News August 1997


Most of the links lead to the corresponding files at CERT or other organisations, so changes there are reflected immediately, in particular which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.


System: Short description and further information:
   
Netscape Navigator
(incl. V 4.02)
As reported by CNet, there are still JavaScript vulnerabilities in Netscape Navigator/Communicator. Andre dos Santos showed that by loading a 'tracker' applet it is still possible to send data typed by the user to other sites. This includes data that is later transferred over SSL or S-HTTP, because the keystrokes are captured before encryption takes place.
Netscape Communications now ships version 4.03.
all
New CERT Summary: CS-97.05 (ESB-97.111)
Trends in incidents reported to CERT:
1. Continuing IMAP Exploits
2. Increased Denial-of-Service Attacks
3. Increased Use of IRC in Root Compromises
4. Increased Exploitation of IRIX Buffer Overflows
5. Continuing INND Exploits
Further information about these and other topics can be found in the document linked above.
IRIX
Vulnerability in the Outbox Subsystem: SGI 19970501-02-PX, VB-97.07, ESB-97.113, H-102, S-97-67
Several programs provided with the Outbox Environment subsystem have been found to be insecure. These are the cgi-bin programs webdist.cgi, handler and wrap available for IRIX 5.x and 6.x. Each of these programs can be manipulated to execute arbitrary commands with potentially elevated privileges.
For these particular vulnerabilities, a local account is not required; each of them can be exploited remotely. Using these vulnerabilities, arbitrary commands can be executed with the privileges of the httpd daemon, or even with full privileged access (see also Advisories CA-97.12 and AA-97.14).
Patches are available from Silicon Graphics.
FreeBSD
Vulnerability in procfs: SA-97:04, ESB-97.112, H-101
Procfs provides a filesystem interface to the processes on a system. Among other programs, it is used by ps(1) and gdb(1). A problem exists in the procfs kernel code that allows processes to write to the memory of other processes where this should have been prohibited. The hole can be used by any user on the system to gain root privileges.
Patches can be found at FreeBSD Inc.
Solaris 2.3 - 2.5.1
(Sparc and x86)
Vulnerability in libXt: SUN Security Bulletin #00153, H-100, ESB-97.110, S-97-66
libXt is a library of the X Window System. Several buffers in libXt may be overflowed. The buffer overflow vulnerabilities may be exploited through setuid and setgid programs that link libXt, in order to gain increased privileges, including root privileges.
The patches can be found at the site of Sun Microsystems.
Solaris 2.3 - 2.5.1
(Sparc and x86)
Vulnerability in ifconfig: SUN Security Bulletin #00152, H-99, ESB-97.109, S-97-65
The ifconfig command assigns addresses to network interfaces and configures network interface parameters. The use of ifconfig to configure network interface parameters is restricted to the superuser. This vulnerability, if exploited, allows non-root attackers to use ifconfig to configure network interface parameters for any network interface on a system.
The patches can be found at the site of Sun Microsystems.
Solaris 2.3 - 2.5.1
(Sparc and x86)
Vulnerability in automountd: SUN Security Bulletin #00151, ESB-97.108, H-98
The automounter daemon automountd is an RPC server that answers file system mount and unmount requests from the autofs filesystem. Unprivileged users may exploit this vulnerability to send RPCs to automountd to change mount options of a file system.
The patches can be found at the site of Sun Microsystems.
IRIX
Vulnerability in ftpd: CA-97.16, ESB-97.107, H-97
As part of the normal operation of the ftpd program, various service signals are received and handled. Due to a race condition in this signal handling, a vulnerability can result that allows the manipulation of files with root privileges.
The patches are available from SGI.
Solaris 2.3 - 2.5.1
(Sparc and x86)
Security risk in xlock: SUN Security Bulletin #00150, H-95, ESB-97.104
The xlock program locks the local X display until the user supplies a password. Due to insufficient bounds checking on arguments supplied to xlock, it is possible to overwrite the stack space of the xlock program. As xlock is setuid root, this vulnerability may be exploited by users on a system to gain root access.
This problem was reported in May; the patches are now available from Sun Microsystems.
all
Security risk in BIND (versions before 8.1.1): CA-97.22, ESB-97.105, S-97-63, H-96
Even though newer versions are in use, older name servers are still being attacked: the mapping between host names and IP addresses may be changed. As a result, attackers can inspect, capture, or corrupt the information exchanged between hosts on a network.
Further details and some patches can be found at CERT.
Solaris 2.3 - 2.5.1
(Sparc and x86)
Vulnerability in ps: SUN Security Bulletin #00149, H-94, ESB-97.103, S-97-64
The ps command prints information about the active processes on a system. Due to insufficient bounds checking on arguments supplied to ps, it is possible to overwrite the internal data space of the ps program. As ps is setuid root, this vulnerability may be exploited by users on a system to gain root access.
Patches are available from Sun Microsystems.
all
Security risks in IMAP: CS-97.04
CERT has compiled a new list of the vulnerabilities that arise from running an IMAP server (CA-97.09). The risks affect all systems, especially Linux: most of these systems start the IMAP server by default.
UNIX
Security risks in the mSQL database: ESB-97.096
The mSQL server software, msqld or msql2d, performs no length checking on many of the strings it manipulates. By creating a query which contains a string longer than the mSQL server is prepared to deal with, an attacker can overwrite the stack and cause the mSQL server to execute arbitrary code. A second vulnerability exists because the mSQL server does not perform a forward DNS lookup on the results of reverse DNS lookups, allowing users who are able to spoof host names to access the mSQL server.
Unofficial patches for mSQL 2.0-rel and mSQL 2.0.1 are distributed by secnet. Further information about mSQL can be found at Hughes Technology.
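The second mSQL problem described above is the missing forward confirmation of a reverse lookup. The following C program is an added example, not code from the mSQL project or from any advisory: it contrasts a name check that trusts the PTR record alone with a forward-confirmed check, using constructed DNS data (the addresses, host names and the lookup functions fake_reverse/fake_forward are all assumptions made for this example; a real server would wrap gethostbyaddr()/gethostbyname() or getnameinfo()/getaddrinfo() instead).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Resolver callbacks, injected so the check can run offline on constructed data. */
typedef const char *(*reverse_fn)(const char *ip);                        /* ip -> PTR name or NULL */
typedef int (*forward_fn)(const char *host, const char **ips, int max);   /* host -> A records, count */

/* Constructed DNS data for this example. The owner of 198.51.100.7 controls
   its own reverse zone and has given it the PTR "trusted.example.com", but
   the forward record for that name points only at 192.0.2.10. */
static const struct { const char *ip, *host; } PTR_RECORDS[] = {
    { "192.0.2.10",   "trusted.example.com" },
    { "198.51.100.7", "trusted.example.com" },   /* PTR the forward zone does not confirm */
    { "192.0.2.11",   "other.example.com"   },
};
static const struct { const char *host, *ip; } A_RECORDS[] = {
    { "trusted.example.com", "192.0.2.10" },
    { "other.example.com",   "192.0.2.11" },
};

const char *fake_reverse(const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof PTR_RECORDS / sizeof PTR_RECORDS[0]; i++)
        if (strcmp(PTR_RECORDS[i].ip, ip) == 0)
            return PTR_RECORDS[i].host;
    return NULL;
}

int fake_forward(const char *host, const char **ips, int max)
{
    size_t i;
    int n = 0;
    for (i = 0; i < sizeof A_RECORDS / sizeof A_RECORDS[0] && n < max; i++)
        if (strcmp(A_RECORDS[i].host, host) == 0)
            ips[n++] = A_RECORDS[i].ip;
    return n;
}

/* The weak check: believe whatever name the reverse lookup returns. */
int name_allowed_reverse_only(const char *ip, const char *trusted, reverse_fn rev)
{
    const char *host = rev(ip);
    return host != NULL && strcmp(host, trusted) == 0;
}

/* Forward-confirmed reverse DNS: the PTR name is believed only if it resolves
   forward to the address the connection actually came from. Returns 1 and
   copies the confirmed name into name on success, 0 otherwise. */
int fcrdns_confirm(const char *ip, reverse_fn rev, forward_fn fwd, char *name, size_t namesz)
{
    const char *ips[16];
    const char *host = rev(ip);
    int n, i;

    if (host == NULL)
        return 0;
    n = fwd(host, ips, 16);
    for (i = 0; i < n; i++) {
        if (strcmp(ips[i], ip) == 0) {
            snprintf(name, namesz, "%s", host);
            return 1;
        }
    }
    return 0;   /* the forward zone does not vouch for this address */
}

/* The corrected check: compare against the trusted name only after confirmation. */
int name_allowed_confirmed(const char *ip, const char *trusted, reverse_fn rev, forward_fn fwd)
{
    char name[256];
    if (!fcrdns_confirm(ip, rev, fwd, name, sizeof name))
        return 0;
    return strcmp(name, trusted) == 0;
}

int main(void)
{
    const char *spoofed = "198.51.100.7";
    printf("reverse only : %d\n", name_allowed_reverse_only(spoofed, "trusted.example.com", fake_reverse));
    printf("forward-confirmed: %d\n", name_allowed_confirmed(spoofed, "trusted.example.com", fake_reverse, fake_forward));
    return 0;
}
```

Even a confirmed name only shows that the forward and reverse zones agree; an attacker who can alter name-server data (see the BIND entry on this page) can make both agree, so host-name based access control should remain a secondary control behind real authentication.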
IRIX
Vulnerability in the program ordist(1): SGI 19970509-02-PX, S-97-62, ESB-97.102, H-93
New and additional patches are available from SGI and are also distributed by DFN-CERT.
Novell Netware 3.12
Novell Netware 3.12 in combination with HP-UX release B.10.08 or earlier, and B.09.05 or earlier, allows unauthorized users to read files: HP Security Advisory #0068, H-92, ESB-97.106
Patches are available from Hewlett-Packard.
HP-UX
A vulnerability exists with the use of user or group IDs greater than 60000: H-91
The new list of patches is available from Hewlett-Packard.
HP-UX
Suid/sgid programs linked with the X11/Motif libraries can be exploited to gain privileges because of buffer overflows in the X11/Motif libraries: HP Security Advisory #0067, H-92.
Patches are available from Hewlett-Packard.
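Several entries on this page (libXt, xlock, ps, and the X11/Motif libraries) describe the same defect: a setuid or setgid program copies a command-line argument into a fixed-size buffer without checking its length. The C program below is an added example, not code from any of the affected vendors: it keeps the unsafe pattern as a comment and implements the bounded handling a privileged program should use instead. The buffer size OPT_BUF_SIZE, the function names and the sample command line are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the size a program such as xlock or ps might
   reserve for one option value (a display name, a font, a user name). */
#define OPT_BUF_SIZE 8

/* The pattern the advisories describe, kept only as a comment:
 *
 *     void use_option(const char *arg) {
 *         char buf[OPT_BUF_SIZE];
 *         strcpy(buf, arg);        no length check: a longer argument
 *         ...                      overwrites the stack beyond buf
 *     }
 *
 * In a setuid-root binary that overwrite happens with root privileges.
 */

/* Length of s, scanning at most limit bytes, so an overlong argument never
   makes us read further than we are prepared to accept. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Bounded copy of an option value. Returns 0 with a NUL-terminated dst on
   success, -1 (dst left empty) if the value does not fit including its NUL.
   A privileged program should reject the argument on -1, never truncate it
   silently, since a truncated value may change the program's meaning. */
int copy_option(char *dst, size_t dstsz, const char *arg)
{
    size_t n;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (arg == NULL)
        return -1;

    n = bounded_len(arg, dstsz);
    if (n >= dstsz)            /* n == dstsz means no room for the NUL */
        return -1;
    memcpy(dst, arg, n + 1);   /* n bytes plus the terminating NUL */
    return 0;
}

/* Check every argument up front, before any of them is copied anywhere.
   Returns 0 if all fit within limit bytes (excluding the NUL), otherwise the
   index of the first argument that is too long or missing. */
int first_overlong_arg(int argc, char **argv, size_t limit)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (argv[i] == NULL || bounded_len(argv[i], limit + 1) > limit)
            return i;
    }
    return 0;
}

/* Convenience wrapper with a static buffer: returns the copied value, or
   NULL if copy_option rejected it. */
const char *copy_option_result(const char *arg)
{
    static char buf[OPT_BUF_SIZE];
    return copy_option(buf, sizeof buf, arg) == 0 ? buf : NULL;
}

/* Constructed command line in the style of the advisories: the last argument
   is far longer than any option value the program expects. */
int check_sample_argv(void)
{
    char *argv[] = { "xlock", "-mode", "random",
                     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
                     NULL };
    return first_overlong_arg(4, argv, OPT_BUF_SIZE - 1);
}

int main(void)
{
    const char *r = copy_option_result("-mode");
    printf("short option: %s\n", r ? r : "rejected");
    printf("long option: %s\n", copy_option_result("AAAAAAAAAAAAAAAA") ? "accepted" : "rejected");
    printf("first overlong argv index: %d\n", check_sample_argv());
    return 0;
}
```

The same rule applies to every other input a setuid program reads before dropping privileges (environment variables, resource files): measure against the destination size first, and refuse rather than truncate when it does not fit.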


© 1997 Dr. Matthias Leu, EDV Beratung für Internet/Intranet, last Update: 13.09.1997