Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others uncovered a number of vulnerabilities affecting lha:
There is a buffer overflow in the prepared statements API (libmysqlclient) when a statement containing thousands of placeholders is executed.
Under certain situations it is possible for the security icon which Mozilla displays when connected to a site using SSL to be spoofed. This could be used to make so-called "phishing attacks" more difficult to detect.
When handling FTP URLs containing NULL bytes, Mozilla will interpret the file content as HTML. This may allow unexpected execution of Javascript when viewing plain text or other file types via FTP.
A malicious web page can cause an automated file upload from the victim's machine when viewed with Mozilla with Javascript enabled. This is due to a bug permitting default values for type="file" <input> elements in certain situations.
Under some situations, Mozilla will automatically import a certificate from an email message or web site. This behavior can be used as a denial-of-service attack: if the certificate has a distinguished name (DN) identical to one of the built-in Certificate Authorities (CAs), then Mozilla will no longer be able to certify sites with certificates issued from that CA.
rssh expands command line paramters before invoking chroot. This could result in the disclosure to the client of file names outside of the chroot directory. A posting by the rssh author explains:
The cause of the problem identified by Mr. McCaw is that rssh expanded command-line arguments prior to entering the chroot jail. This bug DOES NOT allow a user to access any of the files outside the jail, but can allow them to discover what files are in a directory which is outside the jail, if their credentials on the server would normally allow them read/execute access in the specified directory.
An iDEFENSE security advisory reports:
Remote exploitation of an input validation error in version 1.2 of GNU radiusd could allow a denial of service.
The vulnerability specifically exists within the asn_decode_string() function defined in snmplib/asn1.c. When a very large unsigned number is supplied, it is possible that an integer overflow will occur in the bounds-checking code. The daemon will then attempt to reference unallocated memory, resulting in an access violation that causes the process to terminate.
A new feature of sudo 1.6.8 called "sudoedit" (a safe editing facility) may allow users to read files to which they normally have no access.
A buffer overflow exists in mod_proxy which may allow an attacker to launch local DoS attacks and possibly execute arbitrary code.
A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price.
Additionally, iDEFENSE reports an undocumented command-line flag used in debugging does not perform input validation on the given path names.
CVS servers ("cvs server" or :pserver: modes) are affected by these vulnerabilities. They vary in impact but include information disclosure (the iDEFENSE-reported bug), denial-of-service (CAN-2004-0414, CAN-2004-0416, CAN-2004-0417 and other bugs), or possibly arbitrary code execution (CAN-2004-0418). In very special situations where the attacker may somehow influence the contents of CVS configuration files in CVSROOT, additional attacks may be possible.
Chris Evans discovered several flaws in the gdk-pixbuf XPM image decoder:
Some of these flaws are believed to be exploitable.
Chris Evans discovered several vulnerabilities in the libXpm image decoder:
The X11R6.8.1 release announcement reads:
This version is purely a security release, addressing multiple integer and stack overflows in libXpm, the X Pixmap library; all known versions of X (both XFree86 and X.Org) are affected, so all users of X are strongly encouraged to upgrade.
If the CUPS server (cupsd) receives a zero-length UDP message, it will disable its print queue browser service.
The Apache Software Foundation Security Team discovered a programming error in the apr-util library function apr_uri_parse. When parsing IPv6 literal addresses, it is possible that a length is incorrectly calculated to be negative, and this value is passed to memcpy. This may result in an exploitable vulnerability on some platforms, including FreeBSD.
A malicious user with DAV write privileges can trigger a null pointer dereference in the Apache mod_dav module. This could cause the server to become unavailable.
SITIC discovered a vulnerability in Apache 2's handling of environmental variable settings in the httpd configuration files (the main `httpd.conf' and `.htaccess' files). According to a SITIC advisory:
The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or httpd.conf files. The function ap_resolve_env() in server/util.c copies data from environment variables to the character array tmp with strcat(3), leading to a buffer overflow.
The Webmin developers documented a security issue in the release notes for version 1.160:
Fixed a security hole in the maketemp.pl script, used to create the /tmp/.webmin directory at install time. If an un-trusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Webmin writes to the link filename.
Code found in nmbd and smbd may allow a remote attacker to effectively crash the nmbd server or use the smbd server to exhaust the system memory.
zen-parse discovered a heap buffer overflow in Mozilla's POP client implementation. A malicious POP server could exploit this vulnerability to cause Mozilla to execute arbitrary code.
zen-parse discovered and iDEFENSE reported an exploitable integer overflow in a scriptable Mozilla component `SOAPParameter':
Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow which allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code.
