The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability alert CVE-2005-2919 CVE-2005-2920

ClamAV: buffer overflow of UPX and denial of service of FSG

Synthesis of the vulnerability

An attacker can create malicious UPX or FSG programs in order to run code or lead to a denial of service.
Impacted products: ClamAV, Debian, Mandriva Linux, openSUSE.
Severity: 3/4.
Consequences: user access/rights, denial of service on server.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 19/09/2005.
Identifiers: BID-14866, BID-14867, CERTA-2005-AVI-348, CVE-2005-2919, CVE-2005-2920, DSA-824-1, MDKSA-2005:166, SUSE-SA:2005:055, VIGILANCE-VUL-5201, VU#363713.

Description of the vulnerability

Programs can be packed in order to shrink their size and make their analysis harder. ClamAV supports several packers, such as UPX (Ultimate Packer for eXecutables) and FSG (Fast Small Good).

A program packed with UPX can lead to a buffer overflow in libclamav/upx.c.

A program packed with FSG can lead to an infinite loop in libclamav/fsg.c.

An attacker can therefore send a packed program in order to run code or to conduct a denial of service.

vulnerability CVE-2005-2917

Squid: denial of service by changing authentication type

Synthesis of the vulnerability

An attacker can change the authentication type in order to stop Squid-cache.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, Squid, TurboLinux.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 16/09/2005.
Identifiers: 1391, 20060401-01-U, BID-14977, CERTA-2005-AVI-371, CVE-2005-2917, DSA-828-1, FLSA-2006:152809, MDKSA-2005:181, RHSA-2006:004, RHSA-2006:0045-01, RHSA-2006:005, RHSA-2006:0052-01, SUSE-SR-2005:027, TLSA-2005-101, VIGILANCE-VUL-5200.

Description of the vulnerability

The Squid-cache proxy supports several authentication types:
 - Basic: login and password are sent encoded in base64
 - NTLM: an NTLM (Microsoft) authentication is used

An NTLM authentication needs a challenge and a response:
 - the client asks for access to the resource
 - the server returns a 401 error, and "WWW-Authenticate: NTLM"
 - the client sends "Authorization: NTLM first_part"
 - the server returns a 401 error, and "WWW-Authenticate: NTLM challenge"
 - the client sends "Authorization: NTLM second_part"

An attacker can start an NTLM authentication, then send a Basic authentication instead of the second part. In this case, an error occurs and the proxy stops.

This vulnerability therefore permits an attacker to conduct a denial of service.

computer vulnerability note CVE-2005-3015

Domino: Cross Site Scripting of BaseTarget and Src

Synthesis of the vulnerability

An attacker can use BaseTarget and Src parameters to conduct a Cross Site Scripting attack.
Impacted products: Domino.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/09/2005.
Identifiers: BID-14845, BID-14846, CVE-2005-3015, LO07849, LO07850, VIGILANCE-VUL-5199.

Description of the vulnerability

The BaseTarget and Src parameters can be set in the URL:
  http://server/base.nsf/?OpenForm&BaseTarget=valeur
  http://server/base.nsf/?OpenFrameSet&Frame=Main&Src=valeur

However, these parameters are not filtered before being displayed.

An attacker can therefore use this error to conduct a Cross Site Scripting attack.

computer vulnerability announce CVE-2005-2874

CUPS: denial of service with an IPP query

Synthesis of the vulnerability

An attacker can send an IPP request containing /.. leading to an infinite loop in CUPS.
Impacted products: CUPS, Fedora, RHEL.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 14/09/2005.
Identifiers: CVE-2005-2874, FEDORA-2005-908, RHSA-2005:772-01, VIGILANCE-VUL-5197.

Description of the vulnerability

CUPS (Common UNIX Printing System) manages printers under Unix.

It uses the IPP protocol (Internet Printing Protocol), which is based on HTTP/1.1, and listens on port 631/tcp.

When CUPS receives a query like "/rep/../f", it is converted to "/f". This is done by searching for the "/.." pattern. However, if this pattern is not followed by '/', an infinite loop occurs because the search always starts at the same offset.

This vulnerability therefore permits a network attacker to conduct a denial of service by overloading the computer where CUPS is installed.
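An added illustration of the loop condition above, not CUPS code: a normalizer that consumes the request path one segment at a time, so a "/.." that is not followed by '/' is kept as an ordinary name and the cursor always advances. The function name and its output-buffer signature are assumptions made for this example.

```c
#include <string.h>

/* Added illustration, not CUPS code: normalize an absolute request path so
 * that "/rep/../f" becomes "/f". The input is consumed one segment at a
 * time and the cursor always moves forward, so a "/.." that is NOT followed
 * by '/' (e.g. "/..x") is kept as an ordinary name. Restarting a search for
 * the "/.." pattern at the same offset whenever it lacks a trailing '/'
 * never terminates on such input; advancing per segment avoids that.
 * Returns 0 on success, -1 if in is not absolute or out is too small. */
int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0, inlen = strlen(in);
    int trailing = in[0] && in[inlen - 1] == '/';  /* keep a final '/' */
    const char *p = in;

    if (in[0] != '/' || outsz < 2)
        return -1;
    out[olen++] = '/';
    while (*p == '/') p++;

    while (*p) {
        const char *seg = p;
        size_t slen;
        while (*p && *p != '/') p++;          /* scan one segment */
        slen = (size_t)(p - seg);
        while (*p == '/') p++;                /* always consume separators */

        if (slen == 1 && seg[0] == '.')
            continue;                         /* "." is a no-op */
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen > 1) {                   /* ".." pops, never above root */
                olen--;                       /* drop the trailing '/' */
                while (olen > 0 && out[olen - 1] != '/') olen--;
            }
            continue;
        }
        if (olen + slen + 1 >= outsz)         /* room for segment, '/', NUL */
            return -1;
        memcpy(out + olen, seg, slen);
        olen += slen;
        out[olen++] = '/';
    }
    if (olen > 1 && !trailing)
        olen--;                               /* "/" alone stays "/" */
    out[olen] = '\0';
    return 0;
}
```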

computer vulnerability alert CVE-2005-4804

Java System AS: disclosure of jar files content

Synthesis of the vulnerability

An attacker can obtain contents of a jar file.
Impacted products: Sun AS.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 14/09/2005.
Identifiers: 101905, 6246426, BID-14823, CVE-2005-4804, VIGILANCE-VUL-5196.

Description of the vulnerability

Files with jar extension are Java archives.

Sun announced an attacker can obtain contents of jar files.

This vulnerability permits an attacker to obtain information about installed applications.

computer vulnerability CVE-2005-2657

common-lisp-controller: compiled code execution

Synthesis of the vulnerability

A local attacker can cache compiled code, which will be run by the next user.
Impacted products: Debian.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 14/09/2005.
Identifiers: BID-14829, CVE-2005-2657, DSA-811-1, DSA-811-2, VIGILANCE-VUL-5195.

Description of the vulnerability

The common-lisp-controller package compiles Common Lisp source code. Compiled code can be cached in a directory.

On the first execution of Common Lisp code, the cached code is used. However, this code may have been compiled by a local attacker.

An attacker can therefore compile malicious code, which will be run by the next user.

vulnerability note CVE-2005-3256

Enigmail: encryption for an unspecified recipient

Synthesis of the vulnerability

When the user's keyring contains a key with an empty uid, this key is selected to encrypt the message.
Impacted products: Debian, Mandriva Linux, Mozilla Suite, Thunderbird, openSUSE.
Severity: 3/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 13/09/2005.
Identifiers: BID-15155, CVE-2005-3256, DSA-889-1, MDKSA-2005:226, SUSE-SR:2005:028, VIGILANCE-VUL-5194, VU#805121.

Description of the vulnerability

The Enigmail extension signs and encrypts emails with GnuPG.

The user's keyring contains public keys for other users. When the user encrypts a message, a dialog box may appear asking him to select recipient keys.

However, if a key has an empty uid field, it is selected by default. The user may not notice it has been selected if his keyring contains many keys.

An attacker can therefore convince the user to add a key to his keyring, then capture sent messages in order to decrypt them.

vulnerability bulletin CVE-2005-2876

util-linux: increase of privileges with umount

Synthesis of the vulnerability

An attacker can mount a device, containing for example suid programs, in order to increase his privileges.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, Slackware, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 13/09/2005.
Identifiers: 20051003-01-U, 20051003-02-U, BID-14816, CERTA-2005-AVI-359, CVE-2005-2876, DSA-823-1, DSA-825-1, FEDORA-2005-886, FEDORA-2005-887, FLSA:168326, FLSA-2005:168326, MDKSA-2005:167, RHSA-2005:782, RHSA-2005:782-01, SSA:2005-255-02, SUSE-SR:2005:021, VIGILANCE-VUL-5193.

Description of the vulnerability

The util-linux package contains several utilities: fdisk, ipcs, more, mount, shutdown, etc.

The umount command detaches a filesystem from its mount point. If the filesystem is in use, this operation fails. In this case, if the '-r' option is specified, umount tries to remount the filesystem read-only.

However, the mount flags (nosuid, nodev, etc.) are not reused for the read-only remount. So, if an attacker is allowed to remount a filesystem containing suid root programs, these programs will be fully operational.

A local attacker can therefore increase his privileges by remounting a filesystem containing suid or sgid programs.

vulnerability announce CVE-2005-2495

XFree86: integer overflows of pixmap images

Synthesis of the vulnerability

A malicious pixmap image leads to several overflows in XFree86.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Slackware.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 13/09/2005.
Identifiers: 101926, 166859, 20051004-01-U, 20060403-01-U, 594, 6316436, 6316438, BID-14807, c00732238, CERTA-2005-AVI-345, CERTA-2005-AVI-375, CVE-2005-2495, DSA-816-1, FEDORA-2005-893, FEDORA-2005-894, FLSA-2006:168264-1, FLSA-2006:168264-2, HPSBUX02137, MDKSA-2005:164, RHSA-2005:329, RHSA-2005:329-01, RHSA-2005:396-01, RHSA-2005:501, RHSA-2005:501-01, SSA:2005-269-02, SSRT051024, SUSE-SA:2005:056, SUSE-SR:2005:023, VIGILANCE-VUL-5192, VU#102441.

Description of the vulnerability

The graphics library of XFree86 supports pixmap images.

This implementation does not correctly check the size of images. Indeed, the product of height and width can overflow and lead to a short memory allocation. Memory is then corrupted during the data copy.

Other integer overflows have been announced, but their technical details are unknown.

An attacker can therefore run code if a user opens a malicious pixmap.

vulnerability alert 5191

Snort: denial of service with a SACK TCP option

Synthesis of the vulnerability

An attacker can send a TCP packet with a malicious SACK option in order to stop snort.
Impacted products: Snort.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 13/09/2005.
Identifiers: BID-14811, VIGILANCE-VUL-5191.

Description of the vulnerability

The TCP SACK option (Selective Acknowledgment) is defined in RFC 1072 and RFC 2018. Snort implements RFC 1072:
 - 1 byte: type: 5
 - 1 byte: length: minimum 6 (1+1+2+2)
 - 2 bytes: Relative Origin
 - 2 bytes: Block Size

When snort is run in verbose mode, the SACK option is decoded and displayed:
  Sack: Relative_Origin@Block_Size
However, snort does not check that the length is greater than or equal to 6 before accessing Relative Origin and Block Size.

An attacker can therefore use a short option in order to generate a segmentation violation during access to the memory locations containing both variables.

Thus, a denial of service occurs when snort is run in verbose mode.
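An added example of the missing check, not Snort code: a walker over a TCP options area that validates each option's length byte, including the minimum of 6 for SACK, against the bytes remaining before reading Relative Origin and Block Size. Function and constant names are assumptions; the sample option bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_SACK  5
#define SACK_MIN_LEN 6   /* type + length + 2-byte origin + 2-byte size */

/* Added illustration, not Snort code. Walk a TCP options area and decode the
 * first SACK option in the RFC 1072 layout described above. Each option's
 * length byte is checked against its minimum and against the bytes left in
 * the buffer BEFORE any field is read, the check the bulletin says is missing.
 * Returns 1 with *origin/*blocksz set, 0 if no SACK is present,
 * -1 if any option is malformed. */
int decode_first_sack(const uint8_t *opts, size_t optlen,
                      uint16_t *origin, uint16_t *blocksz)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i], len;
        if (kind == TCPOPT_EOL)
            return 0;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen)
            return -1;                        /* length byte itself missing */
        len = opts[i + 1];
        if (len < 2 || len > optlen - i)
            return -1;                        /* bogus or past end of buffer */
        if (kind == TCPOPT_SACK) {
            if (len < SACK_MIN_LEN)
                return -1;                    /* the short option: reject */
            *origin  = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
            *blocksz = (uint16_t)((opts[i + 4] << 8) | opts[i + 5]);
            return 1;
        }
        i += len;                             /* skip any other option */
    }
    return 0;
}

int main(void)
{   /* constructed sample: NOP, NOP, SACK len 6, origin 0x0010, size 0x0200 */
    static const uint8_t opts[] = {1, 1, 5, 6, 0x00, 0x10, 0x02, 0x00};
    uint16_t o = 0, b = 0;
    int rc = decode_first_sack(opts, sizeof opts, &o, &b);
    printf("rc=%d Sack: %u@%u\n", rc, o, b);   /* prints rc=1 Sack: 16@512 */
    return 0;
}
```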
