-- Security Alert Consensus --
Number 125 (01.48)
Thursday, November 29, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis

Welcome to SANS' distribution of the Security Alert Consensus.
Did you know that it is actually warmer in San Francisco in December
than in August? And that this December international tourism is way
down, so you can enjoy the city without fighting crowds? Cyber Defense
Initiative West will be held in San Francisco on December 16-21 and
features the five most popular SANS immersion training and certification
tracks. (http://www.sans.org/CDI.htm)

An interesting turn of events happened this week. A wu-ftpd bug
found and discussed back in April -- and believed to be benign --
actually turned out to be exploitable on some platforms (particularly
Linux). You can find more information on this bug in this issue under
the 'Cross-Platform' category, item {01.48.028}.

For those of you looking for a secure FTP daemon alternative,
the SAC team recommends vsftpd. It was designed with security
as its number-one priority. You can download vsftpd from:
http://freshmeat.net/projects/vsftpd/

Until next week,
--Security Alert Consensus Team
************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:
{01.48.017} Win - helpcntr.exe URL overflow
{01.48.025} Win - IE htmlfile control file viewing/command execution
{01.48.002} Linux - Update {01.45.013}: teTeX insecure temp file and
dvips invocation
{01.48.003} Linux - Update {01.43.009}: procmail privilege elevation
via signals
{01.48.004} Linux - Update {01.23.002}: gpg file name format string
vulnerability
{01.48.005} Linux - Update {01.45.004}: SYNCookie problems in Linux
kernels
{01.48.010} Linux - Update {01.44.002}: RPM info query heap overflow
{01.48.011} Linux - Mandrake expect loads libraries from user directory
{01.48.012} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
{01.48.013} Linux - susehelp CGIs arbitrary command exec
{01.48.014} Linux - Update {01.47.012}: Postfix session log memory DoS
{01.48.023} Linux - Cyrus/sasl logging function format string
vulnerability
{01.48.024} Linux - RedHat Stronghold Web server info disclosure
{01.48.006} HPUX - rlpdaemon arbitrary file writing
{01.48.016} SGI - Update {01.42.001}: Various shells create insecure
tmp files for << processing
{01.48.008} Other - Update {01.46.003}: IBM HTTP server source
disclosure
{01.48.009} Other - Update {01.46.020}: IBM 4758 cryptographic storage
weakness
{01.48.019} Other - Xircom REX6000 transmits PIN in clear
{01.48.001} Cross - OpenSSH 3.0.1 available with security fixes
{01.48.007} Cross - pmake shell format string vulnerability
{01.48.018} Cross - Secure Computing SafeWord SSH CRC attack
vulnerability
{01.48.020} Cross - libgtop_daemon syslog() format string vulnerability
{01.48.021} Cross - NetDynamics session hijacking
{01.48.022} Cross - NSI/ARIN rwhoisd syslog() format string
vulnerability
{01.48.026} Cross - Auto nice daemon process name format string
vulnerability
{01.48.027} Cross - Xitami server world-readable configuration file
{01.48.028} Cross - wu-ftpd unclosed glob heap overflow
{01.48.015} Tools - Bind 9.2.0 available
--- Windows News -------------------------------------------------------

*** {01.48.017} Win - helpcntr.exe URL overflow

An advisory has surfaced indicating that a remotely exploitable buffer
overflow exists in the helpcntr.exe application, which handles all
URLs using the 'hcp' protocol. It may be possible for a malicious Web
site or e-mail to execute arbitrary code under the user's privileges.

This vulnerability has not been confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0179.html
*** {01.48.025} Win - IE htmlfile control file viewing/command execution

Multiple advisories have been released indicating that the htmlfile
ActiveX control shipped with Internet Explorer 5.x and 6.0 allows a
malicious Web site or e-mail to view arbitrary files on the user's
system and potentially execute programs, as well.

This vulnerability has not been confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0201.html
--- Linux News ---------------------------------------------------------

*** {01.48.002} Linux - Update {01.45.013}: teTeX insecure temp file
and dvips invocation

Mandrake has released updated teTeX packages, which fix the
vulnerability discussed in {01.45.013} ("teTeX insecure temp file
and dvips invocation").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0159.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0159.html

*** {01.48.003} Linux - Update {01.43.009}: procmail privilege
elevation via signals

Mandrake has released updated procmail packages, which fix the
vulnerability discussed in {01.43.009} ("procmail privilege elevation
via signals").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0156.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0156.html

*** {01.48.004} Linux - Update {01.23.002}: gpg file name format string
vulnerability

Mandrake has released updated gnupg packages, which fix the
vulnerability discussed in {01.23.002} ("gpg file name format string
vulnerability").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0160.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0160.html

*** {01.48.005} Linux - Update {01.45.004}: SYNCookie problems in Linux
kernels

Mandrake has released updated kernel packages, which fix the
vulnerability discussed in {01.45.004} ("SYNCookie problems in Linux
kernels").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0163.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0164.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0163.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0164.html
*** {01.48.010} Linux - Update {01.44.002}: RPM info query heap overflow

Conectiva has released updated rpm packages, which fix the
vulnerability discussed in {01.44.002} ("RPM info query heap
overflow").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0015.html

Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0015.html
*** {01.48.011} Linux - Mandrake expect loads libraries from user
directory

Mandrake has released an advisory indicating a problem in its
distribution of expect. The expect binary looks into a particular
user's directory to load required libraries, thus allowing a malicious
user to offer trojaned libraries and to execute code under the
unsuspecting user's privileges.

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0176.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0176.html
*** {01.48.012} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS

Mandrake has released updated squid packages, which fix the
vulnerability discussed in {01.39.015} ("Squid FTP mkdir PUT DoS").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0180.html

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0180.html
*** {01.48.013} Linux - susehelp CGIs arbitrary command exec

SuSE has released an advisory indicating that some of the susehelp
CGIs allow a remote attacker to execute arbitrary commands under the
Web server's uid.

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1085.html

Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1085.html
*** {01.48.014} Linux - Update {01.47.012}: Postfix session log memory
DoS

Conectiva has released updated postfix packages, which fix the
vulnerability discussed in {01.47.012} ("Postfix session log memory
DoS").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0014.html

Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0014.html
*** {01.48.023} Linux - Cyrus/sasl logging function format string
vulnerability

SuSE has released an advisory indicating that a format string
vulnerability exists in a logging function used by the cyrus/sasl
package. This could allow a remote attacker to execute arbitrary code
on the system.

Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1109.html

Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1109.html
*** {01.48.024} Linux - RedHat Stronghold Web server info disclosure

An advisory was released indicating that the default configuration
of the RedHat Stronghold secure Web server prior to version 3.0 build
3015 allows a remote attacker to view various configuration and runtime
information via two particular status URLs. The advisory also hints
that it's possible to view file contents.

The advisory indicates vendor confirmation, and version 3.0 build
3015 is supposed to fix the problem.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0195.html
--- HP-UX News ---------------------------------------------------------

*** {01.48.006} HPUX - rlpdaemon arbitrary file writing

HP has released updated patches for a vulnerability in the rlpdaemon
printer service that could allow a remote attacker to (over)write
data into arbitrary files.

Apply the appropriate patch:
HPUX 10.01: PHCO_25107
HPUX 10.10: PHCO_25108
HPUX 10.20: PHCO_25109
HPUX 11.00: PHCO_25110
HPUX 11.11: PHCO_25111

Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0047.html
--- SGI News -----------------------------------------------------------

*** {01.48.016} SGI - Update {01.42.001}: Various shells create
insecure tmp files for << processing

SGI has released patches that fix the vulnerability discussed in
{01.42.001} ("Various shells create insecure tmp files for <<
processing").

A patch matrix is available at:
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0058.html

Source: SGI (Vulnwatch)
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0058.html
--- Other News ---------------------------------------------------------

*** {01.48.008} Other - Update {01.46.003}: IBM HTTP server source
disclosure

IBM has reportedly confirmed the vulnerability discussed in {01.46.003}
("IBM HTTP server source disclosure"). A fix will be included in
fixpack 5, which is due at the end of November.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0174.html

*** {01.48.009} Other - Update {01.46.020}: IBM 4758 cryptographic
storage weakness

IBM has released a statement addressing the vulnerability discussed
in {01.46.020} ("IBM 4758 cryptographic storage weakness").

The statement is available at:
http://www-3.ibm.com/security/cryptocards/html/ccaupdate.shtml

Source: IBM
http://www-3.ibm.com/security/cryptocards/html/ccaupdate.shtml
*** {01.48.019} Other - Xircom REX6000 transmits PIN in clear

A recent advisory indicates that the Xircom REX6000 PDA device
transmits its PIN in the clear over the serial connection to the
host-based software. As a result, it is not necessary to know the
PIN to access the device, regardless of the security setting.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0187.html
--- Cross-Platform News ------------------------------------------------

*** {01.48.001} Cross - OpenSSH 3.0.1 available with security fixes

OpenSSH version 3.0.1 has been released. The new version contains
two security-related fixes: attackers can bypass authentication if
KerberosV is enabled, and a memory-clearing bug may crash the service,
leading to a denial of service.

The updated version can be downloaded from:
http://www.openssh.com/

Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-11/1772.html
*** {01.48.007} Cross - pmake shell format string vulnerability

pmake version 2.1.33 has been reported vulnerable to a format
string vulnerability in the handling of certain parameters used in a
makefile. If pmake is setuid/setgid, then this could lead to a local
system compromise.

This vulnerability has not been confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0172.html
*** {01.48.018} Cross - Secure Computing SafeWord SSH CRC attack
vulnerability

Secure Computing distributes a SafeWord-enabled SSH server that has
been found vulnerable to the previously reported SSH CRC compensation
attack ({01.07.027}).

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0186.html
*** {01.48.020} Cross - libgtop_daemon syslog() format string
vulnerability

libgtop_daemon prior to version 1.0.13 has been found to contain
a format string vulnerability when passing data to the syslog()
function. This could allow a remote attacker to execute arbitrary
code under the libgtop_daemon's uid (typically 'nobody').

This vulnerability has been confirmed, and version 1.0.13 has been
released. It is available at:
ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0218.html
*** {01.48.021} Cross - NetDynamics session hijacking

NetDynamics versions 4.x and 5.x are reportedly vulnerable to session
hijacking, whereby a remote attacker can possibly guess the 'random'
variables provided to new users. This allows the attacker to assume
the new users' logged-in identity.

This vulnerability has not been confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0056.html
*** {01.48.022} Cross - NSI/ARIN rwhoisd syslog() format string
vulnerability

NSI/ARIN's rwhoisd versions 1.5.7.2 and prior have been found to
contain a remotely exploitable format string vulnerability in the
handling of data passed to the syslog() function. This would allow
a remote attacker to execute arbitrary code on the system.

This vulnerability has not been confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0051.html
*** {01.48.026} Cross - Auto nice daemon process name format string
vulnerability

The auto nice daemon ('and') versions 1.0.4 and prior have been found
to contain a format string vulnerability in the handling of process
names. This could allow a local attacker to execute arbitrary code
with root privileges.

This vulnerability has been confirmed, and version 1.0.5 has been
released at:
http://and.sourceforge.net

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0206.html
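Five items in this issue ({01.48.007} pmake, {01.48.020} libgtop_daemon,
{01.48.022} rwhoisd, {01.48.023} cyrus/sasl and {01.48.026} and) are the
same bug class: text the attacker controls ends up as the format argument
of syslog() or another printf-family call. The C program below is an
illustration added for this issue, not code from any of those projects.
It shows the faulty call beside the corrected one and a small check that
flags '%' directives in data that is supposed to be opaque (a username,
a process name, an FTP command). snprintf() stands in for syslog() so the
result can be inspected, and the sample client message is constructed for
the example.

```c
/* Format-string bug pattern: attacker-controlled text used as the format
 * argument of a printf-family call. snprintf() stands in for syslog() so
 * the result can be inspected; the faulty and corrected calls are
 * otherwise identical to what a daemon would do. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging wrapper of the kind many daemons carry: forwards a format string
 * and its arguments to the real logger. */
static void log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

static char vuln_buf[128];
static char safe_buf[128];

/* Vulnerable: the client-supplied string IS the format string, so every
 * '%' directive in it is interpreted by the logger. */
const char *log_client_vuln(const char *client_msg)
{
    log_msg(vuln_buf, sizeof vuln_buf, client_msg);
    return vuln_buf;
}

/* Fixed: a constant format; the client string is only ever a %s argument. */
const char *log_client_safe(const char *client_msg)
{
    log_msg(safe_buf, sizeof safe_buf, "%s", client_msg);
    return safe_buf;
}

/* Detection aid: count '%' characters that would be treated as conversion
 * directives in a string that is supposed to be opaque data. "%%" is a
 * literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input: a harmless-looking progress message. Only
     * "%%" is used so the vulnerable call stays within defined behaviour;
     * real attacks use "%n" to write memory and "%x"/"%s" to read it. */
    const char *client_msg = "transfer 100%% complete";

    printf("vulnerable : %s\n", log_client_vuln(client_msg));
    printf("fixed      : %s\n", log_client_safe(client_msg));
    printf("directives in \"USER %%x%%x%%n\": %d\n",
           count_format_directives("USER %x%x%n"));
    return 0;
}
```

The only difference between the two calls is the literal "%s". With the
vulnerable form, a client string of "%n%n%n" makes the logger write to
memory, which is how these bugs escalate from a crash to code execution;
the counter is the kind of check worth running over untrusted fields in
captured traffic or logs when auditing a daemon for this pattern.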
*** {01.48.027} Cross - Xitami server world-readable configuration file

Xitami Web server version 2.4d9 has been found to leave the
configuration file world-readable. This file contains the
administrative password, which a local user then could use to
reconfigure the server and potentially read arbitrary files because
the server runs with root privileges.

This vulnerability has not been confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0055.html
*** {01.48.028} Cross - wu-ftpd unclosed glob heap overflow

A vulnerability has been found in wu-ftpd versions 2.7.0 (beta)
and prior. If an attacker is able to log into the FTP service, via
anonymous or actual user account, then it is possible for the attacker
to execute arbitrary code under the privileges of the logged-in user.

This vulnerability has been confirmed. At this point in time the
exploitability is believed to be limited to the Linux platform.

A patch for wu-ftpd 2.6.1 is available at:
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html

Updated Immunix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0257.html

Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0226.html

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1218.html

Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html

Source: Caldera, SuSE, RedHat, Immunix, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0254.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0257.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0226.html
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1218.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html
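The heap overflow in {01.48.028} is triggered through glob handling: a
pattern whose '{' is never closed. The C program below is an example added
for this issue, not wu-ftpd's globbing code, and shows how a brace expander
should behave on that input class: an unclosed or mismatched brace is
rejected before anything is written, nested groups are matched by depth,
and every copy is checked against the destination size. MAX_EXPANSIONS and
MAX_PATH_LEN are limits chosen for the example, and the patterns in main()
are constructed test input.

```c
/* Defensive glob brace expansion. An expander that keeps going after an
 * unclosed '{' has no well-defined end for the group it is copying, which
 * is how this class of bug turns into a heap write. This stand-alone
 * version (illustrative, not wu-ftpd's code) refuses such patterns and
 * bounds-checks every copy. */
#include <stdio.h>
#include <string.h>

#define MAX_EXPANSIONS 64   /* limits chosen for this example */
#define MAX_PATH_LEN   256

/* Expand the first top-level {a,b,...} group in pat, then recurse on each
 * result so nested groups are handled. Writes up to max_out strings into
 * out[] and returns how many were written, or -1 on any error. */
static int expand_rec(const char *pat, char out[][MAX_PATH_LEN], int max_out)
{
    const char *open = strchr(pat, '{');
    if (open == NULL) {
        /* No group left: the pattern is one literal result. */
        if (max_out < 1 || strlen(pat) >= MAX_PATH_LEN)
            return -1;
        strcpy(out[0], pat);
        return 1;
    }

    /* Locate the '}' that closes this group, honouring nesting. */
    const char *close = NULL;
    int depth = 0;
    for (const char *p = open; *p; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0) {
            close = p;
            break;
        }
    }
    if (close == NULL)
        return -1;          /* unclosed brace: refuse, do not guess */

    size_t prefix_len = (size_t)(open - pat);
    size_t suffix_len = strlen(close + 1);
    int total = 0;
    const char *alt = open + 1;

    while (alt <= close) {
        /* Each alternative ends at a top-level ',' or at the closing brace. */
        const char *end = alt;
        int d = 0;
        while (end < close && !(*end == ',' && d == 0)) {
            if (*end == '{') d++;
            else if (*end == '}') d--;
            end++;
        }
        size_t alt_len = (size_t)(end - alt);

        char candidate[MAX_PATH_LEN];
        if (prefix_len + alt_len + suffix_len >= sizeof candidate)
            return -1;      /* would overflow: stop instead of truncating */
        memcpy(candidate, pat, prefix_len);
        memcpy(candidate + prefix_len, alt, alt_len);
        memcpy(candidate + prefix_len + alt_len, close + 1, suffix_len + 1);

        int n = expand_rec(candidate, out + total, max_out - total);
        if (n < 0)
            return -1;
        total += n;
        alt = end + 1;
    }
    return total;
}

/* Public entry point: returns the number of expansions, or -1 if the pattern
 * has an unclosed '{', a stray '}', or the output limits would be exceeded. */
int brace_expand(const char *pat, char out[][MAX_PATH_LEN], int max_out)
{
    int depth = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && depth-- == 0)
            return -1;      /* '}' with no matching '{' */
    }
    if (depth != 0 || strlen(pat) >= MAX_PATH_LEN)
        return -1;
    return expand_rec(pat, out, max_out);
}

int main(void)
{
    static char out[MAX_EXPANSIONS][MAX_PATH_LEN];
    /* Constructed patterns: one valid nested group, one unclosed brace of
     * the kind named in the advisory, one stray closing brace. */
    const char *patterns[] = { "pub/{src,doc}/{a,b}.txt", "~{", "x}" };

    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int n = brace_expand(patterns[i], out, MAX_EXPANSIONS);
        printf("%-24s -> %d\n", patterns[i], n);
        for (int j = 0; j < n; j++)
            printf("    %s\n", out[j]);
    }
    return 0;
}
```

The two places that matter are the early return when no closing brace is
found and the length check before the memcpy() calls; a server-side glob
routine that lacks either one is processing attacker-supplied structure
with no defined end, whatever the rest of its logic looks like.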
--- Tool Announcements News --------------------------------------------

*** {01.48.015} Tools - Bind 9.2.0 available

Bind version 9.2.0 has been released. This version contains bug fixes
and performance enhancements. No security-related fixes are associated
with this release.

The new version can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.2.0/bind-9.2.0.tar.gz

Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0055.html

************************************************************************
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
https://portal.sans.org/preferences.php/

We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
from this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.

Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).