OpenOffice creates a working directory in /tmp on startup, and uses this directory to temporarily store document content. However, the permissions of the created directory may allow other user on the system to read these files, potentially exposing information the user likely assumed was inaccessible.
The mpg123 software version 0.59r contains a buffer overflow vulnerability which may permit the execution of arbitrary code as the owner of the mpg123 process.
Marcus Meissner discovered that ImageMagick's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability.
A class of bugs affecting many web browsers in the same way was discovered. A Secunia advisory reports:
The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.
Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.
A KDE Security Advisory reports:
A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.
Secunia has provided a demonstration of the vulnerability at http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/.
Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory:
The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack against the daemon.
Carefully crafted ISAKMP packets will cause the isakmpd daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).
Marcus Meissner discovered that imlib's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability. It is believed that this bug could be exploited for arbitrary code execution.
An advisory published by the MIT Kerberos team says:
The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable.
Double-free vulnerabilities of this type are not believed to be exploitable for code execution on FreeBSD systems. However, the potential for other ill effects may exist.
An advisory published by the MIT Kerberos team says:
The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
An unauthenticated remote attacker can cause a KDC or application server to hang inside an infinite loop.
An attacker impersonating a legitimate KDC or application server may cause a client program to hang inside an infinite loop.
Marcus Meissner discovered that imlib2's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability. There appears to be both a stack-based and a heap-based buffer overflow that are believed to be exploitable for arbitrary code execution.
According to the SpamAssassin 2.64 release announcement:
Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date.
The issue appears to be triggered by overly long message headers.
lukemftpd(8) is an enhanced BSD FTP server produced within the NetBSD project. The sources for lukemftpd are shipped with some versions of FreeBSD, however it is not built or installed by default. The build system option WANT_LUKEMFTPD must be set to build and install lukemftpd. [NOTE: An exception is FreeBSD 4.7-RELEASE, wherein lukemftpd was installed, but not enabled, by default.]
Przemyslaw Frasunek discovered several vulnerabilities in lukemftpd arising from races in the out-of-band signal handling code used to implement the ABOR command. As a result of these races, the internal state of the FTP server may be manipulated in unexpected ways.
A remote attacker may be able to cause FTP commands to be executed with the privileges of the running lukemftpd process. This may be a low-privilege `ftp' user if the `-r' command line option is specified, or it may be superuser privileges if `-r' is *not* specified.
By submitting a carefully crafted authentication packet, it is possible for an attacker to bypass password authentication in MySQL 4.1. Using a similar method, a stack buffer used in the authentication mechanism can be overflowed.
According to a Debian Security Advisory:
Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore [...]) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session.
ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services (NSS) library's implementation of SSLv2. From their advisory:
The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. As a result, it is possible for an attacker to trigger a heap-based overflow of arbitrary length.
Note that the vulnerable NSS library is also present in Mozilla-based browsers. However, it is not believed that browsers are affected, as the vulnerability is present only in code used by SSLv2 *servers*.
ripMIME may prematurely terminate decoding Base64 encoded messages when it encounters multiple blank lines or other non-standard Base64 constructs. Virus scanning and content filtering tools that use ripMIME may therefore be bypassed.
The ripMIME CHANGELOG file says:
There's viruses going around exploiting the ability to hide the majority of their data in an attachment by using blank lines and other tricks to make scanning systems prematurely terminate their base64 decoding.
The moinmoin package contains two bugs with ACLs and anonymous users. Both bugs may permit anonymous users to gain access to administrative functions; for example the delete function.
There is no known workaround, the vulnerability exists regardless if a site is using ACLs or not.
An rsync security advisory reports:
There is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled.
The bug may allow a remote user to access files outside of an rsync module's configured path with the privileges configured for that module.
Alexander Larsson reports that some versions of gnome-vfs and MidnightCommander contain a number of `extfs' scripts that do not properly validate user input. If an attacker can cause her victim to process a specially-crafted URI, arbitrary commands can be executed with the privileges of the victim.
Ulf Härnhammar discovered a pair of buffer overflows in the WAV file handling code of SoX. If an attacker can cause her victim to process a specially-crafted WAV file with SoX (e.g. through social engineering or through some other program that relies on SoX), arbitrary code can be executed with the privileges of the victim.
