
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 39
October 4, 2004

It is a quiet week for most of you in eliminating vulnerabilities.

Have any of you had success in using inoculation programs to reduce human error? We've gotten sporadic reports of organizations sending their employees phishing and similar email and then, if they fall for the scam, educating them about it. If you have experimented with this please send a note about your experience to info@sans.org with subject inoculation.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    --------------------------  ------------------------------
    Windows                     1
    Other Microsoft Products    1
    Third Party Windows Apps    8
    Linux                       1 (#2)
    AIX patch                   0 (#7)
    Irix                        1
    Cross Platform              10 (#1, #3, #4, #5, #6)
    Web Application             9
    Network Device              1

******************** Security Training Update *************************

Featured Training program of the Week: SANS Cyber Defense Initiative CDI is in two parts: CDI South in New Orleans November 1-4 ( http://www.sans.org/cdisouth04) and CDI East in Washington, DC, December 7-14 ( http://www.sans.org/cdieast04)

New Orleans offers a whole new type of program that many people have asked us to provide: 18 one- and two-day courses on issues shaping the future of information security, from the newest hacker tools to changes in the legal issues surrounding security. Perfect for people who have taken SANS courses and want updates, and for people who just don't have time to attend a full class. Washington, on the other hand, offers 13 full-length immersion courses and a few short courses.

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Irix
Cross Platform
Web Application
Network Device

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages.

(1) Need to improve network security policy compliance? Download the McAfee(r) ePolicy Orchestrator(r) white paper now. http://www.sans.org/info.php?id=603

(2) Stop Cyber Attacks Now. FREE White Paper: How to Evaluate Intrusion Prevention Systems http://www.sans.org/info.php?id=604

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: RealNetworks RealPlayer Buffer Overflow Vulnerabilities
  • Affected:
    • RealPlayer 10.5 (versions prior to 6.0.12.1053)
    • RealPlayer 8, 10, Enterprise
    • RealOne Player v1, v2
    • Mac RealPlayer 10 Beta
    • Mac RealOne Player
    • Linux RealPlayer
    • Linux Helix Player
  • Description: RealPlayer is a popular Internet media player with over 200 million users. The player contains a heap-based overflow in the "pnen3260.dll" component. The overflow can be triggered by a RealMedia (".rm") file with a specially crafted length field in its "VIDORV30" section. A malicious web page, or an email containing a link to one, can exploit the flaw to execute arbitrary code on the client computer. Technical details have been posted publicly.

  • Status: RealNetworks has confirmed the vulnerabilities and has issued updates.

  • Council Site Actions: Most of the council sites plan to respond to this problem. They will distribute the patches during their next regularly scheduled systems update process. Some sites don't officially support the software, but they plan to make patches available for users to install themselves.

  • References:
  • (2) LOW: Samba Arbitrary File Access
  • Affected:
    • Samba versions 2.2.x, prior to and including 2.2.11
    • Samba versions 3.0.x, prior to and including 3.0.5
  • Description: The Samba server contains a vulnerability that an authenticated attacker can exploit to read or write arbitrary files on the server. The problem arises because "unix_clean_name()", the function that strips "./" and ".." sequences from a file or directory name, is applied twice to the same name, so a specially crafted name can bypass the share's access restrictions. For instance, an authenticated user may read configuration files under "/etc" and use them to mount further attacks against the server. Shares that allow anonymous access face the greatest risk. The flaw is easy to exploit: the standard "smbclient" command-line program is sufficient, so no exploit code is required.

  • Status: Samba has confirmed the issue. Upgrade to version 2.2.12 or apply the patch for version 3.0.5. As a workaround, set "wide links = no" in smb.conf.

  • Council Site Actions: Most of the reporting council sites are responding to this item as well. They plan to distribute the patch during their next regularly scheduled system update process.

  • References:
Other Software
  • (5) HIGH: YPOPs! POP And SMTP Server Buffer Overflow
  • Affected:
    • YPOPs! version 0.4 through 0.6
  • Description: YPOPs! provides POP3 access to Yahoo! email and reportedly has over 120,000 users. The software emulates both a POP3 server and an SMTP server, and each contains a stack-based buffer overflow. The POP3 overflow is triggered by a username longer than 180 bytes; the SMTP overflow is triggered by a command longer than 504 bytes. The flaws can likely be exploited to execute arbitrary code with the privileges of the YPOPs! process. Exploit code has been published.

  • Status: The vendor has not confirmed the issue; no updates are available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
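The two triggers quoted above (a POP3 USER argument over 180 bytes, an SMTP command line over 504 bytes) are simple enough to check on the wire. The following Python is an added example, not YPOPs! code and not the published exploit: it applies the two thresholds from the advisory text to client session lines, which is the kind of rule an IPS signature or a log-review script would carry until a fixed version exists. The sample sessions, the limit names and the function names are constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

# Limits quoted in the advisory text above.
POP3_USER_LIMIT = 180   # a USER argument longer than this overflows the POP3 side
SMTP_LINE_LIMIT = 504   # any command line longer than this overflows the SMTP side


def check_pop3_line(line: bytes) -> Tuple[bool, str]:
    """Flag a client-to-server POP3 line whose USER argument exceeds the limit."""
    body = line.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    if verb.upper() == b"USER" and len(arg) > POP3_USER_LIMIT:
        return True, f"POP3 USER argument is {len(arg)} bytes (limit {POP3_USER_LIMIT})"
    return False, ""


def check_smtp_line(line: bytes) -> Tuple[bool, str]:
    """Flag any SMTP command line longer than the limit, whatever the verb."""
    body = line.rstrip(b"\r\n")
    if len(body) > SMTP_LINE_LIMIT:
        verb = body.split(b" ", 1)[0].decode("ascii", "replace")
        return True, f"SMTP {verb} line is {len(body)} bytes (limit {SMTP_LINE_LIMIT})"
    return False, ""


CHECKS: Dict[str, Callable[[bytes], Tuple[bool, str]]] = {
    "pop3": check_pop3_line,
    "smtp": check_smtp_line,
}


def scan_session(protocol: str, lines: List[bytes]) -> List[str]:
    """Return one finding per offending client line, numbered from 1.

    Lines are expected to be complete commands; TCP segments must be
    reassembled before calling this, or a long argument split across
    segments is missed.
    """
    check = CHECKS[protocol]
    findings = []
    for n, line in enumerate(lines, 1):
        hit, why = check(line)
        if hit:
            findings.append(f"line {n}: {why}")
    return findings


# Constructed sessions: a normal login and one that exceeds each threshold.
POP3_NORMAL = [b"USER alice\r\n", b"PASS hunter2\r\n", b"STAT\r\n"]
POP3_HOSTILE = [b"USER " + b"A" * 181 + b"\r\n", b"PASS x\r\n"]
SMTP_NORMAL = [b"EHLO mail.example.test\r\n", b"MAIL FROM:<alice@example.test>\r\n"]
SMTP_HOSTILE = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<" + b"A" * 500 + b"@example.test>\r\n",   # 525 bytes
]

if __name__ == "__main__":
    for name, proto, session in [
        ("pop3-normal", "pop3", POP3_NORMAL),
        ("pop3-hostile", "pop3", POP3_HOSTILE),
        ("smtp-normal", "smtp", SMTP_NORMAL),
        ("smtp-hostile", "smtp", SMTP_HOSTILE),
    ]:
        print(name, scan_session(proto, session) or "clean")
```

A production rule would set its limits well below the overflow thresholds, since no legitimate POP3 username or SMTP command line comes close to 180 or 504 bytes; the values above are kept at the advisory's numbers only to make the match with the text exact.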
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 39, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3744 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.39.1 - CVE: Not Available
  • Platform: Windows
  • Title: GDI+ Library Malformed JPEG Handling Denial of Service
  • Description: The Microsoft GDI+ (Graphics Device Interface Plus) library is reported to be vulnerable to an unspecified denial of service when handling malformed JPEG files, said to result from a NULL pointer dereference. An attacker can exploit this by creating a malformed JPEG file and sending it to a user who opens it with an application that depends on the vulnerable library.
  • Ref: http://www.heise.de/newsticker/meldung/51459

  • 04.39.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft SQL Server Remote Denial of Service
  • Description: Microsoft SQL Server is reported to be vulnerable to a remote denial of service. The problem exists because the server fails to handle a large amount of specially crafted data. MSSQL 7.0 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0420.html

  • 04.39.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MyWebServer Multiple Remote Vulnerabilities
  • Description: MyWebServer is reported to be vulnerable to remote denial of service and unauthorized administrative access issues. The "ServerProperties.html" file can be accessed without authentication, and a large number of simultaneous connections will trigger a denial of service condition. MyWebServer version 1.0.3 is affected.
  • Ref: http://secunia.com/advisories/12689/

  • 04.39.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: aspWebCalendar and aspWebAlbum Multiple SQL Injection Vulnerabilities
  • Description: Full Revolution aspWebCalendar and aspWebAlbum are ASP-based applications. Both are vulnerable to multiple SQL injection issues due to insufficient parameter validation. aspWebCalendar versions 4.5 and earlier and aspWebAlbum versions 3.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/376247

  • 04.39.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BroadBoard Multiple SQL Injection Vulnerabilities
  • Description: BroadBoard is a message board application. Insufficient sanitization of user-supplied parameters in the "search.asp", "profile.asp", "forgot.asp" and "reg2.asp" scripts exposes multiple SQL injection issues. BroadBoard versions 1.x are affected.
  • Ref: http://secunia.com/advisories/12658/

  • 04.39.6 - CVE: CAN-2004-0552
  • Platform: Third Party Windows Apps
  • Title: Sophos Anti-Virus Reserved MS-DOS Name Scan Evasion
  • Description: Sophos Anti-Virus is affected by a virus scan evasion involving reserved MS-DOS device names. An attacker can give an ordinary file a reserved device name such as LPT1 or COM1; the scanner then does not scan the file. Sophos Anti-Virus version 3.x is affected.
  • Ref: http://www.sophos.com/support/knowledgebase/article/2004.html
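A check for the condition described in 04.39.6, added here as an example and not Sophos code: Windows reserves the MS-DOS device names in every directory and regardless of extension (COM1.txt is still COM1), so a file-intake pipeline or archive scanner running on Windows should report such names as a finding rather than silently skip them. The sample file list and the function names are constructed for this example.

```python
from pathlib import PureWindowsPath
from typing import List, Optional

# Reserved MS-DOS device names on Windows. Only COM1-COM9 and LPT1-LPT9 are
# reserved; COM10, LPT0 and names with extra characters (ACOM1) are ordinary.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def reserved_device_name(path: str) -> Optional[str]:
    """Return the reserved device name a Windows path refers to, or None.

    Windows matches the base name case-insensitively, ignores everything from
    the first "." onward (the extension) and from a ":" onward (an alternate
    data stream), and ignores trailing spaces, so "lpt1.tar.gz" and
    "com1 .exe" both name devices.
    """
    base = PureWindowsPath(path).name          # accepts "\\" and "/" separators
    stem = base.split(".", 1)[0].split(":", 1)[0].rstrip(" ")
    candidate = stem.upper()
    return candidate if candidate in RESERVED_DEVICE_NAMES else None


def flag_unscannable(paths: List[str]) -> List[str]:
    """Paths a Windows-hosted scanner may skip because the name is a device."""
    return [p for p in paths if reserved_device_name(p) is not None]


# Constructed sample: what an archive listing or a drop directory might contain.
SAMPLE_PATHS = [
    r"C:\inbox\report.doc",
    r"C:\inbox\LPT1",
    r"C:\inbox\com1.exe",
    r"C:\inbox\lpt1.tar.gz",
    r"C:\inbox\COM10",          # not reserved
    r"C:\inbox\ACOM1.txt",      # not reserved
    "payload/nul.scr",          # forward slashes, as in an archive member name
]

if __name__ == "__main__":
    for p in flag_unscannable(SAMPLE_PATHS):
        print(f"{p}: resolves to device {reserved_device_name(p)}")
```

The same check belongs wherever file names cross a trust boundary on Windows, such as archive extraction and upload handling: a member named LPT1 cannot be created or opened by the ordinary path, so any tool that does not report the failure leaves an unscanned object behind.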

  • 04.39.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: YahooPOPS! Multiple Remote Buffer Overflow
  • Description: YahooPOPS! is a POP3-to-Yahoo! webmail gateway and SMTP server application. Insufficient boundary checks on various user-supplied input parameters expose multiple remote buffer overflow issues in the software. YahooPOPS! versions 0.4 through 0.6 are affected.
  • Ref: http://www.hat-squad.com/en/000075.html

  • 04.39.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Intellipeer Email Server User Account Enumeration Vulnerability
  • Description: Intellipeer email server is an SMTP/POP3 mail server. It is reported to be vulnerable to a user account enumeration issue. Intellipeer email server version 1.01 is known to be vulnerable.
  • Ref: http://www.nettica.com/Downloads/Default.aspx

  • 04.39.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Norton AntiVirus Malformed Email Denial of Service
  • Description: Symantec Norton AntiVirus is vulnerable to a denial of service issue due to its handling of malformed emails with empty body received by Microsoft Outlook. Norton AntiVirus 2004 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11259

  • 04.39.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Chatman Denial of Service Vulnerability
  • Description: Chatman from Virtual Projects is a utility that allows users on a local area network to converse, share files and play network-based games. Chatman is vulnerable to a denial of service issue that results from its failure in handling exceptional conditions. The vulnerable versions are Chatman 1.5 and 1.5.1 RC1.
  • Ref: http://www.vp-soft.com/software/chatman.php

  • 04.39.11 - CVE: CAN-2004-0833
  • Platform: Linux
  • Title: Debian Sendmail Default SASL Password Vulnerability
  • Description: Debian GNU/Linux contains binary packages for the Sendmail MTA as well as SASL (Simple Authentication and Security Layer). The SASL database is initialized by default with a "sendmail" user whose password is "sendmailpwd". Versions of the Debian Sendmail packages prior to 8.12.3-7.1 for Debian stable (woody) and prior to 8.13.1-13 for Debian unstable (sid) are affected.
  • Ref: http://www.debian.org/security/

  • 04.39.12 - CVE: CAN-2004-0139
  • Platform: Irix
  • Title: SGI IRIX t_bind/t_unbind Undisclosed Vulnerability
  • Description: The SGI IRIX "t_bind()" and "t_unbind()" functions are used to bind and unbind an address to a transport endpoint. They are reported to contain an unspecified vulnerability. IRIX versions 6.5.25 and prior are reported to be vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Sep/1011451.html

  • 04.39.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zinf Malformed Playlist File Remote Buffer Overflow
  • Description: Zinf is a multi-platform audio player. Insufficient boundary checks performed on the playlist files (.pls) expose a buffer overflow condition in the application. Zinf version 2.2.1 for Windows is affected. Zinf version 2.2.5 for Linux is known to resolve this issue.
  • Ref: http://www.securityfocus.com/archive/1/376305

  • 04.39.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor TCP Packet Fragmentation Denial of Service
  • Description: Multiple vendor implementations of the TCP/IP stack are reported to be vulnerable to a remote denial of service condition. The issue presents itself when a large number of fragmented packets, with missing fragments, are sent to the system and then the final fragment is repetitively sent. Microsoft Windows 2000/XP, Linux kernel 2.4 tree and some Cisco devices are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/376490

  • 04.39.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Remote Buffer Overflow
  • Description: MySQL is a relational database. Insufficient boundary checks in the "cli_stmt_execute()" function of the "libmysql/libmysql.c" file expose a remote buffer overflow issue. MySQL versions 4.1.3-beta and 4.1.4 are affected.
  • Ref: http://bugs.mysql.com/bug.php?id=4017

  • 04.39.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: dBpowerAMP Music Converter and Audio Player Buffer Overflow
  • Description: Illustrate dBpowerAMP Music Converter is used to rip audio CDs, and dBpowerAMP Audio Player is an audio player. Both are vulnerable to multiple buffer overflow issues due to insufficient boundary verification. dBpowerAMP Music Converter version 10.0 and Audio Player version 2.0 are known to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00052-09272004

  • 04.39.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XMLStarlet Multiple Unspecified Buffer Overflow Vulnerabilities
  • Description: XMLStarlet command line XML toolkit is a collection of utilities designed to facilitate the manipulation of XML files. It is affected by multiple unspecified buffer overflow issues due to improper sanitization of user-supplied input. XMLStarlet version 0.9.3 is reported to be vulnerable.
  • Ref: https://sourceforge.net/project/shownotes.php?release_id=268962

  • 04.39.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Icecast Server HTTP Header Buffer Overflow
  • Description: Icecast is a streaming audio server. Icecast is vulnerable to a buffer overflow issue due to insufficient boundary checks when receiving a malformed HTTP header. Icecast versions 2.x up to 2.0.1 are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/iceexec-adv.txt

  • 04.39.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ParaChat Directory Traversal Vulnerability
  • Description: ParaChat is a web-based chat system written in Java. Insufficient sanitization of "..%5C/" and "../" strings exposes a directory traversal issue in the software. ParaChat version 5.5 is affected.
  • Ref: http://www.autistici.org/fdonato/advisory/ParaChatServer5.5-adv.txt

  • 04.39.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealOne Player And RealPlayer Remote Vulnerabilities
  • Description: RealNetworks RealPlayer and RealOne Player are multimedia players. Insufficient sanitization in the parsing of RM files exposes multiple remote code execution issues. RealOne Player versions v1 and v2, RealPlayer versions 8 through 10 are affected.
  • Ref: http://www.service.real.com/help/faq/security/040928_player/EN/

  • 04.39.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Samba Arbitrary File Access
  • Description: Samba is a file and printer sharing application. Insufficient sanitization of directory traversal sequences while converting malformed DOS path names to path names of the Samba host's file system exposes an arbitrary file access issue. Samba versions 2.x and 3.x are affected.
  • Ref: http://us3.samba.org/samba/news/#security_2.2.12
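The Samba item in Part I (2), the ParaChat item 04.39.19 and the Samba item 04.39.21 above describe the same class of defect: a client-supplied path is cleaned by string surgery (stripping "./", "..", "../" or "..%5C/"), and the cleaning is either incomplete or applied more than once along the code path. The following Python is an added illustration, not Samba or ParaChat code: it decodes and normalises a client path exactly once, refuses anything that climbs above the share root, and tests whether the canonicaliser is a fixed point of itself, the property a cleaner must have if any code path applies it twice. The share root, the request strings and the function names are constructed for this example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def canonical_relative(raw: str) -> Optional[str]:
    """Turn a client-supplied path into one canonical share-relative path.

    Steps run exactly once and in a fixed order: URL-decode, map DOS
    backslashes to "/", drop leading separators, then let posixpath.normpath
    collapse "." and ".." components. Anything that still begins with ".."
    after normalisation is an escape attempt and is rejected (None).
    """
    decoded = unquote(raw)                           # "..%5C/" -> "..\/"
    unified = decoded.replace("\\", "/").lstrip("/")
    norm = posixpath.normpath(unified)               # "" becomes "."; a leading ".." survives only if it cannot be collapsed
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def resolve_under_root(root: str, raw: str) -> Optional[str]:
    """Absolute path for raw inside root, or None if it would leave root."""
    root = posixpath.normpath(root)
    rel = canonical_relative(raw)
    if rel is None:
        return None
    full = posixpath.normpath(posixpath.join(root, rel))
    # Containment is re-checked on the final string so that a later change to
    # canonical_relative cannot silently weaken this function.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def is_fixed_point(raw: str) -> bool:
    """True when a second application of canonical_relative changes nothing.

    A cleaner that is not its own fixed point is unsafe to apply twice: an
    access check made after the first pass sees a different path from the
    one the second pass hands to the filesystem.
    """
    once = canonical_relative(raw)
    return once is not None and canonical_relative(once) == once


# Constructed requests for the example; the share root is also made up.
SHARE_ROOT = "/srv/samba/public"
REQUESTS: List[str] = [
    "docs\\..\\readme.txt",        # DOS separators, harmless ".." inside the share
    "docs/./readme.txt",           # "./" component
    "..%5C/..%5C/etc/passwd",      # encoded backslash traversal, as in the ParaChat item
    "../../etc/passwd",            # plain traversal
    "%252e%252e/etc/passwd",       # double-encoded: survives one decode, escapes on a second
]


def classify(root: str, requests: List[str]) -> List[str]:
    """One line per request: the resolved path or the reason it was refused."""
    out = []
    for raw in requests:
        full = resolve_under_root(root, raw)
        if full is None:
            out.append(f"REJECT {raw!r}: escapes {root}")
        elif not is_fixed_point(raw):
            out.append(f"REJECT {raw!r}: canonical form {canonical_relative(raw)!r} is not stable")
        else:
            out.append(f"ALLOW  {raw!r} -> {full}")
    return out


if __name__ == "__main__":
    print("\n".join(classify(SHARE_ROOT, REQUESTS)))
```

posixpath.normpath is purely lexical: it does not follow symbolic links, which is the separate exposure that "wide links = no" addresses on a real Samba server. Against a live filesystem, resolve the joined path with os.path.realpath and repeat the containment check on the result.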

  • 04.39.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kerio MailServer Unspecified Vulnerability
  • Description: Kerio MailServer is reported to be vulnerable to an unspecified security issue. The vendor has released version 6.0.3 to address this issue.
  • Ref: http://secunia.com/advisories/12702/

  • 04.39.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Baal Systems Portal Software Authentication Bypass
  • Description: Baal Systems Portal Software is a PHP-based message portal application. It is reported to be vulnerable to a remote authentication bypass issue. The problem exists due to improper access rights of the "regadmin.php" script.
  • Ref: http://ingenapps.com/baalsmartform/subtopic2.php?page=1&fid=3&total=4

  • 04.39.24 - CVE: Not Available
  • Platform: Web Application
  • Title: MegaBBS Multiple Vulnerabilities
  • Description: PD9 Software MegaBBS is a web-based bulletin board application. MegaBBS is vulnerable to multiple security issues such as HTTP response splitting and SQL injection due to insufficient user supplied data validation. MegaBBS versions 2.0 and 2.1 are known to be vulnerable.
  • Ref: http://secunia.com/advisories/12650/

  • 04.39.25 - CVE: CAN-2004-0917
  • Platform: Web Application
  • Title: Vignette Application Portal Remote Information Disclosure
  • Description: Vignette Application Portal facilitates the creation of web-based applications. A diagnostic utility is included in the software, which serves sensitive information to remote machines without any authentication. Vignette Application Portal 7.x is affected.
  • Ref: http://www.atstake.com/research/advisories/2004/a092804-1.txt

  • 04.39.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Multiple Cross-Site Scripting
  • Description: Wordpress allows users to generate news pages and weblogs dynamically. Insufficient sanitization of user-supplied input exposes multiple cross-site scripting issues in the application. Wordpress version 1.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/376766

  • 04.39.27 - CVE: Not Available
  • Platform: Web Application
  • Title: PeopleSoft Human Resources Management System Cross-Site Scripting
  • Description: PeopleSoft Human Resources Management System (HRMS) is reportedly vulnerable to a cross-site scripting attack. This issue exists due to improper validation of user-supplied data. This vulnerability is reported to affect version 7.0 of HRMS.
  • Ref: http://www.uniras.gov.uk/l1/l2/l3/brief2004/brief-53904.txt

  • 04.39.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Silent-Storm Portal Multiple Input Validation Vulnerabilities
  • Description: Silent-Storm Portal is a web-based portal implemented in PHP. It is reported to be vulnerable to a cross-site scripting issue and multiple input validation issues. These issues exist due to improper sanitization of user-supplied input. Silent-Storm versions 2.1 and 2.2 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0440.html

  • 04.39.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Multiple SQL and HTML Injection
  • Description: PHP-Fusion is a web-based content management application. PHP-Fusion is vulnerable to multiple SQL and HTML injection issues due to improper filtering of user supplied data. PHP-Fusion version 4.01 is known to be vulnerable.
  • Ref: http://secunia.com/advisories/12686/

  • 04.39.30 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Raw Page Cross-Site Scripting
  • Description: MediaWiki is the collaborative editing software that runs Wikipedia. MediaWiki is vulnerable to a cross-site scripting issue due to insufficient parameter sanitization. MediaWiki version 1.3.5 was released to fix the problem.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=271848

  • 04.39.31 - CVE: Not Available
  • Platform: Web Application
  • Title: bBlog RSS.PHP SQL Injection
  • Description: bBlog is a web-based blogging application. Insufficient sanitization of the "p" parameter in the "rss.php" script exposes an SQL injection issue. bBlog version 0.x is affected.
  • Ref: http://www.bblog.com/viewtopic.php?t=790

  • 04.39.32 - CVE: Not Available
  • Platform: Network Device
  • Title: Canon imageRUNNER Email Printing Vulnerability
  • Description: Canon imageRUNNER iRC3200 and iR5000i are network based printers and photocopiers. Insufficient access validation checks in the printer may enable remote attackers to print arbitrary text, potentially consuming resources and triggering a denial of service condition.
  • Ref: http://www.securityfocus.com/archive/1/376242

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.