Wednesday, July 04, 2007

SecurityFocus Linux Newsletter #344
----------------------------------------

This Issue is Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of sensitive data - including personal, medical and financial information - are exchanged and stored. This paper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701700000008yka


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Don't Be Evil
2. Persistence of data on storage media
II. LINUX VULNERABILITY SUMMARY
1. Hiki Session ID File Deletion Vulnerability
2. Avahi Empty TXT Data Denial Of Service Vulnerability
3. Red Hat Kernel SysFS_ReadDir NULL Pointer Dereference Vulnerability
4. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
5. SlackRoll GnuPG And HTTP Codes Signature Validation Bypass Vulnerability And Weakness
6. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
7. MIT Kerberos 5 KAdminD Server Rename_Principal_2_SVC() Function Stack Buffer Overflow Vulnerability
8. MIT Kerberos Administration Daemon RPC Library Free Pointer Remote Code Execution Vulnerability
9. MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability
10. RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability
11. Wireshark Multiple Protocol Denial of Service Vulnerabilities
12. CA BrightStor ARCserve Backup Server Unspecified Remote Code Execution Vulnerability
13. Sun JavaDoc Tool Cross-Site Scripting Vulnerability
14. GSAMBAD Insecure Temporary File Creation Vulnerability
15. Fireflier-Server Insecure Temporary File Creation Vulnerability
16. PHPEventCalendar Eventdisplay.PHP Script SQL Injection Vulnerability
17. Linux Kernel USBLCD Memory Consumption Denial Of Service Vulnerability
18. SlackRoll Malicious Package Denial of Service Vulnerability
19. ImLib BMP Image _LoadBMP Function Denial of Service Vulnerability
20. GNU GLibC LD.SO Mask Dynamic Loader Integer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Don't Be Evil
By Mark Rasch
A series of developments raises the specter that remotely stored or created documents may be subject to subpoena or discovery, all without the knowledge or consent of the documents' creators.
http://www.securityfocus.com/columnists/447

2. Persistence of data on storage media
By Jamie Ridden
Jamie Ridden discusses the re-use of storage media and how slack space can prevent sensitive data from being completely removed.
http://www.securityfocus.com/infocus/1891


II. LINUX VULNERABILITY SUMMARY
------------------------------------
1. Hiki Session ID File Deletion Vulnerability
BugTraq ID: 24603
Remote: Yes
Date Published: 2007-06-24
Relevant URL: http://www.securityfocus.com/bid/24603
Summary:
Hiki is prone to a vulnerability that allows an attacker to delete arbitrary files because of an error in the way it deletes files when a user logs out.

An attacker can exploit this vulnerability to delete arbitrary files in the context of the affected software, which can allow the attacker to cause significant damage to an installation, potentially denying service to legitimate users.

2. Avahi Empty TXT Data Denial Of Service Vulnerability
BugTraq ID: 24614
Remote: No
Date Published: 2007-06-25
Relevant URL: http://www.securityfocus.com/bid/24614
Summary:
Avahi is prone to a denial-of-service vulnerability.

A local attacker may exploit this issue to cause the application to crash, denying further service to legitimate users.

Versions prior to 0.6.20 are vulnerable to this issue.

3. Red Hat Kernel SysFS_ReadDir NULL Pointer Dereference Vulnerability
BugTraq ID: 24631
Remote: No
Date Published: 2007-06-25
Relevant URL: http://www.securityfocus.com/bid/24631
Summary:
The Red Hat kernel is prone to a NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

UPDATE (June 26, 2007): Given the nature of this issue, remote code execution may also be possible but has not been confirmed.

4. Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
BugTraq ID: 24645
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24645
Summary:
The Apache HTTP Server mod_status module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

5. SlackRoll GnuPG And HTTP Codes Signature Validation Bypass Vulnerability And Weakness
BugTraq ID: 24648
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24648
Summary:
SlackRoll is prone to a signature-validation bypass vulnerability and an HTTP-error detection weakness.

These issues occur because the application fails to adequately interpret certain GnuPG exit codes and HTTP error codes.

An attacker can exploit these issues to bypass GnuPG signature validation. Successful attacks could result in the execution of arbitrary code; other attacks are possible.

Versions prior to SlackRoll 8 are vulnerable.

6. Apache HTTP Server Mod_Cache Denial of Service Vulnerability
BugTraq ID: 24649
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24649
Summary:
The Apache mod_cache module is prone to a denial-of-service vulnerability.

A remote attacker may be able to exploit this issue to crash the child process. This could lead to denial-of-service conditions if the server is using a multithreaded Multi-Processing Module (MPM).

7. MIT Kerberos 5 KAdminD Server Rename_Principal_2_SVC() Function Stack Buffer Overflow Vulnerability
BugTraq ID: 24653
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24653
Summary:
Kerberos 5 'kadmind' (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

All 'kadmind' servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 'kadmind' 1.6.1, 1.5.3, and prior versions are vulnerable.