According to a KDE Security Advisory:
WESTPOINT internet reconnaissance services alerted the KDE security team that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains.
Web sites operating under the affected domains can set HTTP cookies in such a way that the Konqueror web browser will send them to all other web sites operating under the same domain. A malicious website can use this as part of a session fixation attack. See e.g. http://www.acros.si/papers/session_fixation.pdf
Affected are all country specific secondary top level domains that use more than 2 characters in the secondary part of the domain name and that use a secondary part other than com, net, mil, org, gov, edu or int. Examples of affected domains are .ltd.uk, .plc.uk and .firm.in
It should be noted that popular domains such as .co.uk, .co.in and .com are NOT affected.
c0ntex[at]open-security.org reports a buffer overflow in xine's handling of vcd:// URLs:
Like the excellent Mplayer, Xine is a superb free media player for Linux. Sadly there is a generic stack based buffer overflow in all versions of Xine-lib, including Xine-lib-rc5 that allows for local and remote malicious code execution.
By overflowing the vcd:// input source identifier buffer, it is possible to modify the instruction pointer with a value that a malicious attacker can control. The issue can be replicated in a remote context by embedding the input source idientifier within a playlist file, such as an asx. When a user plays the file, this stack overflow will occur, exploit code can then be executed with the rights of the user running Xine.
Neils Heinen reports that the setuid `news' binaries installed as part of fidogate may be used to create files or append to file with the privileges of the `news' user by setting the LOGFILE environmental variable.
The log functions in jftpgw may allow remotely authenticated user to execute arbitrary code via the format string specifiers in certain syslog messages.
Qt contains several vulnerabilities related to image loading, including possible crashes when loading corrupt GIF, BMP, or JPEG images. Most seriously, Chris Evans reports that the BMP crash is actually due to a heap buffer overflow. It is believed that an attacker may be able to construct a BMP image that could cause a Qt-using application to execute arbitrary code when it is loaded.
An iDEFENSE security advisory describes a format string vulnerability that could be exploited when Courier-IMAP is run in debug mode (DEBUG_LOGIN set).
According to Christian Hammers:
[mysqlhotcopy created] temporary files in /tmp which had predictable filenames and such could be used for a tempfile run attack.
Jeroen van Wolffelaar is credited with discovering the issue.
Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected.
Another buffer overflow bug has been found in the code used to support the "mangling method = hash" smb.conf option. The default setting for this parameter is "mangling method = hash2" and therefore not vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
The Mozilla project's family of browsers contain a design flaw that can allow a website to spoof almost perfectly any part of the Mozilla user interface, including spoofing web sites for phishing or internal elements such as the "Master Password" dialog box. This achieved by manipulating "chrome" through remote XUL content. Recent versions of Mozilla have been fixed to not allow untrusted documents to utilize "chrome" in this way.
Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).
According to a KDE Security Advisory, KDE may sometimes create temporary files without properly checking the ownership and type of the target path. This could allow a local attacker to cause KDE applications to overwrite arbitrary files.
Sebastian Krahmer discovered several remotely exploitable buffer overflow vulnerabilities in the MSN component of gaim.
An iDEFENSE security advisory reports:
Remote exploitation of an input validation error in the uudecoding feature of Adobe Acrobat Reader (Unix) 5.0 allows an attacker to execute arbitrary code.
The Unix and Linux versions of Adobe Acrobat Reader 5.0 automatically attempt to convert uuencoded documents back into their original format. The vulnerability specifically exists in the failure of Acrobat Reader to check for the backtick shell metacharacter in the filename before executing a command with a shell. This allows a maliciously constructed filename to execute arbitrary programs.
John Graham-Cumming reports that certain configurations of POPFile may allow the retrieval of any files with the extensions .gif, .png, .ico, .css, as well as some files with the extension .html.
A buffer overflow exists in the logging functionality of the DHCP daemon which could lead to Denial of Service attacks and has the potential to allow attackers to execute arbitrary code.
Steve Grubb reports a buffer read overrun in libpng's png_format_buffer function. A specially constructed PNG image processed by an application using libpng may trigger the buffer read overrun and possibly result in an application crash.
Stefan Esser has reported two vulnerabilities in PHP, which can be exploited by malicious people to bypass security functionality or compromise a vulnerable system. An error within PHP's memory_limit request termination allows remote code execution on PHP servers with activated memory_limit. A binary safety problem within PHP's strip_tags() function may allow injection of arbitrary tags in Internet Explorer and Safari browsers.
