 & prior

A vulnerability exists in the 'phonebook.php' script due to insufficient validation of the 'page' parameter, which could let a remote malicious user execute arbitrary code.

Update available at:
http://sourceforge.net/project/showfiles.php?group_id=118087

A Proof of Concept exploit has been published.

PRADO 'phonebook.php' Include File
High
Securiteam, January 9, 2005

yahoopops.sourceforge.
net

YPOPs! 0.x

Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://home.comcast.net/~dbeusee/yahoopops_0_6_050104.zip

Proofs of Concept exploit scripts have been published.

YPOPs! Buffer Overflows
High

Hat-Squad Advisory, September 27, 2004

SecurityFocus, October 18, 2004

SecurityFocus, January 6, 2005

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
January 11, 2005 tcpick-0.2.0.tar.gz
N/A
A textmode sniffer that can track TCP streams and saves the data captured in files or displays them in the terminal.
January 7, 2005 amp2zero.zip
No
Proof of Concept for the Amp II 3D game engine Remote Denial of Service vulnerability.
January 7, 2005 gr_poolsize.c
No
Proof of Concept Denial of Service exploit for the Linux Kernel Random Poolsize SysCTL Handler Integer Overflow vulnerability.
January 7, 2005 isec-0021-uselib.txt
binfmt_elf.c
No
Exploits for the Linux Kernel uselib() Root Privileges vulnerability.
January 7, 2005 libvg-0.3.0.tar.gz
N/A
First public released of libvg, a runtime process manipulation library that was designed to provide a powerful and portable interface for writing non-complex programs that can get or change information of processes on the system.
January 7, 2005 mlock-dos.tgz
No
Proof of Concept exploit for the Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial of Service vulnerability.
January 7, 2005 phpbb.ssh.D.tx
N/A
New version of the phpBB worm with bot install that makes use of Altavista.
January 6, 2005 sql-injection.html
N/A
Whitepaper discussing SQL injection attacks that gives an illustrated overview showing the process of how these attacks are performed.
January 6, 2005 un-htget_0.9x.txt
Yes
Exploit for the J Whitham HTGET Buffer Overflow vulnerability.
January 6, 2005 WINACE-WINHKI ZIP TRANSVERSAL.zip
winace gz file transversal.gz
No
Proof of Concept exploits for the Winace Remote Directory Traversal vulnerability.
January 5, 2005 firewallbypass.tgz
N/A
A generic problem of common personal firewall products is the allowance of shortcuts or interfaces for controlling traffic. Manipulation of these functions can allow for firewall bypass altogether. Various proof of concepts are included for products such as Zone Alarm, Kerio, Agnitium Outpost firewall, Kaspersky Anti-Hacker, Symantec's Norton Personal Firewall, and more.
January 5, 2005 hydra-4.5-src.tar.gz
N/A
A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.
January 5, 2005 mybbSQL.txt
No
Exploit for the MyBulletinBoard MEMBER.PHP SQL Injection vulnerability.
January 5, 2005 PhotoPost.txt
Yes
Exploit for the All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection vulnerabilities.
January 5, 2005 QWikiwiki.txt
No
Exploit for the QwikiWiki Remote Directory Traversal vulnerability.
January 5, 2005 ReviewPost.txt
Yes
Exploit for the All Enthusiast ReviewPost PHP Pro vulnerability.
January 5, 2005 scanner_ndde.c
N/A
NetDDE scanner that makes use of a remote code execution vulnerability due to an unchecked buffer.
January 5, 2005 thc-pptp-bruter-0.1.4.tar.gz
N/A
A brute force program that works against pptp vpn endpoints (tcp port 1723). It is fully standalone and supports the latest MSChapV2 authentication and exploits a weakness in Microsoft's anti-brute force implementation which makes it possible to try 300 passwords the second.
January 5, 2005 top_ex.pl
Yes
Proof of concept exploit for an old format string vulnerability in setuid versions of top. This vulnerability has popped back up in the Solaris 10 Companion CD.
January 4, 2005 SInAR-0.1.tar.gz
N/A
SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress.
January 4, 2005 soldnersock.tar
soldnersock.zip
No
Script that exploits the Soldner Secret Wars Denial of Service vulnerability.
December 31, 2004 DAV1.1-PoC.pl
No
A Proof of Concept exploit for the Microsoft FrontPage 2000 Internet Publishing Service Provider DAV File Upload Vulnerability.

[back to top]

Trends
  • The US-CERT has received reports of new phishing scams targeting users sympathetic to the Tsunami tragedy that occurred in Southeast Asia. The US-CERT recommends using caution when reviewing solicitations for donations to help with the disaster and to only donate to reputable charities. A list of reputable charities working to help the victims of the Tsunami can be found here:
    http://www.cnn.com/2004/WORLD/asiapcf/12/28/tsunami.aidsites/
  • Cyota, the leading provider of anti-fraud solutions for financial institutions, announced some of the key findings from its second annual Financial Institution Online Fraud Survey, conducted in November 2004.
    • 50% of Accountholders Have Received Phishing Emails;
    • Over 40% of Online Bankers Share Passwords Between Banks
    • 37% of online bankers use their online banking password at other, less secure sites
    • 79% of accountholders check for the little lock on the bottom of a secure web page, however less than 40% actually click on the lock to view the security certificate
    • 70% of accountholders are less likely to respond to an email from their bank, and more than half are less likely to sign-up or continue to use their bank’s online services due to phishing. For more information, see http://www.cyota.com/viewReleases.cfm?id=78

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Zafi-B Win32 Worm Slight Increase June 2004
3
Bagle-AU Win32 Worm Slight Increase October 2004
4
Sober-I Win32 Worm Decrease November 2004
5
Bagle-AA Win32 Worm Stable April 2004
6
Bagle.AT Win32 Worm Increase October 2004
7
Netsky-D Win32 Worm Slight Decrease March 2004
8
Bagle.BB Win32 Worm Increase September 2004
9
Netsky-Q Win32 Worm Decrease March 2004
10
Netsky-B Win32 Worm Return to Table February 2004

Table Updated January 11, 2005

Viruses or Trojans Considered to be a High Level of Threat

  • Viruses or Trojans Considered to be a High Level of Threat

    • LNK_ACESPADES.A: This is the first known .LNK file infector and is designed as a Proof of Concept virus. This file infector arrives as an .LNK file. Upon execution by a user, it overwrites all .LNK files in the folder where it is executed. These type of files are shortcut files, which are usually placed on the desktop for easy access to programs.
    • Lasco.A spreads itself by searching all SIS installation files in the infected device, and inserts itself as embedded SIS file into them. Therefore any SIS file in the device that gets copied to another phone, as frequently happens as people swap software, will also contain a copy of Lasco.A. In addition to spreading in infected SIS files, Lasco.A will also spread by sending itself directly via bluetooth like Cabir worms do, and Lasco.A will be able to spread from one device to another without a reboot.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
32/Sdbot-TB   Win32 Worm
32/Woned-A   Win32 Worm
Backdoor.Alets.B   Trojan
Backdoor.Berbew.N   Trojan
Backdoor.Sdbot.AJ   Network Worm
Backdoor.Tjserv.B TrojanProxy.Win32.Agent.br
Proxy-TJServ
Trojan
Backdoor.Tjserv.C   Trojan
Backdoor.XTS.B   Trojan
Bloodhound.Exploit.22   Trojan
CiaDoor Backdoor.CiaDoor Trojan
Gaobot.CKP   Worm
HTML.HelpControl!exploit HTMLHelpControl.Exploit.Trojan Trojan
Lasco.A SymbOS/Lasco.A
EPOC/Lasco.A
Symbian OS Worm
LNK_ACESPADES.A   .LNK file infector
PE_VLASCO.A  

File Infector

Sdbot-SW   Win32 Worm
SYMBOS_VLASCO.B Worm.SymbOS.Cabir.f
Worm.SymbOS.Lasco.a
Symbian OS virus
Troj/Feutel-A Backdoor.Win32.Feutel.a
BackDoor-AWQ.b
Trojan
TROJ_CLICKER.S Trojan-Clicker.Win32.Small.br
Trj/Clicker.AE
Troj/AdClick-BR
Trojan
Trojan.Dimi   Trojan
Trojan.Feutel   Trojan
Trojan.Goldun   Trojan
Trojan.Hako   Trojan
Trojan.Minit   Trojan
TrojanDownloader.Win32.Krepper.i TR/Dldr.Krepper.I.2
Downloader.Krepper.L
Trojan.Downloader.Krepper.I
Adware/Replace
Trojan
VBS/Mcon-G VBS/Pica.worm.gen
VBS_MCON.A
VBS.Sorry.A, VBS.Mcon.c
Visual Basic Script Worm
W32.Kobot.B W32/Danshbot.worm Win32 Worm
W32.Looked.B   Win32 Worm
W32.Rahack Backdoor.Win32.Agent.go
W32/RAHack
Win32 Worm
W32.Spybot.HUR   Win32 Worm
W32/Agobot-ADH WORM_AGOBOT.ADH Win32 Worm
W32/Agobot-OT   Win32 Worm
W32/Agobot-OU   Win32 Worm
W32/Agobot-OV Backdoor.Win32.Agobot.gen Win32 Worm
W32/Forbot-DK   Win32 Worm
W32/Mirsa@MM   Win32 Worm
W32/Mugly.d@MM   Win32 Worm
W32/Pikis-B I-Worm.Pikis.c
W32/Pikis!p2p
Win32 Worm
W32/Rbot-SQ   Win32 Worm
W32/Rbot-SX   Win32 Worm
W32/Rbot-TD   Win32 Worm
W32/Rbot-TE   Win32 Worm
W32/Sdbot-TA Backdoor.Win32.IRCBot.j
W32/Sdbot.worm.gen.t
Win32 Worm
W32/Wurmark-D W32/Mugly.gen@MM Win32 Worm
Win32.Benuti.K ROJ_AGENT.IV
Troj/Bdoor-AY
Win32/Life4.Downloader.Trojan
Backdoor.Lifefournow
Trojan-Proxy.Win32.Agent.l
Win32 Worm

