The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

security note CVE-2005-3358

Linux kernel: denial of service with sys_set_mempolicy

Synthesis of the vulnerability

A local attacker can use sys_set_mempolicy() to stop the system.
Severity: 1/4.
Creation date: 03/01/2006.
Identifiers: 175683, BID-16135, CERTA-2002-AVI-006, CVE-2005-3358, DSA-1017-1, FLSA-2006:157459-3, FLSA-2006:157459-4, RHSA-2006:010, RHSA-2006:0101-01, SUSE-SA:2006:006, SUSE-SA:2006:012, VIGILANCE-VUL-5466.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The sys_set_mempolicy() system call defines the memory policy of the current process:
  long sys_set_mempolicy(int mode, unsigned long __user *nmask, unsigned long maxnode);

The "nmask" parameter indicates a bitfield, stored in an array of long integers, corresponding to a node mask.

However, if all bits of the mask are zero, an error occurs in sys_set_mempolicy() and the kernel stops.

This vulnerability therefore permits a local attacker to conduct a denial of service.

weakness note 5465

FreeBSD: denial of service of nfs_lookup

Synthesis of the vulnerability

A local attacker can generate an error using an NFS client in order to stop the system.
Severity: 1/4.
Creation date: 03/01/2006.
Identifiers: FreeBSD-EN-05:04.nfs, VIGILANCE-VUL-5465.

Description of the vulnerability

The kernel supports NFS filesystems.

The nfs_lookup() function obtains a handle on a file. This function does not lock its data correctly, so a call to the vrele() release function can occur that corrupts memory. This error occurs in some particular usage cases of the NFS client.

A local attacker could generate this error in order to stop the system.

computer threat announcement CVE-2005-4604

mtink: buffer overflow of HOME

Synthesis of the vulnerability

A local attacker can exploit an overflow in mtink in order to obtain root privileges.
Severity: 2/4.
Creation date: 02/01/2006.
Identifiers: BID-16095, CVE-2005-4604, MDKSA-2005:239, VIGILANCE-VUL-5464.

Description of the vulnerability

The mtink utility manages ink and cartridges of Epson printers. It is installed suid root.

This program does not check the size of the HOME environment variable before storing it in a fixed-size buffer. An overflow can thus occur.

This vulnerability therefore permits a local attacker to obtain root privileges.
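
The check that mtink lacks, as an added example that is not the utility's own code: the fixed-size buffer is filled from HOME through a bounded copy whose result is verified, and oversized input is refused rather than silently truncated. The buffer size, the .mtinkrc file name and the helper names are hypothetical choices of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* constructed fixed buffer size for the demo */

/* Vulnerable shape, as the advisory describes it (shown for contrast, not run):
 *     char path[PATH_BUF];
 *     strcpy(path, getenv("HOME"));   // no length check on HOME
 *     strcat(path, "/.mtinkrc");
 * A HOME longer than the buffer overruns it; in a suid-root binary the
 * overrun is attacker-controlled. */

/* Hardened form: bound the copy and refuse over-long input.
 * Returns 0 on success, -1 when HOME is missing or the result would not fit. */
static int build_rc_path(const char *home, char *dst, size_t dstsz)
{
    int n;

    if (home == NULL || dst == NULL || dstsz == 0)
        return -1;

    /* ".mtinkrc" is a hypothetical file name for the example */
    n = snprintf(dst, dstsz, "%s/.mtinkrc", home);

    /* snprintf returns the length it *wanted* to write; a value >= dstsz
     * means the output was truncated, which we treat as an error rather
     * than continuing with a partial path. */
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Probe for the tests: builds a constructed HOME of the given length and
 * reports whether build_rc_path() accepts it (0) or refuses it (-1). */
static int home_of_length_fits(size_t len)
{
    char *home = malloc(len + 1);
    char dst[PATH_BUF];
    int rc;

    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    rc = build_rc_path(home, dst, sizeof dst);
    free(home);
    return rc;
}

int main(void)
{
    char dst[PATH_BUF];

    if (build_rc_path(getenv("HOME"), dst, sizeof dst) == 0)
        printf("rc path: %s\n", dst);
    else
        fprintf(stderr, "HOME missing or too long; refusing\n");
    return 0;
}
```

With a 256-byte buffer and the 9-character suffix "/.mtinkrc", a HOME of 246 bytes is the longest that fits together with the terminating NUL; one byte more is rejected instead of overflowing.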

vulnerability bulletin 5463

AIX: information disclosure with getShell or getCommand

Synthesis of the vulnerability

A local attacker can use getShell or getCommand to obtain information about a file.
Severity: 1/4.
Creation date: 02/01/2006.
Identifiers: BID-16102, BID-16103, VIGILANCE-VUL-5463, xfocus-SD-060101.

Description of the vulnerability

The WebSM environment can be used to administer several servers. The /usr/websm/bin/getShell and /usr/websm/bin/getCommand programs are installed suid root.

A local attacker can use these programs to:
 - detect a file located in an unreadable directory
 - display the content of an unreadable file

These vulnerabilities therefore permit a local attacker to obtain sensitive information.

computer weakness alert CVE-2005-4532 CVE-2005-4533

scponly: privilege increase with scponlyc

Synthesis of the vulnerability

A local attacker can elevate his privileges using scponlyc.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/12/2005.
Identifiers: BID-16051, CVE-2005-4532, CVE-2005-4533, DSA-969-1, VIGILANCE-VUL-5462.

Description of the vulnerability

The scponly restricted shell is used with OpenSSH to limit access to scp.

The scponlyc program is installed suid root and permits creating a chrooted environment.

However, a local attacker can use this program to chroot to arbitrary locations. He can thus:
 - create a hard link, located in the environment, to a suid root program
 - use ld preload to load a malicious library
The code in the library is then run with root rights.

This vulnerability therefore permits a local attacker to gain root privileges.

computer weakness bulletin CVE-2005-4605

Linux kernel: reading memory with procfs

Synthesis of the vulnerability

An attacker can read memory contents using some files under procfs.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16284, CERTA-2002-AVI-006, CVE-2005-4605, DSA-1017-1, FEDORA-2005-013, FLSA-2006:157459-3, FLSA-2006:157459-4, MDKSA-2006:040, RHSA-2006:010, RHSA-2006:0101-01, SUSE-SA:2006:006, SUSE-SA:2006:012, VIGILANCE-VUL-5461.

Description of the vulnerability

The procfs filesystem (/proc) can be used to set or read system information. The read function has the following prototype (read_proc_t):
  int f(char *page, char **start, off_t off, int count, int *eof, void *data);
With:
  page: memory area
  off: starting offset of data to read
  count: size to read
  data: private opaque data
  start: pointer to data start (page+off)
  return value: read size
  eof: indicator of end of data

In several places in the kernel, the eof indicator is set when off+count is greater than the data size the kernel expects to return. However, this sum can overflow, in which case the eof indicator is not set and the read continues past the data.

A local attacker can therefore use this vulnerability to read memory contents.
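
The overflow in the eof check, worked as an added example: this is constructed demonstration code, not kernel code from the advisory. It places the unsafe comparison (which forms off+count) beside a hardened one (which compares against the remaining length), and drives both through a small simulation of a read_proc_t-style handler over a 100-byte entry. The entry length, the sample data and the probe helpers are assumptions of the example; the simulation skips the copy whenever the handler would have read past the entry, so the out-of-bounds read is reported, not performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a proc entry's contents: 100 bytes. */
#define ENTRY_LEN 100
static char entry_data[ENTRY_LEN];

/* Vulnerable pattern from the advisory: decide eof by forming off+count.
 * For a huge off the sum wraps, the comparison fails and eof stays clear. */
static int eof_reached_unsafe(uint64_t off, uint64_t count, uint64_t len)
{
    return off + count >= len;
}

/* Hardened form: compare against the remaining space; never form the sum. */
static int eof_reached_safe(uint64_t off, uint64_t count, uint64_t len)
{
    if (off >= len)
        return 1;
    return count >= len - off;
}

/* Simulates one read through a read_proc_t-style handler. Returns the byte
 * count the handler would hand back, or -1 when it would copy from outside
 * entry_data (the memory disclosure). The copy is skipped in that case. */
static int64_t simulate_read(int hardened, uint64_t off, uint64_t count,
                             int *eof, char *out)
{
    const uint64_t len = ENTRY_LEN;
    uint64_t n;

    *eof = hardened ? eof_reached_safe(off, count, len)
                    : eof_reached_unsafe(off, count, len);

    if (*eof) {
        n = (off < len) ? len - off : 0;   /* clamp to what is left */
        if (n > count)
            n = count;
    } else {
        n = count;   /* handler trusts its check and copies count bytes */
    }

    if (n == 0)
        return 0;
    if (off >= len || n > len - off)
        return -1;   /* would read past the end of the entry */

    memcpy(out, entry_data + off, (size_t)n);
    return (int64_t)n;
}

/* Probes used by the tests: byte count / eof flag for one simulated read. */
static int64_t probe_bytes(int hardened, uint64_t off, uint64_t count)
{
    int eof;
    char out[ENTRY_LEN];
    return simulate_read(hardened, off, count, &eof, out);
}

static int probe_eof(int hardened, uint64_t off, uint64_t count)
{
    int eof;
    char out[ENTRY_LEN];
    simulate_read(hardened, off, count, &eof, out);
    return eof;
}

int main(void)
{
    const uint64_t huge = UINT64_MAX - 8;   /* off+16 wraps to 7 */

    printf("unsafe, off=huge count=16: bytes=%lld eof=%d\n",
           (long long)probe_bytes(0, huge, 16), probe_eof(0, huge, 16));
    printf("safe,   off=huge count=16: bytes=%lld eof=%d\n",
           (long long)probe_bytes(1, huge, 16), probe_eof(1, huge, 16));
    return 0;
}
```

For ordinary offsets both checks agree (a read of 16 bytes at offset 96 returns the last 4 bytes with eof set). For an offset near UINT64_MAX the unsafe check computes a wrapped sum of 7, leaves eof clear and would copy 16 bytes from far outside the entry; the hardened check sets eof and returns nothing.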

computer vulnerability bulletin CVE-2005-3623

Linux kernel: setting ACL on NFS

Synthesis of the vulnerability

A local attacker can set an ACL on an NFS filesystem mounted read-only.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: CVE-2005-3623, RHSA-2006:057, RHSA-2006:0575-01, SUSE-SA:2006:006, SUSE-SA:2006:012, VIGILANCE-VUL-5460.

Description of the vulnerability

The fh_verify() function notably checks file handle access rights. The MAY_SATTR parameter indicates that it should check whether file attributes can be changed.

The nfsd3_proc_setacl() and nfsacld_proc_setacl() functions call fh_verify() without the MAY_SATTR parameter. Thus, when the file system is mounted read-only, an attacker can still change its ACL.

This vulnerability therefore permits a local attacker to alter the access rights of a read-only file over NFS.

vulnerability alert CVE-2005-4560

Windows: code execution with a WMF file

Synthesis of the vulnerability

Displaying a malicious WMF file leads to code execution.
Severity: 3/4.
Creation date: 28/12/2005.
Revisions dates: 29/12/2005, 02/01/2006, 04/01/2006, 06/01/2006.
Identifiers: 912840, BID-16074, CERTA-2006-AVI-011, CVE-2005-4560, MS06-001, VIGILANCE-VUL-5459, VU#181038.

Description of the vulnerability

Images in WMF (Windows Metafile) format are supported by the Graphics Rendering Engine. It is used by the Windows Picture and Fax Viewer (shimgvw.dll), which previews images in Explorer (Windows XP and 2003).

A WMF image can contain a META_ESCAPE record of SETABORTPROC type indicating code to run when an error occurs. Thus, when an invalid WMF image containing this record type is displayed, the code is run.

An attacker can therefore send a malicious image to a user, or invite him to visit a web site, in order to run code on his computer.

security vulnerability CVE-2005-3343

tkdiff: file corruption

Synthesis of the vulnerability

A local attacker can alter a file during tkdiff usage.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16064, CVE-2005-3343, DSA-927-1, DSA-927-2, MDKSA-2006:001, VIGILANCE-VUL-5458.

Description of the vulnerability

The tkdiff program is used to compare two files.

This program creates a temporary file in an insecure manner: its name is composed of predictable items (the temporary directory, the user name and the pid number).

A local attacker can therefore create a symlink in order to alter a file with the rights of the tkdiff user.

threat alert CVE-2005-3341

dhis-tools-dns: file corruption

Synthesis of the vulnerability

A local attacker can alter a file during usage of scripts from dhis-tools-dns.
Severity: 1/4.
Creation date: 28/12/2005.
Identifiers: BID-16065, CVE-2005-3341, DSA-928-1, VIGILANCE-VUL-5457.

Description of the vulnerability

The dhis-tools-dns suite contains tools used by the Dynamic Host Information System (DHIS).

The register-p.sh script uses temporary files in an insecure manner (/etc/dhis/temp/pass.$$, id.$$, nsupdate.$$).
The register-q.sh script uses temporary files in an insecure manner (/etc/dhis/temp/keys.$$, id.$$, nsupdate.$$).
These scripts are run with root rights.

A local attacker can therefore create a symlink in order to alter a system file with root rights.