Mozilla and Mozilla Firefox contains a flaw that may allow a malicious user to spoof SSL certification.
Glenn Randers-Pehrson has contributed a fix for the png vulnerabilities discovered by Chris Evans.
The Courier set of mail services use a common Unicode library. This library contains buffer overflows in the converters for two popular Japanese character encodings. These overflows may be remotely exploitable, triggered by a maliciously formatted email message that is later processed by one of the Courier mail services. From the release notes for the corrected versions of the Courier set of mail services:
iso2022jp.c: Converters became (upper-)compatible with ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.
shiftjis.c: Broken SHIFT_JIS converters has been fixed and became (upper-)compatible with Shifted Encoding Method (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.
Stefan Esser of e-matters Security discovered a baker's dozen of buffer overflows in Ethereal's decoders, including:
In addition, a vulnerability in the RADIUS decoder was found by Jonathan Heusser.
Finally, there is one uncredited vulnerability described by the Ethereal team as:
A zero-length Presentation protocol selector could make Ethereal crash.
Issues have been discovered in multiple protocol dissectors.
Issues have been discovered in multiple protocol dissectors.
SSLtelnet contains a format string vulnerability that could allow remote code execution and privilege escalation.
Roman Medina-Heigl Hernandez did a survey which other webmail systems where vulnerable to a bug he discovered in SquirrelMail. This advisory summarizes the results.
When pavuk sends a request to a web server and the server sends back the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP Location header in an unsafe manner. This leads to a stack-based buffer overflow with control over EIP.
Janek Vind "waraxe" reports that several issues in the PHPNuke software may be exploited via carefully crafted URL requests. These URLs will permit the injection of SQL code, cookie theft, and the readability of the PHPNuke administrator account.
This vulnerability would allow remote user to inject PHP code to be executed by eval() function. This vulnerability is only exploitable if variable $cfg['LeftFrameLight'] is set to FALSE (in file config.inc.php).
GNATS 3.113.1 contains multiple buffer overflows, through which a local attacker could gain elevated privileges on the system.
A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation.
It may be possible for a local attacker to read and/or overwrite portions of kernel memory, resulting in disclosure of sensitive information or potential privilege escalation. A local attacker can cause a system panic.
giFT-FastTrack is susceptible to a remote Denial of Service attack which could allow a remote attacker to render HTTP services unusable. According to the developers, no code execution is possible; however, they recommend an immediate upgrade.
When the IPv6 code was added to xdm a critical test to disable xdmcp was accidentally removed. This caused xdm to create the chooser socket regardless if DisplayManager.requestPort was disabled in xdm-config or not.
A serious flaw exists in the MoinMoin software which may allow a malicious user to gain access to unauthorized privileges.
In December 2002, Timo Sirainen reported:
Cyrus IMAP server has a a remotely exploitable pre-login buffer overflow. [...] Note that you don't have to log in before exploiting this, and since Cyrus runs everything under one UID, it's possible to read every user's mail in the system.
It is unknown whether this vulnerability is exploitable for code execution on FreeBSD systems.
The Cyrus team reported multiple vulnerabilities in older versions of Cyrus IMSPd:
These releases correct a recently discovered buffer overflow vulnerability, as well as clean up a significant amount of buffer handling throughout the code.
A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may occur. A `visit' might be caused by social engineering, or a malicious web server could use HTTP redirects which MPlayer would then process.
Timo Sirainen reports multiple buffer overflows that may be triggered while parsing messages, as well as input validation errors that could result in disclosure of mailing list passwords.
These bugs were resolved in the August 2003 snapshot of ecartis.
When the directive "SecFilterScanPost" is enabled, the Apache 2.x version of ModSecurity is vulnerable to an off-by-one overflow
clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav.
Stefan Esser reports:
A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon.
The vulnerability is in the function ne_rfc1036_parse, which is in turn used by the function ne_httpdate_parse. Applications using either of these neon functions may be vulnerable.
Greuff reports that the neon WebDAV client library contains several format string bugs within error reporting code. A malicious server may exploit these bugs by sending specially crafted PROPFIND or PROPPATCH responses.
Although several applications include neon, such as cadaver and subversion, the FreeBSD Ports of these applications are not impacted. They are specifically configured to NOT use the included neon. Only packages listed as affected in this notice are believed to be impacted.