Win32.Bloon.A

Win32/Bloon.A.Trojan Trojan
Win32.Chopemail HotWorld
Win32.Chopemail.A
HTML.Chopemail.A
HTML.Chopemail.B
Win32.Chopemail.B
HTML/Chopemail.B.Trojan
HTML_CONYC.A
Troj/ConycSp-A
TROJ_CONYCSPA.A
Win32/Conycspa.A.Trojan
W32.Conycspa@mm
Trojan.Win32.Conycspa.a
Trojan.Win32.Delf.gq
Trojan
Win32.ForBot.KW Backdoor.Win32.Wootbot.ai Win32 Worm
Win32.OutsBot.C BackDoor-AZV
W32/Backdoor.LY
Win32/OutsBot.C.Trojan
Troj/Santabot-A
Backdoor.Sdbot
Backdoor.Win32.Small.ct
Win32 Worm
Winxor.A Bck/Winxor.A Trojan
WmvDown.A Trj/WmvDownloader.A Trojan
WmvDown.B Trj/WmvDownloader.B Trojan
WORM_GIFT.C W32.Gift.32768
W32/Gift@mm
Win32/HLLW.Gift
I-Worm.Gift
Win32 Worm
WORM_SDBOT.CCD   Internet Worm
WORM_SPYBOT.AAR W32.Spybot.Worm Win32 Worm

[back to top]

 

 

 

Last updated

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.


Bugs, Holes, & Patches The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

3Com

3CDaemon 2.0 revision 10

Multiple vulnerabilities exist: a buffer overflow vulnerability exists when a remote malicious user submits a specially crafted FTP username, which could lead to the execution of arbitrary code; a buffer overflow vulnerability exists in several FTP commands, including cd, send, ls, put, delete, rename, rmdir, literal, stat, and cwd, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user submits an FTP user command with format string characters; a format string vulnerability exists in the cd, delete, rename, rmdir, literal, stat, and cwd [and others] commands, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user connects to the TFTP service and requests an MS-DOS device name; a vulnerability exists when the directory to an MS-DOS device name or a filename is changed, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

3Com 3CDaemon Multiple Remote Vulnerabilities

Low/Medium/ High

(Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed)

[I.T.S] Security Research Team Advisory, January 4, 2005

Amp

Amp II 3D Game Engine

A remote Denial of Service vulnerability exists due to a failure to handle exceptional conditions.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Amp II 3D Game Engine Remote Denial of Service
Low
Secunia Advisory, SA13754, January 7, 2005

Jeuce.com

Jeuce Personal Web Server 2.13

Multiple vulnerabilities exist: a Directory Traversal vulnerability exists due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when handling certain URLs.

No workaround or patch available at time of publishing.

Proofs of Concept exploits have been published.

Jeuce Personal Web Server Directory Traversal & Denial of Service

Low/Medium

(Medium if sensitive information can be obtained)

GSSIT - Global Security Solution IT Advisory, January 6, 2005

JoWood Productions

Soldner Secret Wars 30830

Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user submits a UDP packet that contains 1402 or more bytes; a format string vulnerability exists which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a Cross-Site Scripting vulnerability exists in the administrative web interface log display, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

An exploit script has been published.

Soldner Secret Wars Multiple Remote Vulnerabilities

Low/High

(High if arbitrary code can be executed)

SecurityTracker Alert ID, 1012790, January 6, 2005

Microsoft

FrontPage 2000

A vulnerability exists in the DATA Access Internet Publishing Service Provider Distributed Versioning and Authoring (DAV) functionality, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Microsoft FrontPage 2000 DAV File Upload

High

SecurityFocus, December 31, 2004

Microsoft

Internet Explorer 6.0, SP1&SP2

A vulnerability exists in the DHTML Edit ActiveX control, which could let a remote malicious user inject arbitrary scripting code into a different window on the target user's system.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Microsoft Internet Explorer DHTML Edit Control Script

CVE Name:
CAN-2004-1319

High

Bugtraq, December 15, 2004

US-CERT Vulnerability Note, VU#356600, January 6, 2005

Microsoft

Windows (XP SP2 is not affected)

A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
ms05-002.mspx

A Proof of Concept exploit has been published.

Microsoft Windows ANI File Parsing Errors

CVE Name:
CAN-2004-1305

Low

VENUSTECH Security Lab, December 23, 2004

Microsoft Security Bulletin MS05-002, January 11, 2005

US-CERT Vulnerability Notes, VU#177584 & VU#697136, January 11, 2005

Microsoft

Windows (XP SP2 is not affected)

An integer overflow vulnerability was reported in the LoadImage API. A remote user can execute arbitrary code. A remote user can create a specially crafted image file that, when processed by the target user, will trigger an overflow in the USER32 library LoadImage API and execute arbitrary code. The code will run with the privileges of the target user.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
ms05-002.mspx

A Proof of Concept exploit has been published.

Microsoft Windows LoadImage API Buffer Overflow

CVE Names:
CAN-2004-1049

High

VENUSTECH Security Lab. December 23, 2004

Microsoft Security Bulletin MS05-002, January 11, 2005

US-CERT Vulnerability Note, VU#625856, January 11, 2005

Microsoft

WindowsXP SP1 & prior service packs, 2003

A buffer overflow vulnerability exists in the Indexing Service due to the way query validation is handled, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-003.mspx

Currently we are not aware of any exploits for this vulnerability.

Microsoft Windows Indexing Service Buffer Overflow

CVE Name:
CAN-2004-0897

Low/High

(High if arbitrary code can be executed)

Microsoft Security Bulletin MS05-003, January 11, 2005

Microsoft

Windows 2000 SP3 & SP4, XP SP1 & SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME

A cross-domain vulnerability exists in the HTML Help ActiveX control, which could let a remote malicious user execute arbitrary code.

Updates available at: http://www.microsoft.com/technet/security/bulletin/
MS05-001.mspx

Exploits have been published.

Microsoft Windows HTML Help ActiveX Control

CVE Name:
CAN-2004-1043

High
Microsoft Security Bulletin MS05-001, January 11, 2005

Symantec

Norton AntiVirus 2004, 2004 Professional Edition

A remote Denial of Service vulnerability exists due to a buffer overflow in the 'CcErrDsp.ErrorDisplay.1' ActiveX object.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow
Low
Bugtraq, January 6, 2005

Winace.com

Winace 2.5, 2.6 Beta 4

A Directory Traversal vulnerability exists due to an input validation error when extracting files compressed with GZIP (.gz) or ZIP (.zip), which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

Proofs of Concept exploit scripts have been published.

Winace Remote Directory Traversal

Medium
Secunia Advisory,
SA13734, January 6, 2005

winace.com

WinHKI 1.4 d

Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user creates a BH compressed file with a specially crafted header; a remote Denial of Service vulnerability exists when processing LHA files; and a Directory Traversal vulnerability exists when the application processes malformed BH, CAB, and ZIP compressed files, which could let a remote malicious user modify information.

No workaround or patch available at time of publishing.

There is no exploit required; however, Proofs of Concept exploits have been published.

WinHKI Multiple Remote Vulnerabilities

Low/Medium

(Medium if information can be modified)

SecurityTracker Alert ID, 1012798, January 6, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

Alexander Palmo

Simple PHP Blog 0.3.7 c

A Directory Traversal vulnerability exists in the 'entry' parameter due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information.

Patch available at:
http://www.bigevilbrain.com/sphpblog/development/files/
patches_0.3.7r2.tgz

There is no exploit code required; however, a Proof of Concept exploit has been published.

Alexander Palmo
Simple PHP Blog Remote Directory Traversal
Medium
Bugtraq, January 7, 2005

Andrew W. Rogers

pcal 0.7.1

Two vulnerabilities were reported in pcal. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted calendar file that, when processed by the target user with pcal, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the getline() function in 'pcalutil.c' and the get_holiday() function in 'readfile.c'.

Debian:
http://www.debian.org/security/2005/dsa-625

A Proof of Concept exploit script has been published.

Andrew W. Rogers
pcal Buffer Overflows

CVE Name:
CAN-2004-1289

High

SecurityTracker Alert ID, 1012592, December 16, 2004

Debian Security Advisory,
DSA-625-1 pcal, January 5, 2005

Christoph Dalitz

abctab2ps 1.6.3

A vulnerability was reported in abctab2ps. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ABC file that, when processed by the target user with abctab2ps, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflows reside in the write_heading() function in 'subs.cpp' and the trim_title() function in 'parse.cpp.'

Upgrade available at:
http://www.lautengesellschaft.de/cdmm/#Download

A Proof of Concept exploit script has been published.

Christoph Dalitz abctab2ps Buffer Overflows
High

SecurityTracker Alert ID, 1012578, December 16, 2004

SecurityFocus, January 5, 2005

dillo.org

Dillo 0.8.3 a& prior

A format string vulnerability exists in 'capi.c' in the 'a_interface_msg()' function, which could let a remote malicious user execute arbitrary code.

