Summary of Security Items from August 3 through August 9, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Multiple buffer overflow vulnerabilities have been reported in BrightStor ARCserve Backup that could let remote malicious users execute arbitrary code.
V2.0: Update available for x64-based systems, Microsoft Windows Server 2003 for Itanium-based Systems, and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems.
Currently we are not aware of any exploits for this vulnerability.
Microsoft Security Bulletin MS05-032, August 9, 2005
Microsoft
ActiveSync 3.8, 3.7.1
Multiple vulnerabilities have been reported in ActiveSync's network synchronization protocol that could let remote malicious users disclose information or cause a Denial of Service.
No workaround or patch available at time of publishing.
There is no exploit code required.
Microsoft ActiveSync Information Disclosure or Denial of Service
Medium
Security Focus, 14457, August 2, 2005
Microsoft
Internet Explorer
A memory corruption vulnerability has been reported in Internet Explorer COM Object instantiation that could let remote malicious users execute arbitrary code.
Microsoft Security Bulletin MS05-038, August 9, 2005
Microsoft
Plug and Play
A vulnerability has been reported in Plug and Play that could let local or remote malicious users execute arbitrary code or obtain elevated privileges.
A buffer overflow vulnerability has been reported in Microsoft Telephony Service that could let local or remote malicious users execute arbitrary code.
Microsoft Security Bulletin MS05-040, August 9, 2005
Microsoft
Windows Kerberos PKINT
Multiple vulnerabilities have been reported in Windows Kerberos PKINT that could let remote malicious users disclose information or cause a Denial of Service.
A buffer overflow vulnerability has been reported that could lead to remote execution of arbitrary code or escalation of privilege.
V1.1 Bulletin updated to point to the correct Exchange 2000 Server Post-Service Pack 3 (SP3) Update Rollup and to advise on the scope and caveats of workaround "Unregister xlsasink.dll and fallback to Active Directory for distribution of route information."
Microsoft Security Bulletin MS05-023 V1.1, April 14, 2005
Microsoft Security Bulletin MS05-023 V1.1, August 9, 2005
Naxtor Technologies
Naxtor e-Directory 1.0
A vulnerability has been reported in Naxtor e-Directory that could let remote malicious users conduct Cross-Site Scripting and perform SQL injection.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Naxtor e-Directory Cross-Site Scripting or SQL Injection
Medium
Secunia, Advisory: SA16314, August 3, 2005
Naxtor Technologies
Naxtor Shopping Cart 1.0, Pro 1.0
Multiple vulnerabilities have been reported in Naxtor Shopping Cart that could let remote malicious users conduct Cross-Site Scripting or perform SQL injection.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Naxtor Shopping Cart Cross-Site Scripting or SQL Injection
An input validation vulnerability has been reported in Quick 'n Easy FTP Server (USER Command) that could let remote malicious users cause a Denial of Service.
No workaround or patch available at time of publishing.
Debian Security Advisory, DSA 772-1, August 3, 2005
GNU
zgrep 1.2.4
A vulnerability has been reported in 'zgrep.in' due to insufficient validation of user-supplied arguments, which could let a remote malicious user execute arbitrary commands.
Gentoo Security Advisory, GLSA 200507-26, July 27, 2005
Conectiva Linux Announcement, CLSA-2005:989, August 4, 2005
Ubuntu Security Notice, USN-162-1, August 08, 2005
Lantronix
Lantronix SCS82, SCS1620
Multiple vulnerabilities have been reported: a vulnerability was reported in '/tmp' due to insecure pipe permissions, which could let a malicious user read arbitrary files with elevated privileges; a Directory Traversal vulnerability was reported in the console command interface, which could let a malicious user obtain sensitive information; a vulnerability was reported in the command-line interface, which could let a malicious user obtain superuser privileges; and a buffer overflow vulnerability was reported in the 'edituser' binary due to a boundary error, which could let a malicious user execute arbitrary code with root privileges.
A Proof of Concept exploit has been published for the 'edituser' buffer overflow vulnerability.
Lantronix Secure Console Server SCS820/SCS1620 Multiple Local Vulnerabilities
High
Security Focus, 14486, August 5, 2005
Multiple Vendors
Turbolinux Server 10.0, 8.0, Desktop 10.0, Turbolinux Home, Appliance Server 1.0 Workgroup Edition, Hosting Edition; Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0; Sun Solaris 10.0 _x86, 10.0, 9.0 _x86 Update 2, 9.0 _x86, 9.0, Sun SEAM 1.0-1.0.2; SuSE Linux Professional 9.3 x86_64, 9.3, Linux Personal 9.3 x86_64, 9.3; RedHat Fedora Core3 & 4, Advanced Workstation for the Itanium Processor 2.1; MIT Kerberos 5 5.0-1.4.1 & prior; Gentoo Linux
Multiple vulnerabilities have been reported: a remote Denial of Service vulnerability was reported when a malicious user submits a specially crafted TCP connection that causes the Key Distribution Center (KDC) to attempt to free random memory; a buffer overflow vulnerability was reported in KDC due to a boundary error when a specially crafted TCP or UDP request is submitted, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in 'krb/recvauth.c' which could let a remote malicious user execute arbitrary code.
