Any file that the FormHandler.cgi has read access to (the cgi is typically
run as user 'nobody' on Unix systems) can be specified as an attachment in
a reply email. This could allow an attacker to gain access to sensitive
files such as /etc/passwd simply by modifying the form document.
Certain versions of EmailClub, a mail server package by Admiral Systems
Inc. are vulnerable to a remote buffer overflow. This overflow is
exploitable via EmailClub's POP3 server which fails to perform proper
bounds checking on the 'From:' header on incoming e-mail.
This overflow will lead to a complete compromise of the Windows 95/98
target machine. It may well also affect Windows NT installations in the
same manner; it is unclear, though, whether EmailClub runs with
administrator privileges under Windows NT.
3. W4 Server Cgitest.exe Buffer Overflow Vulnerability
BugTraq ID: 802
Remote: Yes
Date Published: 1999-11-15
Relevant URL:
http://www.securityfocus.com/bid/802
Summary:
Certain versions of the W4-Server 32-bits personal webserver by Antelope
Software ship with a flawed script, Cgitest.exe. This compiled CGI script
fails to perform bounds checking on user supplied data and is vulnerable
to a buffer overflow.
Certain versions of WebBBS by Mike Bryeans of International
TeleCommunications contain a flaw in the initial login program. User
supplied data via the login name and password are not bounds checked and
can result in a buffer overflow. This leads to a compromise of the system
running WebBBS.
Lynx generally classifies webpages as either internal or external.
Internal webpages are those used for such things as configuration,
handling downloaded files, etc. External webpages are those normally
visited from a web client, hosted on a webserver somewhere "external" to
the client. To prevent authors of malicious webpages from compromising
the internals of the client, the creators of lynx put a number of
restrictions on what can manipulate the internal URLs. The first is a
hidden form value, called "secure", passed to internally rendered pages.
Unfortunately, this value doesn't live up to its name, since it is based
on time(). The next method is verifying whether the pages which contain
internal URLs are allowed to use them. This is done by comparing the
titles of the pages being verified to what they should be (if they were
legal). The section of code which does this naive check is below:
If it is possible for an attacker (locally) to convince a user to enter a
configuration page ('O') in lynx, the "secure" value can be obtained by
calling utime() on the temporary file created in /tmp (which is where lynx
creates temporary html pages). Once the "secure" value is obtained, a
malicious page which is titled appropriately can pass configuration values
as hidden form variables to LYNXOPTIONS://, which will take them gladly
and modify the configuration options of the user (for example, setting
editor to whatever the attacker wants) silently. There is a possibility
that this can be exploited remotely, if the value of "secure" can be
guessed.
More vulnerabilities which are consequently exposed by this problem are
exploitable buffer overflows in handling of some of the configuration
options. Known to lack bounds checking are operations on the buffers
which store (at least temporarily) the values for options: "user agent",
"preferred language", and "preferred charset".
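To make the point about the "secure" value concrete, here is an added example (written for this digest entry, not code from lynx): it contrasts a clock-derived token of the kind described above with one drawn from the operating system's CSPRNG, quantifies how little entropy the clock-derived one has once its creation time is known to within a window, and shows a constant-time comparison for validating whatever token is used. The token format, the window sizes and the 32-bit truncation are constructed for illustration and are not lynx's actual construction.

```python
import hmac
import math
import secrets
import time


def time_based_token(now=None):
    """The weak construction: a 'secret' derived from the clock.  This is a
    constructed stand-in (whole-second timestamp, hex encoded); the point is
    that anyone who knows roughly when the page was rendered has only a
    handful of candidate values."""
    now = int(time.time()) if now is None else int(now)
    return "%08x" % (now & 0xFFFFFFFF)


def time_token_entropy_bits(window_seconds):
    """Effective entropy of a clock-derived token when its creation time is
    known to within window_seconds: log2 of the number of candidates."""
    return math.log2(max(1, window_seconds))


def random_token(nbytes=16):
    """What a hidden 'secure' value should be: nbytes from the OS CSPRNG,
    hex encoded (128 bits of entropy with the default size)."""
    return secrets.token_hex(nbytes)


def random_token_entropy_bits(nbytes=16):
    return 8 * nbytes


def token_matches(presented, expected):
    """Constant-time comparison so that a token cannot be recovered byte by
    byte from differences in response time."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Two renders within the same second get the same 'secret'.
    t = 1000000000
    print("clock token:", time_based_token(t), time_based_token(t + 0.5))
    print("entropy if render time known to the hour: %.1f bits"
          % time_token_entropy_bits(3600))
    print("CSPRNG token:", random_token(),
          "(%d bits)" % random_token_entropy_bits())
```

The second restriction described above, matching page titles, suffers from a related problem: a title is content the page author chooses, so it cannot serve as an authorization check any more than a guessable token can. Binding the hidden value to a per-session CSPRNG token, as `random_token` does, removes both weaknesses.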
6. Gene6 G6 FTP Server Buffer Overflow DoS Vulnerability
BugTraq ID: 805
Remote: Yes
Date Published: 1999-11-17
Relevant URL:
http://www.securityfocus.com/bid/805
Summary:
The G6 FTP Server, by Gene6, is vulnerable to a buffer overflow attack. If
2000 characters are sent as the username or password, the software will
use up all available memory and CPU time and bring the host to a halt.
Certain versions of the Tektronix PhaserLink printer ship with a webserver
designed to help facilitate configuration of the device. This service is
essentially administrator level access as it can completely modify the
system characteristics, restart the machine, assign services etc.
In at least one version of this printer there are a series of undocumented
URLs which will allow remote users to retrieve the administrator
password. Once the password is obtained by the user, they can manipulate
the printer in any way they see fit.
8. Microsoft Riched20.dll Buffer Overflow Vulnerability
BugTraq ID: 807
Remote: Yes
Date Published: 1999-11-17
Relevant URL:
http://www.securityfocus.com/bid/807
Summary:
Riched20.dll, which Wordpad uses to parse Rich Text Format files, has an
unchecked buffer which allows arbitrary code to be executed. The code can
be put into an .rtf file and emailed to the victim. Then if the victim
opens the document in Wordpad, the code will be run at the same privilege
level as the user.
9. Linux syslogd Denial of Service Vulnerability
BugTraq ID: 809
Remote: No
Date Published: 1999-11-19
Relevant URL:
http://www.securityfocus.com/bid/809
Summary:
Syslogd uses a unix domain stream socket (/dev/log) to receive system log
messages. Unix domain stream sockets require a connection to be made
between client and server, meaning for each client served a separate
process is created. It is possible to cause a denial of service by opening
many local syslog connections in a short period of time. Unfortunately,
more details are lacking on this vulnerability.
10. Pine Environment Variable Expansion in URLS Vulnerability
BugTraq ID: 810
Remote: Yes
Date Published: 1999-11-18
Relevant URL:
http://www.securityfocus.com/bid/810
Summary:
When pine handles email formatted with or containing HTML, URLs which
contain shell variables defined on the local machine where the client is
running are expanded when followed. This can cause many security
problems, ranging from sending expanded variables to webservers in the
form of cgi parameters (and then logged to collect information about the
target) to possibly executing arbitrary commands on the target host
through malicious email. The following example was given by Jim Hebert
<jhebert@jhebert.cx> in his post to BugTraq:
echo 'setenv WWW www.securityfocus.com' >> .tcshrc
source .tcshrc
pine
(view a link I mailed myself like: http://$WWW )
it works, I visit securityfocus.
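As an added illustration of the expansion problem in this entry (example code written for this digest, not code from Pine or from Jim Hebert's post): it mirrors in pure Python what a Bourne-style shell does to a URL containing `$WWW` or `${HOME}` when the URL is spliced unquoted into a command line, provides a small detector a mail client or proxy could use to flag such URLs, and shows how `shlex.quote` neutralises the references when a URL genuinely has to pass through a shell. The variable names and the sample environment are constructed.

```python
import re
import shlex

# Matches $NAME or ${NAME}, the forms a Bourne- or C-style shell expands.
_VAR_REF = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def simulate_shell_expansion(url, env):
    """Mirror what happens when a URL is spliced unquoted into a shell
    command line: every $NAME / ${NAME} reference is replaced by the value
    of NAME from env (a constructed stand-in for the user's environment).
    As in sh, a name that is not set expands to the empty string."""
    def replace(match):
        name = match.group(1) or match.group(2)
        return env.get(name, "")
    return _VAR_REF.sub(replace, url)


def find_variable_references(url):
    """Return the environment variable names a URL would pull in if it were
    shell-expanded.  A non-empty result on a URL taken from incoming mail
    is a useful thing to log or alert on."""
    return [m.group(1) or m.group(2) for m in _VAR_REF.finditer(url)]


def shell_safe_argument(url):
    """If a URL really must go through 'sh -c' to reach a browser, quote it
    so the shell passes it through literally.  shlex.quote leaves plain URLs
    unchanged and single-quotes anything containing $, backticks, spaces or
    other metacharacters.  Passing the URL as a separate argv element with
    no shell at all is the better fix."""
    return shlex.quote(url)


if __name__ == "__main__":
    # Constructed environment and a URL of the shape shown in the post.
    env = {"WWW": "www.securityfocus.com", "USER": "alice"}
    url = "http://$WWW/cgi-bin/log?user=$USER"
    print("references:          ", find_variable_references(url))
    print("after shell expansion:", simulate_shell_expansion(url, env))
    print("quoted for the shell: ", shell_safe_argument(url))
```

The expansion shown by `simulate_shell_expansion` is exactly why the variable names never reach the remote webserver as literals: whatever the local environment holds ends up in the request, and therefore in that server's logs.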
11. Solaris rpc.ttdbserver Denial of Service Vulnerability
BugTraq ID: 811
Remote: Yes
Date Published: 1999-11-19
Relevant URL:
http://www.securityfocus.com/bid/811
Summary:
It is possible to crash rpc.ttdbserver by using an old ttdbserver buffer
overflow exploit. This problem is caused by a NULL pointer being
dereferenced when rpc function 15 is called with garbage. You cannot make
rpc.ttdbserver execute arbitrary code with this vulnerability. The
consequence of this vulnerability being exploited is a denial of service
condition (rpc.ttdbserver).
12. ProFTPD mod_sqlpw Vulnerability
BugTraq ID: 812
Remote: No
Date Published: 1999-11-19
Relevant URL:
http://www.securityfocus.com/bid/812
Summary:
Compiling the mod_sqlpw module into ProFTPD makes it possible for local
users to view the passwords of users who have connected to the ftp server.
When the module is used, it writes information to wtmp. Unfortunately, it
writes the password to wtmp where the username should be. The passwords
can be seen when a command such as 'last' is used locally.
13. ZetaMail Login DoS Vulnerability
BugTraq ID: 813
Remote: Yes
Date Published: 1999-11-18
Relevant URL:
http://www.securityfocus.com/bid/813
Summary:
The ZetaMail mail server will crash if a username/password pair longer
than 3500 characters is supplied by the client.
14. HP JetDirect Internal Webserver Long URL DoS Vulnerability
BugTraq ID: 814
Remote: Yes
Date Published: 1999-11-18
Relevant URL:
http://www.securityfocus.com/bid/814
Summary:
The JetDirect J3111A module is used to connect many models of HP printers
to a network. It includes a built-in webserver for remote printer
administration. This server is vulnerable due to an overflowable buffer in
the code that handles incoming URLs. If a URL longer than 256 characters
is requested the printer will crash.
III. PATCH UPDATES 1999-11-15 to 1999-11-21
-------------------------------------------
VI. SECURITY JOBS SUMMARY 1999-11-15 to 1999-11-21
---------------------------------------------------
1. Account Executive #293 - New York, NY
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-15&msg=19991115190951.11457.qmail@securityfocus.com
2. Software Security Consultant #581 - NYC
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-15&msg=19991115193259.12366.qmail@securityfocus.com
3. Regional Account Executive #293 - Palo Alto, CA
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-15&msg=19991115193642.12494.qmail@securityfocus.com
4. Security Management Applications Product Manager 339
Reply to: Lori Sabat <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-15&msg=19991117210120.16184.qmail@securityfocus.com
VII. SECURITY SURVEY 1999-11-15 to 1999-11-21
----------------------------------------------
The question for 1999-11-15 to 1999-11-21 was:
Which Security conference do you think is more useful to attendees? (Bang
for your buck)
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
Pingsting is a network monitoring application that determines
characteristics about ICMP Echo traffic. Pingsting is able to determine
the type of client that sent an ICMP Echo packet by comparing the data
portion of an ICMP Echo packet with known signatures.
3. cgi-check99 v0.4
by deepquest
URL: http://www.deepquest.pf/
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
Number of downloads: 1435
One of the world's most cross-platform cgi scanners, running on 37
operating systems! Even PalmOS soon! Will check for 119 common cgi and
other remote issues. Plus it will report the BugTraq ID of some
vulnerabilities. Get the rebol interpreter at http://www.rebol.com.
4. Snort 1.3.1
by Martin Roesch (roesch@clark.net)
URL: http://www.clark.net/~roesch/security.html
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris
Number of downloads: 1129
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based
logging and can perform content searching/matching in addition to being
used to detect a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
5. BUGS 2.0.1
by Sylvain Martinez
URL: http://www.asi.fr/~martinez/crypto/bugs-2.0.1.tgz
Platforms: HP-UX, Linux, Solaris, SunOS, UNIX, Windows 2000, Windows 3.x,
Windows 95/98 and Windows NT
Number of downloads: 923
Strong private key cryptography algorithm and applications. Multi-platform
(UNIX and Windows). Crypt/hide/key generator. Unlimited key length, source
code available.
6. NSS Narr0w Security Scanner
by Narrow NaRr0w@LeGiOn2000.cC
URL: http://www.wiretrip.net/rfp/1/index.asp
Platforms: Perl (any system supporting perl)
Number of downloads: 898
Narr0w Security Scanner checks for 153 remote vulnerabilities. Written in
perl.
IX. SPONSOR INFORMATION
------------------------------------------
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. CORE SDI also has extensive experience dealing with financial
and government contracts throughout Latin and North America.
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address
with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed, email aleph1@securityfocus.com and I will manually remove
you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery without unsubscribing by
sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to
LISTSERV@SECURITYFOCUS.COM with a message body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from which you are sending
commands to LISTSERV. Either send email from the appropriate address or email the
moderator to be unsubscribed manually.