Update available at: http://www.dillo.org/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-11.xml

A Proof of Concept exploit has been published.

Dillo
'a_Interface_msg()' Format String
High
Gentoo Linux Security Advisory, GLSA 200501-11, January 9, 2005

Easy Software Products

CUPS 1.1.21, 1.1.22 rc1, 1.1.22

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted HTTP GET request.

Upgrades available at:
http://www.cups.org/software.php?SOFTWARE=v1_2

A Proof of Concept exploit has been published.

CUPS HTTP
GET Denial of Service
Low
SecurityTracker Alert ID, 1012811, January 7, 2005

GNU / GPL
  Conectiva
  Gentoo
  Mandrake
  RedHat
  SuSE
  Trustix

Samba 3.0.0 - 3.0.4 and 2.2.9 and prior

 

Multiple buffer overflow vulnerabilities exist in Samba that could allow a remote user to execute arbitrary code on the target system. These are caused by boundary errors when decoding base64 data and when handling 'mangling method = hash.'

Upgrade to version 3.0.5 or 2.2.10 available at: http://us2.samba.org/samba/ftp/

Conectiva:
ftp://atualizacoes.conectiva.com.br

RedHat: RedHat Enterprise Linux AS 3, ES 3, WS 3:
http://rhn.redhat.com/

Gentoo:
http://security.gentoo.org/glsa/glsa-200407-21.xml

Mandrakesoft: Mandrake Multi Network Firewall 8.x, 9.x; Mandrake Corporate Server 2.x
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:071

SuSE: SuSE Linux, Email, Database, and Enterprise Servers
http://www.suse.de/de/security/2004_22_samba.html

Trustix:
http://http.trustix.org/pub/trustix/updates/

Sun: http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57664-1&searchclause=

Sun:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57664-1&searchclause=

A working exploit has been published.

Samba Buffer Overflow Vulnerabilities

CVE Names:
CAN-2004-0600
CAN-2004-0686
High

Samba Release Notes 3.0.5, July 20, 2004

Gentoo, RedHat, Mandrakesoft, SuSE, Trustix, Conectiva Advisories

Sun(sm) Alert Notification, 57664, October 25, 2004

Sun(sm) Alert Notification, 57664, January 26, 2005 updated

GNU

a2ps 4.13b

Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.

Debian:
http://security.debian.org/pool/updates/main/a/a2ps/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml

Currently we are not aware of any exploits for these vulnerabilities.

GNU a2ps
Two Scripts Insecure Temporary File
Creation
Medium

Secunia SA13641, December 27, 2004

Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005

GNU

a2ps 4.13

A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process.

A patch for FreeBSD is available at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/
print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

Debian:
http://www.debian.org/security/2004/dsa-612

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml

A Proof of Concept exploit has been published.

GNU a2ps Filenames Shell Commands Execution
High

SecurityTracker Alert ID, 1012475, December 10, 2004

Debian Security Advisory
DSA-612-1 a2ps, December 20, 2004

Gentoo GLSA 200501-02, January 5, 2005

GNU

MPlayer 1.0pre5

A vulnerability was reported in MPlayer in the processing of ASF streams. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted ASF video stream that, when viewed by the target user with MPlayer, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

Gentoo:
http://www.gentoo.org/security/en/glsa
/glsa-200412-21.xml

Conectiva:
http://distro.conectiva.com.br/atualizacoes/
index.php?id=a&anuncio=000910

A Proof of Concept exploit script has been published.

GNU MPlayer ASF Streams Processing Buffer Overflow
High

SecurityTracker Alert ID, 1012562, December 16, 2004

Gentoo GLSA 200412-21 / MPlayer, December 12, 2004

Conectiva Advisory, CLSA-2005:910, January 5, 2005

GNU

Vim 6.x, GVim 6.x

Multiple vulnerabilities exist which can be exploited by local malicious users to gain escalated privileges. The vulnerabilities are caused due to some errors in the modelines options. This can be exploited to execute shell commands when a malicious file is opened. Successful exploitation can lead to escalated privileges but requires that modelines is enabled.

Apply patch for vim 6.3: f
tp://ftp.vim.org/pub/vim/patches/6.3/6.3.045

Gentoo:
http://www.gentoo.org/security/en/
glsa/glsa-200412-10.xml

Red Hat:
http://rhn.redhat.com/errata/RHSA-2005-010.html

Mandrake:
http://www.mandrakesoft.com/security/advisories

Currently we are not aware of any exploits for these vulnerabilities.

GNU Vim / Gvim Modelines Command Execution Vulnerabilities

CVE Name:
CAN-2004-1138

Medium

Gentoo Linux Security Advisory, GLSA 200412-10 / vim, December 15, 2004

Red Hat Advisory RHSA-2005:010-05, January 5, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:003, January 6, 2005

GNU

xine prior to 0.99.3

Multiple vulnerabilities exist that could allow a remote user to execute arbitrary code on the target user's system. There is a buffer overflow in pnm_get_chunk() in the processing of the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG, and CONT_TAG parameters.

The vendor has issued a fixed version of xine-lib (1-rc8), available at: http://xinehq.de/index.php/releases

A patch is also available at:
http://cvs.sourceforge.net/viewcvs.py/xine/
xine-lib/src/input/pnm.c?r1=
1.20&r2=1.21

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-07.xml

A Proof of Concept exploit has been published.

GNU xine Buffer
Overflow in pnm_get_chunk()

CVE Name:
CAN-2004-1187
CAN-2004-1188

High

iDEFENSE Security Advisory 12.21.04

Gentoo, GLSA 200501-07, January 6, 2005

GNU

xine-lib 1.x

Multiple vulnerabilities with unknown impacts exist due to errors in the PNM and Real RTSP clients.

Update to version 1-rc8:
http://xinehq.de/index.php/download

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-07.xml

Currently we are not aware of any exploits for these vulnerabilities.

GNU xine-lib
Unspecified PNM &
Real RTSP Clients Vulnerabilities

CVE Name:
CAN-2004-1300

Not Specified

Secunia Advisory, SA13496, December 16, 2004

Gentoo Linux Security Advisory, GLSA 200501-07, January 6, 2005

GNU

Xpdf prior to 3.00pl2

A buffer overflow vulnerability exists that could allow a remote user to execute arbitrary code on the target user's system. A remote user can create a specially crafted PDF file that, when viewed by the target user, will trigger an overflow and execute arbitrary code with the privileges of the target user.

A fixed version (3.00pl2) is available at: http://www.foolabs.com/xpdf/download.html

A patch is available:
ftp://ftp.foolabs.com/pub/xpdf/
xpdf-3.00pl2.patch

KDE:
http://www.kde.org/info/security/advisory-20041223-1.txt

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-24.xml

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/

Mandrakesoft (update for koffice):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:165

Mandrakesoft (update for kdegraphics): http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:163

Mandrakesoft (update for gpdf):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:162

Mandrakesoft (update for xpdf):
http://www.mandrakesoft.com/security
/advisories?name=MDKSA-2004:161

Mandrakesoft (update for tetex):
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:166

Debian:
http://www.debian.org/security/2004/dsa-619

Fedora (update for tetex):
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates/

Fedora: http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/3/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-13.xml

Currently we are not aware of any exploits for this vulnerability.

GNU Xpdf Buffer Overflow in doImage()

CVE Name:
CAN-2004-1125

High

iDEFENSE Security Advisory 12.21.04

KDE Security Advisory, December 23, 2004

Mandrakesoft, MDKSA-2004:161,162,163,165, 166, December 29, 2004

Fedora Update Notification,
FEDORA-2004-585, January 6, 2005

Gentoo Linux Security Advisory, GLSA 200501-13, January 10, 2005

Info-ZIP

Zip 2.3

A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/z/zip/

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/
glsa-200411-16.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-634.html

Debian:
http://www.debian.org/security/2005/dsa-624

Currently we are not aware of any exploits for this vulnerability.

 

Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow

CVE Name:
CAN-2004-1010

High

Bugtraq, November 3, 2004

Ubuntu Security Notice, USN-18-1, November 5, 2004

Fedora Update Notification,
FEDORA-2004-399 & FEDORA-2004-400, November 8 & 9, 2004

Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

Red Hat Advisory, RHSA-2004:634-08, December 16, 2004

Debian DSA-624-1, January 5, 2005

 

J Whitham

HTGET 0.93

A buffer overflow vulnerability was reported in HTGET. A remote malicious user can cause arbitrary code to be executed. A remote user can create a specially crafted URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code.

Debian:
http://www.debian.org/security/2004/dsa-611

An exploit script has been published.

J Whitham HTGET
Buffer Overflow

CVE Name:
CAN-2004-0852

High

Debian Security Advisory
DSA-611-1 htget, December 20, 2004

PacketStorm, January 6, 2005

KDE

KDE 3.x, 2.x

A vulnerability exists in kio_ftp, which can be exploited by malicious people to conduct FTP command injection attacks.

The vulnerability has been fixed in the CVS repository.

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:160

Debian:
http://security.debian.org/pool/updates/main/k/kdelibs/

Currently we are not aware of any exploits for this vulnerability.