Conectiva Linux Advisory, CLSA-2005:993, August 8, 2005
Multiple Vendors
Linux kernel 2.6 prior to 2.6.12.1
A vulnerability has been reported in the 'restore_sigcontext()' function due to a failure to restrict access to the 'ar.rsc' register, which could let a malicious user cause a Denial of Service or obtain elevated privileges.
A race condition vulnerability has been reported in the Linux Kernel's ia32 emulation that could let local malicious users obtain root privileges or trigger a buffer overflow.
SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005
Fedora Security Update Notification, FEDORA-2005-262, March 28, 2005
Conectiva Linux Security Announcement, CLA-2005:945, March 31, 2005
Fedora Update Notification FEDORA-2005-313, April 11, 2005
RedHat Security Advisory, RHSA-2005:366-21, August 9, 2005
Multiple Vendors
Linux Kernel 2.6 up to & including 2.6.12-rc4
Several vulnerabilities have been reported: a vulnerability was reported in raw character devices (raw.c) because the wrong function is called before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space; and a vulnerability was reported in the 'pkt_ioctl' function in the 'pktcdvd' block device ioctl handler (pktcdvd.c) because the wrong function is called before passing an ioctl to the block device, which could let a malicious user execute arbitrary code.
RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005
Multiple Vendors
Linux kernel 2.6-2.6.11
A vulnerability has been reported in the '/sys' file system due to a mismanagement of integer signedness, which could let a malicious user cause a Denial of Service and potentially execute arbitrary code.
RedHat Security Advisory, RHSA-2005:420-22, June 8, 2005
RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005
Multiple Vendors
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1-2.6.11; RedHat Desktop 4.0, Enterprise Linux WS 4, ES 4, AS 4
Multiple vulnerabilities exist: a vulnerability exists in the 'shmctl' function, which could let a malicious user obtain sensitive information; a Denial of Service vulnerability exists in 'nls_ascii.c' due to the use of incorrect table sizes; a race condition vulnerability exists in the 'setsid()' function; and a vulnerability exists in the OUTS instruction on the AMD64 and Intel EM64T architecture, which could let a malicious user obtain elevated privileges.
RedHat Security Advisory, RHSA-2005:472-05, May 25, 2005
Avaya Security Advisory, ASA-2005-120, June 3, 2005
FedoraLegacy: FLSA:152532, June 4, 2005
RedHat Security Advisory, RHSA-2005:420-24, Updated August 9, 2005
Multiple Vendors
SuSE Linux Professional 9.3, x86_64, 9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel 2.6-2.6.12
A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to an error when handling keyrings; and a Denial of Service vulnerability was reported in the 'KEYCTL_JOIN_SESSION_KEYRING' operation due to an error when attempting to join a key management session.
Trustix Secure Linux Security Advisory, #2005-0038, July 29, 2005
Gentoo Linux Security Advisory, GLSA 200508-04, August 5, 2005
ProFTPd
Multiple format string vulnerabilities have been reported in ProFTPd that could let remote malicious users cause a denial of service or disclose information.
A vulnerability has been reported in the 'printd' daemon due to an unspecified error, which could let a local/remote malicious user delete arbitrary files.
Currently we are not aware of any exploits for this vulnerability.
Sun Solaris Printd Arbitrary File Deletion
Medium
Sun(sm) Alert Notification, 101842, August 8, 2005
SysCP
SysCP 1.2.1-1.2.10
Several vulnerabilities have been reported: a vulnerability was reported due to insufficient verification of input in an unspecified parameter before including a language file, which could let a remote malicious user include arbitrary files from external resources; and a vulnerability was reported in the internal template engine due to insufficient sanitization of input, which could let a remote malicious user execute arbitrary PHP code.
There is no exploit code required; however a Proof of Concept exploit has been published.
SysCP Multiple Script Execution
High
Secunia Advisory: SA16347, August 8, 2005
Wine
Windows API Emulator 20050725
A vulnerability has been reported in 'winelauncher.in' due to the insecure creation of a temporary file in '/tmp,' which could let a malicious user create/overwrite arbitrary files.
No workaround or patch available at time of publishing.
