@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 21
May 31, 2004

A second quiet week in a row. Separately, MacOS users who thought they were mostly invulnerable now may be rethinking that position.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Third Party Windows Apps     6 (#2, #3)
    MacOS                        2 (#1, #5)
    UNIX                         1
    IRIX                         1
    Cross Platform               7 (#4)
    Web Application              6
    Network Device               5 (#6)
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Irix
Unix
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Mac OS X SSH URI Handling Vulnerability
  • Affected:
    • Mac OS X Safari, Camino, Firefox and Mozilla browsers
  • Description: Multiple Mac OS X browsers reportedly contain a vulnerability in handling SSH URIs, i.e. URIs of the form "ssh://". The flaw can be exploited to pass arbitrary command-line options to the "ssh" program, which the browsers invoke when processing an SSH URI. An attacker can leverage this flaw via a specially crafted SSH URI in a malicious webpage or an HTML email to execute arbitrary commands on a client system. The commands would execute with the privileges of the currently logged-on user. The technical details and proof-of-concept exploits have been publicly posted.

  • Status: Apple has been notified. No official fix is available from Apple yet. An unofficial fix can be downloaded from http://www.unsanity.com/haxies/pa.

  • Council Site Actions: Three of the reporting council sites are using the affected software. They have notified their appropriate support groups and are waiting for the official patch from Apple. One site commented that many of their users are aware of the unofficial fix, although they are not supporting it. They plan no action at this time, but will devote more resources to this if there are reports of in-the-wild exploitation.

  • References:
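The root cause in item (1) is that the URI's host component reaches the "ssh" binary unvalidated, so a host that looks like an option is parsed as one. The following hardened handler is an added example written for this bulletin, not code from Apple or any of the affected browsers; it assumes a handler that builds an argv and runs OpenSSH without a shell, and every function and class name in it is hypothetical.

```python
"""Hardened ssh:// URI handler (added example, not code from Apple or any
affected browser). Item (1) describes browsers handing the URI's host part
straight to the ssh binary, so a host shaped like "-<option>" was parsed as
a command-line option. This handler allow-lists every component and ends
option parsing with "--" before the host; all names here are hypothetical."""
import re
import subprocess
from urllib.parse import urlsplit

# A DNS label: 1-63 chars, alphanumeric at both ends. Also matches IPv4 literals.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# POSIX-style login name; a leading "-" is impossible by construction.
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


class UnsafeSshUri(ValueError):
    """Raised for any ssh:// URI that does not pass the allow-list."""


def build_ssh_argv(uri: str) -> list:
    """Return the argv to run for *uri*, or raise UnsafeSshUri."""
    parts = urlsplit(uri)
    if parts.scheme != "ssh":
        raise UnsafeSshUri("scheme must be ssh")
    # Nothing but an optional trailing "/" may follow the authority part.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise UnsafeSshUri("path, query and fragment are not allowed")
    if parts.password is not None:
        raise UnsafeSshUri("embedded passwords are not allowed")
    host = parts.hostname
    if not host or not _HOST_RE.match(host):
        raise UnsafeSshUri("host is not a plain DNS name or IPv4 address")
    user = parts.username
    if user is not None and not _USER_RE.match(user):
        raise UnsafeSshUri("user name contains disallowed characters")
    try:
        port = parts.port  # raises ValueError if non-numeric or out of range
    except ValueError as exc:
        raise UnsafeSshUri("invalid port") from exc

    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    # "--" ends option parsing, so even a host that slipped past the regex
    # could never be read as an option by ssh.
    argv += ["--", f"{user}@{host}" if user else host]
    return argv


def is_safe_ssh_uri(uri: str) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        build_ssh_argv(uri)
    except UnsafeSshUri:
        return False
    return True


def launch_ssh(uri: str) -> int:
    """Run ssh for an accepted URI without a shell; returns its exit status."""
    return subprocess.run(build_ssh_argv(uri), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample URIs: one benign, one with an option-shaped host.
    for sample in ("ssh://alice@example.com:2222", "ssh://-x"):
        print(sample, "->", build_ssh_argv(sample) if is_safe_ssh_uri(sample) else "rejected")
```

IPv6 literals are deliberately outside the allow-list here; widen the host check only after deciding how brackets and zone identifiers should be handled.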
  • (2) MODERATE: WildTangent Web Driver Filename Buffer Overflow
  • Affected: Web Driver version 4.0 and possibly earlier versions
  • Description: WildTangent's technology is designed to deliver high quality media content, such as online games, to Internet users. WildTangent's Web Driver, a browser plug-in that includes real-time 2D/3D graphics engines and media streaming support, has reportedly been downloaded over 80 million times. This software contains multiple buffer overflows that can be triggered by an overlong "filename" parameter. A malicious webpage or an HTML email can exploit these flaws to possibly execute arbitrary code on a client system. Limited technical details regarding the flaw have been posted. The discoverer has created a proof-of-concept exploit that has not been publicly posted.

  • Status: Vendor confirmed, upgrade to version 4.1.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary. One site did comment that, given the 80 million downloads logged, they plan to research the issue further and try to identify specific applications a user may have installed whose installation process would have pulled in the WildTangent software.

  • References:
  • (3) LOW: Symantec Norton Antivirus Remote Code Execution
  • Affected: Norton Antivirus 2004
  • Description: Symantec Norton Antivirus 2004, which is used by millions of home users worldwide, contains a vulnerability that allows an attacker to execute arbitrary code on a client system. The problem lies in an ActiveX control used by the software, which does not sufficiently sanitize its user-supplied input. A malicious webpage or an HTML email can exploit this flaw to launch any executables already present on the client system. Limited technical details regarding the flaw have been posted.

  • Status: Symantec has confirmed the flaw. Please use the "LiveUpdate" feature to upgrade the anti-virus software.

  • Council Site Actions: Three of the reporting council sites are using the affected software. All are using Symantec's "LiveUpdate" process and are presuming systems have already been patched. One site plans to devote more resources to this issue if there are reports of in-the-wild exploitation.

  • References:
  • (4) LOW: Apache mod_ssl "ssl_util_uuencode_binary" Buffer Overflow
  • Affected: Apache version 1.3.x and 2.x configured with "mod_ssl" support.
  • Description: The "mod_ssl" module provides cryptography support for the Apache webserver. This module contains a stack-based buffer overflow in its "ssl_util_uuencode_binary" function. The flaw can be triggered by an overlong "Subject-DN" in a specially crafted client certificate, if the certificate's Certificate Authority (CA) is trusted and the "mod_ssl" module is configured with the "FakeBasicAuth" option. Exploiting this flaw to execute arbitrary code on the x86 architecture is reportedly not possible. However, it may be possible to execute arbitrary code when Apache is installed on other machine architectures (not confirmed). The technical details regarding the flaw have been posted.

  • Status: Vendor confirmed, fixes available.

  • Council Site Actions: We were unable to solicit the council site input for this item.

  • References:
  • (5) UPDATE: Mac OS X Remote Code Execution Vulnerabilities
  • Description: The "disk" and "help" URI handling vulnerabilities were discussed in last week's @RISK newsletter. It has been reported that the code silently placed on a client system by exploiting the "disk" URI handling vulnerability can be invoked via arbitrary protocol handlers such as "ftp". A malicious website or an HTML email can leverage these flaws to silently execute arbitrary code on a client system. The flaws are reportedly being exploited in the wild. Currently no patches are available for the additional attack vectors. Please refer to the suggested workarounds in the CERT advisory.

  • Council Site Actions: Three of the reporting council sites are using the affected software. They are waiting on the official patch from Apple. One site plans to investigate the issue further since an exploitation in the wild has been discussed.

  • References:
Other Software
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 21, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3445 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.21.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MiniShare Server Remote Denial of Service
  • Description: MiniShare is an HTTP server designed for file sharing. MiniShare fails to handle HTTP requests not ended by two new lines, resulting in a denial of service condition. MiniShare version 1.3.2 is known to be vulnerable.
  • Ref: http://www.autistici.org/fdonato/advisory/MiniShare1.3.2-adv.txt

  • 04.21.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Eudora Memory Corruption Vulnerability
  • Description: Eudora is reportedly vulnerable to a memory corruption issue. This occurs when it processes an email with a "To:" field longer than 240 characters resulting in memory corruption and a consequent denial of service. Eudora version 6.1 has been reported by the vendor to be vulnerable.
  • Ref: http://www.eudora.com/download/eudora/windows/6.1.1/RelNotes.txt

  • 04.21.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BNBT BitTorrent Tracker Denial of Service
  • Description: BNBT BitTorrent Tracker is a server for managing P2P BitTorrent connections. A denial of service vulnerability is exposed when a client transmits a credential string containing "A==" to the server causing it to crash. BNBT BitTorrent Tracker versions Beta 7.5 release 2 and earlier are reported to be affected.
  • Ref: http://security-protocols.com/modules.php?name=News&file=article&sid=1977

  • 04.21.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Orenosv HTTP/FTP Server GET Denial of Service
  • Description: Orenosv is an HTTP/FTP server suite available for Microsoft platforms. The application is reported to be vulnerable to a denial of service condition. This issue is exposed when the application processes an HTTP GET request of 420 or more characters, which causes it to stop responding. Orenosv version 0.59.f is reported to be vulnerable.
  • Ref: http://fux0r.phathookups.com/advisory/sp-x13-advisory.txt

  • 04.21.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WildTangent WebDriver Remote Buffer Overflow
  • Description: WildTangent WebDriver is a browser plug-in used for delivering multimedia gaming content. It is reported to have a remotely exploitable buffer overflow. The vulnerability is triggered when a user is lured into viewing a malicious web page while this plug-in is enabled. WebDriver version 4.0 is reported to be vulnerable, although earlier versions may be similarly affected.
  • Ref: http://www.nextgenss.com/advisories/wildtangent.txt

  • 04.21.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MollenSoft Lightweight FTP Server Remote Buffer Overflow
  • Description: MollenSoft Lightweight FTP Server is available for Microsoft Windows operating systems. Insufficient boundary checks on "CWD" command arguments expose a buffer overflow issue in the software. A "CWD" command of 238 bytes or more in length triggers this issue. Lightweight FTP Server version 3.6 is affected.
  • Ref: http://www.securiteam.com/windowsntfocus/5RP0L15CUM.html

  • 04.21.7 - CVE: CAN-2004-0485,CAN-2004-0486
  • Platform: Mac Os
  • Title: Apple OS X URI Handler Remote Code Execution
  • Description: System libraries in Apple's OS X contain handlers for different types of URIs. It has been revealed that multiple handler attacks are available, either by clicking on malicious URIs, or by downloading "disk images" (DMG) that silently register handlers unbeknownst to the user. Once these handlers are registered it is possible to launch arbitrary code.
  • Ref: http://secunia.com/advisories/11622

  • 04.21.8 - CVE: CAN-2004-0134
  • Platform: Irix
  • Title: SGI IRIX cpr Arbitrary Library Privilege Escalation
  • Description: A local malicious user can, under certain conditions, force the /usr/sbin/cpr binary to load a user provided library while restarting the checkpointed process. This can be used to obtain root user privileges. IRIX version 6.5.25 is known to fix this issue.
  • Ref: ftp://patches.sgi.com/support/free/security/advisories/20040507-01-P.asc

  • 04.21.9 - CVE: CAN-2004-0412
  • Platform: Unix
  • Title: GNU Mailman Unspecified Password Retrieval Vulnerability
  • Description: Mailman is a software package for managing electronic mail discussion and e-newsletter lists. Mailman versions 2.1.4 and earlier are vulnerable to unspecified password retrieval vulnerabilities.
  • Ref: http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html

  • 04.21.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenView Unicode Remote Access
  • Description: HP OpenView Select Access provides identity management services to access various network resources. It is reported that the software permits remote attackers to gain unauthorized access. Improper decoding of UTF-8 characters in its URI handler exposes this issue. Patches are available from the vendor for versions 5.0, 5.1, 5.2 and 6.0.
  • Ref: http://www.kb.cert.org/vuls/id/205766

  • 04.21.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun JSSE Incorrect Certificate Validation
  • Description: Sun Java Secure Socket Extension (JSSE) is a collection of Java libraries used to facilitate secure network communications. Sun JSSE does not validate certificates correctly, resulting in untrusted web sites being successfully authenticated for SSL transactions. This vulnerability affects Sun JSSE versions 1.0.3, 1.0.3_01 and 1.0.3_02 for Windows, Solaris and Linux.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57560&zone_32=security

  • 04.21.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Netscape Navigator Embedded Image URI Obfuscation Weakness
  • Description: The Netscape Navigator browser allows an attacker to craft a malicious hyperlink that appears to point to a trusted site, but in fact points to the attacker's site. The flaw exists in Navigator's handling of specially crafted "IMG" tags contained in an "A HREF" tag. The status bar displays the URL associated with the "A HREF" tag. However, on clicking the link the user is directed to the attacker's site. Netscape Navigator version 7.1 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10389

  • 04.21.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Application Server Path Disclosure
  • Description: Java System Application Server is reported to be vulnerable to a path disclosure vulnerability. It is exposed when the server processes HTTP requests with unexpected backslash characters or device names. Such requests cause the server to throw an exception with a message that includes the installation path. Sun Java System Application Server version 8.x is affected.
  • Ref: http://secunia.com/advisories/11730/

  • 04.21.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Anti-Virus Malformed LHA Archive Buffer Overflow
  • Description: It has been reported that F-Secure Anti-Virus is susceptible to a buffer overflow in its LHA archive scanning. Properly exploited this could allow arbitrary code execution. All F-Secure products that handle LHA archives are known to be vulnerable to this issue.
  • Ref: http://www.f-secure.com/security/fsc-2004-1.shtml

  • 04.21.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Anti-Virus Content Detection Bypass
  • Description: It has been reported that F-Secure Anti-Virus is susceptible to an unspecified method for bypassing virus detection in certain viruses stored in PKZip files. F-Secure Anti-Virus versions 5.41 and 5.42 for Workstations and File Servers and Anti-Virus Client Security versions 5.50 and 5.52 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/11699

  • 04.21.16 - CVE: CAN-2004-0402
  • Platform: Cross Platform
  • Title: libpcd PhotoCD Image Error Handling Buffer Overflow
  • Description: Multiple buffer overflow vulnerabilities have been reported in the "pcd_open()" function of libpcd. These can be exploited by using a specially crafted image name. xpcd version 2.08 and libpcd version 1.0.1 are known to be vulnerable.
  • Ref: http://www.debian.org/security/2004/dsa-508

  • 04.21.17 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System User.PHP HTML Injection
  • Description: e107 Website System is a web-based content management system. The application is reported to be vulnerable to an HTML injection issue. The cause of the problem is traced to insufficient sanitization of the "AIM" and "MSN" fields in the user.php script.
  • Ref: http://www.ramsecurity.us/content.php?article.25.0

  • 04.21.18 - CVE: Not Available
  • Platform: Web Application
  • Title: PimenGest2 Information Disclosure
  • Description: PimenGest2 is a finance management web application developed by PimenTech. An authenticated attacker can load the rowLatex.inc.php script in debug mode to reveal database credentials. PimenGest2 versions 1.10-1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10408

  • 04.21.19 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Log.php HTML Injection
  • Description: e107 website system is a content management system written in PHP. Reportedly, e107 is vulnerable to a remote HTML injection in its log.php script. A malicious user can inject arbitrary HTML content into the website log, which will then be rendered verbatim when a user browses the log page.
  • Ref: http://www.securityfocus.com/archive/1/363965

  • 04.21.20 - CVE: Not Available
  • Platform: Web Application
  • Title: SquirrelMail Multiple Unspecified Input Validation Vulnerabilities
  • Description: SquirrelMail is an open source webmail package. SquirrelMail versions earlier than 1.4.3 are vulnerable to an unspecified SQL injection as well as cross-site scripting attacks.
  • Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988

  • 04.21.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Liferay Enterprise Portal Cross-Site Scripting
  • Description: Liferay Enterprise Portal is a web portal providing a single sign-on web interface for email, document management and message boards. Most of the fields used for text input can be used to perform cross-site scripting attacks. There is currently no fix for this issue.
  • Ref: http://www.securityfocus.com/archive/1/364073

  • 04.21.22 - CVE: Not Available
  • Platform: Web Application
  • Title: JPortal Print.php SQL Injection Vulnerability
  • Description: JPortal is a web-based bulletin board system for PHP enabled web servers. It has been reported that an SQL injection attack has been found in the "print.inc.php" script. This issue is due to insufficient input sanitization. Using this vulnerability, a hostile user could execute arbitrary SQL commands on the back-end database serving the JPortal site.
  • Ref: http://www.securityfocus.com/archive/1/364599/2004-05-25/2004-05-31/0

  • 04.21.23 - CVE: Not Available
  • Platform: Network Device
  • Title: HP Integrated Lights Out Denial of Service
  • Description: HP ProLiant servers are reported to have a denial of service vulnerability in their "Integrated Lights Out" (iLO) management system. If accessed using TCP source port 0, iLO will cease responding. iLO version 1.55 is reported to be vulnerable to this attack.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBMA01046

  • 04.21.24 - CVE: Not Available
  • Platform: Network Device
  • Title: VocalTec VGW120/VGW480 Denial of Service
  • Description: VocalTec VGW120/VGW480 gateways are VoIP gateways supporting the H.225 and H.323 VoIP protocols. A denial of service vulnerability has been reported in these devices that is triggered when processing certain types of H.323 traffic. When properly exercised, a remote attacker could cause the device to stop responding.
  • Ref: http://www.securitylab.ru/45401.html

  • 04.21.25 - CVE: Not Available
  • Platform: Network Device
  • Title: Netgear RP114 Content Filter Bypass Vulnerability
  • Description: The Netgear RP114 Cable/DSL Web Safe Router provides NAT routing capabilities with URI-based outbound filtering. Reportedly users can bypass the filtering by padding URIs with "%20" sequences and making the URIs longer than 220 bytes.
  • Ref: http://secunia.com/advisories/11698/

  • 04.21.26 - CVE: CAN-2004-0476
  • Platform: Network Device
  • Title: 3Com OfficeConnect Remote 812 ADSL Router Telnet Buffer Overflow
  • Description: The 3Com OfficeConnect Remote 812 ADSL Router is reportedly vulnerable to a buffer overflow condition. This occurs when a specially crafted long string is sent to the telnet service running on the device. Reportedly, this will cause the device to crash or reboot causing a denial of service condition.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-05/0263.html


(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters. To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.