KDE kio_ftp FTP Command Injection Vulnerability

CVE Name:
CAN-2004-1165

Medium

KDE Advisory Bug 95825, December 26, 2004

Debian Security Advisory, DSA 631-1, January 10, 2005

KDE

Konqueror prior to 3.32

Two vulnerabilities exist in KDE Konqueror, which can be exploited by malicious people to compromise a user's system.The vulnerabilities are caused due to some errors in the restriction of certain Java classes accessible via applets and Javascript. This can be exploited by a malicious applet to bypass the sandbox restriction and read or write arbitrary files.

Update to version 3.3.2:
http://kde.org/download/

Apply patch for 3.2.3:
ftp://ftp.kde.org/pub/kde/security_
patches/post-3.2.3-kdelibs-khtml-java.tar.bz2

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:154

Currently we are not aware of any exploits for these vulnerabilities.

KDE Konqueror
Java Sandbox Vulnerabilities

CVE Name:
CAN-2004-1145

High

KDE Security Advisory, December 20, 2004

Mandrakesoft MDKSA-2004:154, December 22, 2004

US-CERT Vulnerability Note, VU#420222, January 5, 2005

Larry Wall

Perl 5.8.3

A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Gentoo:
http://security.gentoo.org/glsa/glsa-200412-04.xml

Debian:
http://security.debian.org/pool/updates/main/p/perl/

There is no exploit code required.

Perl
Insecure Temporary
File Creation

CVE Name:
CAN-2004-0976

Medium

Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004

Ubuntu Security Notice, USN-16-1, November 3, 2004

Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004

Debian Security Advisory, DSA 620-1, December 30, 2004

LGPL

NASM 0.98.38

A vulnerability was reported in NASM. A remote malicious user can cause arbitrary code to be executed by the target user. A remote user can create a specially crafted asm file that, when processed by the target user with NASM, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the error() function in 'preproc.c.'

Gentoo:
http://www.gentoo.org/security/en/
glsa/glsa-200412-20.xml

Debian:
http://www.debian.org/security/2005/dsa-623

Mandrake:
http://www.mandrakesoft.com/security/advisories

A Proof of Concept exploit script has been published.

LGPL NASM error() Buffer Overflow

CVE Name:
CAN-2004-1287

High

Secunia Advisory ID, SA13523, December 17, 2004

Debian Security Advisory
DSA-623-1 nasm, January 4, 2005

Mandrakelinux Security Update Advisory, MDKSA-2005:004, January 6, 2005

libtiff.org

LibTIFF 3.6.1

Avaya MN100 (All versions), Avaya Intuity LX (version 1.1-5.x), Avaya Modular Messaging MSS (All versions)

 

Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Gentoo:
http://security.gentoo.org/glsa/glsa-200410-11.xml

Fedora:
http://download.fedora.redhat.com/pub/fedora/
linux/core/updates/2/

OpenPKG:
ftp://ftp.openpkg.org/release/

Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-577.html

Slackware:
ftp://ftp.slackware.com/pub/slackware/

Conectiva:
ftp://atualizacoes.conectiva.com.br/

KDE: Update to version 3.3.2:
http://kde.org/download/

Apple Mac OS X:
http://www.apple.com/swupdates/

Gentoo: KDE kfax:
http://www.gentoo.org/security
/en/glsa/glsa-200412-17.xml

Avaya: No solution but workarounds available at: http://support.avaya.com/elmodocs2/security/ASA-2005-002_RHSA-2004-577.pdf

Proofs of Concept exploits have been published.

LibTIFF Buffer
Overflows

CVE Name:
CAN-2004-0803
CAN-2004-0804
CAN-2004-0886

Low/High

(High if arbitrary code can be execute)

Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004

Fedora Update Notification,
FEDORA-2004-334, October 14, 2004

OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004

Debian Security Advisory, DSA 567-1, October 15, 2004

Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004

Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004

SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004

RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004

Slackware Security Advisory, SSA:2004-305-02, November 1, 2004

Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004

US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004

Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004

KDE Security Advisory, December 9, 2004

Apple Security Update SA-2004-12-02

Gentoo Security Advisory, GLSA 200412-17 / kfax, December 19, 2004

Avaya Advisory ASA-2005-002, January 5, 2005

Conectiva Linux Security Announcement, CLA-2005:914, January 6, 2005

Little Igloo

LinPopUp 1.2.0

A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can send a specially crafted message to LinPopUp to trigger a buffer overflow in strexpand() in 'string.c' and execute arbitrary code. The code will run with the privileges of the LinPopUp process.

Debian:
http://security.debian.org/pool/updates/main/l/linpopup/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-01.xml

A Proof of Concept exploit script has been published.

Little Igloo LinPopUp strexpand() Buffer Overflow
High

SecurityTracker Alert ID, 1012542, December 16, 2004

Gentoo GLSA 200501-01, January 5, 2005

Debian Security Advisory, DSA 632-1, January 10, 2005

MIT

Kerberos 5 krb5-1.3.5 and prior

A buffer overflow exists in the libkadm5srv administration library. A remote malicious user may be able to execute arbitrary code on an affected Key Distribution Center (KDC) host. There is a heap overflow in the password history handling code.

A patch is available at:
http://web.mit.edu/kerberos/advisories/
2004-004-patch_1.3.5.txt

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-05.xml

Currently we are not aware of any exploits for this vulnerability.

Kerberos
libkadm5srv Heap Overflow

CVE Name:
CAN-2004-1189

High

SecurityTracker Alert ID, 1012640, December 20, 2004

Gentoo GLSA 200501-05, January 5, 2005

 

Mozilla.org

Mozilla Browser 1.7, rc1-rc3, beta, alpha, 1.7.1-1.7.3, 1.8 Alpha 1-4, Firefox Preview Release
Mozilla Firefox 0.9, rc, 0.9.1-0.9.3, 0.10, 0.10.1, Thunderbird 0.6, 0.7-0.7.3, 0.8

A vulnerability exists in the 'Open with' option because the software saves the file in the '/tmp' directory with world-readable permissions, which could let a malicious user obtain sensitive information.

Fixes are available in the CVS repository.

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

There is no exploit code required.

Mozilla Temporary File Insecure Permissions Information Disclosure
Medium

Secunia Advisory,
SA12956, October 25, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Multiple Vendors

Linux kernel 2.6.10, 2.6.9

A Denial of Service vulnerability exists in the 'mlockall()' system call due to a failure to properly enforce defined limits.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial
of Service
Low
Bugtraq, January 7, 2005

Multiple Vendors

Exim 4.43 & prior

Multiple vulnerabilities exist that could allow a local user to obtain elevated privileges. There are buffer overflows in the host_aton() function and the spa_base64_to_bits() functions. It may be possible to execute arbitrary code with the privileges of the Exim process.

The vendor has issued a fix in the latest snapshot:

ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/
Testing/exim-snapshot.tar.gz

ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/
Testing/exim-snapshot.tar.gz.sig

Also, patches for 4.43 are available at:
http://www.exim.org/mail-archives/
exim-announce/2005/msg00000.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/

Currently we are not aware of any exploits for these vulnerabilities.

GNU Exim Buffer Overflows

CVE Names:
CAN-2005-0021
CAN-2005-0022

High
SecurityTracker Alert ID: 1012771, January 5, 2005

Multiple Vendors

Linux kernel 2.,6 -test9-CVS, -test1-test11,
Linux kernel 2.6.1, rc1&rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core2 & Core3

A vulnerability exists which could let a malicious user obtain sensitive information.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
SYSENTER Thread Information Pointer
Local Information Disclosure

Medium
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Linux kernel 2.,6 -test9-CVS, -test1-test11,
Linux kernel 2.6.1, rc1&rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core2 & Core3

A vulnerability exists in the SCM system due to a failure to properly call defined security module functions, which could let a malicious user bypass security measures.

Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel Local
File Descriptor Passing Security Module
Bypass

Medium
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Perl

A race condition vulnerability was reported in the 'File::Path::rmtree()' function. A remote user may be able to obtain potentially sensitive information. A remote user may be able to obtain potentially sensitive information or modify files.

The vendor has released Perl version 5.8.4-5 to address this vulnerability. Customers are advised to contact the vendor for information regarding update availability.

Debian:
http://security.debian.org/pool/updates/main/p/perl/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Perl File::Path::rmtree() Permission
Modification
Vulnerability

CVE Name:
CAN-2004-0452

Medium

Ubuntu Security Notice, USN-44-1, December 21, 2004

Debian Security Advisory, DSA 620-1, December 30, 2004

Multiple Vendors

Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Gentoo Linux;
LibTIFF LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6 .0, 3.6.1, 3.7, 3.7.1;
RedHat Fedora Core2& Core 3;
Ubuntu Ubuntu Linux 4.1 ppc, ia64, ia32

A vulnerability exists in the tiffdump utility, which could let a remote malicious user execute arbitrary code.

Debian:
http://security.debian.org/pool/updates/main/t/tiff/

Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-06.xml

Mandrake:
http://www.mandrakesecure.net/en/ftp.php

SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/

Currently we are not aware of any exploits for this vulnerability.

LibTIFF TIFFDUMP Heap Corruption
Integer Overflow

CVE Name:
CAN-2004-1183

High
SecurityTracker Alert ID, 1012785, January 6, 2005

Multiple Vendors

Linux Kernel

A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'.

