| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
History of vulnerabilities analyzed by Vigil@nce:
ClamAV: buffer overflow of UPX and denial of service of FSG
Synthesis of the vulnerability
An attacker can create malicious UPX or FSG programs in order to run code or lead to a denial of service.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 19/09/2005.
Identifiers: BID-14866, BID-14867, CERTA-2005-AVI-348, CVE-2005-2919, CVE-2005-2920, DSA-824-1, MDKSA-2005:166, SUSE-SA:2005:055, VIGILANCE-VUL-5201, VU#363713.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Programs can be packed in order to shrink their size and make their analyze more complex. ClamAV supports several packers, such as UPX (Ultimate Packer for eXecutables) and FSG (Fast Small Good).
A program compacted with UPX can lead to a buffer overflow in libclamav/upx.c.
A program compacted with FSG can lead to an infinite loop in libclamav/fsg.c.
An attacker can therefore send a compacted program in order to run code or to conduct a denial of service.
Full Vigil@nce bulletin... (Free trial) |
Squid: denial of service by changing authentication type
Synthesis of the vulnerability
An attacker can change authentication type in order to stop Squid-cache.
Severity: 2/4.
Creation date: 16/09/2005.
Identifiers: 1391, 20060401-01-U, BID-14977, CERTA-2005-AVI-371, CVE-2005-2917, DSA-828-1, FLSA-2006:152809, MDKSA-2005:181, RHSA-2006:004, RHSA-2006:0045-01, RHSA-2006:005, RHSA-2006:0052-01, SUSE-SR-2005:027, TLSA-2005-101, VIGILANCE-VUL-5200.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Proxy Squid-cache supports several authentication types:
- Basic: login and password are sent encoded in base64
- NTLM: a NTLM (Microsoft) authentication is used
A NTLM authentication needs a challenge and a response:
- client asks an access to the resource
- server returns a 401 error, and "WWW-Authenticate: NTLM"
- client sends "Authorization: NTLM first_part"
- server returns a 401 error, and "WWW-Authenticate: NTLM challenge"
- client sends "Authorization: NTLM second_part"
An attacker can start a NTLM authentication, then send a basic authentication instead of second part. In this case, an error occurs and proxy stops.
This vulnerability therefore permits an attacker to conduct a denial of service.
Full Vigil@nce bulletin... (Free trial) |
Domino: Cross Site Scripting of BaseTarget and Src
Synthesis of the vulnerability
An attacker can use BaseTarget and Src parameters to conduct a Cross Site Scripting attack.
Severity: 2/4.
Creation date: 15/09/2005.
Identifiers: BID-14845, BID-14846, CVE-2005-3015, LO07849, LO07850, VIGILANCE-VUL-5199.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Parameters BaseTarget and Src can be set in url:
http://server/base.nsf/?OpenForm&BaseTarget=valeur
http://server/base.nsf/?OpenFrameSet&Frame=Main&Src=valeur
However, these parameters are not filtered before being displayed.
An attacker can therefore use this error to conduct a Cross Site Scripting attack.
Full Vigil@nce bulletin... (Free trial) |
CUPS: denial of service with an IPP query
Synthesis of the vulnerability
An attacker can send an IPP request containing /.. leading to an infinite loop in CUPS.
Severity: 2/4.
Creation date: 14/09/2005.
Identifiers: CVE-2005-2874, FEDORA-2005-908, RHSA-2005:772-01, VIGILANCE-VUL-5197.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
CUPS system (Common UNIX Printing System) ensures printers management under Unix.
This software uses IPP protocol (Internet Printing Protocol), based on HTTP/1.1, and listens on port 631/tcp.
When CUPS receives a query like "/rep/../f", it is converted to "/f". This is done by searching "/.." pattern. However, if this pattern is not followed by '/', an infinite loop occurs because search always start on the same offset.
This vulnerability therefore permits a network attacker to conduct a denial of service by overloading computer where CUPS is installed.
Full Vigil@nce bulletin... (Free trial) |
Java System AS: disclosure of jar files content
Synthesis of the vulnerability
An attacker can obtain contents of a jar file.
Severity: 2/4.
Creation date: 14/09/2005.
Identifiers: 101905, 6246426, BID-14823, CVE-2005-4804, VIGILANCE-VUL-5196.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Files with jar extension are Java archives.
Sun announced an attacker can obtain contents of jar files.
This vulnerability permits an attacker to obtain information about installed applications.
Full Vigil@nce bulletin... (Free trial) |
common-lisp-controller: compiled code execution
Synthesis of the vulnerability
A local attacker can cache a compiled code, which will be run by next user.
Severity: 1/4.
Creation date: 14/09/2005.
Identifiers: BID-14829, CVE-2005-2657, DSA-811-1, DSA-811-2, VIGILANCE-VUL-5195.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Package common-lisp-controller compiles Common Lisp source code. Compiled code can be cached in a directory.
On first execution of a Common Lisp code, cached code is used. However, this code may have been compiled by a local attacker.
An attacker can therefore compile malicious code, which will be run by next user.
Full Vigil@nce bulletin... (Free trial) |
Enigmail: encryption for an unspecified recipient
Synthesis of the vulnerability
When user keyring contains a key with an empty uid, this key is selected to encrypt the message.
Severity: 3/4.
Creation date: 13/09/2005.
Identifiers: BID-15155, CVE-2005-3256, DSA-889-1, MDKSA-2005:226, SUSE-SR:2005:028, VIGILANCE-VUL-5194, VU#805121.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Enigmail extension signs and encrypts emails with GnuPG.
User keyring contains publics keys for other users. When user encrypts a message, a dialog box may appear asking him to select recipient keys.
However, if a key has an empty uid field, it is selected by default. User may not see it has been selected if his keyring contains many keys.
An attacker can therefore convince user to add a key in his keyring, then capture sent messages in order to decrypt them.
Full Vigil@nce bulletin... (Free trial) |
util-linux: increase of privileges with umount
Synthesis of the vulnerability
An attacker can mount a device, containing for example suid programs, in order to increase his privileges.
Severity: 1/4.
Creation date: 13/09/2005.
Identifiers: 20051003-01-U, 20051003-02-U, BID-14816, CERTA-2005-AVI-359, CVE-2005-2876, DSA-823-1, DSA-825-1, FEDORA-2005-886, FEDORA-2005-887, FLSA:168326, FLSA-2005:168326, MDKSA-2005:167, RHSA-2005:782, RHSA-2005:782-01, SSA:2005-255-02, SUSE-SR:2005:021, VIGILANCE-VUL-5193.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Package util-linux contains several utilities: fdisk, ipcs, more, mount, shutdown, etc.
Command umount detaches a filesystem from its mount point. If filesystem is in use, this operation fails. In this case, if '-r' option is specified, umount tries to remount the system read-only.
However, flags (nosuid, nodev, etc.) are not reused for read-only remounting. So, if an attacker is allowed to remount a filesytem containing suid root programs, these programs will be fully operational.
A local attacker can therefore increase his privileges by remounting a filesystem containing suid or sgid programs.
Full Vigil@nce bulletin... (Free trial) |
XFree86: integer overflows of pixmap images
Synthesis of the vulnerability
A malicious pixmap image leads to several overflows in XFree86.
Severity: 2/4.
Creation date: 13/09/2005.
Identifiers: 101926, 166859, 20051004-01-U, 20060403-01-U, 594, 6316436, 6316438, BID-14807, c00732238, CERTA-2005-AVI-345, CERTA-2005-AVI-375, CVE-2005-2495, DSA-816-1, FEDORA-2005-893, FEDORA-2005-894, FLSA-2006:168264-1, FLSA-2006:168264-2, HPSBUX02137, MDKSA-2005:164, RHSA-2005:329, RHSA-2005:329-01, RHSA-2005:396-01, RHSA-2005:501, RHSA-2005:501-01, SSA:2005-269-02, SSRT051024, SUSE-SA:2005:056, SUSE-SR:2005:023, VIGILANCE-VUL-5192, VU#102441.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Graphic library of XFree86 supports pixmap images.
This implementation does not correctly check size of images. Indeed, the product height by width can overflow and lead to a short memory allocation. Memory will be corrupted during data copy.
Other integer overflows have been announced, but their technical details are unknown.
An attacker can therefore run code if user opens a malicious pixmap.
Full Vigil@nce bulletin... (Free trial) |
Snort: denial of service with a SACK TCP option
Synthesis of the vulnerability
An attacker can send a TCP packet with a malicious SACK option in order to stop snort.
Severity: 2/4.
Creation date: 13/09/2005.
Identifiers: BID-14811, VIGILANCE-VUL-5191.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Option TCP SACK (Selective Acknowledgment) is defined in RFC 1072 and 2018. Snort implements RFC 1072 :
- 1 byte : type : 5
- 1 byte : length : minimum 6 (1+1+2+2)
- 2 bytes : Relative Origin
- 2 bytes : Block Size
When snort is run in verbose mode, SACK option is decoded and displayed:
Sack: Relative_Origin@Block_Size
However, snort does not check if length is greater or equal than 6, before accessing Relative Origin and Block Size.
An attacker can therefore use a short option in order to generate a segment violation, during access to memory parts containing both variables.
Thus, a denial of service occurs when snort is run in verbose mode.
Full Vigil@nce bulletin... (Free trial) |
Previous page Next page Direct access to page
1
21
41
61
81
101
121
141
161
181
201
221
241
261
281
301
321
341
361
381
401
421
441
461
481
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
521
541
561
581
601
621
641
661
681
701
721
741
761
781
801
821
841
861
881
901
921
941
961
981
1001
1021
1041
1061
1081
1101
1121
1141
1161
1181
1201
1221
1241
1261
1281
1301
1321
1341
1361
1381
1401
1421
1441
1461
1481
1501
1521
1541
1561
1581
1601
1621
1641
1661
1681
1701
1721
1741
1761
1781
1801
1821
1841
1861
1881
1901
1921
1941
1961
1981
2001
2021
2041
2061
2081
2101
2121
2141
2161
2181
2201
2221
2241
2261
2281
2301
2321
2341
2361
2381
2401
2421
2441
2461
2481
2501
2521
2541
2561
2581
2601
2621
2641
2661
2681
2701
2721
2741
2761
2781
2801
2821
2841
2861
2881
2901
2921
2924
|