@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 6
February 10, 2005

This was a big week for the bad guys! Windows users need to do a lot of patching because the newly discovered vulnerabilities are numerous and dangerous. (#1 through #7 and #10 and #11 below). If you are using Exchange, pay particular attention to #7. Computer Associates (#12), Symantec (#8) and F-Secure (#9) users should also act quickly.

Better news: San Diego (right on the ocean) is the site of this year's SANS 2005 - the largest security training conference, by far. The early registration deadline is in two weeks. Details at: http://www.sans.org/sans2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Windows                         8 (#1, #5, #6, #10)
    Microsoft Office                1 (#4, #7)
    Other Microsoft Products        5 (#2, #3, #5, #11)
    Third Party Windows Apps        14 (#13)
    Linux                           1
    Unix                            8
    Cross Platform                  13 (#8, #9, #12)
    Web Application                 10
    Network Device                  3

PART I Critical Vulnerabilities

Part I is researched and compiled by Rohit Dhamankar at TippingPoint (rohitd_at_tippingpoint.com), a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Windows License Logging Service Buffer Overflow
  • Affected:
    • Windows NT/2000/2003 Servers
  • Description: The Windows License Logging service was originally designed to manage licenses for Microsoft server products. It is an RPC service that can be reached via the "llsrpc" SMB named pipe. This service contains a buffer overflow that may be exploited to execute arbitrary code with "SYSTEM" privileges. Since the service is an RPC service, the buffer overflow may be triggered by a specially crafted DCE/RPC packet sent to the service's RPC interface. Note that the service runs by default on Windows NT, 2000, Small Business Server 2000 and Small Business Server 2003 servers. However, only NT and 2000 SP3 servers are critically affected, as remote "anonymous" users can establish a connection to the service. On Windows 2000 SP4 and 2003 servers, the service is not accessible to anonymous users, i.e., only authenticated users can exploit the overflow. The technical details regarding how to trigger the flaw have not been posted.

  • Status: Patches are available as described in the Microsoft Security Bulletin MS05-010. A general workaround is to block ports 139/tcp and 445/tcp at the network perimeter. For NT and Windows 2000 SP3 server systems, the Microsoft advisory describes how to edit the registry to stop "anonymous" users from accessing the service.

  • Council Site Actions: Most of the council sites are responding to this item. Some are already in the process of distributing the patch while others plan to deploy the patch during their next regularly scheduled patch update process. One site commented they have this feature turned off by default and another site has very few affected hosts, but will patch as the hosts are discovered.

  • References:
  • (2) HIGH: Cumulative Update for Microsoft Internet Explorer
  • Affected:
    • Internet Explorer versions 5.01, 5.5, 6.0
  • Description: Microsoft has released another cumulative patch for Internet Explorer, which fixes previously disclosed as well as privately reported vulnerabilities. (a) Drag and Drop Vulnerability: This vulnerability was disclosed in October 2004 and has been discussed in previous issues of the @RISK newsletter. A malicious HTML page or email can completely compromise a user's system by installing arbitrary files in the "Startup" folder. Multiple proof-of-concept exploits have already been posted. Note that both MS05-008 and MS05-014 are required to completely patch this vulnerability. (b) URL Decoding Zone Spoofing Vulnerability: Internet Explorer contains a vulnerability in decoding specially constructed URLs. Such URLs can lead to Internet Explorer downloading malicious code from untrusted servers and executing the code in the context of the "Local Security" zone. The problem occurs because Internet Explorer decodes URLs containing hex-encoded characters twice. (c) DHTML Method Heap Memory Corruption: Certain Dynamic HTML method(s) contain a flaw that can be leveraged to corrupt Internet Explorer's heap memory. A specially crafted webpage or HTML email may exploit this flaw to execute arbitrary code on a Windows client. The discoverer has not yet disclosed any technical details. (d) Channel Definition Format Cross Domain Vulnerability: Internet Explorer's "Active Channel" technology allows users to group web sites by content. A channel file specifies how the content from a website is displayed and how often the content is automatically updated. Internet Explorer contains a vulnerability in handling "channel" files. A specially crafted channel file can lead to execution of arbitrary script code in the context of the "Local Security Zone", thereby completely compromising the client system. The technical details regarding how to trigger this flaw have not been posted.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-014 and MS05-008.

  • Council Site Actions: All council sites are responding to this item. Some sites are deploying the patch on an accelerated schedule (already in progress for some sites) while other sites are planning to deploy during their next regularly scheduled patch process.

  • References:
  • (4) HIGH: Microsoft Office XP Buffer Overflow
  • Affected:
    • Microsoft Office XP SP2/SP3
    • Microsoft Word and PowerPoint 2002
    • Microsoft Project and Visio 2002
    • Microsoft Works Suite 2002/2003/2004
  • Description: This vulnerability in Microsoft Office XP can be exploited via Internet Explorer to execute arbitrary code on a client system. The exploitation proceeds as follows: (a) An attacker constructs a link such as http://www.evil.com/foo.doc%00<long string> and posts the link on a webpage, or sends it to potential victims in an HTML email. (b) When IE parses the malicious link, it requests "foo.doc" from the attacker's webserver. IE then passes foo.doc along with the "long string" to Microsoft Word (the program associated with the ".doc" extension), which triggers the overflow. Note that Internet Explorer automatically opens a ".doc" or ".rtf" or ".ppt" file. Hence, no user interaction is required to exploit this flaw. A proof-of-concept exploit has been publicly posted.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-005.

  • Council Site Actions: All but one of the council sites are responding to this item. Some sites are deploying the patch on an accelerated schedule (already in progress for some sites) while other sites are planning to deploy during their next regularly scheduled patch process. The remaining council site does not provide automated support for MS Office updates. They do plan to advise users to go to the Office Update site and select "Check for Updates". However, they do not have statistics about the fraction of the user community that is actually updating their systems.

  • References:
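The two link-handling flaws above, IE's double percent-decoding in item (2)(b) and the "foo.doc%00<long string>" link in item (4), share a defensive check: decode a URL exactly once and refuse links that only become meaningful on a second pass or that carry a NUL-terminated tail. The following is an added example written for this newsletter, not Microsoft, TippingPoint or SANS code; the 64-character tail threshold and the example.test sample links are assumptions.

```python
"""Constructed example (not SANS, Microsoft or TippingPoint code): checks a
gateway or mail filter could apply to links, covering the two link-handling
flaws in items (2)(b) and (4)."""
from typing import List
from urllib.parse import unquote, urlsplit

# Assumed threshold: anything longer than this after an embedded NUL is treated
# as the kind of overlong tail item (4) describes.
MAX_TAIL_AFTER_NUL = 64


def is_double_encoded(url: str) -> bool:
    """True if a second percent-decoding pass changes the URL again.

    A correct handler decodes exactly once, so a URL that only turns into
    something else on a second pass (e.g. %2541 -> %41 -> A) is aimed at a
    decoder with the double-decoding behaviour described in item (2)(b).
    Note that a legitimately encoded percent sign followed by hex digits
    (e.g. %2520 meaning the literal text "%20") is flagged as well.
    """
    once = unquote(url)
    return unquote(once) != once


def nul_tail_length(url: str) -> int:
    """Number of characters after the first embedded NUL in the decoded path,
    or -1 if the path contains no NUL.

    Item (4) used links of the form .../foo.doc%00<long string>: the server
    only sees foo.doc, while the full decoded string reaches the file handler.
    """
    path = unquote(urlsplit(url).path)
    idx = path.find("\x00")
    return -1 if idx < 0 else len(path) - idx - 1


def check_url(url: str) -> List[str]:
    """Return the findings for one URL; an empty list means nothing was flagged."""
    findings: List[str] = []
    if is_double_encoded(url):
        findings.append("double-encoded")
    tail = nul_tail_length(url)
    if tail >= 0:
        findings.append("embedded-nul")
        if tail > MAX_TAIL_AFTER_NUL:
            findings.append("overlong-tail-after-nul")
    return findings


if __name__ == "__main__":
    # Constructed sample links; example.test is a reserved placeholder domain.
    samples = [
        "http://example.test/report.doc",
        "http://example.test/%2541.txt",
        "http://example.test/foo.doc%00" + "A" * 300,
    ]
    for link in samples:
        print(check_url(link) or "clean", "<-", link[:48])
```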
  • (5) HIGH: Microsoft PNG File Processing Vulnerabilities
  • Affected:
    • Windows Media Player 9 series
    • Windows Messenger version 5.0
    • MSN Messenger version 6.1 and 6.2
    • Windows 98/ME/SE
  • Description: Portable Network Graphics (PNG) is an image format used as an alternative to GIF. The following Microsoft products contain buffer overflow vulnerabilities in processing PNG images: (a) Windows Media Player: A PNG image file with a large width or height parameter can trigger a buffer overflow in Windows Media Player. In order to exploit the flaw, an attacker can craft a media player file (i.e., a file with a ".asf", ".asx", ".wma", or ".wmv" extension) that references a malicious PNG file. The attacker can then post the crafted media player file on a webserver, or send it in an HTML email. Note that Windows will automatically download and open the media player file. Hence, browsing a malicious webpage or opening an HTML email is sufficient to trigger the vulnerability. The attacker can leverage the flaw to execute arbitrary code on the client system. The technical details have been posted. (b) Windows and MSN Messenger: These products include a vulnerable version of the open-source "libpng" library. This library has been found to contain multiple buffer overflow vulnerabilities that have been discussed in a previous issue of the @RISK newsletter. However, exploiting these vulnerabilities is either difficult or requires user interaction. In the case of Windows Messenger, an attacker would need to spoof the ".NET" Messenger service or conduct a man-in-the-middle attack to exploit the flaw; to exploit the flaw in MSN Messenger, the attacker would need to entice a victim to add him to the victim's contact list prior to sending the malicious PNG image. Proof-of-concept exploits for this flaw have been posted since August 2004. An exploit targeting MSN Messenger has also been released.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-009.

  • Council Site Actions: All council sites are responding to this item. Some sites are deploying the patch on an accelerated schedule (already in progress for some sites) while other sites are planning to deploy during their next regularly scheduled patch process.

  • References:
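Item (5)(a) comes down to a decoder trusting the width and height fields of the PNG header before sizing its buffer. The following added example, written for this newsletter rather than taken from Microsoft or libpng, parses the IHDR chunk and rejects images whose dimensions or computed row size would not fit a fixed decode buffer; the 4096-pixel limit and the buffer size are assumptions about the illustrative decoder, and the test images are constructed in the block.

```python
"""Constructed example (not Microsoft or libpng code): the sanity check on PNG
width/height that item (5)(a) says Windows Media Player lacked, applied to the
IHDR chunk before any pixel buffer is allocated."""
import struct
import zlib
from typing import Dict

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed limits of the illustrative decoder: it allocates one canvas of at most
# MAX_DIMENSION x MAX_DIMENSION 8-bit RGBA rows (plus one filter byte per row).
MAX_DIMENSION = 4096
MAX_BUFFER_BYTES = MAX_DIMENSION * (MAX_DIMENSION * 4 + 1)
# Channels per pixel for each PNG colour type.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
VALID_DEPTHS = (1, 2, 4, 8, 16)


def parse_ihdr(data: bytes) -> Dict[str, int]:
    """Parse signature + IHDR and return its fields; raise ValueError on anything malformed."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    if len(data) < 33:  # 8 signature + 4 length + 4 type + 13 body + 4 CRC
        raise ValueError("truncated before the end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
    if color_type not in CHANNELS or depth not in VALID_DEPTHS:
        raise ValueError("unsupported bit depth / colour type")
    return {"width": width, "height": height, "depth": depth, "color_type": color_type}


def row_bytes(width: int, depth: int, color_type: int) -> int:
    """Bytes per scanline including the leading filter-type byte."""
    bits = width * depth * CHANNELS[color_type]
    return (bits + 7) // 8 + 1


def required_buffer(data: bytes) -> int:
    """Return the decode-buffer size for a PNG, or raise ValueError if the image
    would not fit the fixed buffer. The dimension check comes first so that a
    32-bit C implementation of the same logic never multiplies out-of-range values."""
    ihdr = parse_ihdr(data)
    w, h = ihdr["width"], ihdr["height"]
    if w == 0 or h == 0:
        raise ValueError("zero-sized image")
    if w > MAX_DIMENSION or h > MAX_DIMENSION:
        raise ValueError("width/height %d x %d exceeds %d" % (w, h, MAX_DIMENSION))
    needed = h * row_bytes(w, ihdr["depth"], ihdr["color_type"])
    if needed > MAX_BUFFER_BYTES:
        raise ValueError("image needs %d bytes, buffer holds %d" % (needed, MAX_BUFFER_BYTES))
    return needed


def is_safe(data: bytes) -> bool:
    """Boolean wrapper around required_buffer for callers that just want a verdict."""
    try:
        required_buffer(data)
        return True
    except ValueError:
        return False


def make_png_header(width: int, height: int, depth: int = 8, color_type: int = 6) -> bytes:
    """Build a constructed signature + IHDR (no image data) for exercising the check."""
    body = struct.pack(">IIBBBBB", width, height, depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    print(required_buffer(make_png_header(16, 8)))            # small RGBA image
    print(is_safe(make_png_header(0x7FFFFFFF, 0x7FFFFFFF)))  # oversized header
```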
  • (6) HIGH: Microsoft Server Message Block(SMB) Vulnerability
  • Affected: Microsoft Windows 2000, XP and Windows Server 2003
  • Description: The Server Message Block (SMB) protocol is used by Windows to share files and printers and to communicate between computers. The client implementation of the SMB protocol contains a buffer overflow that can be triggered by a malformed SMB server response. Specifically, an SMB "transaction" response associated with a file query or MS-RPC call may be used for exploitation purposes. A malicious SMB server can leverage the flaw to execute arbitrary code on a client with "kernel" privileges, i.e., obtain complete control over the client. In order to exploit the flaw, a remote attacker would need to entice a client to connect to his malicious SMB server. This can be accomplished via a link such as "file://evil.com/evil.txt" on a webpage or in an HTML email. An attacker on the same subnet as the victim may be able to use certain broadcast messages to initiate a connection from the victim. The technical details and a proof-of-concept exploit have been publicly posted.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-011. A workaround to prevent attacks originating from the Internet is to block ports 139/tcp and 445/tcp at the network perimeter.

  • Council Site Actions: All council sites are responding to this item. Some sites are deploying the patch on an accelerated schedule (already in progress for some sites) while other sites are planning to deploy during their next regularly scheduled patch process. Several of the sites expressed concerns about a multi-vector worm built using this vulnerability. One of these sites plans to monitor for such exploits and will change their patch install plan to the "fire-drill" variety, if necessary.

  • References:
  • (7) HIGH: Microsoft OLE Remote Code Execution
  • Affected:
    • Microsoft Windows 2000, XP, 98/ME/SE, Server 2003
    • Exchange Server 2003/5.5
    • Office XP/2003
  • Description: Microsoft Object Linking and Embedding (OLE) technology enables embedding or linking a Microsoft document inside another document. For instance, with OLE it is possible to embed a Word file in a PowerPoint presentation. OLE processing contains a buffer overflow that can be exploited by a specially crafted document. A malicious webpage or an HTML email may exploit this flaw to execute arbitrary code on a Windows client. However, such an attack requires user interaction. Exchange servers are critically affected by this vulnerability, as any user who can deliver the crafted document to the Exchange server may leverage the flaw. No technical details regarding how to craft a malicious document have been publicly posted.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-012. The patch also fixes another privilege-escalation vulnerability in the Windows COM component.

  • Council Site Actions: All but one of the council sites are responding to this item. Some sites are deploying the patch on an accelerated schedule (already in progress for some sites) while other sites are planning to deploy during their next regularly scheduled patch process. The remaining council site does not plan to take any action since this is a local escalation vulnerability only.

  • References:
  • (8) HIGH: Symantec Multiple Products UPX Processing Overflow
  • Affected:
    • A number of Symantec enterprise and consumer products including anti-virus, anti-spam, gateways etc. For a complete listing of the affected products, refer to the referenced Symantec Advisory.
  • Description: A number of Symantec enterprise and consumer products contain a heap-based buffer overflow vulnerability. The overflow can be triggered by a malicious UPX-packed file (UPX is an executable compression format). The problem lies in the "DEC2EXE" parsing engine used to decompress UPX-packed files for scanning. An unauthenticated attacker can compromise any client or server running the vulnerable Symantec product by delivering a malicious UPX file via email or web. The technical details regarding how to trigger the flaw have been publicly posted.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: Due to the late-breaking nature of the vulnerability, we were unable to solicit council site input.

  • References:
  • (9) HIGH: F-Secure Multiple Products ARJ Processing Overflow
  • Affected: A number of F-Secure anti-virus products. For a complete listing of the affected products, refer to the referenced F-Secure advisory.
  • Description: A number of F-Secure anti-virus products contain a heap-based buffer overflow vulnerability. The overflow can be triggered by a malicious ARJ archive (ARJ is a compression format). An unauthenticated attacker can compromise any client or server running the vulnerable F-Secure product by delivering a malicious ARJ archive via email or web. Limited technical details regarding how to trigger the flaw have been publicly posted.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: Due to the late-breaking nature of the vulnerability, we were unable to solicit council site input.

  • References:
  • (10) MODERATE: Windows Hyperlink Object Library Buffer Overflow
  • Affected:
    • Windows 98/ME/SE/2000/XP/2003
  • Description: Windows Hyperlink object library provides functions and interfaces to handle hyperlinks in various Windows programs. This library contains a buffer overflow that can be triggered by a specially crafted hyperlink. The likely way an attacker would exploit this vulnerability is by enticing a victim to click the crafted link in a webpage or in an HTML email. The flaw can be leveraged to potentially execute arbitrary code on the victim's system. No technical details that may be used to construct a malicious hyperlink have been posted yet.

  • Status: Patches referenced in the Microsoft Security Bulletin MS05-015.

  • Council Site Actions: All council sites plan to deploy the patch during their next regularly scheduled patch update process.

  • References:
Other Software
  • (12) CRITICAL: CA BrightStor ARCserve BackUp Discovery Buffer Overflow
  • Affected:
    • BrightStor ARCserve Backup versions 9.x and 11.x
    • BrightStor Enterprise Backup version 10.x
    • BrightStor ARCserve 2000 for Windows and Netware
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup services for Windows, NetWare, Linux and UNIX. The products detect other backup servers on a network by using the "v11" discovery service that runs on port 41524/udp. This service contains a stack-based buffer overflow that can be triggered by a UDP packet over 967 bytes. The overflow can be exploited to execute arbitrary code on the server with "Local System" privileges. Note that since the service is UDP-based, the source address of discovery packets is easily spoofed, so the trigger cannot be reliably attributed to a sender.

  • Status: Vendor confirmed, patches available. A workaround is to block port 41524/udp at the network perimeter.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
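Item (12) gives a detection rule that is unusually concrete: a datagram to 41524/udp whose payload exceeds 967 bytes. The block below is an added example written for this newsletter, not CA or TippingPoint code; it decodes raw IPv4/UDP packets, applies that rule, and runs it over traffic constructed inside the block (addresses from the reserved 192.0.2.0/24 documentation range).

```python
"""Constructed example (not CA or TippingPoint code): detection logic for the
BrightStor discovery overflow in item (12). It parses raw IPv4/UDP datagrams and
flags any sent to 41524/udp whose payload exceeds the 967-byte threshold."""
import socket
import struct
from typing import List, Optional, Tuple

DISCOVERY_PORT = 41524   # BrightStor "v11" discovery service (item 12)
MAX_SAFE_PAYLOAD = 967   # item (12): the overflow needs a packet over 967 bytes

Datagram = Tuple[str, str, int, int, bytes]  # src, dst, sport, dport, payload


def parse_ipv4_udp(packet: bytes) -> Optional[Datagram]:
    """Decode one raw IPv4 packet; return None if it is not a well-formed UDP datagram."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen = struct.unpack(">HHH", packet[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > len(packet):
        return None  # UDP length field disagrees with what was captured
    return src, dst, sport, dport, packet[ihl + 8:ihl + ulen]


def is_oversized_discovery(dport: int, payload_len: int) -> bool:
    """The detection rule itself: discovery port and a payload past the threshold."""
    return dport == DISCOVERY_PORT and payload_len > MAX_SAFE_PAYLOAD


def scan(packets: List[bytes]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, payload_len) for every datagram matching the rule.

    The source address is reported but, as item (12) notes, UDP sources are
    easily spoofed: treat it as a lead for investigation, not as attribution."""
    hits = []
    for raw in packets:
        parsed = parse_ipv4_udp(raw)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if is_oversized_discovery(dport, len(payload)):
            hits.append((src, dst, len(payload)))
    return hits


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a raw IPv4/UDP packet for testing (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack(">HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


if __name__ == "__main__":
    # Constructed traffic: one oversized discovery datagram among benign ones.
    sample = [
        build_packet("192.0.2.10", "192.0.2.20", 41524, 41524, b"B" * 200),
        build_packet("192.0.2.99", "192.0.2.20", 40000, 41524, b"A" * 968),
        build_packet("192.0.2.10", "192.0.2.53", 50000, 53, b"Q" * 1500),
    ]
    for hit in scan(sample):
        print("oversized discovery datagram %s -> %s (%d bytes)" % hit)
```

Run on real traffic, the parser would be fed the IP layer of each captured frame; large legitimate datagrams to other ports (the 1500-byte DNS-port packet above) are deliberately left alone.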
  • (13) MODERATE: Qualcomm Eudora Remote Code Execution
  • Affected:
    • Eudora versions 6.2.0 and prior
  • Description: Eudora reportedly contains a vulnerability that can be exploited to execute arbitrary code. The flaw can be triggered simply by previewing a specially crafted email, stationery, or mailbox file. No technical details regarding the flaw have been posted yet. The discoverers report they will release the technical details in May 2005.

  • Status: Eudora confirmed, upgrade to version 6.2.1.

  • Council Site Actions: Only one of the reporting council sites is running the affected software. Eudora is their most popular email program and the potential impact of this vulnerability could be severe. They plan to send out a mass mailing to inform all affected users.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 6, 2005

This list is compiled by the Qualys Security Research Team (research_at_qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4064 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.6.1 - CVE: CAN-2005-0053
  • Platform: Windows
  • Title: Microsoft Windows Shell Remote Code Execution
  • Description: A privilege elevation vulnerability exists in Windows because of the way that Windows handles drag-and-drop events. Microsoft has released security advisory MS05-008 to fix this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx

  • 05.6.2 - CVE: CAN-2005-0049
  • Platform: Windows
  • Title: Microsoft Windows SharePoint Services Multiple Vulnerabilities
  • Description: Microsoft Windows SharePoint Services are used to create Web sites for information sharing and document collaboration. It is vulnerable to a cross-site scripting and spoofing issue due to insufficient user data sanitization and can be exploited to run arbitrary scripts in a user's browser. Microsoft released patch MS05-006 to deal with this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-006.mspx

  • 05.6.3 - CVE: CAN-2005-0057
  • Platform: Windows
  • Title: Microsoft Windows Hyperlink Object Library Buffer Overflow
  • Description: The Microsoft Windows Hyperlink Object Library is reported to be vulnerable to a buffer overflow vulnerability. This can be exploited to execute arbitrary code in the context of applications linked against the vulnerable object library. Successful exploitation requires that a user opens a malicious URL by following a link from an email or an HTML document.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-015.mspx

  • 05.6.4 - CVE: CAN-2005-0044
  • Platform: Windows
  • Title: Microsoft Windows OLE and COM Remote Buffer Overflow
  • Description: Microsoft OLE technology allows applications to create and edit compound documents between various formats. It is reported to be vulnerable to a buffer overflow issue, due to improper boundary checks of user-supplied data. All applications that use OLE are reported to be vulnerable. Microsoft released patch MS05-012 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-012.mspx

  • 05.6.5 - CVE: CAN-2004-1244
  • Platform: Windows
  • Title: Microsoft Windows PNG Image Parsing Vulnerabilities
  • Description: Two vulnerabilities have been reported in a variety of Microsoft products. There is an issue in Windows Messenger and MSN Messenger that allows for arbitrary code execution due to a specially crafted PNG image file. The second is a remote buffer overflow issue with Windows Media Player due to failing to properly validate the size of PNG image data prior to copying it into static process buffers. Microsoft has released security advisory MS05-009 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

  • 05.6.6 - CVE: CAN-2005-0051
  • Platform: Windows
  • Title: Microsoft Windows Named Pipe Remote Information Disclosure
  • Description: Microsoft Windows supports the named pipe technology that facilitates communication between processes running on the same local machine, or on a networked computer. Microsoft Windows is affected by a remote information disclosure vulnerability. Microsoft Windows XP Service Pack 1, Microsoft Windows XP Service Pack 2 and Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) are known to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx

  • 05.6.7 - CVE: CAN-2005-0050
  • Platform: Windows
  • Title: Microsoft Windows License Logging Service Buffer Overflow
  • Description: A remote code execution vulnerability exists in the License Logging service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. Microsoft has released advisory MS05-010 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-010.mspx

  • 05.6.8 - CVE: CAN-2005-0045
  • Platform: Windows
  • Title: Microsoft Windows Server Message Block Remote Code Execution
  • Description: Microsoft Windows is vulnerable to a remote arbitrary code execution issue in its Server Message Block (SMB) when processing specially crafted SMB requests. Microsoft has released security advisory MS05-011 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx

  • 05.6.9 - CVE: CAN-2004-0848
  • Platform: Microsoft Office
  • Title: Microsoft Office XP HTML Link Processing Remote Buffer Overflow
  • Description: A vulnerability exists in Microsoft Office XP software that could allow remote code execution due to a buffer overrun in the process that passes URL file locations to Microsoft Office XP software. Microsoft has released security advisory MS05-005 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx

  • 05.6.10 - CVE: CAN-2004-0847
  • Platform: Other Microsoft Products
  • Title: Microsoft ASP.NET Path Validation Vulnerability
  • Description: A canonicalization vulnerability exists in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. Microsoft has released security advisory MS05-004 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx

  • 05.6.11 - CVE: CAN-2004-1319
  • Platform: Other Microsoft Products
  • Title: Microsoft DHTML Editing Component ActiveX Control Cross Domain Vulnerability
  • Description: A cross-domain vulnerability exists in the Microsoft Dynamic HTML (DHTML) Editing Component ActiveX control that could allow information disclosure or remote code execution. Microsoft has released security advisory MS05-013 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx

  • 05.6.12 - CVE: CAN-2005-0054
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer URI Decoding Vulnerability
  • Description: Microsoft Internet Explorer has a zone security bypass issue due to improper URI decoding. It is possible for a URI to trick the browser into rendering the web content in a different security zone, such as Local or Intranet, which has lower security. Specially crafted web sites or HTML content can trick an unsuspecting user into rendering malicious content in the browser. Microsoft has released security advisory MS05-014 to address this issue.
  • Ref: http://secunia.com/advisories/11165/

  • 05.6.13 - CVE: CAN-2005-0055
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer DHTML Method Buffer Overflow
  • Description: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain DHTML methods. Microsoft has released security advisory MS05-014 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

  • 05.6.14 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer AddChannel Cross-Zone Scripting
  • Description: The vulnerability presents itself when a malicious remote site uses the "window.external.AddChannel" method to add or replace a channel. Currently Internet Explorer versions 6.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12427

  • 05.6.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ArGoSoft Mail Server Multiple Directory Traversal Vulnerabilities
  • Description: ArGoSoft Mail Server is reported to be vulnerable to multiple directory traversal issues. Arbitrary/sensitive files or emails can be viewed this way by remote attackers. ArGoSoft Mail Server version 1.8.7.3 is reported to be vulnerable.
  • Ref: http://www.security.org.sg/vuln/argosoftmail1873.html

  • 05.6.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Software602 602 Lan Suite Arbitrary File Upload Vulnerability
  • Description: 602 Lan Suite is a webmail server application. It is reported to be vulnerable to an arbitrary file upload issue, due to improper sanitization of file attachment names. 602 Lan Suite 2004 version 2004.0.04.1221 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14169/

  • 05.6.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealArcade Multiple Remote Vulnerabilities
  • Description: RealNetworks RealArcade is an application that facilitates the playing of computer games. There are multiple remote vulnerabilities such as input validation and integer overflow issues. RealNetworks RealArcade versions 1.2.0.994 and earlier are vulnerable.
  • Ref: http://aluigi.altervista.org/adv/realarcade-adv.txt

  • 05.6.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ArGoSoft FTP Server Shortcut File Extension Filter Bypass
  • Description: ArGoSoft FTP server is an FTP server for the Windows platform. ArGoSoft FTP server is affected by a vulnerability regarding the upload of compressed shortcut files. ArGoSoft FTP server versions 1.4.2.7 and earlier are known to be vulnerable.
  • Ref: http://www.lovebug.org/argosoft_advisory.txt

  • 05.6.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 3Com 3CServer Multiple Remote Buffer Overflow Vulnerabilities
  • Description: 3Com 3CServer is an FTP and TFTP server designed to aid in performing upgrades on devices. It is reported to be vulnerable to remote buffer overflow issues, due to improper boundary checks of FTP commands. 3CServer version 1.1 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-02/0008.html

  • 05.6.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Foxmail MAIL-FROM Remote Buffer Overflow
  • Description: Foxmail is a freely available email server for the Microsoft Windows platform. Foxmail server is affected by a remote buffer overflow vulnerability. Foxmail version 2.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389550

  • 05.6.21 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RaidenHTTPD Remote File Disclosure Vulnerability
  • Description: RaidenHTTPD is a web server for Microsoft Windows platform. It is vulnerable to a remote file disclosure issue due to improper handling of requests for restricted files that reside outside of the web document root folder and can be exploited by a remote attacker to disclose the contents of web server files. RaidenHTTPD versions 1.1.27 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389548

  • 05.6.22 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LANChat Pro Revival UDP Processing Remote Denial of Service
  • Description: LANChat Pro Revival is an instant messaging application. It is vulnerable to a remote denial of service condition. LANChat Pro Revival version 1.666c is reported to be affected.
  • Ref: http://www.securityfocus.com/archive/1/389402

  • 05.6.23 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Painkiller Gamespy CD-Key Hash Remote Buffer Overflow
  • Description: Painkiller is a computer game for Microsoft Windows that includes support for network play. It is vulnerable to a remote buffer overflow issue due to insufficient boundary checks performed by the application and may allow an attacker to cause denial of service or arbitrary code execution. Painkiller versions 1.35 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389229

  • 05.6.24 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ventia DeskNow Mail and Collaboration Server Multiple Vulnerabilities
  • Description: Ventia DeskNow Mail and Collaboration Server is a suite of applications designed to facilitate a network based communication solution. It is reportedly vulnerable to multiple remote directory traversal issues. Ventia has released a new version 2.5.14 to address these issues.
  • Ref: http://www.securityfocus.com/archive/1/389222

  • 05.6.25 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ZipGenius Multiple Directory Traversal Vulnerabilities
  • Description: ZipGenius is a file compression suite for Windows. There are multiple directory traversal techniques that may be used because of a failure to check user-supplied data in compressed file names. An attacker could use techniques such as "../" as part of the name. ZipGenius versions 5.5 and earlier are reported vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389231

  • 05.6.26 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinRAR Directory Traversal
  • Description: RARLAB WinRAR is a compression utility available for the Microsoft Windows operating system. WinRAR is affected by a directory traversal vulnerability. WinRAR versions 3.42 and earlier are reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/389254
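The ZipGenius (05.6.25) and WinRAR (05.6.26) entries above describe the same flaw: an archive member name such as "../../x" is honoured during extraction and the file lands outside the destination directory. The check below is an added example written for this bulletin, not code from either product, and it assumes a constructed in-memory ZIP archive and a hypothetical destination path of /tmp/extract-demo. It covers the "../" case from the entries and, as a generalisation, absolute paths and backslash separators as well.

```python
"""Added example, not ZipGenius or WinRAR code: a pre-extraction check for
archive member names that climb out of the destination with "../"."""
import io
import os
import posixpath
import zipfile


def is_safe_member(name, dest):
    """Return True only if extracting member `name` cannot escape `dest`.

    Covers the usual escape routes: "../" components (including ones
    hidden behind an honest-looking prefix such as "docs/../../"),
    absolute paths (a leading "/" or a DOS drive letter) and backslash
    separators, which Windows-written archives carry and some extractors
    honour as directory separators.
    """
    candidate = name.replace("\\", "/")
    if "\x00" in candidate:
        return False
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return False
    # normpath collapses "a/../b" to "b"; anything still starting with
    # ".." after that collapse climbs above the destination.
    collapsed = posixpath.normpath(candidate)
    if collapsed == ".." or collapsed.startswith("../"):
        return False
    # Final check against the real filesystem path: the resolved target
    # must lie at or below the resolved destination.
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *collapsed.split("/")))
    return target == root or target.startswith(root + os.sep)


def classify_members(zip_bytes, dest):
    """Split an archive's member names into (safe, rejected) lists."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = safe if is_safe_member(info.filename, dest) else rejected
            bucket.append(info.filename)
    return safe, rejected


def safe_extract(zip_bytes, dest):
    """Refuse the whole archive if any member would escape; otherwise
    extract and return the list of member names written."""
    safe, rejected = classify_members(zip_bytes, dest)
    if rejected:
        raise ValueError("archive contains traversal members: %r" % rejected)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe:
            zf.extract(name, dest)
    return safe


def make_demo_archive():
    """Constructed sample archive: one honest member and two hostile names
    (the contents are placeholders, not real payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello\n")
        zf.writestr("docs/../../etc/cron.d/evil", b"placeholder\n")
        zf.writestr("..\\..\\Windows\\evil.exe", b"placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = classify_members(make_demo_archive(), "/tmp/extract-demo")
    print("safe:    ", safe)
    print("rejected:", rejected)
```

Rejecting the whole archive rather than silently skipping bad members is deliberate: a user who sees one file missing from an extraction rarely notices, whereas a refused archive gets reported.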

  • 05.6.27 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Techland XPand Rally Remote Denial of Service
  • Description: XPand Rally client and server are reportedly vulnerable to a remote denial of service condition. A malicious client/server may exploit this vulnerability to deny service to legitimate users. XPand Rally version 1.0 is reported to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/xprallyboom-adv.txt

  • 05.6.28 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SmarterTools SmarterMail Cross-Site Scripting
  • Description: SmarterTools SmarterMail is a web-based email server. It is affected by a cross-site scripting vulnerability. SmarterMail version 2.0.1837 fixes this issue.
  • Ref: http://www.smartertools.com/Products/SmarterMail/ReleaseNotes.aspx

  • 05.6.29 - CVE: Not Available
  • Platform: Linux
  • Title: SuSE Linux Open-Xchange Unspecified Path Traversal
  • Description: SuSE Linux Open-Xchange (SLOX) is reported to be vulnerable to an unspecified path traversal vulnerability. It is conjectured that this could allow access to sensitive files outside of the application's root directory. Version 4.1 of the application is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7999

  • 05.6.30 - CVE: Not Available
  • Platform: Unix
  • Title: Frox Access Control List Bypass Vulnerability
  • Description: Frox is a transparent FTP proxy service. It is vulnerable to an ACL bypass issue because it fails to parse "Deny" ACL entries correctly, which a malicious user may exploit to access unauthorized services. Frox versions 0.7.16 and 0.7.17 are vulnerable to this issue.
  • Ref: http://frox.sourceforge.net/ChangeLog

  • 05.6.31 - CVE: Not Available
  • Platform: Unix
  • Title: Postfix IPv6 Unauthorized Mail Relay Vulnerability
  • Description: Postfix is a mail server. It is vulnerable to an unauthorized mail relay issue due to a design error in its IPv6 processing code. Postfix version 2.1.3 is known to be vulnerable.
  • Ref: http://www.ubuntulinux.org/support/documentation/usn/usn-74-2

  • 05.6.32 - CVE: CAN-2005-0085
  • Platform: Unix
  • Title: ht://Dig Unspecified Cross-Site Scripting
  • Description: The "ht://Dig" search engine is reported vulnerable to an unspecified cross-site scripting vulnerability due to improper sanitization of user-supplied input. All versions of ht://Dig are considered vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7999

  • 05.6.33 - CVE: CAN-2005-0153, CAN-2005-0154
  • Platform: Unix
  • Title: Newsgrab Multiple Local and Remote Vulnerabilities
  • Description: Newsgrab is a utility used to download multipart-encoded binary messages from Usenet. It is affected by multiple local and remote vulnerabilities. Newsgrab version 0.5.0pre4 is known to be vulnerable.
  • Ref: http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt

  • 05.6.34 - CVE: CAN-2005-0175
  • Platform: Unix
  • Title: Squid Proxy squid_ldap_auth Authentication Bypass
  • Description: Squid Proxy is reported vulnerable to an authentication bypass vulnerability. A remote attacker may gain unauthorized access or gain elevated privileges from bypassing access controls. Squid versions 2.5 and earlier are reported to be vulnerable.
  • Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces

  • 05.6.35 - CVE: Not Available
  • Platform: Unix
  • Title: Squid Proxy Malformed HTTP Header Parsing Cache Poisoning Vulnerability
  • Description: Squid Proxy is web proxy and caching software. It is vulnerable to a cache poisoning issue when processing malformed HTTP requests and responses, due to insufficient sanitization of user-supplied data. Squid versions 2.5 and earlier are vulnerable.
  • Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

  • 05.6.36 - CVE: Not Available
  • Platform: Unix
  • Title: Newspost Remote Buffer Overflow Vulnerability
  • Description: Newspost is an NNTP client for Unix platforms. It is vulnerable to a remote buffer overflow issue due to an unbounded memory copy operation in the 'socket_getline' function. A malicious news server can exploit this issue to execute arbitrary code on the vulnerable machine. Newspost versions 2.1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7992

  • 05.6.37 - CVE: CAN-2005-0132
  • Platform: Unix
  • Title: Newsfetch Remote Buffer Overflow
  • Description: Newsfetch is an NNTP client. It is vulnerable to a remote buffer overflow due to insecure sscanf calls that attempt to read data from a 501-byte buffer into a 100-byte buffer. Newsfetch versions 1.21 and 1.4, among others, are reported to be vulnerable.
  • Ref: http://people.freebsd.org/~niels/issues/newsfetch-20050119.txt

  • 05.6.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BrightStor ARCserve/Enterprise Backup Discovery Service Buffer Overflow
  • Description: Computer Associates BrightStor ARCserve/Enterprise Backup is a backup solution. These products are vulnerable to a buffer overflow issue due to an unspecified boundary error in the discovery service.
  • Ref: http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO62769&startsearch=1

  • 05.6.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
  • Description: Various Symantec products are reported to be vulnerable to a remote heap overflow issue. The issue exists in UPX packed file parsing, due to improper boundary checks.
  • Ref: http://secunia.com/advisories/14179/

  • 05.6.40 - CVE: CAN-2005-0231
  • Platform: Cross Platform
  • Title: Mozilla/Firefox Cross-Domain Tab Window Script Execution Vulnerability
  • Description: Mozilla and Mozilla Firefox are vulnerable to a cross-domain script execution issue because the browser fails to prevent JavaScript running in one tab from accessing properties of a site loaded in another tab. Firefox version 1.0 and Mozilla version 1.7.5 are known to be vulnerable.
  • Ref: http://www.mikx.de/firetabbing/

  • 05.6.41 - CVE: CAN-2005-0230
  • Platform: Cross Platform
  • Title: Mozilla Firefox Drag And Drop Security Policy Bypass
  • Description: Mozilla Firefox is reported vulnerable to a security vulnerability that could allow a malicious website to bypass drag-and-drop functionality security policies. Files with arbitrary file extensions can be dropped onto the desktop if the file is spoofed to have a content-type of "image/gif". This issue can be leveraged to trick an unsuspecting user to drag, drop and execute malicious binaries that are disguised as images. Firefox version 1.0 is reported to be vulnerable.
  • Ref: http://www.mikx.de/index.php?p=8

  • 05.6.42 - CVE: CAN-2005-0232
  • Platform: Cross Platform
  • Title: Mozilla Firefox Remote Configuration Manipulation
  • Description: Mozilla Firefox is an open source Internet browser. There is a remote configuration manipulation vulnerability due to the failure of the application to secure the "about:config" script from being activated by remote attackers. Firefox 1.0 and Mozilla 1.7.5 and earlier versions are vulnerable.
  • Ref: http://marc.theaimsgroup.com/?l=bugtraq&m=110781055630856&w=2

  • 05.6.43 - CVE: CAN-2005-0100
  • Platform: Cross Platform
  • Title: Emacs Movemail POP3 Remote Format String Vulnerability
  • Description: Emacs is vulnerable to a remote format string issue in the "movemail" utility due to insufficient sanitization of the data sent by a POP3 server. This issue has been fixed in the Emacs CVS repository.
  • Ref: http://www.ubuntulinux.org/support/documentation/usn/usn-76-1

  • 05.6.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Web Browser IDN Handling Spoofing Vulnerabilities
  • Description: Multiple web browsers are reportedly vulnerable to spoofing issues surrounding the handling of International Domain Names (IDN): a host name built from look-alike characters of another script is displayed so that it is indistinguishable from a legitimate domain. These may be exploited by a remote attacker to aid phishing-style attacks. Vulnerable browsers include Firefox 1.0, Camino 0.8.5, Mozilla 1.6, Safari 1.2.5, Opera 7.54 and OmniWeb 5.
  • Ref: http://www.shmoo.com/idn/homograph.txt
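To show what the IDN spoofing entry above amounts to in practice, here is an added example that is not part of the Shmoo advisory or of any browser's code. It builds the homograph form of a constructed sample host name (Latin "paypal" with the first "a" replaced by Cyrillic U+0430), shows the punycode form the resolver actually sees, and implements the mixed-script heuristic that later browsers adopted: flag any label whose letters come from more than one script. The script is taken from the first word of each character's Unicode name, which is an approximation rather than the formal Unicode Script property, and whole-script look-alikes (a label made entirely of Cyrillic look-alikes) are outside what this check catches.

```python
"""Added example, not from the advisory: forming an IDN homograph and a
mixed-script check that flags it in the punycode form seen on the wire."""
import unicodedata

# Constructed sample: "paypal.com" with the first "a" (U+0061) swapped for
# Cyrillic small A (U+0430). On screen the two are indistinguishable.
HOMOGRAPH = "p\u0430ypal.com"


def to_ascii(hostname):
    """Encode a Unicode host name to the xn-- form a resolver is given."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Decode an xn-- host name back to what an address bar would show."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label):
    """Approximate set of scripts used by the letters of one label: the first
    word of each letter's Unicode name (LATIN, CYRILLIC, GREEK, CJK, ...).
    Digits and hyphens carry no script and are ignored."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_suspicious(hostname):
    """True if any label of the host name mixes scripts, which is how a
    single look-alike character is smuggled into an otherwise Latin name.
    Works on either the Unicode or the xn-- form."""
    try:
        shown = to_unicode(hostname)
    except UnicodeError:
        # Unicode input: idna decode rejects non-ASCII, so use it as-is.
        shown = hostname
    return any(len(scripts_in(label)) > 1 for label in shown.split("."))


def report(hostname):
    """Return (displayed form, wire form, suspicious flag) for a host name."""
    wire = to_ascii(hostname)
    return to_unicode(wire), wire, is_suspicious(wire)


if __name__ == "__main__":
    for host in ("paypal.com", HOMOGRAPH):
        shown, wire, flagged = report(host)
        print("%-16s -> %-22s suspicious=%s" % (shown, wire, flagged))
```

The displayed form of both host names prints as "paypal.com"; only the wire form (plain "paypal.com" versus "xn--pypal-4ve.com") and the script check separate them, which is why a practitioner looks at the punycode in logs and mail headers rather than at the rendered name.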

  • 05.6.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PowerDNS Remote Denial of Service
  • Description: PowerDNS is a nameserver application. It is reported to be vulnerable to an unspecified denial of service when receiving a stream of random bytes. PowerDNS versions 2.9.15 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12446/info/

  • 05.6.46 - CVE: CAN-2005-0089
  • Platform: Cross Platform
  • Title: Python SimpleXMLRPCServer Library Module Unauthorized Access
  • Description: Python is a programming language. There is a security flaw in the SimpleXMLRPCServer library module that can give remote attackers access to internals of the registered object or its module, and possibly to other modules. The flaw only affects Python XML-RPC servers that use the "register_instance()" method to register an object that does not define a "_dispatch()" method. Python versions 2.3.5 and earlier, and version 2.4, are known to be vulnerable.
  • Ref: http://www.python.org/security/PSF-2005-001/
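The mechanism behind the SimpleXMLRPCServer entry is that a method name in the XML-RPC request is resolved as a dotted attribute path on the registered instance, so "attr.sub.func" walks from the object into whatever it references. The following is an added example written for this bulletin, not code from the Python advisory; it uses the dispatcher class that ships with Python 3 (xmlrpc.server.SimpleXMLRPCDispatcher) in-process, without a socket, and re-enables the pre-fix behaviour through the allow_dotted_names flag that Python's fix added to register_instance() (off by default). The Service and GuardedService classes, the module reference held in the "fs" attribute and the sample path are all constructed for the demonstration.

```python
"""Added example, not the advisory's code: dotted-name dispatch in
SimpleXMLRPCServer reaching an object's internals, and the _dispatch()
whitelist pattern the advisory says is unaffected."""
import os
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


class Service:
    """Hypothetical service object registered with register_instance()."""

    def __init__(self):
        # An ordinary internal reference to a module. With dotted names
        # allowed, a remote caller can walk "fs.path.basename" (or any
        # other public attribute chain, os.system included) through it.
        self.fs = os

    def ping(self):
        return "pong"


class GuardedService(Service):
    """Same object, but with an explicit _dispatch() whitelist: when the
    instance defines _dispatch(), the server hands every call to it and
    never resolves attribute paths itself."""

    EXPOSED = frozenset({"ping"})

    def _dispatch(self, method, params):
        if method not in self.EXPOSED:
            raise ValueError("method %r is not exposed" % method)
        return getattr(self, method)(*params)


def build(instance, allow_dotted_names=False):
    """Dispatcher with `instance` registered; allow_dotted_names=True
    recreates the behaviour the advisory describes."""
    dispatcher = SimpleXMLRPCDispatcher()
    dispatcher.register_instance(instance, allow_dotted_names=allow_dotted_names)
    return dispatcher


def rpc_call(dispatcher, method, *params):
    """Marshal a request exactly as a client would, run it through the
    dispatcher, and return the decoded value or a "FAULT: ..." string."""
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request.encode("utf-8"))
    try:
        (value,), _ = xmlrpc.client.loads(response)
    except xmlrpc.client.Fault as fault:
        return "FAULT: " + fault.faultString
    return value


if __name__ == "__main__":
    sample = "/srv/data/secret.txt"   # constructed argument, nothing is read
    for label, dispatcher in (
        ("dotted names allowed", build(Service(), allow_dotted_names=True)),
        ("dotted names refused", build(Service())),
        ("_dispatch whitelist ", build(GuardedService(), allow_dotted_names=True)),
    ):
        print(label, "| ping ->", rpc_call(dispatcher, "ping"),
              "| fs.path.basename ->", rpc_call(dispatcher, "fs.path.basename", sample))
```

Only the first configuration answers the "fs.path.basename" call; the other two return an XML-RPC fault while still serving "ping", which is the behaviour to verify on any XML-RPC server that registers a whole object rather than individual functions.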

  • 05.6.47 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SunShop Shopping Cart Cross-Site Scripting
  • Description: TurnkeyWebTools SunShop Shopping Cart is a web store application. It is vulnerable to a cross-site scripting attack due to a failure to sanitize user-supplied input to the "search" parameter of the "index.php" file. SunShop Shopping Cart versions 3.4RC1 and earlier are reported vulnerable.
  • Ref: http://www.systemsecure.org/wwwboard/messages/227.html

  • 05.6.48 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ngIRCd Remote Format String Vulnerability
  • Description: ngIRCd is an IRC server. ngIRCd is affected by a remote format string vulnerability. ngIRCd versions 0.8.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389399

  • 05.6.49 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Eudora Multiple Unspecified Vulnerabilities
  • Description: Qualcomm Eudora is an email client. Eudora is vulnerable to multiple unspecified security issues. Successful exploitation of these flaws can permit the execution of arbitrary code when a specially crafted email is previewed or opened, or when specially crafted stationery or mailbox files are opened. Qualcomm Eudora version 6.2.1 has been released to fix these issues.
  • Ref: http://www.eudora.com/security.html

  • 05.6.50 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealNetworks RealPlayer Drag And Drop Zone Bypass Vulnerability
  • Description: RealNetworks RealPlayer is a media player available for multiple platforms. It is vulnerable to a security zone bypass issue and can allow a remote attacker to execute script code in the local zone of the affected client computer. RealPlayer 10.5 versions 6.0.12.1056 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389023

  • 05.6.51 - CVE: Not Available
  • Platform: Web Application
  • Title: BXCP Local File Include Vulnerability
  • Description: BXCP is a web content management system. It is vulnerable to a file include issue due to insufficient sanitization of the "show" parameter of the "index.php" script.
  • Ref: http://secunia.com/advisories/14141/

  • 05.6.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PerlDesk SQL Injection Vulnerability
  • Description: PerlDesk is a web-based help desk application. It is reported to be vulnerable to an SQL injection issue, due to improper sanitization of the "view" parameter of the "kb.cgi" script. PerlDesk versions 1.x are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-02/0022.html

  • 05.6.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Information Disclosure
  • Description: PHP-Fusion is a web content management system. It is vulnerable to information disclosure because it fails to sanitize user-supplied input to the "viewthread.php" script. PHP-Fusion version 4 and earlier are reported to be affected by this vulnerability.
  • Ref: http://secunia.com/advisories/14090/

  • 05.6.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Chipmunk Forum Multiple SQL Injection Vulnerabilities
  • Description: Chipmunk Forum is a web forum application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied data.
  • Ref: http://secunia.com/advisories/14143/

  • 05.6.55 - CVE: Not Available
  • Platform: Web Application
  • Title: CMScore Multiple SQL Injection Vulnerabilities
  • Description: CMScore is reportedly affected by multiple SQL injection vulnerabilities. These can be leveraged by remote attackers to compromise the backend database.
  • Ref: http://www.securityfocus.com/bid/12457

  • 05.6.56 - CVE: Not Available
  • Platform: Web Application
  • Title: LiteForum Enter.PHP SQL Injection Vulnerability
  • Description: LiteForum is web forum software. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of the "pswrd" parameter of the "enter.php" script. LiteForum version 2.1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12452

  • 05.6.57 - CVE: Not Available
  • Platform: Web Application
  • Title: WWWBoard Password Database Disclosure
  • Description: Matt Wright's WWWBoard is a web-based discussion forum and message board. It is vulnerable to a password disclosure issue due to the application not securing the password database file. Matt Wright's WWWBoard versions 2.0 Alpha 2.1 and Alpha 2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12453/info/

  • 05.6.58 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Unspecified Cross-Site Scripting Vulnerability
  • Description: MediaWiki is the wiki engine designed to run Wikipedia. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. MediaWiki versions 1.3.9 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14125/

  • 05.6.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source Global Variables Unauthorized Access Vulnerability
  • Description: Mambo Open Source is a web based content management system. It is reported to be vulnerable to unauthorized access. The issue exists due to improper implementation of global variables. Mambo versions 4.5.1 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14124/

  • 05.6.60 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Information Disclosure
  • Description: PHP-Fusion is a web content management application. It is vulnerable to an information disclosure issue due to insufficient sanitization of user supplied data in the "forum_search.php" script. PHP-Fusion version 4.01 is known to be vulnerable.
  • Ref: http://secunia.com/advisories/14090/

  • 05.6.61 - CVE: Not Available
  • Platform: Network Device
  • Title: Netgear DG834 ADSL Firewall Router Insecure Configuration
  • Description: The Netgear DG834 ADSL Firewall Router is a network appliance. It is affected by an insecure firewall configuration vulnerability.
  • Ref: http://www.securityfocus.com/bid/12447

  • 05.6.62 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys PSUS4 PrintServer Malformed HTTP POST Denial Of Service
  • Description: Linksys PSUS4 PrintServer is a device that provides printer-sharing functionality to a local area network. It is vulnerable to a remote denial of service issue while handling certain HTTP POST requests received on TCP port 80. Linksys PSUS4 PrintServer 6032 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/389420

  • 05.6.63 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IP/VC SNMP Remote Default Community String
  • Description: Cisco IP/VC Videoconferencing System is a videoconferencing solution. Hard-coded Simple Network Management Protocol (SNMP) community strings are present in Cisco IP/VC Videoconferencing System models 3510, 3520, 3525 and 3530.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050202-ipvc.shtml

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.