Red Hat:
https://bugzilla.redhat.com/bugzilla
/attachment.cgi?id=107493&action=view

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel
USB io_edgeport
Driver Integer Overflow

CVE Name:
CAN-2004-1017

Low/ Medium

(Medium if elevated privileges can be obtained)

SecurityTracker Alert ID: 1012477, December 10, 2004

Fedora Update Notifications,
FEDORA-2004-581 & 582, January 3, 2005

Multiple Vendors

Linux kernel 2.2-2.2.25, 2.3, 2.3.99, pre1-pre7, 2.4 .0, test1-test12, 2.4-2.4.28, 2.4.29 -rc2, 2.5 .0-2.5.65

Multiple buffer overflow vulnerabilities exist in the 'drivers/char/moxa.c' file due to insufficient bounds checks prior to copying user-supplied data to fixed-size memory buffers, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for these vulnerabilities.

Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflows
High
Bugtraq, January 7, 2005

Multiple Vendors

Linux kernel 2.4 .0-test1-test12, 2.4-2.4.27

A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.

Upgrades available at:
http://kernel.org/pub/linux/kernel/
v2.4/linux-2.4.28.tar.bz2

SUSE:
ftp://ftp.SUSE.com/pub/SUSE

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-504.html

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates

Currently we are not aware of any exploits for this vulnerability.

 

Multiple Vendors Linux Kernel AF_UNIX Arbitrary Kernel
Memory Modification

CVE Name:
CAN-2004-1068

Medium/ High

(High if arbitrary code can be executed)

Bugtraq, November 19, 2004

SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004

SecurityFocus, December 14, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux kernel 2.4, 2.4 .0 test1-test 12, 2.4-2.4.28, 2.4.29 -rc2, 2.6 .10, 2.6, test1-test11, 2.6.1-2.6.10, 2.6.10 rc2

An integer overflow vulnerability exists in the 'random.c' kernel driver due to insufficient sanitization of the 'poolsize_strategy' function, which could let a malicious user cause a Denial of Service or execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel Random Poolsize SysCTL Handler Integer
Overflow

Low/High

(High if arbitrary code can be executed)

Bugtraq, January 7, 2005

Multiple Vendors

Linux Kernel 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29 -rc2, 2.6, test1-test11, 2.6.1, rc1-rc2, 2.6.2-2.6.9, 2.6.10 rc2

A vulnerability exists in the 'load_elf_library()' function in 'binfmt_elf.c' because memory segments are properly processed, which could let a remote malicious user execute arbitrary code with root privileges.

No workaround or patch available at time of publishing.

A Proof of Concept exploit script has been published.

Linux Kernel uselib() Root Privileges

CVE Name:
CAN-2004-1235

High
iSEC Security Research Advisory, January 7, 2005

Multiple Vendors

Linux Kernel 2.6 - 2.6.10 rc2

The Linux kernel is prone to a local Denial of Service vulnerability. This vulnerability is reported to exist when 'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options are set in the Linux kernel. A local attacker may exploit this vulnerability to trigger a kernel panic and effectively deny service to legitimate users.

Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Linux Kernel Sock_DGram_SendMsg Local Denial of Service

CVE Name:
CAN-2004-1069

Low

Ubuntu Security Notice USN-38-1 December 14, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux Kernel 2.6 - 2.6.9, 2.4 - 2.4.28

Integer overflow vulnerabilities exist that could allow a local user to cause Denial of Service conditions. These overflows exist in ip_options_get() and vc_resize() and a memory leak in ip_options_get().

The vendor has issued a fix in 2.6.10rc3bk5 and possibly also in the 2.4 release candidate.

Ubuntu:
http://security.ubuntu.com/ubuntu/
pool/main/l/linux-source-2.6.8.1/

Fedora:
http://download.fedora.redhat.com/
pub/fedora/linux/core/updates

A Proof of Concept exploit has been published.

Multiple Vendors Linux Kernel ip_options_get() and vc_resize() Integer Overflows
Low

Georgi Guninski Security Advisory #72, December 15, 2004

Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005

Multiple Vendors

Linux Kernel 2.6 .10, 2.6, test-test11, 2.6.1-2.6.10, 2.6.10 rc2

An integer overflow vulnerability exists in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Linux Kernel
SCSI IOCTL Integer Overflow
High
Bugtraq, January 7, 2005

Multiple Vendors

Samba 2.2.9, 3.0.8 and prior

An integer overflow vulnerability in all versions of Samba's smbd 0.8 could allow an remote malicious user to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.

Patches available at:
http://www.samba.org/samba/ftp/patches/
security/samba-3.0.9-CAN-2004-1154.patch

Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-670.html

Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-13.xml

Trustix:
http://www.trustix.net/errata/2004/0066/

Red Hat (Updated):
http://rhn.redhat.com/errata/RHSA-2004-670.html

Fedora:
http://download.fedora.redhat.com/pub
/fedora/linux/core/updates/

SUSE:
http://www.novell.com/linux/security/
advisories/2004_45_samba.html

Mandrakesoft:
http://www.mandrakesoft.com/security/
advisories?name=MDKSA-2004:158

Conectiva:
ftp://atualizacoes.conectiva.com.br/

RedHat:
http://rhn.redhat.com/errata/RHSA-2005-020.html

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendors Samba smbd Security
Descriptor

CVE Name:
CAN-2004-1154

High

iDEFENSE Security Advisory 12.16.04

Red Hat Advisory, RHSA-2004:670-10, December 16, 2004

Gentoo Security Advisory, GLSA 200412-13 / Samba, December 17, 2004

US-CERT, Vulnerability Note VU#226184, December 17, 2004

Trustix Secure Linux Advisory #2004-0066, December 17, 2004

Red Hat, RHSA-2004:670-10, December 16, 2004

SUSE, SUSE-SA:2004:045, December 22, 2004

RedHat Security Advisory, RHSA-2005:020-04, January 5, 2005

Conectiva Linux Security Announcement, CLA-2005:913,January 6, 2005

MySQL

Eventum 1.3.1

Multiple vulnerabilities exist which can be exploited by malicious people to conduct Cross-Site Scripting and script insertion attacks and potentially bypass certain security restrictions. 1) Input passed to the 'email' parameter in 'index.php' and 'forgot_password.php,' and the 'title' and 'outgoing_sender_name' parameters in 'projects.php' is not properly sanitized before being returned to users. 2) Input passed to the 'full_name,' 'sms_email,' 'list_refresh_rate,' and 'emails_refresh_rate' parameters in 'preferences.php' is not properly sanitized 3) Eventum has a undocumented default administrator account.

Upgrades available at:
http://dev.mysql.com/get/Downloads/
eventum/eventum-1.4.tar.gz/from/pick

Currently we are not aware of any exploits for theses vulnerabilities.

MySQL Eventum
Multiple Vulnerabilities
High

CIRT-200404 and CIRT-200405: December 28, 2004

SecurityFocus, January 5, 2005

 

Namazu Project

Namazu 2.0.13 and prior

A vulnerability exists which can be exploited by malicious people to conduct Cross-Site Scripting attacks. Input passed to 'namazu.cgi' isn't properly sanitized before being returned to the user if the query begins from a tab ('%09'). This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Update to version 2.0.14:
http://namazu.org/#download

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

Debian:
http://security.debian.org/pool/updates
/main/n/namazu2/

Currently we are not aware of any exploits for this vulnerability.

Namazu Cross-Site Scripting Vulnerability

CVE Name:
CAN-2004-1318

High

Namazu Security Advisory, December 15, 2004

Debian Security Advisory, DSA 627-1, January 6, 2005

Nuclear Elephant.com

mod_dosevasive 1.9 and prior

A vulnerability exists in 'mod_dosevasive' for Apache that could allow a local user to obtain elevated privileges. The software creates unsafe temporary files. A local user can create a symbolic link (symlink) from a non-existent file on the system to a predictably named temporary file in the '/tmp' directory. When mod_dosevasive is run, the symlinked file will be created with the privileges of the web service.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Nuclear Elephant mod_dosevasive Symlink Flaw
Medium
LSS Security Advisory #LSS-2005-01-01, January 4, 2005

Nullsoft

SHOUTcast 1.9.4

A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. A remote user can supply a specially crafted request to the target server containing format string characters to cause the target service to crash or execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-04.xml

Currently we are not aware of any exploits for this vulnerability.

Nullsoft SHOUTcast Format String Flaw
High

SecurityTracker Alert ID: 1012675, December 24, 2004

Gentoo GLSA 200501-04, January 5, 2005

 

Patric Müller

Vilistextum 2.6.6

A vulnerability was reported in Vilistextum that could allow a remote malicious user to cause arbitrary code to be executed by the target user. A remote user can create a specially crafted HTML file that, when processed by the target user with Vilistextum, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the get_attr() function in 'html.c.'

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-10.xml

A Proof of Concept exploit script has been published.

Patric Müller
Vilistextum get_attr()
Buffer Overflow

CVE Name:
CAN-2004-1299

High

SecurityTracker Alert ID, 1012558, December 16, 2004

Gentoo Linux Security Advisor, GLSA 200501-10, January 6, 2005

PHPGroupWare

PHPGroupWare 0.9.16.03

PHPGroupWare contains multiple input validation vulnerabilities; it is prone to multiple SQL injection and Cross-Site Scripting issues. These issues are all due to a failure of the application to properly sanitize user-supplied input. A malicious user could exploit these vulnerabilities to execute arbitrary code.

Upgrade available at: http://download.phpgroupware.org/now

A Proof of Concept exploit has been published.

