U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB05-215)

Summary of Security Items from July 27 through August 2, 2005

Original release date: August 05, 2005

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Wireless

Vulnerabilities

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Alt-N Technologies

MDaemon prior to V8.1.0

An input validation vulnerability has been reported in MDaemon (attachment quarantine feature) that could let remote malicious users to traverse directories and write arbitrary files.

A vendor fix is available:
http://files2.altn.com/MDaemon/Release/

There is no exploit code required; however, Proof of Concept exploits have been published.

Alt-N MDaemon Directory Traversal and Arbitrary File Writing

Medium

Security Tracker, Alert ID: 1014589, July 28, 2005

Business Objects

Crystal Reports Server XI; Business Objects Enterprise Server XI

 

A vulnerability has been reported in Crystal Reports Server/ Business Objects Enterprise Server that could let remote malicious users cause a Denial of Service.

A vendor update is available:
http://support.businessobjects.com
/fix/hot/critical/bulletins/
security_bulletin_
june05.asp

Currently we are not aware of any exploits for this vulnerability.

Crystal Reports/ Business Objects Enterprise Server Denial of Service
Low Security Tracker Alert ID: 1014604 & 1014605, August 1, 2005

Cerulean Studios

Trillian Basic 3.1

A vulnerability has been reported in Trillian that could let local malicious users disclose other user's information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Trillian User Information Disclosure Medium Secunia, Advisory: SA16289, August 1, 2005

Filezilla

Filezilla Server prior to V0.9.9

A zlib vulnerability has been reported in FileZilla Server which could let remote malicious users perform a Denial of Service.

Upgrade to V0.9.9:
http://sourceforge.net/
project/showfiles.php?
group_id=21558

Currently we are not aware of any exploits for this vulnerability.

FileZilla Server Denial of Service Low Secunia, Advisory: SA16251, July 28, 2005

Microsoft

Microsoft Office 2000

A shared section permissions vulnerability has been reported in Microsoft Office that could let local malicious users cause a Denial of Service.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Office Denial of Service Low Secunia, Advisory: SA16256, July 29, 2005

NetCPlus

BusinessMail Server V4.6

An SMTP command validation vulnerability has been reported in BusinessMail Server that could let remote malicious users crash the server.

No workaround or patch available at time of publishing.

Proof of Concept exploits have been published.

BusinessMail Server SMTP Command Validation Error Remote Denial of Service
Low Secunia AdvusirtL SA16306, August 1, 2005

Novell

eDirectory V8.x

A password challenge vulnerability has been reported in eDirectory (NMAS) that could let local malicious users bypass security restrictions to change another user's password.

Upgrade to NMAS V2.3.8:
http://support.novell.com/
cgi-bin/search/searchtid.cgi?/
2971485.htm

There is no exploit code required.

Novell eDirectory Security Bypassing Medium Secunia, Advisory: SA16267, July 29, 2005

TrendMicro

OfficeScan V5.58 POP3 Module

A shared section permissions vulnerability has been reported in Access Connections that could let local malicious users disclose information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Trend Micro OfficeScan Information Disclosure Medium Security Focus, 14448, August 1, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Apple

Mac OS X Server 10.4-10.4.2, 10.3-10.3.9, 10.2-10.2.8, 10.0, 10.1-10.1.5, OS X 10.4-10.4.2, 10.3 -10.3.9, 10.2 -10.2.8, 10.1-10.1.5, 10.0-10.0.4

A buffer overflow vulnerability has been reported in Apple Font Book when handling font collection files due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Apple Mac OS X Font Book Font Collection Buffer Overflow High Security Focus, 14445, August 1, 2005

FreeBSD

IPSec AES-XCBC-MAC Algorithm V5.3, 5.4, 6.0Beta

A vulnerability has been reported in FreeBSD's IPSec AES-XCBC-MAC Algorithm, which could allow for incorrect key usage, and consequently allow remote malicious users to connect via unauthorized IPSec connections.

A vendor patch is available:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:19/

There is no exploit code required.

FreeBSD IPSec AES-XCBC-MAC Algorithm Unauthorized Connections

CAN-2005-2359

Medium FreeBSD Security Advisory FreeBSD-SA-05:19, July 27, 2005

Info-ZIP

UnZip 5.52

A vulnerability has been reported due to a security weakness when extracting an archive to a world or group writable directory, which could let a malicious user modify file permissions.

No workaround or patch available at time of publishing.

There is no exploit code required.

Info-ZIP UnZip File Permission Modification Medium Security Focus, 14450, August 2, 2005

Kadu

Kadu V0.4.0

An integer overflow vulnerability has been reported in Kadu (libgadu) which could let remote malicious users cause a Denial of Service.

Upgrade to version 0.4.1:
http://www.kadu.net/wiki/
index.php/English:Main_Page

Gentoo:
http://www.gentoo.org/
security/en/glsa/
glsa-200507-26.xml

Currently we are not aware of any exploits for this vulnerability.

Kadu Denial of Service

CAN-2005-1852

Low

Secunia, Advisory: SA16238, July 27, 2005

Gentoo Security Advisory, GLSA 200507-26, July 27, 2005

Multiple Vendors

zlib 1.2.2, 1.2.1; Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Debian Linux 3.1 sparc
Debian Linux 3.1, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha

A remote Denial of Service vulnerability has been reported due to a failure of the library to properly handle unexpected compression routine input.

Zlib:
http://www.zlib.net/
zlib-1.2.3.tar.gz

Debian:
http://security.debian.org/
pool/updates/main/z/zlib/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/z/zlib/

OpenBSD:
http://www.openbsd.org/
errata.html#libz2

Mandriva:
http://www.mandriva.com/
security/ advisories?name=
MDKSA-2005:124

Fedora:
http://download.fedora.
redhat.com/ pub/fedora
/linux/core/updates/

Slackware:
http://slackware.com/
security/viewer.php?
l=slackware-security&y=2005&
m=slackware-security.323596

FreeBSD:
ftp://ftp.freebsd.org/
pub/FreeBSD/CERT/advisories
/FreeBSD-SA-05:18.zlib.asc

SUSE:
http://lists.suse.com/
archive/suse-security-announce
/2005-Jul/0007.html

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-28.xml

http://security.gentoo.org/
glsa/glsa-200508-01.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendor Zlib Compression Library Decompression Remote Denial of Service

CAN-2005-1849

Low

Security Focus, 14340, July 21, 2005

Debian Security Advisory DSA 763-1, July 21, 2005

Ubuntu Security Notice, USN-151-1, July 21, 2005

OpenBSD, Release Errata 3.7, July 21, 2005

Mandriva Security Advisory, MDKSA-2005:124, July 22, 2005

Secunia, Advisory: SA16195, July 25, 2005

Slackware Security Advisory, SSA:2005-203-03, July 22, 2005

FreeBSD Security Advisory, SA-05:18, July 27, 2005

SUSE Security Announcement, SUSE-SA:2005:043, July 28, 2005

Gentoo Linux Security Advisory, GLSA 200507-28, July 30, 2005

Gentoo Linux Security Advisory, GLSA 200508-01, August 1, 2005

Multiple Vendors

dhcpcd 1.3.22

A vulnerability has been reported in dhcpcd that could let a remote user perform a Denial of Service.

Debian:
http://security.debian.org/
pool/updates/main/d/dhcpcd/

Mandriva:
http://www.mandriva.com/
security/advisories

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-16.xml

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/ index.php?id=a&
anuncio=000983

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-603.html

Currently we are not aware of any exploits for this vulnerability.

dhcpcd Denial of Service

CAN-2005-1848

Low

Secunia, Advisory: SA15982, July 11, 2005

Debian Security Advisory, DSA 750-1, July 11, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:117, July 13, 2005

Gentoo Linux Security Advisory, GLSA 200507-16, July 15, 2005

Conectiva, CLSA-2005:983, July 25, 2005

RedHat Security Advisory, RHSA-2005:603-07, July 27, 2005

Multiple Vendors

KDE kopete 0.9-0.9.3, 3.4, 3.4.1, 3.3-3.3.2, 3.2.3; Wojtek Kaniewski ekg 1.1-1.6 rc1&rc2, 2005-06-05 22:03, 2005-04-11

 

Multiple vulnerabilities have been reported in 'libgadu.c' due to input validation errors and an integer overflow, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

EKG
http://dev.null.pl/ekg/
download.php

KDE:
ftp://ftp.kde.org/pub/
kde/security_patches/

Fedora:
http://download.fedora.
redhat.com/ pub/fedora
/linux/core/updates/

Slackware:
http://slackware.com/security/
viewer.php?l=
slackware-security&
y=2005&m=slackware-
security.355986

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200507-23.xml

Debian:
http://www.debian.org/
security/2005/dsa-767

Currently we are not aware of any exploits for these vulnerabilities.

EKG 'LIbGadu' Multiple Vulnerabilities

CAN-2005-1852

High

Security Tracker Alert ID: 1014539, July 21, 2005

Secunia, Advisory: SA16194, July 25, 2005

Slackware Security Advisory, SSA:2005-203-02, July 22, 2005

Gentoo Security Advisory, GLSA 200507-23 kopete, July 25, 2005

Debain Security Advisory, DSA-767-1, July 27, 2005

Multiple Vendors

Novell Evolution 2.0.2-2.0.4; LibTIFF 3.6.1; sy Software Products CUPS 1.1.12-1.1.23, 1.1.10, 1.1.7, 1.1.6, 1.1.4 -5, 1.1.4-3, 1.1.4 -2, 1.1.4, 1.1.1, 1.0.4 -8, 1.0.4; Ubuntu 4.10, 5.04

A remote Denial of Service vulnerability has been reported due to insufficient validation of specific header values.

Libtiff:
http://freshmeat.net/redir/
libtiff/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/t/tiff/

A Proof of Concept exploit has been published.

LibTiff Tiff Image Header Remote Denial of Service Low

Security Focus 14417, July 29, 2005

Ubuntu Security Notice, USN-156-1, July 29, 2005

MySQL AB

Eventum 1.5.5, 1.5.4, 1.4, 1.3.1, 1.3, 1.2-1.2.2, 1.1

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'view.php' due to insufficient sanitization of the 'id' parameter, in 'list.php' due to insufficient sanitization of the 'release' parameter, and in 'get_jrs_data.php' due to insufficient sanitization of the 'F' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported due to insufficient sanitization of input to the release, report, and authentication classes before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Updates available at:
http://dev.mysql.com/get/
Downloads/eventum/

There is no exploit code required; however, a Proof of Concept exploit has been published.

MySQL Eventum Cross-Site Scripting & SQL Injection High Securiteam, August 2, 2005
Netquery V3.1

Multiple vulnerabilities have been reported in Netquery that could allow a remote malicious user to perform cross site scripting, execute arbitrary code, or disclose information.

No workaround or patch available at time of publishing.

Another exploit script has been published.

Netquery Multiple Vulnerabilities High

Security Focus, 14373, July 25, 2005

Security Focus, 14373, August 1,2005

ProFTPd

Multiple format string vulnerabilities have been reported in ProFTPd that could let remote malicious users cause a denial of service or disclose information.

Upgrade to version 1.3.0rc2:
http://www.proftpd.org/

Gentoo:
http://www.gentoo.org/
security/en/glsa/
glsa-200508-02.xml

Currently we are not aware of any exploits for this vulnerability.

ProFTPD Denial of Service or Information Disclosure

CAN-2005-2390

Medium

Secunia, Advisory: SA16181, July 26, 2005

Gentoo Linux Security Advisory, GLSA 200508-02, August 1, 2005

Sun Micro-systems, Inc.

Solaris 10.0, 9.0 _x86, 9.0

A vulnerability has been reported in LD_AUDIT,' which could let a malicious user obtain superuser privileges.

