-- Security Alert Consensus --
Number 001 (03.01)
Thursday, January 9, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis

Welcome to SANS' distribution of the Security Alert Consensus.

************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics.
ALERT: Exploiting Web Applications -- A Step-by-Step Attack Analysis
Learn why 70% of today's successful hacks involve Web Application
attacks such as: SQL Injection, XSS, Cookie Manipulation, Session
Hijacking and Parameter Manipulation.
All undetectable by Firewalls and IDS!
Download FREE white paper from SPI Dynamics for a complete
guide to protection!
http://www.spidynamics.com/mktg/webappsecurity39
************************** End Advertisement *************************

Welcome back! After a two-week holiday break, SAC is now back
on track and ready to go for 2003. We also expanded our coverage
during the break. In addition to our normal categories, we now have
specific Mac OS (all versions), Digital/Compaq/HP Tru64 and mobile
devices (such as cell phones and PDAs) categories. You can add these
new categories to your subscription by following the subscription
change instructions at the bottom of this e-mail. And don't worry;
we didn't use any of the new categories this week, so you won't miss
anything. You'll also notice the 'Network Appliances' category was
renamed to 'Network Devices'. You do not need to make any subscription
changes as a result of this renaming.

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:

{03.01.027} Win - IPD bypass via subst
{03.01.031} Win - Multiple Winamp overflows
{03.01.032} Win - MS02-072: Windows shell/audio file overflow
{03.01.001} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{03.01.002} Linux - Update {02.50.004}: Multiple MySQL vulnerabilities
{03.01.003} Linux - Update {02.49.008}: OpenLDAP2 multiple
vulnerabilities
{03.01.004} Linux - Update {02.29.004}: libpng progressive image
loading overflows
{03.01.005} Linux - Update {02.49.014}: wget directory recursion
vulnerability
{03.01.006} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
modification
{03.01.007} Linux - Update {02.49.017}: tcpdump BGP decoding overflow
{03.01.008} Linux - Update {02.50.007}: Kernel /proc/pid/mem mmap DoS
{03.01.013} Linux - Update {02.45.026}: KDE Lisa/resLISa multiple
vulnerabilities
{03.01.014} Linux - Update {02.49.019}: Cyrus SASL library overflows
{03.01.015} Linux - Update {02.45.007}: BIND SIG cached RR overflow + 2
DoS
{03.01.016} Linux - Update {02.50.024}: Fetchmail local address
creation vulnerability
{03.01.019} Linux - typespeed local buffer overflow
{03.01.022} Linux - Update {02.46.014}: dhcpcd response command
execution
{03.01.023} Linux - Update {02.38.006}: Squirrel mail CGI multiple CSS
vulnerabilities
{03.01.024} Linux - Update {02.36.004}: MHonarc HTML mail CSS
vulnerability
{03.01.025} Linux - Update {02.45.022}: Pine 4.44 malformed From field
vulnerability
{03.01.026} BSD - FreeBSD fpathconf syscall vulnerability
{03.01.017} HPUX - JFS sticky bit vulnerability
{03.01.012} NetDev - Cisco products SSH reload DoS
{03.01.009} Cross - Lynx CRLF header injection
{03.01.010} Cross - CUPS multiple vulnerabilities
{03.01.011} Cross - OpenWebmail sessionid path vulnerability
{03.01.018} Cross - Update {02.50.014}: PFingerd host name format
string vulnerability
{03.01.020} Cross - Sendmail 8.12.7 available
{03.01.021} Cross - Bugzilla CSS vulnerabilities
{03.01.028} Cross - libmcrypt buffer overflows and memory leak
{03.01.029} Cross - PHP 4.3.0 released, with security fixes
{03.01.030} Cross - Tanne library syslog format vulnerabilities
{03.01.033} Cross - xpdf/pdftops integer overflow
--- Windows News -------------------------------------------------------

*** {03.01.027} Win - IPD bypass via subst

The Integrity Protection Driver (IPD) versions 1.3 and prior do not
correctly handle drive mappings created by the subst command, thereby
allowing a local attacker to potentially bypass IPD's file protections.

The vendor confirmed this vulnerability and released an updated
version.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0000.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0001.html

*** {03.01.031} Win - Multiple Winamp overflows

Winamp versions 3.0 and 2.81 reportedly contain multiple buffer
overflows that allow a malicious MP3 file to execute arbitrary code
on the user's system.

The vendor confirmed these vulnerabilities and released updates,
available at:
http://www.winamp.com

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0186.html

*** {03.01.032} Win - MS02-072: Windows shell/audio file overflow

Microsoft released MS02-072 ("Windows shell/audio file overflow"). The
Windows Shell framework included with Windows XP contains a buffer
overflow in the handling of large audio file attributes, resulting
in the execution of arbitrary code by a malicious MP3 or WMA file.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-072.asp

Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0021.html
--- Linux News ---------------------------------------------------------

*** {03.01.001} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities

Mandrake released updated Apache packages, which fix the
vulnerabilities discussed in {02.40.013} ("Apache host name CSS,
ab overflow and shared memory vulnerabilities").

Updated RPMs are listed at the reference URL below.

Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0350.html

*** {03.01.002} Linux - Update {02.50.004}: Multiple MySQL
vulnerabilities

Mandrake and Trustix released updated MySQL packages, which fix
the vulnerabilities discussed in {02.50.004} ("Multiple MySQL
vulnerabilities").

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0351.html

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-12/0196.html

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0004.html

Source: Mandrake, Trustix, SuSE (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0351.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0196.html
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0004.html

*** {03.01.003} Linux - Update {02.49.008}: OpenLDAP2 multiple
vulnerabilities

Conectiva released updated OpenLDAP packages, which fix the
vulnerabilities discussed in {02.49.008} ("OpenLDAP2 multiple
vulnerabilities").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0028.html

*** {03.01.004} Linux - Update {02.29.004}: libpng progressive image
loading overflows

Debian released updated libpng packages, which fix the vulnerability
discussed in {02.29.004} ("libpng progressive image loading
overflows").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q4/0086.html

*** {03.01.005} Linux - Update {02.49.014}: wget directory recursion
vulnerability

Trustix released updated wget packages, which fix the vulnerability
discussed in {02.49.014} ("wget directory recursion vulnerability").

Updated RPMs are listed at the reference URL below.

Source: Trustix
http://archives.neohapsis.com/archives/bugtraq/2002-12/0198.html

*** {03.01.006} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
modification

Trustix released updated Perl packages, which fix the vulnerability
discussed in {02.45.008} ("Perl Safe.pm reuse opmask modification").

Updated RPMs are listed at the reference URL below.

Source: Trustix
http://archives.neohapsis.com/archives/bugtraq/2002-12/0200.html

*** {03.01.007} Linux - Update {02.49.017}: tcpdump BGP decoding
overflow

Trustix released updated tcpdump packages, which fix the vulnerability
discussed in {02.49.017} ("tcpdump BGP decoding overflow").

Updated RPMs are listed at the reference URL below.

Source: Trustix
http://archives.neohapsis.com/archives/bugtraq/2002-12/0201.html

*** {03.01.008} Linux - Update {02.50.007}: Kernel /proc/pid/mem mmap
DoS

Trustix released updated kernel packages, which fix the vulnerability
discussed in {02.50.007} ("Kernel /proc/pid/mem mmap DoS").

Updated RPMs are listed at the reference URL below.

Source: Trustix
http://archives.neohapsis.com/archives/bugtraq/2002-12/0202.html
*** {03.01.013} Linux - Update {02.45.026}: KDE Lisa/resLISa multiple
vulnerabilities

Debian released updated kdenetwork packages, which fix the
vulnerabilities discussed in {02.45.026} ("KDE Lisa/resLISa multiple
vulnerabilities").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/1129.html

*** {03.01.014} Linux - Update {02.49.019}: Cyrus SASL library overflows

Multiple vendors released updated Cyrus-SASL packages, which fix
the vulnerability discussed in {02.49.019} ("Cyrus SASL library
overflows").

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q4/1275.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q4/0089.html

Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0029.html

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0002.html

Source: SuSE, Debian, Conectiva, Red Hat
http://archives.neohapsis.com/archives/linux/suse/2002-q4/1275.html
http://archives.neohapsis.com/archives/vendor/2002-q4/0089.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0002.html

*** {03.01.015} Linux - Update {02.45.007}: BIND SIG cached RR overflow
+ 2 DoS

Caldera/SCO released updated BIND packages, which fix the vulnerability
discussed in {02.45.007} ("BIND SIG cached RR overflow + 2 DoS").

Updated RPMs are listed at the reference URL below.

Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0029.html

*** {03.01.016} Linux - Update {02.50.024}: Fetchmail local address
creation vulnerability

Debian and SuSE released updated Fetchmail packages, which fix the
vulnerability discussed in {02.50.024} ("Fetchmail local address
creation vulnerability").

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q4/0090.html

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0000.html

Source: Debian, SuSE
http://archives.neohapsis.com/archives/vendor/2002-q4/0090.html
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0000.html

*** {03.01.019} Linux - typespeed local buffer overflow

The typespeed typing utility/game contains a locally exploitable buffer
overflow that lets a local attacker gain group id 'games' privileges.

Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q4/0091.html

*** {03.01.022} Linux - Update {02.46.014}: dhcpcd response command
execution

Debian released updated dhcpcd packages, which fix the vulnerability
discussed in {02.46.014} ("dhcpcd response command execution").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q4/0093.html

*** {03.01.023} Linux - Update {02.38.006}: Squirrel mail CGI multiple
CSS vulnerabilities

Debian released updated Squirrel mail packages, which fix the
vulnerabilities discussed in {02.38.006} ("Squirrel mail CGI multiple
CSS vulnerabilities").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2003-q1/0003.html

*** {03.01.024} Linux - Update {02.36.004}: MHonarc HTML mail CSS
vulnerability

Debian released updated MHonarc packages, which fix the vulnerability
discussed in {02.36.004} ("MHonarc HTML mail CSS vulnerability").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2003-q1/0004.html

*** {03.01.025} Linux - Update {02.45.022}: Pine 4.44 malformed From
field vulnerability

Red Hat released updated Pine packages, which fix the vulnerability
discussed in {02.45.022} ("Pine 4.44 malformed From field
vulnerability").

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0000.html
--- BSD News -----------------------------------------------------------

*** {03.01.026} BSD - FreeBSD fpathconf syscall vulnerability

A FreeBSD advisory indicates that the fpathconf system call may leak
a file descriptor, thereby leading to a local denial of service
attack. A local root privilege elevation attack is also possible
(this exploitation was confirmed by a third party).

FreeBSD 4.4 through 4.7 and 5.0, as of Jan. 7, 2003, contain a fix.

Source: VulnWatch, FreeBSD (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0006.html
http://archives.neohapsis.com/archives/bugtraq/2003-01/0057.html

--- HP-UX News ---------------------------------------------------------

*** {03.01.017} HPUX - JFS sticky bit vulnerability

HP released a patch that fixes a bug in JFS's handling (or lack of
handling) of the +s 'sticky bit' within the file system.

Apply the appropriate patch:
HPUX 10.20: PHKL_27832, PHKL_27833
HPUX 11.00: PHKL_27932
HPUX 11.04: PHKL_24201

Source: HP
http://archives.neohapsis.com/archives/hp/2002-q4/0075.html

--- Network Devices News -----------------------------------------------

*** {03.01.012} NetDev - Cisco products SSH reload DoS

Cisco has released an advisory indicating that various Cisco devices
running IOS versions 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, and
12.2S can be made to reboot remotely by a malformed SSH packet sent to
the device when the SSH service is running. All products running the
above versions of IOS and using SSH are affected. NOT affected are the
Cisco Catalyst series running CatOS, VPN3000, PIX firewalls, SN5400
series, and NetRanger products.

Cisco confirmed this vulnerability. Patches are currently in production
and available from Cisco.

Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q4/0005.html
--- Cross-Platform News ------------------------------------------------

*** {03.01.009} Cross - Lynx CRLF header injection

The Lynx Web browser potentially allows malformed URLs to insert
arbitrary HTTP headers into the request. This could allow modification
of the Host header or submission of extra cookies by an unsuspecting
user.

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-12/0199.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q4/0082.html

Source: Trustix, Debian (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-12/0199.html
http://archives.neohapsis.com/archives/vendor/2002-q4/0082.html
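The mechanism behind the Lynx item, as an added example (this is not Lynx's code and not from any of the advisories above): a request builder that copies URL components straight into the request, beside the control-character check a client should apply first. The function names are ours, and the constructed input assumes a URL parser that has already percent-decoded %0D%0A into a literal CR/LF.

```c
/* Added example: CR/LF in a URL component ends one header line and
 * starts another; a client must reject (or keep percent-encoded) any
 * control byte before serialising the request. */
#include <stdio.h>
#include <string.h>

/* Return 1 if the component contains no CR, LF or other control byte.
 * Literal control bytes never belong in a request line or header value;
 * inside a URL they must stay percent-encoded (%0D, %0A). */
int url_component_is_clean(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Vulnerable pattern: serialise a minimal HTTP/1.0 request without
 * validating its parts.  Returns bytes written, -1 if out is too small. */
int build_request_unchecked(char *out, size_t outsz,
                            const char *host, const char *path)
{
    int n = snprintf(out, outsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened form: refuse to build the request if either component would
 * introduce a new header line. */
int build_request_checked(char *out, size_t outsz,
                          const char *host, const char *path)
{
    if (!url_component_is_clean(host) || !url_component_is_clean(path))
        return -1;
    return build_request_unchecked(out, outsz, host, path);
}

/* Count header lines (request line included) in a serialised request:
 * every CRLF except the one ending the final empty line closes a line. */
int count_header_lines(const char *req)
{
    int crlf = 0;
    const char *p;
    for (p = strstr(req, "\r\n"); p != NULL; p = strstr(p + 2, "\r\n"))
        crlf++;
    return crlf > 0 ? crlf - 1 : 0;
}

int main(void)
{
    char req[256];
    /* Constructed input: %0D%0A in the path already decoded to CR/LF. */
    const char *injected =
        "/ HTTP/1.0\r\nCookie: session=attacker\r\nX-Ignore: ";

    build_request_unchecked(req, sizeof req, "www.example.com", injected);
    printf("unchecked build: %d header lines (a clean request has 2)\n",
           count_header_lines(req));

    if (build_request_checked(req, sizeof req, "www.example.com", injected) < 0)
        printf("checked build: request refused\n");
    return 0;
}
```

The unchecked build turns one path into four header lines, which is exactly how an extra Cookie or a rewritten Host header reaches the server; the checked build never emits the request. The same check belongs on every component that is spliced into a header, including values taken from a redirect Location.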
*** {03.01.010} Cross - CUPS multiple vulnerabilities

The CUPS (Common Unix Printing System) prior to version 1.1.18 contains
multiple vulnerabilities: integer overflows leading to local privilege
elevation; a PID file race condition; the remote addition of arbitrary
printers; remote heap overflows; an options string buffer overflow;
0-width image arbitrary code execution; and file descriptor leaks.

The vendor confirmed these vulnerabilities and fixed them in version
1.1.18.

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0001.html

Source: VulnWatch, SuSE
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0001.html

*** {03.01.011} Cross - OpenWebmail sessionid path vulnerability

The OpenWebmail CGI suite versions 1.71 and prior contain a
vulnerability in the handling of the sessionid URL parameter that could
allow an attacker, who can somehow place a file on the target system,
to gain root privileges (because the OpenWebmail CGIs use suidperl to
run as root).

The vendor confirmed this vulnerability and released patches.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0192.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0205.html

*** {03.01.018} Cross - Update {02.50.014}: PFingerd host name format
string vulnerability

The vendor released version 0.7.9, which fixes the vulnerability
discussed in {02.50.014} ("PFingerd host name format string
vulnerability").

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0253.html

*** {03.01.020} Cross - Sendmail 8.12.7 available

Sendmail 8.12.7 was released. This version contains one previously
reported security-related fix in the smrsh utility.

The latest Sendmail source is available at:
ftp://ftp.sendmail.org/pub/sendmail/

Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2002-q4/0000.html

*** {03.01.021} Cross - Bugzilla CSS vulnerabilities

A Debian advisory indicates that the Bugzilla CGI suite contains
various cross-site scripting vulnerabilities.

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q4/0092.html

*** {03.01.028} Cross - libmcrypt buffer overflows and memory leak

The libmcrypt library prior to version 2.5.5 contains multiple buffer
overflows and a memory leak. Applications using the libmcrypt library
may be vulnerable to various types of attack.

The vendor confirmed these vulnerabilities and released version 2.5.5.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-01/0020.html

*** {03.01.029} Cross - PHP 4.3.0 released, with security fixes

PHP 4.3.0 was released. It contains a few security fixes, including
one for a buffer overflow in the wordwrap() function, as well as
corrections to the included MySQL client.

Latest PHP versions are available from:
http://www.php.net/

Source: PHP
http://archives.neohapsis.com/archives/php/2002-12/0050.html

*** {03.01.030} Cross - Tanne library syslog format vulnerabilities

The Tanne HTTP authentication library contains two format string
vulnerabilities in the handling of syslog() parameters.

This vulnerability is not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0011.html
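The class of bug in the Tanne item (and the PFingerd update above), as an added example that is not Tanne's code and is not taken from the advisory: a logging wrapper that hides syslog's format parameter, so that a message assembled from an untrusted user name becomes the format string, beside the fixed call and a buffer-based helper that shows the untrusted text passing through verbatim. The wrapper, function names and messages are assumptions.

```c
/* Added example: syslog() format-string misuse and its fix.  The
 * logging wrapper below is the pattern that hides the problem from a
 * casual read, because the call site no longer looks like syslog(). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Thin wrapper around vsyslog().  Without a format attribute the
 * compiler's -Wformat-security check cannot see through it. */
static void logmsg(int pri, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsyslog(pri, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (kept for contrast, never called in this file):
 * the assembled message, which contains the attacker-chosen user name,
 * is passed as the FORMAT, so %x/%s read the stack and %n writes to it. */
void log_auth_failure_vulnerable(const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "auth failure for %s", user);
    logmsg(LOG_AUTH | LOG_WARNING, msg);          /* BUG: msg is the format */
}

/* Fixed pattern: the format is a constant and the untrusted value is
 * always an argument, so it is copied, never interpreted. */
void log_auth_failure(const char *user)
{
    logmsg(LOG_AUTH | LOG_WARNING, "auth failure for %s", user);
}

/* Same discipline into a buffer, so the effect can be checked without a
 * syslog daemon: every '%' in the user name survives as literal text. */
int format_log_line(char *out, size_t outsz, const char *user)
{
    int n = snprintf(out, outsz, "auth failure for %s", user);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Review aid: does a string carry a conversion directive?  Any log
 * FORMAT for which this returns 1 while the string came from input is
 * the bug above ("%%" is a literal percent sign and does not count). */
int contains_format_directive(const char *s)
{
    const char *p = strchr(s, '%');
    while (p != NULL) {
        if (p[1] != '%')
            return 1;
        p = strchr(p + 2, '%');
    }
    return 0;
}

int main(void)
{
    char line[256];
    /* Constructed input: a user name chosen to probe the formatter. */
    const char *user = "guest%x%x%n";
    format_log_line(line, sizeof line, user);
    printf("%s\n", line);                /* the %x%x%n appear verbatim */
    printf("directive in input: %d\n", contains_format_directive(user));
    log_auth_failure(user);              /* safe even with this name */
    return 0;
}
```

Declaring the wrapper with __attribute__((format(printf, 2, 3))) lets GCC and Clang flag the vulnerable call at compile time; the runtime check is for audits of code bases whose wrappers lack that annotation.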
*** {03.01.033} Cross - xpdf/pdftops integer overflow

The pdftops filter contains an integer overflow in the handling of a
large color space, resulting in a heap overflow and the execution of
arbitrary code. It's possible to remotely trigger this vulnerability
via CUPS/lpd.

The vendor confirmed this vulnerability and released a patch,
available at:
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2003-q1/0007.html

Source: VulnWatch, Debian
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0122.html
http://archives.neohapsis.com/archives/vendor/2003-q1/0007.html
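How an integer overflow in a size computation becomes a heap overflow, and the check that prevents it, as an added example that is not xpdf's or CUPS's code and is not derived from the patch linked above. It uses the general width x height x components product that any image decoder computes rather than the specific color-space field in the advisory; the function names and limits are assumptions.

```c
/* Added example: overflow-checked buffer sizing for an image decoder.
 * A wrapped product makes malloc() succeed with a buffer far smaller
 * than the data the decoder will write into it. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply two size_t values; return 0 (and leave *out alone) on wrap. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Byte count for a width x height image with ncomps bytes per pixel.
 * Returns 1 and stores the size on success; 0 if a dimension is not
 * positive or the product does not fit in size_t.  Inputs are signed
 * because PDF numbers reach the decoder as signed integers. */
int image_bytes(long width, long height, long ncomps, size_t *bytes)
{
    size_t tmp;
    if (width <= 0 || height <= 0 || ncomps <= 0)
        return 0;
    if (!mul_size((size_t)width, (size_t)height, &tmp))
        return 0;
    return mul_size(tmp, (size_t)ncomps, bytes);
}

/* Vulnerable pattern for contrast: the same product in 32-bit int
 * arithmetic.  Computed in unsigned so the demo itself is well defined;
 * the value returned is what the buggy int code would hand to malloc().
 * It allocates nothing. */
int wrapped_int_size(int width, int height, int ncomps)
{
    unsigned v = (unsigned)width * (unsigned)height * (unsigned)ncomps;
    return (int)v;
}

/* Allocate only after the size is validated and capped; a cap stops the
 * correct-but-huge case from exhausting memory on a print server. */
unsigned char *alloc_image(long width, long height, long ncomps,
                           size_t max_bytes)
{
    size_t n;
    if (!image_bytes(width, height, ncomps, &n) || n > max_bytes)
        return NULL;
    return malloc(n);
}

int main(void)
{
    size_t n;
    /* Constructed dimensions: 65536 x 65536 x 1 is 2^32 bytes, which the
     * 32-bit product wraps to 0. */
    printf("wrapped int size: %d\n", wrapped_int_size(65536, 65536, 1));
    printf("checked: %s\n",
           image_bytes(65536, 65536, 1, &n) ? "fits in size_t" : "rejected");
    printf("alloc under 64 MiB cap: %s\n",
           alloc_image(65536, 65536, 1, 64u << 20) ? "allocated" : "refused");
    return 0;
}
```

On a 64-bit build the checked product itself fits, so the cap is what refuses the allocation; on a 32-bit build mul_size refuses it first. Either way the decoder never gets a buffer smaller than the data it is about to write.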
************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE+He1J+LUG5KFpTkYRAg9/AJ0fVwwMfNkVuxg7SQJGjzx6ulPfGgCgmsEL
YNtvz2LeySnn4uwPzn1KUgI=
=cbOB
-----END PGP SIGNATURE-----
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
https://portal.sans.org/preferences.php/

We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <sans@sans.org>.

If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl/

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online.
http://www.sans.org/newsletters/

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).