PHPGroupWare
Multiple Cross-Site Scripting and SQL Injection
High

GulfTech Security Research December 14th, 2004

SecurityFocus, January 6, 2005

Redhat

GNOME VFS

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/

Fedora:
http://download.fedora.redhat.com/pub/
fedora/linux/core/updates/

SUSE:
http://www.suse.com/en/private/download/
updates/92_i386.html

Avaya:
http://support.avaya.com/japple/css/japple?temp.groupID=
128450&temp.selectedFamily=128451&temp.selectedProduct=
154235&temp.selectedBucket=126655&temp.feedbackState=
askForFeedback&temp.documentID=198525&PAGE=
avaya.css.CSSLvl1Detail&executeTransaction= avaya.css.UsageUpdate()

SGI:
ftp://patches.sgi.com/support/free/security
/patches/ProPack/3/

RedHat:
http://rhn.redhat.com/errata/RHSA-2004-464.html

We are not aware of any exploits for these vulnerabilities.

Red Hat GNOME VFS updates address
extfs vulnerability

CVE Name:
CAN-2004-0494

High

Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004

Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004

SecurityFocus, Bugtraq ID: 10864, December 7, 2004

RedHat Security Advisory, RHSA-2004:464-09, January 5, 2005

Remote Sensing

LibTIFF 3.x

A vulnerability exists potentially can be exploited by malicious people to execute arbitrary code on the target system. The vulnerability is caused due to an unspecified integer overflow in the tiffdump utility.

Gentoo:
http://www.gentoo.org/security/en/glsa/
glsa-200501-06.xml

Currently we are not aware of any exploits for this vulnerability.

Remote Sensing LibTIFF Integer Overflow Vulnerability
in tiffdump
High
Secunia SA13728, January 6, 2005

Russell Marks

zgv Image Viewer 5.5

Several vulnerabilities exist due to various integer overflows when processing images, which could let a remote malicious user execute arbitrary code.

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-12.xml

Debian:
http://www.debian.org/security/2004/dsa-608

The vendor has issued a patch, available at:
| http://www.svgalib.org/rus/zgv
/zgv-5.8-integer-overflow-fix.diff

Gentoo:
http://security.gentoo.org/glsa/
glsa-200501-09.xml

Currently we are not aware of any exploits for these vulnerabilities.

Russell Marks ZGV Image Viewer Multiple Remote Integer
Overflow

CVE Name:
CAN-2004-1095
CAN-2004-0999

High

Bugtraq, October 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-12:01, November 7, 2004

Debian Security Advisory, DSA-608-1 zgv, December 14, 2004

SecurityTracker Alert ID: 1012546, December 16, 2004

Gentoo Linux Security Advisory, GLSA 200501-09, January 6, 2005

Squid-cache.org

Squid 2.x

A remote Denial of Service vulnerability exists in the NTLM fakeauth_auth helper when running under a high load or for a long period of time, and a specially crafted NTLM type 3 message is submitted.

Patch available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch

Currently we are not aware of any exploits for this vulnerability.

Squid NTLM fakeauth_auth Helper Remote Denial of Service
Low
Secunia Advisory,
SA13789, January 11, 2005

Virtual Hosting Control System

Virtual Hosting Control System 2.2

A vulnerability exists due to a file include vulnerability, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required.

Virtual Hosting Control System SQL.PHP Remote File Include

High
SecurityFocus, January 6, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name
Risk
Source

All Enthusiast, Inc.

PhotoPost PHP Pro 4.x

Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 1) Input passed to the "page", "cat", and "si" parameters in "showgallery.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" and "ppuser" parameters in "showgallery.php" isn't sanitized properly before being used in a SQL query.

Update to version 4.86:
http://www.photopost.com/

An exploit script has been published.

All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection
High

GulfTech Security Research Team, January 3, 2005

PacketStorm, January 5, 2005

All Enthusiast, Inc.

ReviewPost PHP Pro 2.x

Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 1) Input passed to the "si" parameter in "showcat.php", "cat" and "page" parameters in "showproduct.php", and "report" parameter in "reportproduct.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" parameter in "showcat.php" and "product" parameter in "addfav.php" isn't properly sanitized before being used in a SQL query. 3) An error in the handling of file uploads for filenames with multiple extensions (e.g. "test.jpg.php.jpg.php") can be exploited.

Update to version 2.84:
http://www.photopost.com/

An exploit script has been published.

All Enthusiast ReviewPost PHP Pro Multiple Vulnerabilities
High

GulfTech Security Research Team, January 3, 2005

PacketStorm, January 5, 2005

Apache Software Foundation

Tomcat 5.x

A Cross-Site Scripting vulnerability exists due to insufficient sanitization of various input passed to the 'Tomcat Manager,' which could let a remote malicious user execute arbitrary HTML and script code.

Patch available at:
http://www.mail-archive.com/tomcat-dev@
jakarta.apache.org/msg66978.html

Proofs of Concept exploits have been published.

Apache Tomcat 'Tomcat Manager' Cross-Site Scripting
High
Secunia Advisory,
SA13737, January 6, 2005

Apple

AirPort Express Firmware 6.1, AirPort Extreme Firmware 5.5

A remote Denial of Service vulnerability exists when used in the Wireless Distribution System (WDS) mode. This issue could allow a remote attacker to cause the base station to stop processing traffic.

Upgrades available at:
http://www.apple.com/support/downloads/

There is no exploit code required.

Apple AirPort Wireless Distribution System Remote Denial of Service

Low
SecurityFocus January 3, 2004

b2evolution.net

b2evolution 0.8.2 .2, 0.8.2, 0.8.6 .2, 0.8.6 .1, 0.8.6, 0.8.7, 0.8.9, 0.9 .0.11, 0.9 .0.10, 0.9 .0.09, 0.9 .0.0, 0.9 .0.05, 0.9 .0.03

A vulnerability exists the '_class_itemlist.php' script due to insufficient sanitization of 'title' parameter, which could let a remote malicious user execute arbitrary code.

Workaround available at:
http://forums.b2evolution.net/viewtopic.php?t=2695

There is no exploit code required.

b2evolution '_class_itemlist.php' Script Input Validation
High
Securiteam, January 9, 2005

Ben3W

2Bgal 2.4 and 2.5.1

A vulnerability exists that can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id_album" parameter is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Upgrade available at:
http://www.ben3w.com/multimedia/
dlcounter.php?selfile=2bgal.zip

A Proof of Concept exploit has been published.

Ben3W 2Bgal "id_album" SQL Injection Vulnerability
High

Secunia SA13620, December 23, 2004

Packetstorm, December 31, 2004

SecurityFocus, January 7, 2005

Cisco Systems

IOS 12.2 ZA, SY, SXB, SXA, (17a) SXA, (14)ZA2, (14)ZA, (14)SY

A remote Denial of Service vulnerability exists when processing Internet Key Exchange (IKE) packets.

Revision 1.2: Updated the 12.2(14)SY03 Release Notes URL in the Software Fixes and Versions section.

Updates available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml

Currently we are not aware of any exploits for this vulnerability.

Cisco IOS Malformed IKE Packet Remote
Denial of Service
Low

Cisco Security Advisory 50430, April 8, 2004

Cisco Security Advisory 50430 Rev. 1.2, January 5, 2005

Cisco Systems

IOS R12.x, 12.x

 

A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port.

Revision 2.4: Updated availability information for IOS releases. Corrected fixed software version for 12.1E Maintenance release.

Potential workarounds available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-
telnet.shtml

Currently we are not aware of any exploits for this vulnerability.

Cisco IOS Telnet Service Remote Denial of Service
Low

Cisco Security Advisory, cisco-sa-20040827, August 27, 2004

US-CERT Vulnerability Note VU#384230

Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004

Cisco Security Advisory, 61671 Rev 2.3, October 31, 2004

Cisco Security Advisory, 61671 Rev 2.4, December 31, 2004

David Barrett

QwikiWiki 1.4.1

A Directory Traversal vulnerability exists due to insufficient validation of the 'page' parameter, which could let a remote malicious user obtain sensitive information.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

David Barrett QwikiWiki Remote Directory Traversal
Medium
Securiteam, January 5, 2005

IBM

DB2 Universal Database for AIX 7.0-7.2, 8.0, 8.1, DB2 Universal Database for HP-UX 7.0-7.2. 8.0, 8.1, DB2 Universal Database for Linux 7.0-7.2, 8.0, 8.1, DB2 Universal Database for Solaris 7.0-7.2, 8.0, 8.1, IBM DB2 Universal Database for Windows 7.0-7.2, 8.0, 8.1

A vulnerability exists in the XMLVarcharFromFile and XMLClobFromFile functions, which could let a remote malicious user corrupt data, obtain sensitive information, and ultimately execute arbitrary code.

Patches available at:
http://www-306.ibm.com/software/data/db2/udb/
support/downloadv8.htm

Currently we are not aware of any exploits for this vulnerability.

IBM DB2 XML Function

Medium/ High

(High if arbitrary code can be executed)

NGSSoftware Insight Security Research Advisory, NISR05012005I, January 5, 2005

Invision Power Services

Invision Community Blog 1.0

A vulnerability exists in the 'eid' parameter due to insufficient input validation, which could let a remote malicious user inject SQL commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

Invision Community Blog Input Validation
Medium
Bugtraq, January 9, 2005

Mozilla,.org

Firefox 0.8, 0.9-0.9.3, 0.10, 0.10.1

Multiple vulnerabilities exist: a vulnerability exists because web sites may include images from local resources, which could let a malicious user obtain sensitive information, cause a Denial of Service, and potentially steal passwords from Windows systems; a vulnerability exists in the file download dialog box because filenames are truncated, which could let a malicious user spoof downloaded file names; and a vulnerability exists on MacOSx because Firefox is installed with world-writable permissions, which could let a malicious user obtain elevated privileges.