A flaw exists in Gallery versions previous to 1.4.3-pl1 and post 1.2 which may give an attacker the potential to log in under the "admin" account. Data outside of the gallery is unaffected and the attacker cannot modify any data other than the photos or photo albums.
Jakub Jelinek reports several security related bugs in Midnight Commander, including:
Remote exploitation of a buffer overflow vulnerability in the NTLM authentication helper routine of the Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. A remote attacker can compromise a target system if the Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.
The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution.
In the FreeBSD Ports Collection, `pwlib' is directly affected. Other applications such as `asterisk' and `openh323' incorporate `pwlib' statically and so are also independently affected.
A programming error resulting in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process.
Jailed processes running with superuser privileges could modify host routing tables. This could result in a variety of consequences including packets being sent via an incorrect network interface and packets being discarded entirely.
Programming errors in the implementation of the msync(2) system call involving the MS_INVALIDATE operation lead to cache consistency problems between the virtual memory system and on-disk contents.
In some situations, a user with read access to a file may be able to prevent changes to that file from being committed to disk.
The leafnode NNTP server may go into an unterminated loop with 100% CPU use when an article is requested by Message-ID that has been crossposted to several news groups when one of the group names is the prefix of another group name that the article was cross-posted to. Found by Jan Knutar.
Fetchnews could hang when a news article to be downloaded lacked one of the mandatory headers. Found by Joshua Crawford.
When a downloaded news article ends prematurely, i. e. when the server sends [CR]LF.[CR]LF before sending a blank line, fetchnews may wait indefinitely for data that never arrives. Workaround: configure "minlines=1" (or use a bigger value) in the configuration file. Found by Toni Viemerö.
Shaun Colley reports that the script `mysqlbug' included with MySQL sometimes creates temporary files in an unsafe manner. As a result, an attacker may create a symlink in /tmp so that if another user invokes `mysqlbug' and quits without making any changes, an arbitrary file may be overwritten with the bug report template.
Stefan Esser reports:
Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could lead to a repository compromise.
NOTE: This vulnerability is similar to the date parsing issue that affected neon. However, it is a different and distinct bug.
Due to a programming error in code used to parse data received from the client, malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory.
A malicious CVS client can exploit this to run arbitrary code on the server at the privilege level of the CVS server software.
Joe Orton reports a memory leak in Apache 2's mod_ssl. A remote attacker may issue HTTP requests on an HTTPS port, causing an error. Due to a bug in processing this condition, memory associated with the connection is not freed. Repeated requests can result in consuming all available memory resources, probably resulting in termination of the Apache process.
Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a `-', it may be treated as an option by an external command. This could have undesirable side-effects, from denial-of-service to code execution. The impact is very dependent on local configuration.
After the iDEFENSE advisory was published, the KDE team discovered similar problems in KDE's URI handlers.
The Debian security team reported a pair of vulnerabilities in fsp:
A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).
Jindrich Makovicka reports a regression in proftpd's handling of IP address access control lists (IP ACLs). Due to this regression, some IP ACLs are treated as ``allow all''.
Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation.
A remote exploitable buffer overflow has been discovered in exim when verify = header_syntax is used in the configuration file. This does not affect the default configuration.
The includes/sessions.php unnecessarily adds session item into session table and therefore vulnerable to a denial-of-service attack.
An input validation error was discovered in the kadmind code that handles the framing of Kerberos 4 compatibility administration requests. The code assumed that the length given in the framing was always two or more bytes. Smaller lengths will cause kadmind to read an arbitrary amount of data into a minimally-sized buffer on the heap.
A remote attacker may send a specially formatted message to kadmind, causing it to crash or possibly resulting in arbitrary code execution.
The kadmind daemon is part of Kerberos 5 support. However, this bug will only be present if kadmind was built with additional Kerberos 4 support. Thus, only systems that have *both* Heimdal Kerberos 5 and Kerberos 4 installed might be affected.
NOTE: On FreeBSD 4 systems, `kadmind' may be installed as `k5admind'.
Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../').
These programming errors generally only have a security impact when dealing with remote CVS repositories.
A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system.
A CVS client may request RCS files from a remote system other than those in the repository specified by $CVSROOT. These RCS files need not be part of any CVS repository themselves.
The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs(8) command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value.
A regularly scheduled backup of a live filesystem, or any other process that uses the mksnap_ffs command (for instance, to provide a rough undelete functionality on a file server), will clear any flags in effect on the filesystem being snapshot. Possible consequences depend on local usage, but can include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem.