8. MIT Kerberos Administration Daemon RPC Library Free Pointer Remote Code Execution Vulnerability
BugTraq ID: 24655
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24655
Summary:
MIT Kerberos 5 Administration Daemon (kadmind) is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, completely compromising affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

All kadmind servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

This issue also affects third-party applications using the affected RPC library.

kadmind versions prior to krb5-1.6.1 are vulnerable.

9. MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability
BugTraq ID: 24657
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24657
Summary:
Kerberos 5 'kadmind' (Kerberos Administration Daemon) server is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected RPC library.

All 'kadmind' servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 'kadmind' 1.6.1 and prior versions are vulnerable.

10. RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability
BugTraq ID: 24658
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24658
Summary:
RealPlayer and HelixPlayer are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

This issue affects RealPlayer 10.5-GOLD and HelixPlayer 10.5-GOLD; other versions may also be affected.

11. Wireshark Multiple Protocol Denial of Service Vulnerabilities
BugTraq ID: 24662
Remote: Yes
Date Published: 2007-06-26
Relevant URL: http://www.securityfocus.com/bid/24662
Summary:
Wireshark is prone to multiple denial-of-service vulnerabilities.

Exploiting these issues may permit attackers to cause crashes and deny service to legitimate users of the application.

Wireshark versions prior to 0.99.6 are affected.

12. CA BrightStor ARCserve Backup Server Unspecified Remote Code Execution Vulnerability
BugTraq ID: 24680
Remote: Yes
Date Published: 2007-06-27
Relevant URL: http://www.securityfocus.com/bid/24680
Summary:
Computer Associates BrightStor ARCserve Backup is prone to a remote code-execution vulnerability.

Currently, very few details are available regarding this issue. We will update this BID as more information emerges.

Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges.

BrightStor ARCserve Backup 11.5 SP3 for Microsoft Windows is reported vulnerable; other versions may also be affected.

13. Sun JavaDoc Tool Cross-Site Scripting Vulnerability
BugTraq ID: 24690
Remote: Yes
Date Published: 2007-06-28
Relevant URL: http://www.securityfocus.com/bid/24690
Summary:
Sun JavaDoc Tool is prone to a cross-site scripting vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

14. GSAMBAD Insecure Temporary File Creation Vulnerability
BugTraq ID: 24717
Remote: No
Date Published: 2007-07-01
Relevant URL: http://www.securityfocus.com/bid/24717
Summary:
GSAMBAD creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.

An attacker may leverage this issue to corrupt or overwrite arbitrary files with the privileges of an unsuspecting user who ran the affected application. Reportedly, attackers can exploit this issue to escalate privileges.

All versions of GSAMBAD are considered to be vulnerable to this issue.

15. Fireflier-Server Insecure Temporary File Creation Vulnerability
BugTraq ID: 24718
Remote: No
Date Published: 2007-07-01
Relevant URL: http://www.securityfocus.com/bid/24718
Summary:
The Fireflier-Server application creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to remove arbitrary files from the local system.

Successfully mounting a symlink attack may allow the attacker to remove sensitive files, which may result in a denial of service. Other attacks may also be possible.

16. PHPEventCalendar Eventdisplay.PHP Script SQL Injection Vulnerability
BugTraq ID: 24721
Remote: Yes
Date Published: 2007-07-01
Relevant URL: http://www.securityfocus.com/bid/24721
Summary:
phpEventCalendar is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

phpEventCalendar 0.2.3 and prior versions are reported prone to this issue.

17. Linux Kernel USBLCD Memory Consumption Denial Of Service Vulnerability
BugTraq ID: 24734
Remote: No
Date Published: 2007-07-02
Relevant URL: http://www.securityfocus.com/bid/24734
Summary:
The Linux Kernel is prone to a denial-of-service vulnerability because it fails to limit memory consumption by 'fast writers'.

Attackers can exploit this issue to consume memory, resulting in denial-of-service conditions.

Versions prior to 2.6.22-rc7 are vulnerable.

18. SlackRoll Malicious Package Denial of Service Vulnerability
BugTraq ID: 24739
Remote: Yes
Date Published: 2007-07-02
Relevant URL: http://www.securityfocus.com/bid/24739
Summary:
SlackRoll is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects versions prior to SlackRoll 10.

19. ImLib BMP Image _LoadBMP Function Denial of Service Vulnerability
BugTraq ID: 24750
Remote: Yes
Date Published: 2007-07-03
Relevant URL: http://www.securityfocus.com/bid/24750
Summary:
ImLib is prone to a denial-of-service vulnerability because the application fails to properly process certain BMP image files.

Remote attackers may exploit this issue by enticing victims into opening maliciously crafted BMP files.

An attacker could exploit this issue to cause denial-of-service conditions on applications using the affected library.

20. GNU GLibC LD.SO Mask Dynamic Loader Integer Overflow Vulnerability
BugTraq ID: 24758
Remote: Yes
Date Published: 2007-07-03
Relevant URL: http://www.securityfocus.com/bid/24758
Summary:
GNU glibc is prone to an integer-overflow vulnerability because it fails to properly ensure that integer math operations do not result in overflow.

An attacker can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of the affected application. Failed exploit attempts will result in denial-of-service conditions.

Versions 2.5 and prior are vulnerable to this issue.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to linux-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you must reply. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------