Upgrades available at:
http://www.mozilla.org/products/firefox/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

An exploit script is not required

Mozilla Firefox Multiple Vulnerabilities

Low/ Medium

(Low if a DoS)

Secunia Advisory,
SA13144, November 10, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Mozilla

Mozilla 1.7.3

A heap overflow vulnerability exists in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system. A remote user can create a specially crafted 'news://' URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The flaw resides in the *MSG_UnEscapeSearchUrl() function in 'nsNNTPProtocol.cpp'.

The vendor has issued a fixed version (1.7.5), available at: http://www.mozilla.org/products/mozilla1.x/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

A Proof of Concept exploit has been published.

Mozilla Buffer Overflow in Processing NNTP URLs
High

iSEC Security ResearchAdvisory, December 29, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

Multiple Vendors

Ericsson T610;
Motorola V600, V80; Nokia 6310i

A vulnerability exists in the application layer, and not in the actual Bluetooth protocol layer, which could let a remote malicious user utilize the mobile device to act as a modem.

No workaround or patch available at time of publishing.

There is no exploit code required.

Multiple Vendor Bluetooth Device Unauthorized Serial Command Access
Medium
SecurityFocus, January 4, 2005

Multiple Vendors

Microsoft Internet Explorer 6.0, SP1&SP2; Mozilla Firefox 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1;
Netscape Navigator 7.0, 7.0.2, 7.1, 7.2, Netscape 7.0

Multiple vulnerabilities exist in the image handling functionality through the <IMG> tag, which could let a remote malicious user cause a Denial of Service, and obtain sensitive information.

Mozilla:
http://www.mozilla.org/products/firefox/

Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml

A Proof of Concept exploit has been published.

Multiple Browser IMG Tag Multiple Vulnerabilities

Low/ Medium

(Medium if sensitive information can be obtained)

SecurityFocus, November 10, 2004

Gentoo Linux Security Advisor, GLSA 200501-03, January 5, 2005

MyBB Group

MyBulletinBoard RC4

A vulnerability exists in the 'member.php' script due to insufficient validation of the 'uid' parameter, which could let al remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit script has been published.

MyBulletinBoard MEMBER.PHP SQL Injection
High
Securiteam, January 5, 2005

Noah Grey

Greymatter 1.1 b, 1.2, 1.3, 1.21 a-1.21d, 1.21

A vulnerability exists in the 'gm-comments.cgi' script due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published.

Noah Grey Greymatter 'GM-Comments.CGI' HTML Injection
High
SecurityFocus, January 6, 2005

Noah Grey

Greymatter 1.3

Several vulnerabilities exist: a vulnerability exists in the main entry pages' section because a temporary file is created that contained the username and plaintext password when rebuilding the section, which could let a remote malicious user obtain sensitive information; and a vulnerability exists in 'GM-CPLog.CGI' due to insufficient sanitization of user-supplied input during login, which could let a malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published for the HTML injection vulnerability.

Noah Grey Greymatter Password Disclosure & HTML Injection

Medium/ High

(High if arbitrary code can be executed)

SecurityFocus, January 6, 2005

Novell

Netware 5.1, SP4-SP6, 6.0 , SP1-SP3

A remote Denial of Service vulnerability exists in 'CIFS.MLM.'

Patches available at:
http://support.novell.com/servlet/filedownload/sec/
pub/cifspt6.exe

There is no exploit code required.

Novell Netware CIFS.NLM Remote Denial of Service
Low
Novell Technical Information Document, TID2970488, January 5, 2005

NZEO

Zeroboard 4.x

A vulnerability exists in 'error.php' due to insufficient verification of the 'dir' parameter, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Zeroboard 'error.php' Include File
High
Secunia Advisory,
SA13769, January 10, 2005

SugarCRM Inc.

SugarCRM 1.0 g, 1.0 f, 1.0, 1.1 a-1.1 f, 1.1, 1.5 d, 2.0.1 a, 2.0.1, SugarSales 2.0.1 c

A vulnerability exists in the 'moduleDefaultFile' array due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however a Proof of Concept exploit has been published.

SugarCRM/SugarSales 'moduleDefaultFile' array
High
Securiteam, January 9, 2005

Sun Microsystems, Inc.

Sun Java JRE 1.3.x, 1.4.x,
Sun Java SDK 1.3.x, 1.4.x; Conectiva Linux 10.0; Gentoo Linux;
HP HP-UX B.11.23, B.11.22, B.11.11, B.11.00,
HP Java SDK/RTE for HP-UX PA-RISC 1.3,
HP Java SDK/RTE for HP-UX PA-RISC 1.4; Symantec Gateway Security 5400 Series v2.0.1, v2.0, Enterprise Firewall v8.0

A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets.

Updates available at:
http://sunsolve.sun.com/search/
document.do?assetkey=1-26-57591-1

Conectiva:
ftp://atualizacoes.conectiva.com.br/10/

Gentoo:
http://security.gentoo.org/glsa/glsa-200411-38.xml

HP:
http://www.hp.com/go/java

Symantec:
http://securityresponse.symantec.com/avcenter/
security/Content/2005.01.04.html

Currently we are not aware of any exploits for this vulnerability.

Sun Java Plug-in Sandbox Security Bypass

CVE Name:
CAN-2004-1029

Medium

Sun(sm) Alert Notification, 57591, November 22, 2004

US-CERT Vulnerability Note, VU#760344, November 23, 2004

Conectiva Linux Security Announcement, CLA-2004:900, November 26, 2004

Gentoo Linux Security Advisory, GLSA 200411-38, November 29, 2004

HP Security Bulletin,
HPSBUX01100, December 1, 2004

Sun(sm) Alert Notification, 57591, January 6, 2005 (Updated)

Symantec Security Response, SYM05-001,
January 4, 2005

 

 

 

Symantec

Brightmail Anti-Spam 6.0.1

Two vulnerabilities exist: a remote Denial of Service vulnerability exists because the Sieve module fails to recognize malformed RFC 822 MIME attachment boundaries; and a remote Denial of Service vulnerability exists because Spamhunter fails to convert certain valid character encoding sets to UTF.

Patch available at:
ftp://ftp.symantec.com/public/english_us_
canada/products/sba/sba_60x/updates/Patch134.zip

Currently we are not aware of any exploits for these vulnerabilities.

Symantec Brightmail Remote Denials of Service
Low

SecurityTracker Alert ID, 1012612, December 17, 2004

US-CERT Vulnerability Note, VU#697598, January 6, 2005

Vayris

Amphora Gate

A vulnerability exists in the 'free_loginpage.php' page because the '/validacion.php' page can be loaded using the previously assigned authentication credentials, which could let a remote malicious user obtain administrative access.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Vayris Amphora Gate Administrative Access
High
SecurityTracker Alert, 1012825, January 10, 2005

WoltLab

Burning Board Lite 1.0.0, 1.0.1 e

A Cross-Site Scripting vulnerability exists in 'formmail.php' due to insufficient sanitization of the 'userid' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

WoltLab Burning Board Lite Form Mail Script Cross-Site Scripting
High
Secunia Advisory,
SA13782, January 11, 2005

xisc.com

PRADO Framework version 1.5 & prior

A vulnerability exists in the 'phonebook.php' script due to insufficient validation of the 'page' parameter, which could let a remote malicious user execute arbitrary code.

Update available at:
http://sourceforge.net/project/showfiles.php?group_id=118087

A Proof of Concept exploit has been published.

PRADO 'phonebook.php' Include File
High
Securiteam, January 9, 2005

yahoopops.sourceforge.
net

YPOPs! 0.x

Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://home.comcast.net/~dbeusee/yahoopops_0_6_050104.zip

Proofs of Concept exploit scripts have been published.