Workaround and patch information available at:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-101794-1

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-162.pdf

An exploit script has been published.

Sun Solaris Runtime Linker 'LD_AUDIT' Elevated
Privileges

CAN-2005-2072

High

Security Focus, 14074, June 28, 2005

Sun(sm) Alert Notification, 101794, June 28, 2005

Sun(sm) Alert Notification, 101794, Updated July 12, 13, 15, 2005

Avaya Security Advisory, ASA-2005-162, August 2, 2005

University of Minnesota

gopherd 3.0.9, 3.0.7, 3.0.3

A vulnerability has been reported in 'gopher.c' due to the failure to verify a file's existence before writing to it, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/
pool/updates/main/g/gopher

There is no exploit code required.

Gopher Insecure Temporary File Creation

CAN-2005-1853

Medium Debian Security Advisory, DSA 770-1, July 29, 2005
Vim V6.3.082

A vulnerability has been reported in Vim that could let remote malicious users execute arbitrary code.

Vendor patch available:
ftp://ftp.vim.org/pub/vim/
patches/6.3/6.3.082

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/v/vim/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

There is no exploit code required; however, Proof of Concept exploits have been published.

Vim Arbitrary Code Execution

CAN-2005-2368

High

Security Focus, 14374, July 25, 2005

Ubuntu Security Notice, USN-154-1, July 26, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0038, July 29, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

AderSoftware

CFBB 1.1

A Cross-Site Scripting vulnerability has been reported in 'Index.cfm' due to insufficient sanitization of the 'page' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

AderSoftware CFBB Index.CFM Cross-Site Scripting High Security Focus, 14440, August 1, 2005

Azndragon

Ragnarok Online Control Panel
4.3.4 a

A vulnerability has been reported due to the way PHP variables are handled, which could let a remote malicious user bypass user authentication.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Ragnarok Online Control Panel Authentication Bypass Medium Secunia Advisory: SA16287, August 2, 2005

Blue Magic
Board

BMForum Plus!
V2.61, 3.0RC1, 3.0RC4

An input validation vulnerability has been reported in BMForum Plus! that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

BMForum Plus! Cross-Site Scripting High Secunia, Advisory: SA16224, July 27, 2005

Calacode

@Mail V4.03Win, 4.11Unix

Multiple vulnerabilities have been reported in @Mail that could allow remote malicious users to perform Cross-Site Scripting.

Vendor patch available:
http://calacode.com/patch.pl

There is no exploit code required; however, Proof of Concept exploits have been published.

Calacode @Mail Cross-Site Scripting High Secunia, Advisory: SA16252, July 29, 2005

ChurchInfo

ChurchInfo 1.2.2

SQL injection vulnerabilities have been reported in 'WhyCameEditor.php' due to insufficient sanitization of the 'PersonID' parameter, in 'DepositSlipEditor.php' due to insufficient sanitization of the 'DepositSlipID' parameter, and in 'AutoPaymentEditor.php,' 'CanvassEditor.php,' and Canvas05Editor.php' due to insufficient sanitization of the 'FamilyID' parameter, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported because the full path to certain scripts can be obtained by accessing them directly. Note: Successful exploitation requires that the user has been authenticated.

No workaround or patch available at time of publishing.

There is no exploit code required.

ChurchInfo SQL Injections & Path Disclosure High Security Focus, 14438, August 1, 2005

Cisco

Cisco IOS
12.4 & prior 12.x versions

An IPv6 packet handling vulnerability has been reported in Cisco IOS that could let local malicious users cause a remote Denial of Service or potentially execute arbitrary code.

Vendor fix available:
http://www.cisco.com/warp
/public/707/cisco-sa-20050729-
ipv6.shtml#software

A working Proof of Concept exploit has been developed; however, it is currently not publicly available.

Cisco IOS Remote Denial of Service or Arbitrary Code Execution High

Cisco Security Advisory, Document ID: 65783 Revision 1.5, August 1, 2005

US-CERT VU#930892

Cisco Systems

IOS 11.1-12.0

A buffer overflow vulnerability exists when a malformed OSPF (Open Shortest Path First) packet is submitted, which could let a malicious user cause a Denial of Service or execute arbitrary code.

Cisco customers should contact the vendor for details on obtaining fixes.

An exploit script has been published.

Cisco IOS OSPF Neighbor Buffer Overflow

CAN-2003-0100

High

Security Focus, February 21, 2003

US-CERT VU#959203

Clever Copy

Clever Copy
V2.0 & 2.0a

Multiple vulnerabilities have been reported in Clever Copy which could let remote malicious users disclose information or perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Clever Copy Information Disclosure or Cross-Site Scripting High Secunia, Advisory: SA16236, July 27, 2005

Ethereal

Ethereal
V0.10.11

Multiple dissector and zlib vulnerabilities have been reported in Ethereal that could let remote malicious users cause a denial of service or execute arbitrary code.

Upgrade to version 0.10.12:
http://www.ethereal.com/
download.html

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Currently we are not aware of any exploits for these vulnerabilities.

High

Secunia, Advisory: SA16225, July 27, 2005

 

Hewlett Packard Company

DCE Core Services T8403 ABH

A remote Denial of Service vulnerability has been reported due to an unspecified error in the DCE daemon (DCED) when processing requests.

Contack the vendor for updates.

Currently we are not aware of any exploits for this vulnerability.

HP NonStop Server DCE Core Services Daemon Remote Denial of Service
Low
HP Security Bulletin,
HPSBNS01213 , July 29, 2005

Hewlett Packard Company

Radia
Management
Portal 1.0, 2.0

A vulnerability has been reported in the Radia Management Agent due to an unspecified flaw, which could let a remote malicious user cause a Denial of Service or execute arbitrary code with SYSTEM privileges on a Windows platform and elevated privileges on UNIX-based platforms.

Updates available at: http://support.openview.hp.com

An exploit script has been published.

HP OpenView Radia Management Portal Remote Command Execution

CAN-2005-1370

Low/ High

(High if arbitrary code can be executed)

HP Security Bulletin,
HPSBMA01138, April 28, 2005

PacketStorm July 28, 2005

IBM

Lotus Domino
VR5, R6

A vulnerability has been reported in Lotus Domino that could let malicious users disclose passwords and information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Lotus Domino Information Disclosure

Medium
Security Tracker, Alert ID: 1014584, July 27, 2005

Jabber Software Foundation

Jabber Server
2.0 s8, 2.0

Several buffer overflow vulnerabilities have been reported in 'jid.c' due to boundary errors when parsing 'JID' strings that contain overly long user, host, or resource components, which could let a remote malicious user cause a Denial of Service or potentially execute arbitrary code.

Upgrades available at:
http://jabberstudio.org/projects/
jabberd2/releases/download.
php?file=j abberd-2.0s9.tar.gz

Currently we are not aware of any exploits for this vulnerability.

jabberd 'jid.c' Remote Buffer Overflows High Secunia Advisory: SA16291, August 1, 2005

Kayako Web Solutions

LiveResponse 2.0

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'username' parameter, which could let a remote malicious user execute arbitrary HTML and script code; an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'year' and 'date' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported due to insufficient sanitization of input passed to the name in sessions and support messages, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported because passwords are sent in clear text when logging in, which could let a remote malicious user obtain sensitive information; and a vulnerability was reported because the full path to certain scripts can be obtained when accessed directly.

No workaround or patch available at time of publishing.

here no exploit code required; however, Proofs of Concept exploits have been published.

Kayako LiveResponse Multiple Input Validation High Secunia Advisory: SA16286, August 1, 2005

KDE

KDE 3.4,
3.3-3.3.2,
3.2-3.2.3

A vulnerability has been reported in KDE Kate and KWrite because backup files are created with default permissions even if the original file had more restrictive permissions set, which could let a local/remote malicious user obtain sensitive information.

Patches available at:
ftp://ftp.kde.org/pub/kde/
security_patches/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/3/

Mandriva:
http://www.mandriva.com/
security/advisories

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-612.html

There is no exploit code required.

KDE Kate, KWrite Local Backup File Information Disclosure

CAN-2005-1920

Medium

Security Tracker Alert ID: 1014512, July 18, 2005

Fedora Update Notification,
FEDORA-2005-594, July 19, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:122, July 20, 2005

RedHat Security Advisory, RHSA-2005:612-07, July 27, 2005

Metasploit
Project

Metasploit Framework
2.0-2.4, 1.0

An unspecified vulnerability has been reported which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Metasploit Framework Unspecified Remote Vulnerability High Security Focus, 14431, July 30, 2005

Mozilla.org

Firefox 0.x, 1.x

Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.

Updates available at:
http://www.mozilla.org/
products/firefox/

Gentoo:
ftp://security.gentoo.org/
glsa/

Mandriva:
http://www.mandriva.com/
security/advisories

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
586.html

Slackware:
http://slackware.com/
security/viewer.php?
l=slackware-security
&y=2005& m=
slackware-security
.418880

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/
e/epiphany-browser/

http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

Exploits have been published.

Firefox Multiple Vulnerabilities

CAN-2005-2260
CAN-2005-2261
CAN-2005-2262
CAN-2005-2263
CAN-2005-2264
CAN-2005-2265
CAN-2005-2267
CAN-2005-2269
CAN-2005-2270

High

Secunia Advisory: SA16043, July 13, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:120, July 13, 2005

Gentoo Linux Security Advisory, GLSA 200507-14, July 15, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-603 & 605, July 20, 2005

RedHat Security Advisory, RHSA-2005:586-11, July 21, 2005

Slackware Security Advisory, SSA:2005-203-01, July 22, 2005

US-CERT VU#652366

US-CERT VU#996798

Ubuntu Security Notices, USN-155-1 & 155-2 July 26 & 28, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Mozilla.org

Mozilla
Browser 1.0-1.0.2, 1.1-1.7.6;
Firefox 0.8-0.10.1, 1.0.1, 1.0.2; Netscape Navigator 7.0, 7.0.2, 7.1, 7.2, 7.0-7.2

Multiple vulnerabilities have been reported: a vulnerability was reported in the 'EMBED' tag for non-installed plugins when processing the 'PLUGINSPAGE' attribute due to an input validation error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because blocked popups that are opened through the GUI incorrectly run with 'chrome' privileges, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the global scope of a window or tab are not cleaned properly before navigating to a new web site, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the URL of a 'favicons' icon for a web site isn't verified before changed via JavaScript, which could let a remote malicious user execute arbitrary code with elevated privileges; a vulnerability was reported because the search plugin action URL is not properly verified before used to perform a search, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to the way links are opened in a sidebar when using the '_search' target, which could let a remote malicious user execute arbitrary code; several input validation vulnerabilities were reported when handling invalid type parameters passed to 'InstallTrigger' and 'XPInstall' related objects, which could let a remote malicious user execute arbitrary code; and vulnerabilities were reported due to insufficient validation of DOM nodes in certain privileged UI code, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.mozilla.org/
products/firefox/

http://www.mozilla.org/
products/mozilla1.x/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-18.xml

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-383.html

http://rhn.redhat.com/errata/
RHSA-2005-386.html

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/
ia32/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-384.html

SGI:
ftp://patches.sgi.com/
support/free/security/
advisories/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

Mandriva:
http://www.mandriva.com/
security/advisories

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

SCO:
ftp://ftp.sco.com/pub/
updates/UnixWare/
SCOSA-2005.29

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-17.xml

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

An exploit script has been published.