The mksnap_ffs command is normally only available to the superuser and members of the `operator' group. There is therefore no risk of a user gaining elevated privileges directly through use of the mksnap_ffs command unless it has been intentionally made available to unprivileged users.
A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented.
It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.
A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the calling process's root directory.
A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail.
FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue. A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP). By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers (``mbufs''), likely leading to a system crash.
From the FreeBSD Security Advisory:
A programming error in the handling of some IPv6 socket options within the setsockopt(2) system call may result in memory locations being accessed without proper validation.
It may be possible for a local attacker to read portions of kernel memory, resulting in disclosure of sensitive information. A local attacker can cause a system panic.
A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake.
A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.
Heimdal does not correctly validate the `transited' field of Kerberos tickets when computing the authentication path. This could allow a rogue KDC with which cross-realm relationships have been established to impersonate any KDC in the authentication path.
Ulf Härnhammar discovered several vulnerabilities in LHa for UNIX's path name handling code. Specially constructed archive files may cause LHa to overwrite files or execute arbitrary code with the privileges of the user invoking LHa. This could be particularly harmful for automated systems that might handle archives such as virus scanning processes.
A straightforward stack buffer overflow exists in XChat's Socks5 proxy support.
The XChat developers report that `tsifra' discovered this issue.
NOTE: XChat Socks5 support is disabled by support in the FreeBSD Ports Collection.
When running rsync in daemon mode, no checks were made to prevent clients from writing outside of a module's `path' setting.
From the xinehq advisory:
By opening a malicious MRL in any xine-lib based media player, an attacker can write arbitrary content to an arbitrary file, only restricted by the permissions of the user running the application.
The flaw is a result of a feature that allows MRLs (media resource locator URIs) to specify arbitrary configuration options.
An unknown remotely exploitable vulnerability was disclosed. Robert Segall writes:
a security vulnerability was brought to my attention (many thanks to Akira Higuchi). Everyone running any previous version should upgrade to 1.6 immediately - the vulnerability may allow a remote exploit. No exploits are currently known and none have been observed in the wild till now. The danger is minimised if you run Pound in a root jail and/or you run Pound as non-root user.
The common.php script always trusts the `X-Forwarded-For' header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs).
NISCC / UNIRAS has published an advisory that re-visits the long discussed spoofed TCP RST denial-of-service vulnerability. This new look emphasizes the fact that for some applications such attacks are practically feasible.
Jack of RaptureSecurity reported a double byte buffer overflow in ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID `nobody', but with group-ID `wheel'.
A buffer overflow is present in some versions of the KDE personal information manager (kdepim) which may be triggered when processing a specially crafted VCF file.
When racoon receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a ridiculously large value in the length field, racoon may exceed operating system resource limits and be terminated, resulting in a denial of service.
When racoon receives an IKE message with an incorrectly constructed Generic Payload Header, it may behave erratically, going into a tight loop and dropping connections.
Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems.
These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.
NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP protocol handler from tcpdump, and so is also affected by this issue.
Midnight Commander uses a fixed sized stack buffer while resolving symbolic links within file archives (tar or cpio). If an attacker can cause a user to process a specially crafted file archive with Midnight Commander, the attacker may be able to obtain the privileges of the target user.
Ralf Spenneberg discovered a serious flaw in racoon. When using Phase 1 main or aggressive mode, racoon does not verify the client's RSA signature. Any installations using X.509 authentication are strongly urged to upgrade.
Installations using pre-shared keys are believed to be unaffected.
Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory:
While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.
The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.
In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.
Philippe Oechslin reported a denial-of-service vulnerability in oftpd. The oftpd server can be crashed by sending a PORT command containing an integer over 8 bits long (over 255).
From the Squid advisory:
Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.
A remote attacker could cause zebra/quagga to crash by sending a malformed telnet command to their management port.
Users with admin rights can severly damage an phpBB installation, potentially triggered by viewing a page with a malicious link sent by an attacker.
A security hole exists that can be used to crash the proxy and execute arbitrary code. An exploit is circulating that takes advantage of this, and in some cases succeeds in obtaining a login shell on the machine.
A remote attacker may use specially crafted IKE/ISAKMP messages to cause racoon to delete security associations. This could result in denial-of-service or possibly cause sensitive traffic to be transmitted in plaintext, depending upon configuration.
Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives:
Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory.
Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that is executed only when a certain error is encountered.
Ulf Härnhammar discovered several vulnerabilities in GNU Anubis.
Ulf notes that these vulnerabilities can be exploited by a malicious IDENT server as a denial-of-service attack.
A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on the machine running the X server.
Steve Kemp reports (in a Debian bug submission):
Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games).
Environmental variables are used without being bounds-checked in any way, from the source code:
highscore.c: /* Use the environment variable if it exists */ if ((str = getenv("XBOING_SCORE_FILE")) != NULL) strcpy(filename, str); else strcpy(filename, HIGH_SCORE_FILE); misc.c: if ((ptr = getenv("HOME")) != NULL) (void) strcpy(dest, ptr);Neither of these checks are boundschecked, and will allow arbitary shell code to be run.
Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().
These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.
Ulf Härnhammar reports multiple buffer overflows in Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code.
Depending upon local configuration, these vulnerabilities may be exploited using specially crafted messages in order to execute arbitrary code running with the privileges of the user invoking Emil.
Anyone can get admin's username and password's md5 hash via a single web request. A working example is provided in the advisory.
The authors of UUDeview report repairing two buffer overflows in their software.
Henning Brauer discovered a programming error in Apache 1.3's mod_access that results in the netmasks in IP address access control rules being interpreted incorrectly on 64-bit, big-endian platforms. In some cases, this could cause a `deny from' IP address access control rule including a netmask to fail.
An attacker may cause Apache with mod_python to crash by using a specially constructed query string.
In 2003, two vulnerabilities were discovered in mpg123 that could result in remote code execution when using untrusted input or streaming from an untrusted server.
Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.
Eric Raymond decided not to mention this issue in the release notes for fetchmail 6.2.5, but it was fixed there.
A malformed message could cause mailman to crash.
Dirk Mueller reports:
I've found a cross-site scripting vulnerability in the admin interface of mailman 2.1.3 that allows, under certain circumstances, for anyone to retrieve the (valid) session cookie.
From the 2.1.3 release notes:
Closed a cross-site scripting exploit in the create cgi script.
From the 2.1.1 release notes:
Closed a cross-site scripting vulnerability in the user options page.
Multiple researchers have discovered multiple SQL injection vulnerabilities in some versions of Php-Nuke. These vulnerabilities may lead to information disclosure, compromise of the Php-Nuke site, or compromise of the back-end database.
Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environmental variable handling. In several instances, the contents of the HOME environmental variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire group-ID `games' privileges.
An exploit for this vulnerability has been published by ``Li0n7 voila fr''.
Ulf Härnhammar discovered a format string bug in hsftp's file listing code may allow a malicious server to cause arbitrary code execution by the client.
An attacker can cause an assertion to trigger by sending a long User-Agent field in a request.
Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxml2 to parse documents.
Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server.
Jedi/Sector One <j@pureftpd.org> reported the following on the full-disclosure list:
Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata.
Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document.
'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though).
Exploitation should be easy, moreover textbuf points to the stack.
libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions.
This has been reported as a ``symlink vulnerability'', although I do not think that is an accurate description.
This vulnerability could possibly be used on a multi-user system to gain elevated privileges, e.g. root builds some packages, and another user successfully exploits this vulnerability to write to a system file.
The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available.
icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root.
According to the author:
Fixed security loophole which allowed remote clients to access arbitrary files on our system.
The Chinese Console Environment contains exploitable buffer overflows.
Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system(3) without setting up the environment, trivially allowing local root compromise.
Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix.
An attacker may send an email message containing a specially constructed URL that will execute arbitrary commands when viewed.
An attacker may send a specially-formatted email message that will cause pine to crash.
Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.
When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.
From the Samba 3.0.2 release notes:
Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.
Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code.
From the Apache-SSL security advisory:
If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.
All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).
Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process.
A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow.
A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise.
Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.
The following summary was written by Werner Koch, GnuPG author:
Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.
...
Please take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.
Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.
Mathopd contains a buffer overflow in the prepare_reply() function that may be remotely exploitable.
A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.
An authenticated user may trigger a format string vulnerability present in qpopper's UIDL code, resulting in arbitrary code execution with group ID `mail' privileges.
Fetchmail can be crashed by a malicious email message.
Applications utilizing pam_smb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise.
libmcrypt does incomplete input validation, leading to several buffer overflows. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack.