
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 47
November 25, 2004

Whether you are running Windows, Solaris or Linux, you have at least one high priority, critical vulnerability to deal with this week. And this is a short week.

Alan

PS: We've included a bonus for everyone who supports users. The next five weeks will see a huge surge of phishing attacks. Users who don't expect them can be hurt. The December issue of OUCH is a user newsletter that helps them see how to protect themselves. Feel free to distribute it wherever it can be helpful. And if you want to get the monthly updates (all free), add OUCH to your subscriptions at the SANS Portal: http://www.sans.org/newsletters/ouch/

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                   # of Updates & Vulnerabilities
- -------------------------------------------------------------------------
Third Party Windows Apps   5 (#1, #5, #6, #8)
Mac OS                     2
Unix                       2 (#3, #7)
Cross Platform             7 (#2)
Web Application            4 (#4)
- -------------------------------------------------------------------------

*************************************************************************

Highlighted Cybersecurity Training: Washington, DC, Dec. 7-14, 2004

SANS best instructors will be in DC teaching great courses for

  • Auditors who want the technical skills so critical to successful audits.
  • Security Managers interested in best practices and SANS exclusive "security make-over"
  • Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
  • Technical security professionals with hands-on responsibility: Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Unix/Linux; System Forensics, Investigation & Response; .Net Security.

More information at http://www.sans.org/cdieast04

*************************************************************************

PART I: Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
(1) HIGH: Nullsoft Winamp IN_CDDA.dll Buffer Overflow
  • Affected:
    • Winamp versions 5.05, 5.06
  • Description: Winamp, a popular Windows media player, contains a stack-based buffer overflow in its "IN_CDDA.dll" DLL. The overflow can be triggered by a malformed playlist file, i.e. a file with an ".m3u" extension. In order to exploit the flaw, an attacker can create a malicious webpage. When a user visits the webpage, Winamp will automatically open the specially crafted playlist file, which will trigger the overflow. The overflow can be leveraged to execute arbitrary code on the user's system. The problem arises because Winamp allocates limited memory for a filename with a ".cda" extension in a playlist file. Exploit code has been publicly posted.

  • Status: Vendor is aware of the vulnerability and reported that the flaw is fixed in version 5.06. However, the discoverer reported that version 5.06 is also vulnerable. A workaround is to dissociate the ".cda" and ".m3u" extensions from Winamp.

  • Council Site Actions: Some council sites plan to remove the application from all systems. The other sites do not plan any action at this time since the software is not supported at their site.

  • References:

(2) HIGH: Sun Java Plugin Security Bypass
  • Affected:
    • Sun J2SE/JRE version 1.4.2_05 and prior on Linux/Solaris/Windows platforms
    • Internet Explorer, Firefox and Opera browsers using the affected JRE
  • Description: The Sun Java Plugin technology, a part of the Java Runtime Environment (JRE), enables applets on websites to run in a client's browser. The Java Security Manager controls the resources a downloaded applet can access (the "sandbox" model). A vulnerability in the Sun Java plugin can be exploited by a malicious applet to break out of this sandbox and access any local resources. The malicious applet may even be able to disable the Java Security Manager. As a result, if a user browses a webpage containing the malicious applet, the applet may be able to execute arbitrary code on the client system with the privileges of the logged-on user. Note that applets are automatically downloaded and executed in typical browser configurations. The problem arises because JavaScript code can bypass the applet access restrictions. The technical details about the flaw have been publicly posted.

  • Status: Sun confirmed; upgrade to Sun J2SE 1.4.2_06.

  • Council Site Actions: Some council sites have already upgraded to Sun J2SE 1.4.2_06. Other sites do not plan any action unless the vulnerability is being actively exploited.

  • References:

(3) MODERATE: Cyrus IMAP Login Command Overflow
  • Affected:
    • Cyrus IMAP servers prior to 2.2.9
  • Description: Cyrus IMAP server, a widely used IMAP server on Linux and Solaris platforms, contains a stack-based overflow in the implementation of the LOGIN and PROXY commands. If the option "imapmagicplus" is turned on (not a default setting), an unauthenticated attacker can trigger the buffer overflow by specifying an overlong username. The flaw can be exploited to execute arbitrary code on the server with the privileges of the IMAP daemon.

  • Status: Upgrade to Cyrus IMAP server 2.2.9. This version also fixes other memory corruption vulnerabilities that may be exploited by an authenticated user.

  • Council Site Actions: Council sites using the affected software report that their servers will be updated to version 2.2.9 within a week.

  • References:
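Until the 2.2.9 upgrade is in place, a site can watch its IMAP traffic for the trigger condition described above. The following Python is an added example, not code from the bulletin or from Cyrus: it parses client-side IMAP command lines and flags LOGIN and PROXY commands whose username argument (atom, quoted string or literal) exceeds a length threshold. The 64-octet threshold and the sample session are assumptions constructed for the example.

```python
import re
# Usernames longer than this are flagged. The threshold is an assumed policy
# limit chosen for this example; the bulletin does not give the buffer size.
MAX_USERNAME_LEN = 64

# RFC 3501 client command shape: tag SP command [SP arguments]
CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")
# Literal prefix {n} or {n+}: n octets of data follow on the next line
LITERAL_RE = re.compile(r"^\{(?P<n>\d+)\+?\}$")

def first_astring_len(args):
    """Octet length of the first IMAP astring (atom, quoted string or literal).
    For a literal the announced count is used, so an overlong username is
    flagged before the server would even read its bytes."""
    if not args:
        return 0
    if args[0] == '"':
        i, n = 1, 0
        while i < len(args) and args[i] != '"':
            if args[i] == "\\" and i + 1 < len(args):
                i += 1  # escaped quote/backslash counts as one octet
            n += 1
            i += 1
        return n
    token = args.split(None, 1)[0]
    m = LITERAL_RE.match(token)
    return int(m.group("n")) if m else len(token)

def scan_imap_commands(lines):
    """Return (line_number, command, username_length) for every LOGIN or
    PROXY command in client-to-server `lines` whose username is too long."""
    findings = []
    skip_next = False  # a line ending in a literal is followed by its payload
    for lineno, line in enumerate(lines, start=1):
        if skip_next:
            skip_next = False
            continue
        m = CMD_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        cmd, args = m.group("cmd").upper(), m.group("args") or ""
        if cmd in ("LOGIN", "PROXY"):
            ulen = first_astring_len(args)
            if ulen > MAX_USERNAME_LEN:
                findings.append((lineno, cmd, ulen))
        tokens = args.split()
        skip_next = bool(tokens) and LITERAL_RE.match(tokens[-1]) is not None
    return findings

# Constructed sample session, not captured traffic: lines 4, 5 and 7 should fire.
SAMPLE_SESSION = [
    "a001 CAPABILITY",
    'a002 LOGIN "alice" "s3cret"',
    "a003 login bob hunter2",
    "a004 LOGIN " + "A" * 300 + " x",
    "a005 LOGIN {500}",                   # username sent as a 500-octet literal
    "B" * 500 + " pw",                    # literal payload line, not a command
    "a006 PROXY " + "C" * 200 + " imap.example",
]
```

Running `scan_imap_commands(SAMPLE_SESSION)` yields one finding per suspicious command; feed it lines reassembled from a packet capture or from a debug-level IMAP proxy log.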
Other Software
(5) HIGH: Seattle Lab SLMail Password Overflow
  • Affected:
    • SLMail version 5.5
  • Description: SLMail, a POP3 and SMTP server for the Microsoft Windows NT/2000 platform, reportedly contains a stack-based buffer overflow in its POP3 server. The overflow can be triggered by an overlong password, and exploited to execute arbitrary code on the server. Exploit code has been publicly posted.

  • Status: Vendor has not confirmed; no patches available.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported, at any of the council sites. They reported that no action was necessary.

  • References:

(6) HIGH: Van Dyke SecureCRT Remote Command Execution
  • Affected:
    • SecureCRT versions prior to 4.1.9
  • Description: SecureCRT is a client program for Windows that supports multiple protocols such as telnet and SSH. The application installs a URI handler, so it can be invoked via URLs of the form "telnet://". A specially crafted URL can be used to pass command-line options to the SecureCRT application. By passing a "/f" option, an attacker can control the application's configuration. A malicious webpage or an HTML email may exploit the flaw to execute arbitrary script code on a client system. The posted advisory contains technical details and a proof-of-concept script.

  • Status: Vendor confirmed; upgrade to version 4.1.9.

  • Council Site Actions: Sites using the affected software plan to make version 4.1.9 available on their internal distribution server and request that users either upgrade or disable the handler for telnet:// URLs. At some sites SecureCRT sessions almost exclusively use SSH; therefore they have no need to support telnet:// URLs.

  • References:

(7) MODERATE: ProZilla Multiple Buffer Overflow Vulnerabilities
  • Affected:
    • ProZilla, all versions
  • Description: ProZilla client software provides accelerated downloads on Linux platforms. This software contains multiple buffer overflow vulnerabilities. An attacker-controlled server can exploit the overflows to execute arbitrary code on a client system. In order to exploit the flaw, an attacker has to entice a user to download content from a server under the attacker's control. Exploit code has been posted.

  • Status: Vendor is aware; no fixes available yet.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported, at any of the council sites. They reported that no action was necessary.

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3887 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.47.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Winamp IN_CDDA.dll Remote Buffer Overflow
  • Description: Nullsoft Winamp is a freely available media player. A buffer overflow is exposed in the IN_CDDA.dll component when it tries to process playlist files with malicious data. Winamp version 5.x is affected.
  • Ref: http://secunia.com/advisories/13269/

  • 04.47.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Van Dyke SecureCRT Remote Command Execution
  • Description: SecureCRT is a Secure Shell (SSH) client for Microsoft Windows from Van Dyke Software. It is vulnerable to a remote command execution issue. SecureCRT versions before 4.1.9 are vulnerable.
  • Ref: http://secunia.com/advisories/13275/

  • 04.47.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sacred Multiple Inbound Connections Denial of Service
  • Description: Sacred, an adventure game, is reported to be vulnerable to a remote denial of service condition in the game server. The vulnerability is caused due to a failure of the application to handle more than 16 simultaneous inbound client connections. Sacred versions prior to 1.7 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/13264/

  • 04.47.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: wodFtpDLX ActiveX Component Remote Buffer Overflow
  • Description: WeOnlyDo! wodFtpDLX ActiveX component is an FTP library. Insufficient sanitization of long filenames exposes a buffer overflow in the ActiveX library. wodFtpDLX ActiveX Component 2.x is affected.
  • Ref: http://unsecure.altervista.org/security/wodftpdlx.htm

  • 04.47.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Digital Mappings POP3 Server Remote Buffer Overrun
  • Description: Digital Mappings Systems POP3 server is affected by a remote buffer overrun issue. This issue is a result of insufficient bounds checking made on the "USER" parameter. Digital Mappings Systems POP3 server versions 1.5.3 build 37 and earlier are affected.
  • Ref: http://www.digitalmapping.sk.ca/pop3srv/Update.asp

  • 04.47.6 - CVE: CAN-2004-1021
  • Platform: Mac OS
  • Title: iCal Calendar Import Alarm Notification Failure
  • Description: Apple iCal is an organizer application. It is reportedly vulnerable to a remote security issue that allows attackers to compromise a vulnerable system. Specifically it is possible to execute arbitrary programs or send emails via alarms by tricking a user into opening or importing a new iCal calendar. iCal versions prior to 1.5.4 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/13277/

  • 04.47.7 - CVE: CAN-2004-0810
  • Platform: Mac OS
  • Title: Netopia Timbuktu Server For Apple Mac OS X Remote Buffer Overflow
  • Description: Netopia Timbuktu is a remote administration tool available for multiple platforms. Its server component for Apple Mac OS X is vulnerable to a buffer overflow vulnerability caused by insufficient boundary checks performed by the application and can be exploited remotely to cause a denial of service condition. Versions of Netopia Timbuktu for Macintosh before 7.0.4 are vulnerable.
  • Ref: http://www.uniras.gov.uk/vuls/2004/190204/index.htm

  • 04.47.8 - CVE: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015
  • Platform: Unix
  • Title: Cyrus IMAPD Multiple Remote Vulnerabilities
  • Description: Cyrus IMAPD is an IMAP daemon. It is reported to be vulnerable to multiple remote buffer overflow issues. Cyrus IMAPD versions 2.2.4 to 2.2.8 are reported to be vulnerable.
  • Ref: http://security.e-matters.de/advisories/152004.html

  • 04.47.9 - CVE: Not Available
  • Platform: Unix
  • Title: ProZilla Multiple Remote Buffer Overflow Vulnerabilities
  • Description: ProZilla is a download accelerator used to fetch HTTP and FTP URIs using multiple simultaneous connections. It is vulnerable to multiple buffer overflow issues due to improper bounds checking of user-supplied input. ProZilla versions 1.3.6-r2 and earlier are vulnerable.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200411-31.xml

  • 04.47.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SugarCRM Unspecified Vulnerabilities
  • Description: SugarCRM is a customer relationship management suite. SugarCRM version 2.0.1a has been released by the vendor to address multiple unspecified security vulnerabilities.
  • Ref: http://secunia.com/advisories/13287/

  • 04.47.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Soldier of Fortune II Buffer Overflow
  • Description: Soldier of Fortune II is a computer game developed by Raven Software. A buffer overflow issue is exposed when UDP datagrams containing valid, but excessively long data are processed. This issue affects both the client and the server components. Soldier of Fortune II version 1.x is affected.
  • Ref: http://aluigi.altervista.org/adv/sof2boom-adv.txt

  • 04.47.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Anti-Virus ZIP Archive Scanner Bypass Vulnerability
  • Description: F-Secure Anti-Virus is a virus scan suite. It is reported to be vulnerable to a zip archive scanner bypass issue. F-Secure has released a patch to address the issue. All current unpatched versions are affected.
  • Ref: http://www.f-secure.com/security/fsc-2004-3.shtml

  • 04.47.13 - CVE: CAN-2004-1029
  • Platform: Cross Platform
  • Title: Sun Java Plug-in Security Restriction Bypass
  • Description: Java Plug-in technology, part of the Java 2 Runtime Environment (JRE), establishes a connection between popular browsers and the Java platform. It is possible to bypass the Java sandbox and all security restrictions imposed within Java Applets to execute malicious applets and gain full control. Sun Java 2 Platform, Standard Edition (J2SE) versions 1.4.2_01 and 1.4.2_04 are known to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities

  • 04.47.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Gearbox Software Halo Game Client Remote Denial of Service
  • Description: Halo Combat Evolved includes a game server. It is reported to be vulnerable to a remote denial of service issue due to improper sanitization of the server reply. Halo versions 1.05 and earlier are reported to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/halocboom-adv.txt

  • 04.47.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Multiple Remote Vulnerabilities
  • Description: The Opera web browser is reportedly vulnerable to multiple security issues in its Java implementation. These include issues that allow remote applets to access all Sun Java packages on the vulnerable browser, to corrupt process memory, and to cause sensitive information disclosure. Opera Version 7.54 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/381634

  • 04.47.16 - CVE: CAN-2004-0950
  • Platform: Cross Platform
  • Title: NetOp Remote Control Information Disclosure
  • Description: Danware NetOp Remote Control is a remote administration tool. It is vulnerable to an information disclosure issue that can be exploited to obtain the name of the user currently logged in, the internal IP address and the hostname of the targeted computer. NetOp Remote Control versions prior to 7.65 build 2004278 are known to be vulnerable.
  • Ref: http://www.corsaire.com/advisories/c040619-001.txt

  • 04.47.17 - CVE: Not Available
  • Platform: Web Application
  • Title: IPBProArcade Remote SQL Injection Vulnerability
  • Description: ipbProArcade is a third-party module for Invision Power Board. ipbProArcade is vulnerable to a remote SQL injection issue due to a failure of the application to properly sanitize user-supplied input in the "category" parameter of the "proarcade.php" script. ipbProArcade versions 2.5 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/381737

  • 04.47.18 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPKIT Multiple Input Validation Vulnerabilities
  • Description: PHPKIT is a web content management application. It is vulnerable to a cross-site scripting attack and an SQL injection issue.
  • Ref: http://secunia.com/advisories/13262/

  • 04.47.19 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPWishlist Database Corruption
  • Description: phpWishlist is an application for managing wish lists. Insufficient sanitization of user-supplied input in the "details.php" file exposes a database corruption issue. phpWishlist versions 0.1.12 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/11713/info/

  • 04.47.20 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB Login Form Multiple Input Validation Vulnerabilities
  • Description: phpBB is reported to be vulnerable to multiple input validation vulnerabilities. The issues exist due to improper sanitization of the "username" field. phpBB versions 2.0.9 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7547

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters. To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.