Mozilla Suite / Firefox Multiple Vulnerabilities

CAN-2005-0752
CAN-2005-1153
CAN-2005-1154
CAN-2005-1155
CAN-2005-1156
CAN-2005-1157
CAN-2005-1158
CAN-2005-1159
CAN-2005-1160

 

High

Mozilla Foundation Security Advisories, 2005-35 -
2005-41,
April 16, 2005

Gentoo Linux Security Advisory, GLSA 200504-18, April 19, 2005

US-CERT VU#973309

RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005-386., April 21 & 26, 2005

Turbolinux Security Advisory,
TLSA-2005-49, April 21, 2005

US-CERT VU#519317

SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005

RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Ubuntu Security Notice, USN-124-1 & USN-124-2, May 11 & 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088,
May 14, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088-1,
May 17, 2005

Fedora Legacy Update Advisory, FLSA:152883, May 18, 2005

PacketStorm, May 23, 2005

SCO Security Advisory, SCOSA-2005.29, July 1, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-604 & 605, July 20, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Mozilla.org

Mozilla Browser prior to 1.7.8;
Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported due to a failure in the application to properly verify Document Object Model (DOM) property values, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/
pub/ TurboLinux/
TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
434.html

http://rhn.redhat.com/
errata/RHSA-2005-
435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

SGI:
ftp://patches.sgi.com/
support/ free/security
/advisories/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox DOM Property Overrides

CAN-2005-1532

High

Mozilla Foundation Security Advisory,
2005-44,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Multiple Vendors

Mozilla.org Mozilla Browser 1.7.6, Firefox 1.0.1, 1.0.2; K-Meleon 0.9; Netscape 7.2

A vulnerability has been reported in the javascript implementation due to improper parsing of lamba list regular expressions, which could a remote malicious user obtain sensitive information.

The vendor has issued a fix, available via CVS.

RedHat:
http://rhn.redhat.com/
errata/ RHSA-2005-
383.html

http://rhn.redhat.com/errata/
RHSA-2005-386.html

Slackware:
http://www.mozilla.org
/projects/security/known-
vulnerabilities.html

TurboLinux:
ftp://ftp.turbolinux.co.jp/
pub/ TurboLinux/
TurboLinux/ia32/

SUSE:
ftp://ftp.SUSE.com
/pub/SUSE

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
384.html

SGI:
ftp://patches.sgi.com/
support/ free/security
/advisories/

Mandriva:
http://www.mandriva.com/
security/advisories

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

SCO:
ftp://ftp.sco.com/pub/
updates/ UnixWare/
SCOSA-2005.29

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-17.xml

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Mozilla Suite/Firefox JavaScript Lambda Information Disclosure

CAN-2005-0989

Medium

Security Tracker Alert, 1013635, April 4, 2005

Security Focus, 12988, April 16, 2005

RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005:386-08,
April 21 & 26, 2005

Turbolinux
Security Advisory, TLSA-2005-49, April 21, 2005

Slackware Security Advisory, SSA:2005-111-04, April 22, 2005

SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005

RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088,
May 14, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088-1,
May 17, 2005

Fedora Legacy Update Advisory, FLSA:152883, May 18, 2005

SCO Security Advisory, SCOSA-2005.29, July 1, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-604 & 605, July 20, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Multiple Vendors

ALT Linux
Compact 2.3,
Junior 2.3;
Apple Mac OS X 10.0-10.0.4,
10.1-10.1.5,
10.2-10.2.8,
10.3-10.3.8,
Mac OS X Server 10.0, 10.1-10.1.5, 10.2-10.2.8,
10.3-10.3.8; MIT Kerberos 5 1.0, 5 1.0.6, 5 1.0.8,
51.1-5 1.4; Netkit Linux Netkit
0.9-0.12,
0.14-0.17,
0.17.17; Openwall
GNU/*/Linux
(Owl)-current,
1.0, 1.1; FreeBSD 4.10-
PRERELEASE,
2.0, 4.0 .x,
-RELENG,
alpha, 4.0, 4.1,
4.1.1 -STABLE, -RELEASE, 4.1.1,
4.2, -STABLE
pre122300, -STABLE
pre050201, 4.2 -STABLE,
-RELEASE,
4.2, 4.3 -
STABLE,
-RELENG, 4.3 -RELEASE
-p38, 4.3 -RELEASE, 4.3, 4.4
-STABLE,
-RELENG,
-RELEASE-p42,
4.4, 4.5
-STABLE
pre2002-
03-07, 4.5 -STABLE,
-RELENG, 4.5 -RELEASE-p32, 4.5 -RELEASE, 4.5, 4.6 -STABLE, -RELENG, 4.6 -RELEASE
-p20, 4.6 -RELEASE, 4.6, 4.6.2, 4.7 -STABLE, 4.7 -RELENG, 4.7 -RELEASE-p17, 4.7 -RELEASE, 4.7, 4.8 -RELENG,
4.8 -RELEASE-p7, 4.8 -PRE
RELEASE,
4.8, 4.9 -RELENG, 4.9 -PRE
RELEASE, 4.9, 4.10 -RELENG, 4.10 -RELEASE,
4.10, 4.11 -STABLE, 5.0 -RELENG, 5.0, 5.1 -RELENG, 5.1 -RELEASE-p5, 5.1 -RELEASE, 5.1, 5.2 -RELENG, 5.2 -RELEASE, 5.2,
5.2.1 -RELEASE, 5.3 -STABLE, 5.3 -RELEASE, 5.3, 5.4 -PRE
RELEASE; SuSE Linux 7.0, sparc, ppc, i386, alpha, 7.1, x86, sparc, ppc, alpha, 7.2, i386; SGI IRIX 6.5.24-6.5.27

Two buffer overflow vulnerabilities have been reported in Telnet: a buffer overflow vulnerability has been reported in the 'slc_add_reply()' function when a large number of specially crafted LINEMODE Set Local Character (SLC) commands is submitted, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability has been reported in the 'env_opt_add()' function, which could let a remote malicious user execute arbitrary code.

ALTLinux:
http://lists.altlinux.ru/
pipermail /security
-announce/2005-
March/000287.html

Apple:
http://wsidecar.apple.com/
cgi-bin/ nph-reg3rdpty1.pl/
product=05529& platform=
osx&method=sa/
SecUpd 2005-003Pan.dmg

Debian:
http://security.debian.
org/pool/ updates/main
/n/netkit-telnet/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:01/

MIT Kerberos:
http://web.mit.edu/kerberos/|
advisories/2005-001-patch
_1.4.txt

Netkit:
ftp://ftp.uk.linux.org/
pub/linux/
Networking/netkit/

Openwall:
http://www.openwall.com/
Owl/ CHANGES-
current.shtml

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-327.html

Sun:
http://sunsolve.sun.com/
search/ document.do?
assetkey= 1-26-57755-1

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

Ubuntu:
http://security.ubuntu.com/
ubuntu/ pool/main/n/
netkit-telnet/

OpenBSD:
http://www.openbsd.org/
errata.html#telnet

Mandrake:
http://www.mandrakesecure
.net/ en/ftp.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-36.xml

http://security.gentoo.org/
glsa/glsa-200504-01.xml

Debian:
http://security.debian.org/
pool/updates/main/k/krb5/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-04.xml

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download
/3/updates/

SCO:
ftp://ftp.sco.com/pub/
updates/ UnixWare/
SCOSA-2005.21

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-57761-1

Openwall:
http://www.openwall.com/
Owl/CHANGES-
current.shtml

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-088_
RHSA-2005-330.pdf

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-28.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/
ia32/

Sun:
http://sunsolve.sun.com/
search/ document.do?
assetkey=1-26-57761-1

OpenWall:
http://www.openwall.com/
Owl/CHANGES-
current.shtml

SCO:
ftp://ftp.sco.com/pub/
updates/ OpenServer/
SCOSA-2005.23

SGI IRIX:
Apply patch 5892 for IRIX 6.5.24-6.5.27:
ftp://patches.sgi.com/
support/free/security/
patches/

Debian:
http://security.debian.org/
pool/updates/main/k/krb4/

Conectiva:
http://distro.conectiva.com
.br/ atualizacoes/
index.php?id=
a&anuncio=000962

Trustix:
ftp://ftp.trustix.org/pub/
trustix/ updates/

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-132_
RHSA-2005-327.pdf

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

Slackware:
ftp://ftp.slackware.com/
pub/slackware/

Currently we are not aware of any exploits for these vulnerabilities.

Telnet Client 'slc_add_reply()' & 'env_opt_add()'
Buffer Overflows

CAN-2005-0468
CAN-2005-0469

High

iDEFENSE Security Advisory,
March 28, 2005

US-CERT VU#291924

Mandrakelinux Security Update Advisory, MDKSA-2005:061,
March 30, 2005

Gentoo Linux Security Advisories, GLSA 200503-36 & GLSA 200504-01, March 31 &
April 1, 2005

Debian Security Advisory, DSA 703-1, April 1, 2005

US-CERT VU#341908

Gentoo Linux Security Advisory, GLSA 200504-04,
April 6, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

Sun(sm) Alert Notification, 57761,
April 7, 2005

SCO Security Advisory, SCOSA-2005.21,
April 8, 2005

Avaya Security Advisory, ASA-2005-088, April 27, 2005

Gentoo Linux Security Advisory, GLSA 200504-28, April 28, 2005

Turbolinux Security Advisory, TLSA-2005-52, April 28, 2005

Sun(sm) Alert Notification, 57761, April 29, 2005

SCO Security Advisory, SCOSA-2005.23, May 17, 2005

SGI Security Advisory, 20050405-01-P, May 26, 2005

Debian Security Advisory, DSA 731-1, June 2, 2005

Conectiva Security Advisory, CLSA-2005:962, June 6, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Avaya Security Advisory, ASA-2005-132, June 14, 2005

Fedora Legacy Update Advisory, FLSA:152583, July 11, 2005

Slackware Security Advisory, SSA:2005-210-01, August 1, 2005

nCipher

CHIL

A vulnerability has been reported in the CHIL library when obtaining random bytes from the hardware module, which could lead to a remote Denial of Service.

Update information available at:
http://www.ncipher.com/support/
advisories/advisory11.html

Currently we are not aware of any exploits for this vulnerability.

nCipher CHIL Random Cache Leakage Low nCipher Security Advisory No. 11, August 2, 2005

Opera Software

Opera V8.01

A image dragging vulnerability has been reported in Opera that could let remote malicious users perform Cross-Site Scripting.

Upgrade to V8.02:
http://www.opera.com/download/

There is no exploit code required.

Opera Cross-Site Scripting

CAN-2005-2406

High Secunia, Advisory: SA15756, July 28, 2005

Opera Software

Opera V8.01

A vulnerability has been reported in Opera that could let remote malicious users spoof dialogs and potentially execute arbitrary code.

Upgrade to V8.02:
http://www.opera.com/download/

There is no exploit code required.

Opera Dialog Spoofing

CAN-2005-2405

High Secunia, Advisory: SA15870, July 28, 2005

PHPFreeNews

PHPFreeNews 1.32 & prior

Multiple vulnerabilities have been reported: several Cross-Site Scripting vulnerabilities were reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported because a remote malicious user can create a malicious URL that will redirect the target user to the attacker's site; a vulnerability was reported because the installation path can be obtained when certain URLs are followed; and an SQL injection vulnerability was reported which could lead to the execution of arbitrary SQL commands.

The vendor has issued a fixed version (1.40) available at:
http://www.phpfreenews.co.uk/
Download.php

There is no exploit code required; however, Proofs of Concept exploits have been published.

PHPFreeNews Multiple Vulnerabilities High Security Tracker Alert ID: 1014601, August 2, 2005
PHPlist V2.8.12

An input validation vulnerability has been reported in PHPlist the could let remote malicious users perform SQL injection.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

PHPlist SQL Injection High Secunia, Advisory: SA16274, July 29, 2005

PHPmyGallery

PHPmyGallery
prior to V1.5B2

An include file vulnerability has been reported in PHPmyGallery that could let remote malicious users execute arbitrary commands.