There is no exploit code required.
Wine WineLauncher.IN Local Insecure File Creation
Medium
Security Focus 14495, August 8, 2005
Wojtek Kaniewski
ekg 2005-06-05 22:03
A vulnerability has been reported in 'contrib/scripts/linki.py' due to the insecure creation of temporary files, which could let a malicious user obtain elevated privileges.
Several vulnerabilities have been reported: a vulnerability was reported in 'contrib/ekgnv.sh,' 'contrib/getekg.sh,' and 'contrib/ekgh' due to the insecure creation of a temporary file, which could let a remote malicious user create/overwrite arbitrary files; and an SQL injection vulnerability was reported in 'contrib/scripts/ekgbot-pre1.py' due to an error, which could let a remote malicious user inject arbitrary shell commands.
Debian Security Advisory, DSA 760-1, July 18, 2005
Ubuntu Security Notice, USN-162-1, August 08, 2005
Yukihiro Matsumoto
Ruby 1.8.2
A vulnerability has been reported in the XMLRPC server due to a failure to set a valid default value that prevents security protection using handlers, which could let a remote malicious user execute arbitrary code.
Fedora Update Notification FEDORA-2005-638 & 639, August 2, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:129, August 3, 2005
Ubuntu Security Notice, USN-160-1, August 04, 2005
Turbolinux Security Advisory, TLSA-2005-81, August 9, 2005
Chipmunk Scripts
Chipmunk Forum 1.3
A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'fontcolor' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
Chipmunk Forum 'fontcolor' Cross-Site Scripting
Medium
Security Tracker Alert ID: 1014630, August 8, 2005
Cisco
Cisco IOS
12.4 & prior 12.x versions
An IPv6 packet handling vulnerability has been reported in Cisco IOS that could let local malicious users cause a remote Denial of Service or potentially execute arbitrary code.
A vulnerability has been reported in the 'path[docroot]' parameter due to insufficient verification before including files, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept has been published.
A buffer overflow vulnerability has been reported in the 'rdb_query()' function due to a boundary error, which could let a remote malicious user execute arbitrary code.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because users can upload HTML and TXT attachments that contain JavaScript, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published for the Cross-Site Scripting vulnerability.
E107 Website System Cross-Site Scripting & HTML Injection
Medium
Security Focus, 14495 & 14508, August 8, 2005
EMC
Navisphere Manager 6.4-6.6
Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported due to insufficient validation of HTTP requests, which could let a remote malicious user obtain sensitive information; and an information disclosure vulnerability was reported because it is possible to list the contents of a directory.
The vendor has addressed this issue in the latest version of the affected application.
There is no exploit code required; however, Proofs of Concept exploits have been published.
Multiple dissector and zlib vulnerabilities have been reported in Ethereal that could let remote malicious users cause a denial of service or execute arbitrary code.
Mandriva Linux Security Update Advisory, MDKSA-2005:131, August 4, 2005
FFTW
FFTW 3.0.1
A vulnerability has been reported due to the insecure creation of temporary files, which could let a malicious user create/overwrite arbitrary files.
No workaround or patch available at time of publishing.
There is no exploit code required.
FFTW Insecure Temporary File Creation
Medium
Security Focus, 14501, August 8, 2005
FlatNuke
FlatNuke 2.5.5
Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'structure.php' due to insufficient sanitization of the 'bodycolor,' 'backimage,' 'theme,' and 'logo' parameters, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported due to insufficient sanitization of posted news articles before displaying to site administrators, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to insufficient sanitization of the 'firma' parameter when saving the user's signature to the user file, which could let a remote malicious user inject and execute arbitrary PHP commands; and a vulnerability was reported because it is possible to obtain path information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
FunkBoard Multiple Cross-Site Scripting
Medium
Security Focus, 13507, August 8, 2005
Fusebox
Fusebox 4.1.0
A Cross-Site Scripting vulnerability has been reported in the 'index.cfm' due to insufficient sanitization of the 'fuseaction' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been reported.
Multiple vulnerabilities have been reported: an SQL injection vulnerability was reported in 'index.php' due to insufficient sanitization of the 'email' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; a Cross-Site Scripting vulnerability was reported in 'deletethread.php' due to insufficient sanitization of the 'board_id' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the 'editcss.php' script due to insufficient access restrictions, which could let a remote malicious user execute arbitrary PHP scripts.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits and a script for the Cross-Site Scripting vulnerability have been published.
Gravity Board X Input Validation & Access Restrictions
High
Security Tracker Alert ID: 1014631, August 8, 2005
Inkscape
Inkscape 0.41
A vulnerability has been reported in 'ps2epsi.sh' due to the insecure creation of a temporary file, which could let a malicious user create/overwrite arbitrary files.