YPOPs! Buffer Overflows
High

Hat-Squad Advisory, September 27, 2004

SecurityFocus, October 18, 2004

SecurityFocus, January 6, 2005

Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
January 11, 2005 tcpick-0.2.0.tar.gz
N/A
A textmode sniffer that can track TCP streams and saves the data captured in files or displays them in the terminal.
January 7, 2005 amp2zero.zip
No
Proof of Concept for the Amp II 3D game engine Remote Denial of Service vulnerability.
January 7, 2005 gr_poolsize.c
No
Proof of Concept Denial of Service exploit for the Linux Kernel Random Poolsize SysCTL Handler Integer Overflow vulnerability.
January 7, 2005 isec-0021-uselib.txt
binfmt_elf.c
No
Exploits for the Linux Kernel uselib() Root Privileges vulnerability.
January 7, 2005 libvg-0.3.0.tar.gz
N/A
First public released of libvg, a runtime process manipulation library that was designed to provide a powerful and portable interface for writing non-complex programs that can get or change information of processes on the system.
January 7, 2005 mlock-dos.tgz
No
Proof of Concept exploit for the Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial of Service vulnerability.
January 7, 2005 phpbb.ssh.D.tx
N/A
New version of the phpBB worm with bot install that makes use of Altavista.
January 6, 2005 sql-injection.html
N/A
Whitepaper discussing SQL injection attacks that gives an illustrated overview showing the process of how these attacks are performed.
January 6, 2005 un-htget_0.9x.txt
Yes
Exploit for the J Whitham HTGET Buffer Overflow vulnerability.
January 6, 2005 WINACE-WINHKI ZIP TRANSVERSAL.zip
winace gz file transversal.gz
No
Proof of Concept exploits for the Winace Remote Directory Traversal vulnerability.
January 5, 2005 firewallbypass.tgz
N/A
A generic problem of common personal firewall products is the allowance of shortcuts or interfaces for controlling traffic. Manipulation of these functions can allow for firewall bypass altogether. Various proof of concepts are included for products such as Zone Alarm, Kerio, Agnitium Outpost firewall, Kaspersky Anti-Hacker, Symantec's Norton Personal Firewall, and more.
January 5, 2005 hydra-4.5-src.tar.gz
N/A
A high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.
January 5, 2005 mybbSQL.txt
No
Exploit for the MyBulletinBoard MEMBER.PHP SQL Injection vulnerability.
January 5, 2005 PhotoPost.txt
Yes
Exploit for the All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection vulnerabilities.
January 5, 2005 QWikiwiki.txt
No
Exploit for the QwikiWiki Remote Directory Traversal vulnerability.
January 5, 2005 ReviewPost.txt
Yes
Exploit for the All Enthusiast ReviewPost PHP Pro vulnerability.
January 5, 2005 scanner_ndde.c
N/A
NetDDE scanner that makes use of a remote code execution vulnerability due to an unchecked buffer.
January 5, 2005 thc-pptp-bruter-0.1.4.tar.gz
N/A
A brute force program that works against pptp vpn endpoints (tcp port 1723). It is fully standalone and supports the latest MSChapV2 authentication and exploits a weakness in Microsoft's anti-brute force implementation which makes it possible to try 300 passwords the second.
January 5, 2005 top_ex.pl
Yes
Proof of concept exploit for an old format string vulnerability in setuid versions of top. This vulnerability has popped back up in the Solaris 10 Companion CD.
January 4, 2005 SInAR-0.1.tar.gz
N/A
SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress.
January 4, 2005 soldnersock.tar
soldnersock.zip
No
Script that exploits the Soldner Secret Wars Denial of Service vulnerability.
December 31, 2004 DAV1.1-PoC.pl
No
A Proof of Concept exploit for the Microsoft FrontPage 2000 Internet Publishing Service Provider DAV File Upload Vulnerability.

[back to top]

Trends
  • The US-CERT has received reports of new phishing scams targeting users sympathetic to the Tsunami tragedy that occurred in Southeast Asia. The US-CERT recommends using caution when reviewing solicitations for donations to help with the disaster and to only donate to reputable charities. A list of reputable charities working to help the victims of the Tsunami can be found here:
    http://www.cnn.com/2004/WORLD/asiapcf/12/28/tsunami.aidsites/
  • Cyota, the leading provider of anti-fraud solutions for financial institutions, announced some of the key findings from its second annual Financial Institution Online Fraud Survey, conducted in November 2004.
    • 50% of Accountholders Have Received Phishing Emails;
    • Over 40% of Online Bankers Share Passwords Between Banks
    • 37% of online bankers use their online banking password at other, less secure sites
    • 79% of accountholders check for the little lock on the bottom of a secure web page, however less than 40% actually click on the lock to view the security certificate
    • 70% of accountholders are less likely to respond to an email from their bank, and more than half are less likely to sign-up or continue to use their bank’s online services due to phishing. For more information, see http://www.cyota.com/viewReleases.cfm?id=78

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trends
Date
1
Netsky-P Win32 Worm Stable March 2004
2
Zafi-B Win32 Worm Slight Increase June 2004
3
Bagle-AU Win32 Worm Slight Increase October 2004
4
Sober-I Win32 Worm Decrease November 2004
5
Bagle-AA Win32 Worm Stable April 2004
6
Bagle.AT Win32 Worm Increase October 2004
7
Netsky-D Win32 Worm Slight Decrease March 2004
8
Bagle.BB Win32 Worm Increase September 2004
9
Netsky-Q Win32 Worm Decrease March 2004
10
Netsky-B Win32 Worm Return to Table February 2004

Table Updated January 11, 2005

Viruses or Trojans Considered to be a High Level of Threat

  • Viruses or Trojans Considered to be a High Level of Threat

    • LNK_ACESPADES.A: This is the first known .LNK file infector and is designed as a Proof of Concept virus. This file infector arrives as an .LNK file. Upon execution by a user, it overwrites all .LNK files in the folder where it is executed. These type of files are shortcut files, which are usually placed on the desktop for easy access to programs.
    • Lasco.A spreads itself by searching all SIS installation files in the infected device, and inserts itself as embedded SIS file into them. Therefore any SIS file in the device that gets copied to another phone, as frequently happens as people swap software, will also contain a copy of Lasco.A. In addition to spreading in infected SIS files, Lasco.A will also spread by sending itself directly via bluetooth like Cabir worms do, and Lasco.A will be able to spread from one device to another without a reboot.

The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.

NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.

Name
Aliases
Type
32/Sdbot-TB   Win32 Worm
32/Woned-A   Win32 Worm
Backdoor.Alets.B   Trojan
Backdoor.Berbew.N   Trojan
Backdoor.Sdbot.AJ   Network Worm
Backdoor.Tjserv.B TrojanProxy.Win32.Agent.br
Proxy-TJServ
Trojan
Backdoor.Tjserv.C   Trojan
Backdoor.XTS.B   Trojan
Bloodhound.Exploit.22   Trojan
CiaDoor Backdoor.CiaDoor Trojan
Gaobot.CKP   Worm
HTML.HelpControl!exploit HTMLHelpControl.Exploit.Trojan Trojan
Lasco.A SymbOS/Lasco.A
EPOC/Lasco.A
Symbian OS Worm
LNK_ACESPADES.A   .LNK file infector
PE_VLASCO.A  

File Infector

Sdbot-SW   Win32 Worm
SYMBOS_VLASCO.B Worm.SymbOS.Cabir.f
Worm.SymbOS.Lasco.a
Symbian OS virus
Troj/Feutel-A Backdoor.Win32.Feutel.a
BackDoor-AWQ.b
Trojan
TROJ_CLICKER.S Trojan-Clicker.Win32.Small.br
Trj/Clicker.AE
Troj/AdClick-BR
Trojan
Trojan.Dimi   Trojan
Trojan.Feutel   Trojan
Trojan.Goldun   Trojan
Trojan.Hako   Trojan
Trojan.Minit   Trojan
TrojanDownloader.Win32.Krepper.i TR/Dldr.Krepper.I.2
Downloader.Krepper.L
Trojan.Downloader.Krepper.I
Adware/Replace
Trojan
VBS/Mcon-G VBS/Pica.worm.gen
VBS_MCON.A
VBS.Sorry.A, VBS.Mcon.c
Visual Basic Script Worm
W32.Kobot.B W32/Danshbot.worm Win32 Worm
W32.Looked.B   Win32 Worm
W32.Rahack Backdoor.Win32.Agent.go
W32/RAHack
Win32 Worm
W32.Spybot.HUR   Win32 Worm
W32/Agobot-ADH WORM_AGOBOT.ADH Win32 Worm
W32/Agobot-OT   Win32 Worm
W32/Agobot-OU   Win32 Worm
W32/Agobot-OV Backdoor.Win32.Agobot.gen Win32 Worm
W32/Forbot-DK   Win32 Worm
W32/Mirsa@MM   Win32 Worm
W32/Mugly.d@MM   Win32 Worm
W32/Pikis-B I-Worm.Pikis.c
W32/Pikis!p2p
Win32 Worm
W32/Rbot-SQ   Win32 Worm
W32/Rbot-SX   Win32 Worm
W32/Rbot-TD   Win32 Worm
W32/Rbot-TE   Win32 Worm
W32/Sdbot-TA Backdoor.Win32.IRCBot.j
W32/Sdbot.worm.gen.t
Win32 Worm
W32/Wurmark-D W32/Mugly.gen@MM Win32 Worm
Win32.Benuti.K ROJ_AGENT.IV
Troj/Bdoor-AY
Win32/Life4.Downloader.Trojan
Backdoor.Lifefournow
Trojan-Proxy.Win32.Agent.l
Win32 Worm

Win32.Bloon.A

Win32/Bloon.A.Trojan Trojan
Win32.Chopemail HotWorld
Win32.Chopemail.A
HTML.Chopemail.A
HTML.Chopemail.B
Win32.Chopemail.B
HTML/Chopemail.B.Trojan
HTML_CONYC.A
Troj/ConycSp-A
TROJ_CONYCSPA.A
Win32/Conycspa.A.Trojan
W32.Conycspa@mm
Trojan.Win32.Conycspa.a
Trojan.Win32.Delf.gq
Trojan
Win32.ForBot.KW Backdoor.Win32.Wootbot.ai Win32 Worm
Win32.OutsBot.C BackDoor-AZV
W32/Backdoor.LY
Win32/OutsBot.C.Trojan
Troj/Santabot-A
Backdoor.Sdbot
Backdoor.Win32.Small.ct
Win32 Worm
Winxor.A Bck/Winxor.A Trojan
WmvDown.A Trj/WmvDownloader.A Trojan
WmvDown.B Trj/WmvDownloader.B Trojan
WORM_GIFT.C W32.Gift.32768
W32/Gift@mm
Win32/HLLW.Gift
I-Worm.Gift
Win32 Worm
WORM_SDBOT.CCD   Internet Worm
WORM_SPYBOT.AAR W32.Spybot.Worm Win32 Worm

[back to top]

 

 

 

Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top