Vendor fix available:
http://phpmygallery.kapierich.net
/en/news/?file=2005-07-15

There is no exploit code required; however, Proof of Concept exploits have been published.

PHPmyGallery Arbitrary Command Execution High Security Tracker, Alert ID: 1014594, July 28, 2005

PHPSimplicity

Simplicity oF Upload V1.3

A vulnerability has been reported in Simplicity oF Upload that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Simplicity oF Upload Arbitrary Code Execution
High Security Tracker, Alert ID: 1014591, July 29, 2005

PluggedOut

CMS 0.4.8

Multiple Cross-Site Scripting and SQL injection vulnerabilities have been reported due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML, SQL and script code.

No workaround or patch available at time of publishing.

There no exploit code required; however, Proofs of Concept exploits have been published.
PluggedOut CMS Multiple Input Validation High Security Focus, 14426, July 30, 2005
Sophos AntiVirus prior to V4.5.4

A buffer overflow vulnerability has been reported in Sophos Anti-Virus that could let remote malicious users execute arbitrary code.

Vendor fix available:
http://www.sophos.com/support
/knowledgebase/article/
3409.html

Currently we are not aware of any exploits for this vulnerability.

Sophos Arbitrary Code Execution High Security Tracker, Alert ID: 1014588, July 27, 2005

UNG

UNG prior to V20050728.1

An input validation vulnerability has been reported in UNG that could let remote malicious users inject arbitrary mail headers.

Upgrade to V20050728.1:
http://terisolow.com/
programs.php?prog=UNG

There is no exploit code required.

UNG Arbitrary Mail Header Injection Low Secunia, Advisory: SA16270, July 29, 2005

VBZoom

VBZoom Forum

An input validation vulnerability has been reported in VBZoom ('show.php') that could let remote malicious users inject arbitrary SQL commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

VBZooM Forum SQL Injection
High Security Tracker, Alert ID: 1014585, July 27, 2005

[back to top] 

Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

  • Hackers cash in on 802.1x confusion: According to a survey by security vendor nCipher, companies are leaving their wireless networks exposed to hackers because of widespread failure to understand or implement 802.11x security systems. Source: http://www.vnunet.com/vnunet/news/2140662/poor-802-1x.
  • Linux Bluetooth hackers hijack car audio: By using a directional antennal and a Linux laptop running a tool called Car Whisperer, Linux hackers have demonstrated a way to inject or record audio signals from passing cars running insecure Bluetooth hands-free units. Source: http://www.theregister.co.uk/2005/08/02/car_whisperer/.
  • Interference, Not Hacking, Said To Be Biggest Wireless Threat At DefCon: According to a company that specializes in wireless LAN security, the biggest wireless threat at the recent DefCon conference for hackers didn't come from individual hackers trying to break into wireless network but, from items like microwave ovens. Bruce Hubbert, an AirMagnet engineer attending the DefCon conference, said in a statement, "We were more surprised to find that an abundance of Bluetooth devices, microwave ovens, 802.11 frequency-hopping devices and Web cameras were more effective at knocking out the conference's wireless network." Source: http://www.securitypipeline.com/news/167100145.

Wireless Vulnerabilities

  • Nothing significant to report.

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
August 2, 2005 testserver.pl No Script that exploits the Software Solutions Quick 'n Easy FTP Server User Command Buffer Overflow vulnerability.
August 1, 2005 BusMail_SMTPDOS.pl No Exploit for the BusinessMail Server SMTP Command Validation Error Remote Denial of Service vulnerability.
August 1, 2005 netquerypoc.html Yes Exploit for the Netquery Multiple Vulnerabilities.
July 28, 2005 apa-include.txt
No

Proof of Concept exploit for Atomic Photo Album Arbitrary File Inclusion vulnerability.

July 28, 2005 atmailXSS.txt Yes

Proof of Concept exploit for @Mail Cross-Site Scripting vulnerability.

July 28, 2005 beehiveVulns.txt No

Proof of Concept exploit for Beehive Forum SQL Injection or Cross-Site Scripting vulnerability.

July 28, 2005 bmforumXSS.txt No

Proof of Concept exploit for BMForum Plus! Cross-Site Scripting vulnerability.

July 28, 2005 c050503-001.txt No

Proof of Concept exploit for Internet Graphics Server Directory Traversal vulnerability.

July 28, 2005 cartWIZxss.txt No Proof of Concept exploit for CartWIZ Cross-Site Scripting vulnerability.
July 28, 2005 cleverNotSo.txt No

Proof of Concept exploit for Clever Copy Information Disclosure or Cross-Site Scripting vulnerabilities.

July 28, 2005 EClrouter.txt No

Proof of Concept exploit for B-FOCuS Router Unauthorized Access vulnerability.

July 28, 2005 flsearch.txt
flsearch.pl.txt
No

Proof of Concept exploits for FtpLocate Arbitrary Command Execution vulnerability.

July 28, 2005 FTPshellDoS.txt No

Exploit for FTPshell Server Denial of Service vulnerability.

July 28, 2005 HPRadiaManagement.txt Yes Exploit information for the HP OpenView Radia Management Portal Remote Command Execution vulnerability
July 28, 2005 kismet-2005-07-R1.tar.gz N/A An 802.11 layer 2 wireless network sniffer that can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom).
July 28, 2005 mu-imap4d_fsexp.c Yes Proof of Concept exploit for GNU Mailutils Buffer Overflow and Format String Bugs Let Remote Users Execute Arbitrary Code vulnerability.
July 28, 2005 phpFirstPost.txt No

Proof of Concept exploit for PHP FirstPost Arbitrary Command Execution vulnerability.

July 28, 2005 redslim-slimftpd.c Yes Proof of Concept exploit for SlimFTPd Arbitrary Code Execution vulnerability.
July 28, 2005 SiemensSANTIS50.txt No

Proof of Concept exploit for Siemens Wireless Router Denial Of Service vulnerability.

July 28, 2005 simplicityRemote.txt No

Proof of Concept exploit for Simplicity oF Upload Arbitrary Code Execution vulnerability.

July 27, 2005 ethereal-0.10.12.tar.gz N/A A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.

[back to top]

Trends

  • Google now a hacker's tool: A well-crafted Google query could allow a malicious user to use Google's massive database as a resource for intrusion. The problem is not with Google itself but with the fact that users often do not realize what Google's powerful search engine has been able to dig up.
    Source: http://www.pcworld.idg.com.au/index.php/id;1157771722;fp;2;fpid;1.
  • Phishers hack eBay: A flaw has been discovered on eBay's website that would have allowed fraudsters to successfully redirect the sign-on process to a phishing site. Source: http://www.pcworld.idg.com.au/index.php/id;282351067;fp;2;fpid;1.
  • DefCon Day 2: Patching Your Hacker Toolkit: New research released at the DefCon conference indicates that patch installation is also important for the tools malicious users and security professionals frequently use to break into (or test the security of) computer networks. Some of these tools used to infiltrate and test the security of targeted networks contain flaws that defenders could use to turn the tables on malicious users. Source: http://blogs.washingtonpost.com/securityfix/2005/07/patching_your_e.html.
  • Hackers race to expose Cisco Internet flaw: Computer hackers worked through the weekend to expose a flaw that could allow an attacker to take control of the Cisco Systems Inc. routers that direct traffic across much of the Internet. Source: http://news.yahoo.com/s/nm/20050731/wr_nm/cisco_dc;_
    ylt=AlZ0TA0N5ZZ7pynNYK84wfMjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    .
  • Virus Writer Targets AV Vendors: According to Sophos Plc, a virus writer has has released malicious code that ridicules anti-virus vendors and Sasser worm author Sven Jaschan. The Lebreat-D virus creates in infected computers a JPEG image file of Jaschan, a German teenager recently convicted of authoring the widespread Sasser and Netsky worms that is spread through email attachments. It exploits a Microsoft security vulnerability, and opens a backdoor to an infected Windows computer, enabling a malicious user to gain control. The virus also indicates that a Denial of Service attack could be planned against security vendors Symantec Corp. and McAfee Inc., but doesn't say when, Sophos said. Source: http://www.techweb.com/showArticle.jhtml?articleID=166403862.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trend
Date
Description
1 Netsky-P Win32 Worm Stable March 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared files.
2 Mytob.C Win32 Worm Slight Increase March 2004 A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
3 Zafi-D Win32 Worm Slight Decrease December 2004 A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
4 Netsky-Q Win32 Worm Stable March 2004 A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker.
5 Mytob-BE Win32 Worm Slight Decrease June 2005 A slight variant of the mass-mailing worm that utilizes an IRC backdoor, LSASS vulnerability, and email to propagate. Harvesting addresses from the Windows address book, disabling antivirus, and modifying data.
6 Mytob-AS Win32 Worm Stable June 2005 A slight variant of the mass-mailing worm that disables security related programs and processes, redirection various sites, and changing registry values. This version downloads code from the net and utilizes its own email engine.
7 Zafi-B Win32 Worm Increase June 2004 A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
8 Netsky-D Win32 Worm Slight Increase March 2004 A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
9 Netsky-Z Win32 Worm Decrease April 2004 A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665.
10 Lovgate.w Win32 Worm Decrease April 2004 A mass-mailing worm that propagates via by using MAPI as a reply to messages, by using an internal SMTP, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.

Table updated August 2, 2005

[back to top

 

 
Last updated

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Wireless

Vulnerabilities

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

  • High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
  • Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
  • Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Alt-N Technologies

MDaemon prior to V8.1.0

An input validation vulnerability has been reported in MDaemon (attachment quarantine feature) that could let remote malicious users to traverse directories and write arbitrary files.

A vendor fix is available:
http://files2.altn.com/MDaemon/Release/

There is no exploit code required; however, Proof of Concept exploits have been published.

Alt-N MDaemon Directory Traversal and Arbitrary File Writing

Medium

Security Tracker, Alert ID: 1014589, July 28, 2005

Business Objects

Crystal Reports Server XI; Business Objects Enterprise Server XI

 

A vulnerability has been reported in Crystal Reports Server/ Business Objects Enterprise Server that could let remote malicious users cause a Denial of Service.

A vendor update is available:
http://support.businessobjects.com
/fix/hot/critical/bulletins/
security_bulletin_
june05.asp

Currently we are not aware of any exploits for this vulnerability.

Crystal Reports/ Business Objects Enterprise Server Denial of Service
Low Security Tracker Alert ID: 1014604 & 1014605, August 1, 2005

Cerulean Studios

Trillian Basic 3.1

A vulnerability has been reported in Trillian that could let local malicious users disclose other user's information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Trillian User Information Disclosure Medium Secunia, Advisory: SA16289, August 1, 2005

Filezilla

Filezilla Server prior to V0.9.9

A zlib vulnerability has been reported in FileZilla Server which could let remote malicious users perform a Denial of Service.

Upgrade to V0.9.9:
http://sourceforge.net/
project/showfiles.php?
group_id=21558

Currently we are not aware of any exploits for this vulnerability.

FileZilla Server Denial of Service Low Secunia, Advisory: SA16251, July 28, 2005

Microsoft

Microsoft Office 2000

A shared section permissions vulnerability has been reported in Microsoft Office that could let local malicious users cause a Denial of Service.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Microsoft Office Denial of Service Low Secunia, Advisory: SA16256, July 29, 2005

NetCPlus

BusinessMail Server V4.6

An SMTP command validation vulnerability has been reported in BusinessMail Server that could let remote malicious users crash the server.

No workaround or patch available at time of publishing.

Proof of Concept exploits have been published.

