News October 1997


Most of the links lead to the corresponding files at CERT or other organisations, so any changes there take effect immediately, in particular regarding which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we are not publishing a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


System: Short description and further information:
   
cgi-bin
Vulnerability in Count.cgi: AA-97.27, I-013, CA-97.24, S-97-80
The Count.cgi cgi-bin program is used to record and display the number of times a WWW page has been accessed. Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the Count.cgi program while it is executing. By supplying a carefully designed argument to the Count.cgi program, intruders may be able to force Count.cgi to execute arbitrary commands with the privileges of the httpd process, i.e. a remote user may be able to execute arbitrary commands with the privileges of the web server.
It is strongly recommended to install version 2.4.
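As an added example (not code from the advisory or from the Count.cgi author), the following Python script scans web server access-log lines in Common Log Format and flags Count.cgi requests whose decoded query string is far longer than any legitimate counter argument or contains non-printable bytes, the two traits an overflow attempt against this program would show in the logs. The log lines and the 256-byte threshold are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines in Common Log Format (sample data, not from the advisory).
# The second line carries an oversized, partly non-printable argument to Count.cgi.
OVERSIZED_ARG = "A" * 300 + "%90%90%90%90"
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [20/Oct/1997:10:01:02 +0100] "GET /cgi-bin/Count.cgi?df=home.dat HTTP/1.0" 200 1024',
    '10.0.0.9 - - [20/Oct/1997:10:03:14 +0100] "GET /cgi-bin/Count.cgi?user=' + OVERSIZED_ARG + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [20/Oct/1997:10:04:00 +0100] "GET /index.html HTTP/1.0" 200 2048',
])

# client, ident, user, [timestamp], "METHOD target [protocol]", status, size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\S+)')

MAX_QUERY_BYTES = 256  # assumed threshold; legitimate Count.cgi queries are a few dozen bytes

def suspicious_count_requests(log_text, max_query_bytes=MAX_QUERY_BYTES):
    """Return one dict per Count.cgi request whose decoded query looks like overflow input."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/Count.cgi"):
            continue
        query = unquote_to_bytes(parts.query)   # decode %xx so encoded bytes are measured too
        reasons = []
        if len(query) > max_query_bytes:
            reasons.append("oversized argument")
        if any(b < 0x20 or b > 0x7e for b in query):
            reasons.append("non-printable bytes")
        if reasons:
            hits.append({"client": client, "time": when, "status": status,
                         "query_len": len(query), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in suspicious_count_requests(SAMPLE_LOG):
        print(hit)
```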

Linux
New patches for Red Hat 4.x: ESB-97.132
Numerous security holes have recently been fixed. Only one of these is at all serious; most are minor problems with possible /tmp exploits.
The patches are linked in the bulletin. Similar fixes for the Thunderbird and Mustang beta glibc releases will show up in the devel tree on ftp.redhat.com.

AIX 3.2, 4.x
Vulnerability in the ftp client: ERS-009, ESB-97.143, S-97-77, I-012, S-97-78
The AIX ftp client interprets server-provided filenames. It can be tricked into running arbitrary commands supplied by the remote server: when a remote filename begins with a pipe symbol, the ftp client processes the contents of the remote file as a shell script, so a remote ftp server can cause arbitrary commands to run on the local machine. This can include remote root access.
It is recommended to install the patch for AIX 4.x. There is no patch available for AIX 3.2; an upgrade to 4.x is strongly recommended.
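As an added example (not code from the advisory or from IBM), a Python filter that applies the defensive rule any ftp client should follow: never hand a server-supplied filename to the local side unchecked. The allowed-name policy (no leading pipe, dot or dash, no path separators, no control characters) and the sample listing are assumptions of this example.

```python
import re

# Constructed NLST reply as a hostile server might send it (sample data, not from the advisory).
SAMPLE_LISTING = ["README", "data-1997.tar.gz", "|sh -c id", "../.rhosts",
                  ".rhosts", "bad\nname", "-n", ""]

# Local file names this client is willing to create: a plain character set, no leading
# dot or dash, bounded length. This policy is assumed here, not taken from the AIX advisory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,254}$")

def check_server_filename(name):
    """Return None if the server-supplied name may be used locally, else the reason it is refused."""
    if not name:
        return "empty name"
    if name[0] == "|":
        return "pipe prefix: would be interpreted as a command to run"
    if "/" in name or "\\" in name:
        return "path separator: would write outside the current directory"
    if name in (".", "..") or name.startswith(".."):
        return "parent directory reference"
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in name):
        return "control character"
    if name[0] == "-":
        return "leading dash: could be parsed as an option"
    if name[0] == ".":
        return "leading dot: would overwrite a hidden file such as .rhosts"
    if not SAFE_NAME.match(name):
        return "character outside the allowed set"
    return None

def split_listing(listing):
    """Separate a directory listing into names safe to fetch and (name, reason) pairs to refuse."""
    accepted, refused = [], []
    for name in listing:
        reason = check_server_filename(name)
        if reason is None:
            accepted.append(name)
        else:
            refused.append((name, reason))
    return accepted, refused

if __name__ == "__main__":
    ok, bad = split_listing(SAMPLE_LISTING)
    print("would fetch:", ok)
    for name, reason in bad:
        print("refused %r: %s" % (name, reason))
```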

AIX 4.x
Vulnerability in nslookup: ERS-008, ESB-97.142, I-010, S-97-77
The AIX "nslookup" command does not drop privileges correctly. In some versions it has a vulnerability that allows local users to become root.
It is recommended to install the patch from IBM.

AIX 4.x
Vulnerability in piodmgrsu: ERS-007, ESB-97.141, I-010, S-97-77
The piodmgrsu command was first shipped in AIX 4.1 and performs various operations on the printer backend's alternate ODM database. The command passes an insecure environment to its children, allowing local users to gain access to the administrative "printq" group.
It is recommended to install the patch from IBM.

AIX 4.2.1
Vulnerabilities in portmir: ERS-006, ESB-97.138, I-011, S-97-77
A buffer overflow and insecure log files in the AIX portmir command may allow local users to become root.
As a workaround the administrator should remove the setuid bit from /usr/sbin/portmir, or install the patch released by IBM.

FreeBSD 2.x
Security compromise via open(): SA-97:05 (pgp necessary), ESB-97.144
A problem exists in the open() syscall that allows processes to obtain a valid file descriptor without having read or write permissions on the file being opened. This is normally not a problem. The FreeBSD way of granting the right to execute I/O instructions, however, is based on the right to open a specific file (/dev/io).
The problem can be used by any user on the system to execute unauthorised I/O instructions.
A patch for this problem is available from FreeBSD, Inc.

HP-UX 10.x
Vulnerability in CDE libraries: Hewlett-Packard Security Bulletin #00072 (updated 06.11.1997), ESB-97.139, I-009
Because of buffer overflows, the suid/sgid CDE programs can be exploited to gain elevated privileges on the local machine.
Patches are available from Hewlett-Packard; the recommended patches are listed in the bulletin.

AIX 4.x
Vulnerability caused by the libDtSvc.a library: ERS-005, ESB-97.138, I-010, S-97-77
A buffer overflow vulnerability exists in the AIX libDtSvc.a library that can allow local users to become root. There has been an exploit posted to the Bugtraq mailing list.
In the course of investigating the libDtSvc.a overflows, fixes were made to the writesrv and rcp commands as well. The recommended patches are named in the alert.

Solaris 2.3 - 2.5.1
(SPARC and x86) and SunOS
For the vulnerability in rlogin reported in CA-97.06 the patches are available: SUN Security Bulletin #00158, ESB-97.137, S-97-79. No patches are necessary for Solaris 2.6 because the fixes are already included there!

Solaris 2.3 - 2.5.1
(SPARC and x86)
Vulnerability in sysdef: SUN Security Bulletin #00157, ESB-97.136, I-007, S-97-79
The sysdef command displays the current system definition, listing hardware devices, pseudo devices, system devices, loadable modules, and values of selected kernel tunable parameters. This vulnerability, if exploited, allows unprivileged users to read kernel memory, which may contain sensitive information such as unencrypted passwords. Attackers can subsequently use the information to gain root access.
The list of patches is published in the Sun Bulletin; the vulnerability is fixed in Solaris 2.6!

Solaris 2.3 - 2.5.1
(SPARC and x86) and SunOS
Vulnerability in ftpd/rlogind: SUN Security Bulletin #00156, ESB-97.135, I-007, S-97-79
The daemon in.ftpd is the Internet File Transfer Protocol (FTP) server process and the daemon in.rlogind is the rlogin server process. This vulnerability, if exploited, allows an unprivileged user to connect from an ftp server's data port to a rlogin server on a host that trusts the host the ftp server resides on. If exploited, attackers may execute arbitrary commands on the attacked host.
The list of patches is published in the Sun Bulletin; the vulnerability is fixed in Solaris 2.6!

Solaris 2.3 - 2.5.1
(SPARC and x86)
Vulnerability in nis_cachemgr: SUN Security Bulletin #00155, ESB-97.134, I-007, S-97-79
NIS+ clients run nis_cachemgr, a NIS+ utility that caches location information about NIS+ servers. This vulnerability, if exploited, allows attackers to add bogus directory objects to the global shared cache, in effect specifying rogue NIS+ servers that are under their control.
The Sun Bulletin lists the patches to be installed for Solaris 2.4 - 2.5.1; a patch for Solaris 2.3 will be published within a month. The vulnerability does not exist in Solaris 2.6!

OSF/DCE
Vulnerability in OSF/DCE implementations: VB-97.12, ESB-97.133, I-008
A secd can be brought to a core dump: a buffer is overrun, causing memory corruption. In certain cases the lookup attempt (or add, or any other request) on the client will then rebind to another secd to make the request, eventually crashing all security daemons in the cell.
The bulletin describes a source code patch.

all
The U.S. Department of Energy Computer Incident Advisory Capability (CIAC) has published an advisory on countermeasures against E-Mail spamming and on the detection and prevention of E-Mail spamming: I-005

some Unix
Vulnerability in tgetent: SNI-20, ESB-97.131
There is a vulnerability in the tgetent(3) library routine on some BSD based systems which allows an attacker to obtain root privileges by connecting to a vulnerable system's telnet daemon.
A patch for BSD/OS 2.1 is available.

AIX 4.x
Vulnerability in xdat: ERS-004, ESB-97.130, I-006
Under some circumstances it is possible for local users to gain root access to the machine. This is caused by a buffer overflow in xdat.
A workaround is described in the advisory; a patch can be downloaded from IBM.

Microsoft IE 4.0
Security risk in Microsoft Internet Explorer 4.0: jabadoo, cnet, DSB-97:03
It is possible to spy on the contents of any text or HTML file on the client machine or in the local intranet by delivering some code to the client via the Web or E-Mail. The security hole exists even if users have activated the highest security level in their browser.
A patch can be downloaded from Microsoft.

NEC Unix
Vulnerability in the mount option nosuid: VB-97.11, ESB-97.129, I-004, S-97-74
NEC Corporation has identified and corrected a problem with the "nosuid" mount(1) option. The "nosuid" mount(1) option nullifies the effect of setuid and setgid bits for files on a particular file system. This problem manifests itself by allowing setuid and setgid program execution on file systems mounted with "nosuid".
The affected platforms and workarounds are described in the bulletin; patches are also available.

BSD Unix, Linux
Vulnerabilities in lpd: SNI-19, ESB-97.128
These vulnerabilities can enable a remote individual to create and remove arbitrary files, as well as to obtain shell access as the user lpd runs as.
A privileged port on a valid client system is required to exploit all of these vulnerabilities. A privileged port can be obtained on many operating systems by utilizing another vulnerability present in the file transfer protocol daemon (ftpd).
The advisory of Secure Networks Inc. gives some hints on how to avoid these problems.

HP-UX
Vulnerability in mediainit: Hewlett-Packard Security Bulletin #00071, ESB-97.127, I-003, S-97-75
The mediainit(1) command contains a defect, so under some circumstances users may perform unauthorized activities.
Patches are available from Hewlett-Packard; the recommended patches are listed in the bulletin.

HP-UX 10.30
Denial of service via telnet: Hewlett-Packard Security Bulletin #00070, ESB-97.125, I-001, S-97-76
Under some circumstances a defect in the telnet service could be used to cause a denial of service on the destination HP-UX release 10.30 system.
A patch is available from Hewlett-Packard.

Cisco
A serious security vulnerability exists in PPP CHAP authentication in all "classic" Cisco IOS software versions: VB-97.09, ESB-97.126, I-002A, S-97-73
A moderately sophisticated programmer with appropriate knowledge can set up an unauthorized PPP connection to any system that is running vulnerable software and that depends on CHAP for authentication.
The exact list of affected systems is given in the CERT bulletin, which also describes where to get patches and/or workarounds for these systems.

Linux
Vulnerability in Samba running under Intel Linux: H-110, ESB-97.124, VB-97.10
Because of a security hole, unauthorized remote users can obtain root access on the Samba server.
The exploit for the security hole is very architecture specific and has only been demonstrated to work for Samba servers running on Intel based platforms. The exploit posted to the internet is specific to Intel Linux servers. It would be very difficult to produce an exploit for other architectures, but it may be possible.
It is recommended to install Samba version 1.9.17p2.


© 1997 Dr. Matthias Leu, EDV Beratung für Internet/Intranet, last Update: 17.11.1997