BusinessMail Server SMTP Command Validation Error Remote Denial of Service
Low Secunia AdvusirtL SA16306, August 1, 2005

Novell

eDirectory V8.x

A password challenge vulnerability has been reported in eDirectory (NMAS) that could let local malicious users bypass security restrictions to change another user's password.

Upgrade to NMAS V2.3.8:
http://support.novell.com/
cgi-bin/search/searchtid.cgi?/
2971485.htm

There is no exploit code required.

Novell eDirectory Security Bypassing Medium Secunia, Advisory: SA16267, July 29, 2005

TrendMicro

OfficeScan V5.58 POP3 Module

A shared section permissions vulnerability has been reported in Access Connections that could let local malicious users disclose information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Trend Micro OfficeScan Information Disclosure Medium Security Focus, 14448, August 1, 2005

[back to top]

UNIX / Linux Operating Systems Only
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

Apple

Mac OS X Server 10.4-10.4.2, 10.3-10.3.9, 10.2-10.2.8, 10.0, 10.1-10.1.5, OS X 10.4-10.4.2, 10.3 -10.3.9, 10.2 -10.2.8, 10.1-10.1.5, 10.0-10.0.4

A buffer overflow vulnerability has been reported in Apple Font Book when handling font collection files due to insufficient bounds checking, which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Apple Mac OS X Font Book Font Collection Buffer Overflow High Security Focus, 14445, August 1, 2005

FreeBSD

IPSec AES-XCBC-MAC Algorithm V5.3, 5.4, 6.0Beta

A vulnerability has been reported in FreeBSD's IPSec AES-XCBC-MAC Algorithm, which could allow for incorrect key usage, and consequently allow remote malicious users to connect via unauthorized IPSec connections.

A vendor patch is available:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:19/

There is no exploit code required.

FreeBSD IPSec AES-XCBC-MAC Algorithm Unauthorized Connections

CAN-2005-2359

Medium FreeBSD Security Advisory FreeBSD-SA-05:19, July 27, 2005

Info-ZIP

UnZip 5.52

A vulnerability has been reported due to a security weakness when extracting an archive to a world or group writable directory, which could let a malicious user modify file permissions.

No workaround or patch available at time of publishing.

There is no exploit code required.

Info-ZIP UnZip File Permission Modification Medium Security Focus, 14450, August 2, 2005

Kadu

Kadu V0.4.0

An integer overflow vulnerability has been reported in Kadu (libgadu) which could let remote malicious users cause a Denial of Service.

Upgrade to version 0.4.1:
http://www.kadu.net/wiki/
index.php/English:Main_Page

Gentoo:
http://www.gentoo.org/
security/en/glsa/
glsa-200507-26.xml

Currently we are not aware of any exploits for this vulnerability.

Kadu Denial of Service

CAN-2005-1852

Low

Secunia, Advisory: SA16238, July 27, 2005

Gentoo Security Advisory, GLSA 200507-26, July 27, 2005

Multiple Vendors

zlib 1.2.2, 1.2.1; Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
Debian Linux 3.1 sparc
Debian Linux 3.1, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha

A remote Denial of Service vulnerability has been reported due to a failure of the library to properly handle unexpected compression routine input.

Zlib:
http://www.zlib.net/
zlib-1.2.3.tar.gz

Debian:
http://security.debian.org/
pool/updates/main/z/zlib/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/z/zlib/

OpenBSD:
http://www.openbsd.org/
errata.html#libz2

Mandriva:
http://www.mandriva.com/
security/ advisories?name=
MDKSA-2005:124

Fedora:
http://download.fedora.
redhat.com/ pub/fedora
/linux/core/updates/

Slackware:
http://slackware.com/
security/viewer.php?
l=slackware-security&y=2005&
m=slackware-security.323596

FreeBSD:
ftp://ftp.freebsd.org/
pub/FreeBSD/CERT/advisories
/FreeBSD-SA-05:18.zlib.asc

SUSE:
http://lists.suse.com/
archive/suse-security-announce
/2005-Jul/0007.html

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-28.xml

http://security.gentoo.org/
glsa/glsa-200508-01.xml

Currently we are not aware of any exploits for this vulnerability.

Multiple Vendor Zlib Compression Library Decompression Remote Denial of Service

CAN-2005-1849

Low

Security Focus, 14340, July 21, 2005

Debian Security Advisory DSA 763-1, July 21, 2005

Ubuntu Security Notice, USN-151-1, July 21, 2005

OpenBSD, Release Errata 3.7, July 21, 2005

Mandriva Security Advisory, MDKSA-2005:124, July 22, 2005

Secunia, Advisory: SA16195, July 25, 2005

Slackware Security Advisory, SSA:2005-203-03, July 22, 2005

FreeBSD Security Advisory, SA-05:18, July 27, 2005

SUSE Security Announcement, SUSE-SA:2005:043, July 28, 2005

Gentoo Linux Security Advisory, GLSA 200507-28, July 30, 2005

Gentoo Linux Security Advisory, GLSA 200508-01, August 1, 2005

Multiple Vendors

dhcpcd 1.3.22

A vulnerability has been reported in dhcpcd that could let a remote user perform a Denial of Service.

Debian:
http://security.debian.org/
pool/updates/main/d/dhcpcd/

Mandriva:
http://www.mandriva.com/
security/advisories

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-16.xml

Conectiva:
http://distro.conectiva.com.br/
atualizacoes/ index.php?id=a&
anuncio=000983

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-603.html

Currently we are not aware of any exploits for this vulnerability.

dhcpcd Denial of Service

CAN-2005-1848

Low

Secunia, Advisory: SA15982, July 11, 2005

Debian Security Advisory, DSA 750-1, July 11, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:117, July 13, 2005

Gentoo Linux Security Advisory, GLSA 200507-16, July 15, 2005

Conectiva, CLSA-2005:983, July 25, 2005

RedHat Security Advisory, RHSA-2005:603-07, July 27, 2005

Multiple Vendors

KDE kopete 0.9-0.9.3, 3.4, 3.4.1, 3.3-3.3.2, 3.2.3; Wojtek Kaniewski ekg 1.1-1.6 rc1&rc2, 2005-06-05 22:03, 2005-04-11

 

Multiple vulnerabilities have been reported in 'libgadu.c' due to input validation errors and an integer overflow, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

EKG
http://dev.null.pl/ekg/
download.php

KDE:
ftp://ftp.kde.org/pub/
kde/security_patches/

Fedora:
http://download.fedora.
redhat.com/ pub/fedora
/linux/core/updates/

Slackware:
http://slackware.com/security/
viewer.php?l=
slackware-security&
y=2005&m=slackware-
security.355986

Gentoo:
http://www.gentoo.org/security/
en/glsa/glsa-200507-23.xml

Debian:
http://www.debian.org/
security/2005/dsa-767

Currently we are not aware of any exploits for these vulnerabilities.

EKG 'LIbGadu' Multiple Vulnerabilities

CAN-2005-1852

High

Security Tracker Alert ID: 1014539, July 21, 2005

Secunia, Advisory: SA16194, July 25, 2005

Slackware Security Advisory, SSA:2005-203-02, July 22, 2005

Gentoo Security Advisory, GLSA 200507-23 kopete, July 25, 2005

Debain Security Advisory, DSA-767-1, July 27, 2005

Multiple Vendors

Novell Evolution 2.0.2-2.0.4; LibTIFF 3.6.1; sy Software Products CUPS 1.1.12-1.1.23, 1.1.10, 1.1.7, 1.1.6, 1.1.4 -5, 1.1.4-3, 1.1.4 -2, 1.1.4, 1.1.1, 1.0.4 -8, 1.0.4; Ubuntu 4.10, 5.04

A remote Denial of Service vulnerability has been reported due to insufficient validation of specific header values.

Libtiff:
http://freshmeat.net/redir/
libtiff/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/t/tiff/

A Proof of Concept exploit has been published.

LibTiff Tiff Image Header Remote Denial of Service Low

Security Focus 14417, July 29, 2005

Ubuntu Security Notice, USN-156-1, July 29, 2005

MySQL AB

Eventum 1.5.5, 1.5.4, 1.4, 1.3.1, 1.3, 1.2-1.2.2, 1.1

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'view.php' due to insufficient sanitization of the 'id' parameter, in 'list.php' due to insufficient sanitization of the 'release' parameter, and in 'get_jrs_data.php' due to insufficient sanitization of the 'F' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported due to insufficient sanitization of input to the release, report, and authentication classes before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Updates available at:
http://dev.mysql.com/get/
Downloads/eventum/

There is no exploit code required; however, a Proof of Concept exploit has been published.

MySQL Eventum Cross-Site Scripting & SQL Injection High Securiteam, August 2, 2005
Netquery V3.1

Multiple vulnerabilities have been reported in Netquery that could allow a remote malicious user to perform cross site scripting, execute arbitrary code, or disclose information.

No workaround or patch available at time of publishing.

Another exploit script has been published.

Netquery Multiple Vulnerabilities High

Security Focus, 14373, July 25, 2005

Security Focus, 14373, August 1,2005

ProFTPd

Multiple format string vulnerabilities have been reported in ProFTPd that could let remote malicious users cause a denial of service or disclose information.

Upgrade to version 1.3.0rc2:
http://www.proftpd.org/

Gentoo:
http://www.gentoo.org/
security/en/glsa/
glsa-200508-02.xml

Currently we are not aware of any exploits for this vulnerability.

ProFTPD Denial of Service or Information Disclosure

CAN-2005-2390

Medium

Secunia, Advisory: SA16181, July 26, 2005

Gentoo Linux Security Advisory, GLSA 200508-02, August 1, 2005

Sun Micro-systems, Inc.

Solaris 10.0, 9.0 _x86, 9.0

A vulnerability has been reported in LD_AUDIT,' which could let a malicious user obtain superuser privileges.

Workaround and patch information available at:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-101794-1

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-162.pdf

An exploit script has been published.

Sun Solaris Runtime Linker 'LD_AUDIT' Elevated
Privileges

CAN-2005-2072

High

Security Focus, 14074, June 28, 2005

Sun(sm) Alert Notification, 101794, June 28, 2005

Sun(sm) Alert Notification, 101794, Updated July 12, 13, 15, 2005

Avaya Security Advisory, ASA-2005-162, August 2, 2005

University of Minnesota

gopherd 3.0.9, 3.0.7, 3.0.3

A vulnerability has been reported in 'gopher.c' due to the failure to verify a file's existence before writing to it, which could let a malicious user obtain elevated privileges.

Debian:
http://security.debian.org/
pool/updates/main/g/gopher

There is no exploit code required.

Gopher Insecure Temporary File Creation

CAN-2005-1853

Medium Debian Security Advisory, DSA 770-1, July 29, 2005
Vim V6.3.082

A vulnerability has been reported in Vim that could let remote malicious users execute arbitrary code.

Vendor patch available:
ftp://ftp.vim.org/pub/vim/
patches/6.3/6.3.082

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/v/vim/

Trustix:
http://http.trustix.org/
pub/trustix/updates/

There is no exploit code required; however, Proof of Concept exploits have been published.

Vim Arbitrary Code Execution

CAN-2005-2368

High

Security Focus, 14374, July 25, 2005

Ubuntu Security Notice, USN-154-1, July 26, 2005

Trustix Secure Linux Security Advisory, TSLSA-2005-0038, July 29, 2005

[back to top] 

Multiple Operating Systems - Windows / UNIX / Linux / Other
Vendor & Software Name
Vulnerability - Impact
Patches - Workarounds
Attacks Scripts
Common Name /
CVE Reference
Risk
Source

AderSoftware

CFBB 1.1

A Cross-Site Scripting vulnerability has been reported in 'Index.cfm' due to insufficient sanitization of the 'page' parameter, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, a Proof of Concept exploit has been published.

AderSoftware CFBB Index.CFM Cross-Site Scripting High Security Focus, 14440, August 1, 2005

Azndragon

Ragnarok Online Control Panel
4.3.4 a

A vulnerability has been reported due to the way PHP variables are handled, which could let a remote malicious user bypass user authentication.

No workaround or patch available at time of publishing.

A Proof of Concept exploit has been published.

Ragnarok Online Control Panel Authentication Bypass Medium Secunia Advisory: SA16287, August 2, 2005

Blue Magic
Board

BMForum Plus!
V2.61, 3.0RC1, 3.0RC4

An input validation vulnerability has been reported in BMForum Plus! that could let remote malicious users perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

BMForum Plus! Cross-Site Scripting High Secunia, Advisory: SA16224, July 27, 2005

Calacode

@Mail V4.03Win, 4.11Unix

Multiple vulnerabilities have been reported in @Mail that could allow remote malicious users to perform Cross-Site Scripting.

Vendor patch available:
http://calacode.com/patch.pl

There is no exploit code required; however, Proof of Concept exploits have been published.

Calacode @Mail Cross-Site Scripting High Secunia, Advisory: SA16252, July 29, 2005

ChurchInfo

ChurchInfo 1.2.2

SQL injection vulnerabilities have been reported in 'WhyCameEditor.php' due to insufficient sanitization of the 'PersonID' parameter, in 'DepositSlipEditor.php' due to insufficient sanitization of the 'DepositSlipID' parameter, and in 'AutoPaymentEditor.php,' 'CanvassEditor.php,' and Canvas05Editor.php' due to insufficient sanitization of the 'FamilyID' parameter, which could let a remote malicious user execute arbitrary SQL code; and a vulnerability was reported because the full path to certain scripts can be obtained by accessing them directly. Note: Successful exploitation requires that the user has been authenticated.

No workaround or patch available at time of publishing.

There is no exploit code required.

ChurchInfo SQL Injections & Path Disclosure High Security Focus, 14438, August 1, 2005

Cisco

Cisco IOS
12.4 & prior 12.x versions

An IPv6 packet handling vulnerability has been reported in Cisco IOS that could let local malicious users cause a remote Denial of Service or potentially execute arbitrary code.

Vendor fix available:
http://www.cisco.com/warp
/public/707/cisco-sa-20050729-
ipv6.shtml#software

A working Proof of Concept exploit has been developed; however, it is currently not publicly available.

Cisco IOS Remote Denial of Service or Arbitrary Code Execution High

Cisco Security Advisory, Document ID: 65783 Revision 1.5, August 1, 2005

US-CERT VU#930892

Cisco Systems

IOS 11.1-12.0

A buffer overflow vulnerability exists when a malformed OSPF (Open Shortest Path First) packet is submitted, which could let a malicious user cause a Denial of Service or execute arbitrary code.

Cisco customers should contact the vendor for details on obtaining fixes.

An exploit script has been published.

Cisco IOS OSPF Neighbor Buffer Overflow

CAN-2003-0100

High

Security Focus, February 21, 2003

US-CERT VU#959203

Clever Copy

Clever Copy
V2.0 & 2.0a

Multiple vulnerabilities have been reported in Clever Copy which could let remote malicious users disclose information or perform Cross-Site Scripting.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Clever Copy Information Disclosure or Cross-Site Scripting High Secunia, Advisory: SA16236, July 27, 2005

Ethereal

Ethereal
V0.10.11

Multiple dissector and zlib vulnerabilities have been reported in Ethereal that could let remote malicious users cause a denial of service or execute arbitrary code.

Upgrade to version 0.10.12:
http://www.ethereal.com/
download.html

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Currently we are not aware of any exploits for these vulnerabilities.

High

Secunia, Advisory: SA16225, July 27, 2005

 

Hewlett Packard Company

DCE Core Services T8403 ABH

A remote Denial of Service vulnerability has been reported due to an unspecified error in the DCE daemon (DCED) when processing requests.

Contack the vendor for updates.

Currently we are not aware of any exploits for this vulnerability.

HP NonStop Server DCE Core Services Daemon Remote Denial of Service
Low
HP Security Bulletin,
HPSBNS01213 , July 29, 2005

Hewlett Packard Company

Radia
Management
Portal 1.0, 2.0

A vulnerability has been reported in the Radia Management Agent due to an unspecified flaw, which could let a remote malicious user cause a Denial of Service or execute arbitrary code with SYSTEM privileges on a Windows platform and elevated privileges on UNIX-based platforms.

Updates available at: http://support.openview.hp.com

An exploit script has been published.

HP OpenView Radia Management Portal Remote Command Execution

CAN-2005-1370

Low/ High

(High if arbitrary code can be executed)

HP Security Bulletin,
HPSBMA01138, April 28, 2005

PacketStorm July 28, 2005

IBM

Lotus Domino
VR5, R6

A vulnerability has been reported in Lotus Domino that could let malicious users disclose passwords and information.

No workaround or patch available at time of publishing.

There is no exploit code required.

Lotus Domino Information Disclosure

Medium
Security Tracker, Alert ID: 1014584, July 27, 2005

Jabber Software Foundation

Jabber Server
2.0 s8, 2.0

Several buffer overflow vulnerabilities have been reported in 'jid.c' due to boundary errors when parsing 'JID' strings that contain overly long user, host, or resource components, which could let a remote malicious user cause a Denial of Service or potentially execute arbitrary code.

Upgrades available at:
http://jabberstudio.org/projects/
jabberd2/releases/download.
php?file=j abberd-2.0s9.tar.gz

Currently we are not aware of any exploits for this vulnerability.

jabberd 'jid.c' Remote Buffer Overflows High Secunia Advisory: SA16291, August 1, 2005

Kayako Web Solutions

LiveResponse 2.0

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'index.php' due to insufficient sanitization of the 'username' parameter, which could let a remote malicious user execute arbitrary HTML and script code; an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'year' and 'date' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a vulnerability was reported due to insufficient sanitization of input passed to the name in sessions and support messages, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported because passwords are sent in clear text when logging in, which could let a remote malicious user obtain sensitive information; and a vulnerability was reported because the full path to certain scripts can be obtained when accessed directly.

No workaround or patch available at time of publishing.

here no exploit code required; however, Proofs of Concept exploits have been published.

Kayako LiveResponse Multiple Input Validation High Secunia Advisory: SA16286, August 1, 2005

KDE

KDE 3.4,
3.3-3.3.2,
3.2-3.2.3

A vulnerability has been reported in KDE Kate and KWrite because backup files are created with default permissions even if the original file had more restrictive permissions set, which could let a local/remote malicious user obtain sensitive information.

Patches available at:
ftp://ftp.kde.org/pub/kde/
security_patches/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/3/

Mandriva:
http://www.mandriva.com/
security/advisories

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-612.html

There is no exploit code required.

KDE Kate, KWrite Local Backup File Information Disclosure

CAN-2005-1920

Medium

Security Tracker Alert ID: 1014512, July 18, 2005

Fedora Update Notification,
FEDORA-2005-594, July 19, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:122, July 20, 2005

RedHat Security Advisory, RHSA-2005:612-07, July 27, 2005

Metasploit
Project

Metasploit Framework
2.0-2.4, 1.0

An unspecified vulnerability has been reported which could let a remote malicious user execute arbitrary code.

No workaround or patch available at time of publishing.

Currently we are not aware of any exploits for this vulnerability.

Metasploit Framework Unspecified Remote Vulnerability High Security Focus, 14431, July 30, 2005

Mozilla.org

Firefox 0.x, 1.x

Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.

Updates available at:
http://www.mozilla.org/
products/firefox/

Gentoo:
ftp://security.gentoo.org/
glsa/

Mandriva:
http://www.mandriva.com/
security/advisories

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
586.html

Slackware:
http://slackware.com/
security/viewer.php?
l=slackware-security
&y=2005& m=
slackware-security
.418880

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/
e/epiphany-browser/

http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

Exploits have been published.

Firefox Multiple Vulnerabilities

CAN-2005-2260
CAN-2005-2261
CAN-2005-2262
CAN-2005-2263
CAN-2005-2264
CAN-2005-2265
CAN-2005-2267
CAN-2005-2269
CAN-2005-2270

High

Secunia Advisory: SA16043, July 13, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:120, July 13, 2005

Gentoo Linux Security Advisory, GLSA 200507-14, July 15, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-603 & 605, July 20, 2005

RedHat Security Advisory, RHSA-2005:586-11, July 21, 2005

Slackware Security Advisory, SSA:2005-203-01, July 22, 2005

US-CERT VU#652366

US-CERT VU#996798

Ubuntu Security Notices, USN-155-1 & 155-2 July 26 & 28, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Mozilla.org

Mozilla
Browser 1.0-1.0.2, 1.1-1.7.6;
Firefox 0.8-0.10.1, 1.0.1, 1.0.2; Netscape Navigator 7.0, 7.0.2, 7.1, 7.2, 7.0-7.2

Multiple vulnerabilities have been reported: a vulnerability was reported in the 'EMBED' tag for non-installed plugins when processing the 'PLUGINSPAGE' attribute due to an input validation error, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because blocked popups that are opened through the GUI incorrectly run with 'chrome' privileges, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the global scope of a window or tab are not cleaned properly before navigating to a new web site, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because the URL of a 'favicons' icon for a web site isn't verified before changed via JavaScript, which could let a remote malicious user execute arbitrary code with elevated privileges; a vulnerability was reported because the search plugin action URL is not properly verified before used to perform a search, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to the way links are opened in a sidebar when using the '_search' target, which could let a remote malicious user execute arbitrary code; several input validation vulnerabilities were reported when handling invalid type parameters passed to 'InstallTrigger' and 'XPInstall' related objects, which could let a remote malicious user execute arbitrary code; and vulnerabilities were reported due to insufficient validation of DOM nodes in certain privileged UI code, which could let a remote malicious user execute arbitrary code.

Upgrades available at:
http://www.mozilla.org/
products/firefox/

http://www.mozilla.org/
products/mozilla1.x/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-18.xml

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-383.html

http://rhn.redhat.com/errata/
RHSA-2005-386.html

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/
ia32/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-384.html

SGI:
ftp://patches.sgi.com/
support/free/security/
advisories/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

Mandriva:
http://www.mandriva.com/
security/advisories

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

SCO:
ftp://ftp.sco.com/pub/
updates/UnixWare/
SCOSA-2005.29

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-17.xml

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

An exploit script has been published.

Mozilla Suite / Firefox Multiple Vulnerabilities

CAN-2005-0752
CAN-2005-1153
CAN-2005-1154
CAN-2005-1155
CAN-2005-1156
CAN-2005-1157
CAN-2005-1158
CAN-2005-1159
CAN-2005-1160

 

High

Mozilla Foundation Security Advisories, 2005-35 -
2005-41,
April 16, 2005

Gentoo Linux Security Advisory, GLSA 200504-18, April 19, 2005

US-CERT VU#973309

RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005-386., April 21 & 26, 2005

Turbolinux Security Advisory,
TLSA-2005-49, April 21, 2005

US-CERT VU#519317

SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005

RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Ubuntu Security Notice, USN-124-1 & USN-124-2, May 11 & 12, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088,
May 14, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088-1,
May 17, 2005

Fedora Legacy Update Advisory, FLSA:152883, May 18, 2005

PacketStorm, May 23, 2005

SCO Security Advisory, SCOSA-2005.29, July 1, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-604 & 605, July 20, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Mozilla.org

Mozilla Browser prior to 1.7.8;
Mozilla Suite prior to 1.7.8; Firefox prior to 1.0.4; Firebird 0.5, 0.6.1, 0.7

A vulnerability was reported due to a failure in the application to properly verify Document Object Model (DOM) property values, which could let a remote malicious user execute arbitrary code.

Firefox:
http://www.mozilla.org/
products/firefox/

Mozilla Browser Suite:
http://www.mozilla.org/
products/mozilla1.x/

TurboLinux::
ftp://ftp.turbolinux.co.jp/
pub/ TurboLinux/
TurboLinux/ia32/

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
434.html

http://rhn.redhat.com/
errata/RHSA-2005-
435.html

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/m/
mozilla-firefox/

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

SGI:
ftp://patches.sgi.com/
support/ free/security
/advisories/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

Currently we are not aware of any exploits for this vulnerability.

Mozilla Suite And Firefox DOM Property Overrides

CAN-2005-1532

High

Mozilla Foundation Security Advisory,
2005-44,
May 12, 2005

Turbolinux Security Advisory,
TLSA-2005
-56, May 16, 2005

RedHat Security Advisories, RHSA-2005:434-10 & RHSA-2005:435-10, May 23 & 24, 2005

Ubuntu Security Notice, USN-134-1, May 26, 2005

SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005

SGI Security Advisory, 20050503-01-U, June 8, 2005

SUSE Security Announcement, SUSE-SA:2005:030, June 9, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Multiple Vendors

Mozilla.org Mozilla Browser 1.7.6, Firefox 1.0.1, 1.0.2; K-Meleon 0.9; Netscape 7.2

A vulnerability has been reported in the javascript implementation due to improper parsing of lamba list regular expressions, which could a remote malicious user obtain sensitive information.

The vendor has issued a fix, available via CVS.

RedHat:
http://rhn.redhat.com/
errata/ RHSA-2005-
383.html

http://rhn.redhat.com/errata/
RHSA-2005-386.html

Slackware:
http://www.mozilla.org
/projects/security/known-
vulnerabilities.html

TurboLinux:
ftp://ftp.turbolinux.co.jp/
pub/ TurboLinux/
TurboLinux/ia32/

SUSE:
ftp://ftp.SUSE.com
/pub/SUSE

RedHat:
http://rhn.redhat.com/
errata/RHSA-2005-
384.html

SGI:
ftp://patches.sgi.com/
support/ free/security
/advisories/

Mandriva:
http://www.mandriva.com/
security/advisories

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

SCO:
ftp://ftp.sco.com/pub/
updates/ UnixWare/
SCOSA-2005.29

Gentoo:
http://security.gentoo.org/
glsa/glsa-200507-17.xml

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

Ubuntu:
http://security.ubuntu.com/
ubuntu/pool/main/e/enigmail/

http://security.ubuntu.com/
ubuntu/pool/main/
m/mozilla-thunderbird/

There is no exploit code required; however, a Proof of Concept exploit has been published.

Mozilla Suite/Firefox JavaScript Lambda Information Disclosure

CAN-2005-0989

Medium

Security Tracker Alert, 1013635, April 4, 2005

Security Focus, 12988, April 16, 2005

RedHat Security Advisories, RHSA-2005:383-07 & RHSA-2005:386-08,
April 21 & 26, 2005

Turbolinux
Security Advisory, TLSA-2005-49, April 21, 2005

Slackware Security Advisory, SSA:2005-111-04, April 22, 2005

SUSE Security Announcement, SUSE-SA:2005:028, April 27, 2005

RedHat Security Advisory, RHSA-2005:384-11, April 28, 2005

SGI Security Advisory, 20050501-01-U, May 5, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088,
May 14, 2005

Mandriva Linux Security Update Advisory, MDKSA-2005:088-1,
May 17, 2005

Fedora Legacy Update Advisory, FLSA:152883, May 18, 2005

SCO Security Advisory, SCOSA-2005.29, July 1, 2005

Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005

Fedora Update Notifications,
FEDORA-2005-604 & 605, July 20, 2005

Ubuntu Security Notices, USN-157-1 & 157-2 August 1& 2, 2005

Multiple Vendors

ALT Linux
Compact 2.3,
Junior 2.3;
Apple Mac OS X 10.0-10.0.4,
10.1-10.1.5,
10.2-10.2.8,
10.3-10.3.8,
Mac OS X Server 10.0, 10.1-10.1.5, 10.2-10.2.8,
10.3-10.3.8; MIT Kerberos 5 1.0, 5 1.0.6, 5 1.0.8,
51.1-5 1.4; Netkit Linux Netkit
0.9-0.12,
0.14-0.17,
0.17.17; Openwall
GNU/*/Linux
(Owl)-current,
1.0, 1.1; FreeBSD 4.10-
PRERELEASE,
2.0, 4.0 .x,
-RELENG,
alpha, 4.0, 4.1,
4.1.1 -STABLE, -RELEASE, 4.1.1,
4.2, -STABLE
pre122300, -STABLE
pre050201, 4.2 -STABLE,
-RELEASE,
4.2, 4.3 -
STABLE,
-RELENG, 4.3 -RELEASE
-p38, 4.3 -RELEASE, 4.3, 4.4
-STABLE,
-RELENG,
-RELEASE-p42,
4.4, 4.5
-STABLE
pre2002-
03-07, 4.5 -STABLE,
-RELENG, 4.5 -RELEASE-p32, 4.5 -RELEASE, 4.5, 4.6 -STABLE, -RELENG, 4.6 -RELEASE
-p20, 4.6 -RELEASE, 4.6, 4.6.2, 4.7 -STABLE, 4.7 -RELENG, 4.7 -RELEASE-p17, 4.7 -RELEASE, 4.7, 4.8 -RELENG,
4.8 -RELEASE-p7, 4.8 -PRE
RELEASE,
4.8, 4.9 -RELENG, 4.9 -PRE
RELEASE, 4.9, 4.10 -RELENG, 4.10 -RELEASE,
4.10, 4.11 -STABLE, 5.0 -RELENG, 5.0, 5.1 -RELENG, 5.1 -RELEASE-p5, 5.1 -RELEASE, 5.1, 5.2 -RELENG, 5.2 -RELEASE, 5.2,
5.2.1 -RELEASE, 5.3 -STABLE, 5.3 -RELEASE, 5.3, 5.4 -PRE
RELEASE; SuSE Linux 7.0, sparc, ppc, i386, alpha, 7.1, x86, sparc, ppc, alpha, 7.2, i386; SGI IRIX 6.5.24-6.5.27

Two buffer overflow vulnerabilities have been reported in Telnet: a buffer overflow vulnerability has been reported in the 'slc_add_reply()' function when a large number of specially crafted LINEMODE Set Local Character (SLC) commands is submitted, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability has been reported in the 'env_opt_add()' function, which could let a remote malicious user execute arbitrary code.

ALTLinux:
http://lists.altlinux.ru/
pipermail /security
-announce/2005-
March/000287.html

Apple:
http://wsidecar.apple.com/
cgi-bin/ nph-reg3rdpty1.pl/
product=05529& platform=
osx&method=sa/
SecUpd 2005-003Pan.dmg

Debian:
http://security.debian.
org/pool/ updates/main
/n/netkit-telnet/

Fedora:
http://download.fedora.
redhat.com/pub/fedora/
linux/core/updates/

FreeBSD:
ftp://ftp.FreeBSD.org/pub/
FreeBSD/CERT/patches/
SA-05:01/

MIT Kerberos:
http://web.mit.edu/kerberos/|
advisories/2005-001-patch
_1.4.txt

Netkit:
ftp://ftp.uk.linux.org/
pub/linux/
Networking/netkit/

Openwall:
http://www.openwall.com/
Owl/ CHANGES-
current.shtml

RedHat:
http://rhn.redhat.com/errata/
RHSA-2005-327.html

Sun:
http://sunsolve.sun.com/
search/ document.do?
assetkey= 1-26-57755-1

SUSE:
ftp://ftp.SUSE.com/
pub/SUSE

Ubuntu:
http://security.ubuntu.com/
ubuntu/ pool/main/n/
netkit-telnet/

OpenBSD:
http://www.openbsd.org/
errata.html#telnet

Mandrake:
http://www.mandrakesecure
.net/ en/ftp.php

Gentoo:
http://security.gentoo.org/
glsa/glsa-200503-36.xml

http://security.gentoo.org/
glsa/glsa-200504-01.xml

Debian:
http://security.debian.org/
pool/updates/main/k/krb5/

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-04.xml

SGI:
ftp://oss.sgi.com/projects/
sgi_propack/download
/3/updates/

SCO:
ftp://ftp.sco.com/pub/
updates/ UnixWare/
SCOSA-2005.21

Sun:
http://sunsolve.sun.com/
search/document.do?
assetkey=1-26-57761-1

Openwall:
http://www.openwall.com/
Owl/CHANGES-
current.shtml

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-088_
RHSA-2005-330.pdf

Gentoo:
http://security.gentoo.org/
glsa/glsa-200504-28.xml

TurboLinux:
ftp://ftp.turbolinux.co.jp/pub/
TurboLinux/TurboLinux/
ia32/

Sun:
http://sunsolve.sun.com/
search/ document.do?
assetkey=1-26-57761-1

OpenWall:
http://www.openwall.com/
Owl/CHANGES-
current.shtml

SCO:
ftp://ftp.sco.com/pub/
updates/ OpenServer/
SCOSA-2005.23

SGI IRIX:
Apply patch 5892 for IRIX 6.5.24-6.5.27:
ftp://patches.sgi.com/
support/free/security/
patches/

Debian:
http://security.debian.org/
pool/updates/main/k/krb4/

Conectiva:
http://distro.conectiva.com
.br/ atualizacoes/
index.php?id=
a&anuncio=000962

Trustix:
ftp://ftp.trustix.org/pub/
trustix/ updates/

Avaya:
http://support.avaya.com/
elmodocs2/security/
ASA-2005-132_
RHSA-2005-327.pdf

FedoraLegacy:
http://download.
fedoralegacy.
org/redhat/

Slackware:
ftp://ftp.slackware.com/
pub/slackware/

Currently we are not aware of any exploits for these vulnerabilities.

Telnet Client 'slc_add_reply()' & 'env_opt_add()'
Buffer Overflows

CAN-2005-0468
CAN-2005-0469

High

iDEFENSE Security Advisory,
March 28, 2005

US-CERT VU#291924

Mandrakelinux Security Update Advisory, MDKSA-2005:061,
March 30, 2005

Gentoo Linux Security Advisories, GLSA 200503-36 & GLSA 200504-01, March 31 &
April 1, 2005

Debian Security Advisory, DSA 703-1, April 1, 2005

US-CERT VU#341908

Gentoo Linux Security Advisory, GLSA 200504-04,
April 6, 2005

SGI Security Advisory, 20050401-01-U, April 6, 2005

Sun(sm) Alert Notification, 57761,
April 7, 2005

SCO Security Advisory, SCOSA-2005.21,
April 8, 2005

Avaya Security Advisory, ASA-2005-088, April 27, 2005

Gentoo Linux Security Advisory, GLSA 200504-28, April 28, 2005

Turbolinux Security Advisory, TLSA-2005-52, April 28, 2005

Sun(sm) Alert Notification, 57761, April 29, 2005

SCO Security Advisory, SCOSA-2005.23, May 17, 2005

SGI Security Advisory, 20050405-01-P, May 26, 2005

Debian Security Advisory, DSA 731-1, June 2, 2005

Conectiva Security Advisory, CLSA-2005:962, June 6, 2005

Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005

Avaya Security Advisory, ASA-2005-132, June 14, 2005

Fedora Legacy Update Advisory, FLSA:152583, July 11, 2005

Slackware Security Advisory, SSA:2005-210-01, August 1, 2005

nCipher

CHIL

A vulnerability has been reported in the CHIL library when obtaining random bytes from the hardware module, which could lead to a remote Denial of Service.

Update information available at:
http://www.ncipher.com/support/
advisories/advisory11.html

Currently we are not aware of any exploits for this vulnerability.

nCipher CHIL Random Cache Leakage Low nCipher Security Advisory No. 11, August 2, 2005

Opera Software

Opera V8.01

A image dragging vulnerability has been reported in Opera that could let remote malicious users perform Cross-Site Scripting.

Upgrade to V8.02:
http://www.opera.com/download/

There is no exploit code required.

Opera Cross-Site Scripting

CAN-2005-2406

High Secunia, Advisory: SA15756, July 28, 2005

Opera Software

Opera V8.01

A vulnerability has been reported in Opera that could let remote malicious users spoof dialogs and potentially execute arbitrary code.

Upgrade to V8.02:
http://www.opera.com/download/

There is no exploit code required.

Opera Dialog Spoofing

CAN-2005-2405

High Secunia, Advisory: SA15870, July 28, 2005

PHPFreeNews

PHPFreeNews 1.32 & prior

Multiple vulnerabilities have been reported: several Cross-Site Scripting vulnerabilities were reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported because a remote malicious user can create a malicious URL that will redirect the target user to the attacker's site; a vulnerability was reported because the installation path can be obtained when certain URLs are followed; and an SQL injection vulnerability was reported which could lead to the execution of arbitrary SQL commands.

The vendor has issued a fixed version (1.40) available at:
http://www.phpfreenews.co.uk/
Download.php

There is no exploit code required; however, Proofs of Concept exploits have been published.

PHPFreeNews Multiple Vulnerabilities High Security Tracker Alert ID: 1014601, August 2, 2005
PHPlist V2.8.12

An input validation vulnerability has been reported in PHPlist the could let remote malicious users perform SQL injection.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

PHPlist SQL Injection High Secunia, Advisory: SA16274, July 29, 2005

PHPmyGallery

PHPmyGallery
prior to V1.5B2

An include file vulnerability has been reported in PHPmyGallery that could let remote malicious users execute arbitrary commands.

Vendor fix available:
http://phpmygallery.kapierich.net
/en/news/?file=2005-07-15

There is no exploit code required; however, Proof of Concept exploits have been published.

PHPmyGallery Arbitrary Command Execution High Security Tracker, Alert ID: 1014594, July 28, 2005

PHPSimplicity

Simplicity oF Upload V1.3

A vulnerability has been reported in Simplicity oF Upload that could let remote malicious users execute arbitrary code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

Simplicity oF Upload Arbitrary Code Execution
High Security Tracker, Alert ID: 1014591, July 29, 2005

PluggedOut

CMS 0.4.8

Multiple Cross-Site Scripting and SQL injection vulnerabilities have been reported due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML, SQL and script code.

No workaround or patch available at time of publishing.

There no exploit code required; however, Proofs of Concept exploits have been published.
PluggedOut CMS Multiple Input Validation High Security Focus, 14426, July 30, 2005
Sophos AntiVirus prior to V4.5.4

A buffer overflow vulnerability has been reported in Sophos Anti-Virus that could let remote malicious users execute arbitrary code.

Vendor fix available:
http://www.sophos.com/support
/knowledgebase/article/
3409.html

Currently we are not aware of any exploits for this vulnerability.

Sophos Arbitrary Code Execution High Security Tracker, Alert ID: 1014588, July 27, 2005

UNG

UNG prior to V20050728.1

An input validation vulnerability has been reported in UNG that could let remote malicious users inject arbitrary mail headers.

Upgrade to V20050728.1:
http://terisolow.com/
programs.php?prog=UNG

There is no exploit code required.

UNG Arbitrary Mail Header Injection Low Secunia, Advisory: SA16270, July 29, 2005

VBZoom

VBZoom Forum

An input validation vulnerability has been reported in VBZoom ('show.php') that could let remote malicious users inject arbitrary SQL commands.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

VBZooM Forum SQL Injection
High Security Tracker, Alert ID: 1014585, July 27, 2005

[back to top] 

Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

  • Hackers cash in on 802.1x confusion: According to a survey by security vendor nCipher, companies are leaving their wireless networks exposed to hackers because of widespread failure to understand or implement 802.11x security systems. Source: http://www.vnunet.com/vnunet/news/2140662/poor-802-1x.
  • Linux Bluetooth hackers hijack car audio: By using a directional antennal and a Linux laptop running a tool called Car Whisperer, Linux hackers have demonstrated a way to inject or record audio signals from passing cars running insecure Bluetooth hands-free units. Source: http://www.theregister.co.uk/2005/08/02/car_whisperer/.
  • Interference, Not Hacking, Said To Be Biggest Wireless Threat At DefCon: According to a company that specializes in wireless LAN security, the biggest wireless threat at the recent DefCon conference for hackers didn't come from individual hackers trying to break into wireless network but, from items like microwave ovens. Bruce Hubbert, an AirMagnet engineer attending the DefCon conference, said in a statement, "We were more surprised to find that an abundance of Bluetooth devices, microwave ovens, 802.11 frequency-hopping devices and Web cameras were more effective at knocking out the conference's wireless network." Source: http://www.securitypipeline.com/news/167100145.

Wireless Vulnerabilities

  • Nothing significant to report.

[back to top] 

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Date of Script
(Reverse
Chronological Order)

Script name
Workaround or Patch Available
Script Description
August 2, 2005 testserver.pl No Script that exploits the Software Solutions Quick 'n Easy FTP Server User Command Buffer Overflow vulnerability.
August 1, 2005 BusMail_SMTPDOS.pl No Exploit for the BusinessMail Server SMTP Command Validation Error Remote Denial of Service vulnerability.
August 1, 2005 netquerypoc.html Yes Exploit for the Netquery Multiple Vulnerabilities.
July 28, 2005 apa-include.txt
No

Proof of Concept exploit for Atomic Photo Album Arbitrary File Inclusion vulnerability.

July 28, 2005 atmailXSS.txt Yes

Proof of Concept exploit for @Mail Cross-Site Scripting vulnerability.

July 28, 2005 beehiveVulns.txt No

Proof of Concept exploit for Beehive Forum SQL Injection or Cross-Site Scripting vulnerability.

July 28, 2005 bmforumXSS.txt No

Proof of Concept exploit for BMForum Plus! Cross-Site Scripting vulnerability.

July 28, 2005 c050503-001.txt No

Proof of Concept exploit for Internet Graphics Server Directory Traversal vulnerability.

July 28, 2005 cartWIZxss.txt No Proof of Concept exploit for CartWIZ Cross-Site Scripting vulnerability.
July 28, 2005 cleverNotSo.txt No

Proof of Concept exploit for Clever Copy Information Disclosure or Cross-Site Scripting vulnerabilities.

July 28, 2005 EClrouter.txt No

Proof of Concept exploit for B-FOCuS Router Unauthorized Access vulnerability.

July 28, 2005 flsearch.txt
flsearch.pl.txt
No

Proof of Concept exploits for FtpLocate Arbitrary Command Execution vulnerability.

July 28, 2005 FTPshellDoS.txt No

Exploit for FTPshell Server Denial of Service vulnerability.

July 28, 2005 HPRadiaManagement.txt Yes Exploit information for the HP OpenView Radia Management Portal Remote Command Execution vulnerability
July 28, 2005 kismet-2005-07-R1.tar.gz N/A An 802.11 layer 2 wireless network sniffer that can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom).
July 28, 2005 mu-imap4d_fsexp.c Yes Proof of Concept exploit for GNU Mailutils Buffer Overflow and Format String Bugs Let Remote Users Execute Arbitrary Code vulnerability.
July 28, 2005 phpFirstPost.txt No

Proof of Concept exploit for PHP FirstPost Arbitrary Command Execution vulnerability.

July 28, 2005 redslim-slimftpd.c Yes Proof of Concept exploit for SlimFTPd Arbitrary Code Execution vulnerability.
July 28, 2005 SiemensSANTIS50.txt No

Proof of Concept exploit for Siemens Wireless Router Denial Of Service vulnerability.

July 28, 2005 simplicityRemote.txt No

Proof of Concept exploit for Simplicity oF Upload Arbitrary Code Execution vulnerability.

July 27, 2005 ethereal-0.10.12.tar.gz N/A A GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames.

[back to top]

Trends

  • Google now a hacker's tool: A well-crafted Google query could allow a malicious user to use Google's massive database as a resource for intrusion. The problem is not with Google itself but with the fact that users often do not realize what Google's powerful search engine has been able to dig up.
    Source: http://www.pcworld.idg.com.au/index.php/id;1157771722;fp;2;fpid;1.
  • Phishers hack eBay: A flaw has been discovered on eBay's website that would have allowed fraudsters to successfully redirect the sign-on process to a phishing site. Source: http://www.pcworld.idg.com.au/index.php/id;282351067;fp;2;fpid;1.
  • DefCon Day 2: Patching Your Hacker Toolkit: New research released at the DefCon conference indicates that patch installation is also important for the tools malicious users and security professionals frequently use to break into (or test the security of) computer networks. Some of these tools used to infiltrate and test the security of targeted networks contain flaws that defenders could use to turn the tables on malicious users. Source: http://blogs.washingtonpost.com/securityfix/2005/07/patching_your_e.html.
  • Hackers race to expose Cisco Internet flaw: Computer hackers worked through the weekend to expose a flaw that could allow an attacker to take control of the Cisco Systems Inc. routers that direct traffic across much of the Internet. Source: http://news.yahoo.com/s/nm/20050731/wr_nm/cisco_dc;_
    ylt=AlZ0TA0N5ZZ7pynNYK84wfMjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    .
  • Virus Writer Targets AV Vendors: According to Sophos Plc, a virus writer has has released malicious code that ridicules anti-virus vendors and Sasser worm author Sven Jaschan. The Lebreat-D virus creates in infected computers a JPEG image file of Jaschan, a German teenager recently convicted of authoring the widespread Sasser and Netsky worms that is spread through email attachments. It exploits a Microsoft security vulnerability, and opens a backdoor to an infected Windows computer, enabling a malicious user to gain control. The virus also indicates that a Denial of Service attack could be planned against security vendors Symantec Corp. and McAfee Inc., but doesn't say when, Sophos said. Source: http://www.techweb.com/showArticle.jhtml?articleID=166403862.

[back to top]

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank
Common Name
Type of Code
Trend
Date
Description
1 Netsky-P Win32 Worm Stable March 2004 A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared files.
2 Mytob.C Win32 Worm Slight Increase March 2004 A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
3 Zafi-D Win32 Worm Slight Decrease December 2004 A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
4 Netsky-Q Win32 Worm Stable March 2004 A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker.
5 Mytob-BE Win32 Worm Slight Decrease June 2005 A slight variant of the mass-mailing worm that utilizes an IRC backdoor, LSASS vulnerability, and email to propagate. Harvesting addresses from the Windows address book, disabling antivirus, and modifying data.
6 Mytob-AS Win32 Worm Stable June 2005 A slight variant of the mass-mailing worm that disables security related programs and processes, redirection various sites, and changing registry values. This version downloads code from the net and utilizes its own email engine.
7 Zafi-B Win32 Worm Increase June 2004 A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
8 Netsky-D Win32 Worm Slight Increase March 2004 A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
9 Netsky-Z Win32 Worm Decrease April 2004 A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665.
10 Lovgate.w Win32 Worm Decrease April 2004 A mass-mailing worm that propagates via by using MAPI as a reply to messages, by using an internal SMTP, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.

Table updated August 2, 2005

[back to top

 

 
Last updated

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top