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Multiple Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept has been published.
Multiple vulnerabilities have been reported due to insufficient access validation, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept has been published.
Jax PHP Scripts Multiple Remote Information Disclosure
Medium
Security Focus 14482, August 5, 2005
Karrigell
Karrigell 2.1-2.1.5, 2.0-2.0.5, 1.x
A vulnerability has been reported in a Karrigell services (.ks) script due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary Python code.
A vulnerability has been reported in KDE Kate and KWrite because backup files are created with default permissions even if the original file had more restrictive permissions set, which could let a local/remote malicious user obtain sensitive information.
Fedora Update Notification,
FEDORA-2005-594, July 19, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:122, July 20, 2005
RedHat Security Advisory, RHSA-2005:612-07, July 27, 2005
Conectiva Linux Announcement, CLSA-2005:988, August 4, 2005
Lansoft Enterprises
OpenBB 1.1.0
Multiple SQL injection vulnerabilities have been reported in 'board.php,' 'read.php,' and 'member.php' due to insufficient sanitization of the 'FID,' 'TID,' and 'UID' parameters before being used in a SQL query, which could let a malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
OpenBB Multiple SQL Injection
Medium
Secunia Advisory: SA16369, August 9, 2005
Logicampus
Logicampus 1.1.0
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of input passed to the helpdesk before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
Sun(sm) Alert Notification, 101833, August 3, 2005
Secunia Advisory: SA16295, August 4, 2005
Metasploit Project
Metasploit Framework 2.0-2.4, 1.0
A vulnerability has been reported in the 'StateToOptions()' function because the '_Defanged' environment variable can be overwritten, which could let a remote malicious user bypass security restrictions.
Contact the vendor for further information on obtaining fixes.
SQL injection vulnerabilities have been reported due to insufficient sanitization of the 'Theme,' 'SousTheme,' 'Question,' and 'Faq' parameters before using in SQL queries, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported due to insufficient bounds checking of data that is supplied as an argument in a user-defined function, which could let a remote malicious user execute arbitrary code.
This issue is reportedly addressed in MySQL versions 4.0.25, 4.1.13, and 5.0.7-beta available at: http://dev.mysql.com/downloads/
Currently we are not aware of any exploits for this vulnerability.
An SQL injection vulnerability was reported in 'Messages.php' script due to insufficient input validation before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
PHP-Fusion 'Messages.PHP' SQL Injection
Medium
Security Focus 14489, August 6, 2005
PHPLite
Calendar Express 2.0
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in several scripts due to insufficient sanitization of the 'cid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'search.php' due to insufficient sanitization of the 'allwords' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
A remote Denial of Service vulnerability has been reported in 'class.smtp.php' due to an error when processing overly long headers in the 'Data()' function.
Multiple Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of user-supplied input before using in dynamically generated content, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A vulnerability has been reported in the login script due to an unspecified error, which could let a remote malicious user bypass authentication routines.
An SQL injection vulnerability has been reported in 'Index.php' due to insufficient sanitization before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
An SQL injection vulnerability has been reported in 'Admin.php' due to insufficient sanitization of the username before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code or bypass authentication to obtain access to the administrative section.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Gentoo Linux Security Advisory, GLSA 200506-19, June 21, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:108, July 1, 2005
Debian Security Advisory , DSA 756-1, July 13, 2005
RedHat Security Advisory, RHSA-2005:595-12, August 3, 2005
SquirrelMail
SquirrelMail 1.4.0-1.4.5-RC1.
A vulnerability has been reported in 'options_identities.php' because parameters are insecurely extracted, which could let a remote malicious user execute arbitrary HTML and script code, or obtain/manipulate sensitive information.
GulfTech Security Research Advisory, July 13, 2005
Debian Security Advisory, DSA 756-1, July 13, 2005
RedHat Security Advisory, RHSA-2005:595-12, August 3, 2005
tDiary
tDiary 2.1.1, 2.0.1
A vulnerability has been reported due to a failure to perform validity checks on user's requests, which could let a remote malicious user edit/delete entries or configurations.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'Includes/validsession.php' due to insufficient sanitization of the 'strRootpath' parameter and in 'Admin/News/List.php' due to insufficient sanitization of the 'strTable' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the 'Admin/Users/AddModifyInput.php' script due to insufficient authentication, which could let a remote malicious user obtain administrative privileges.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits and a script have been published.
Web Content Management Cross-Site Scripting & Authentication Bypass
Security Tracker Alert ID: 1014616, August 3, 2005
XMB Forum
XMB Forum .9.1
An SQL injection vulnerability has been reported in 'U2U.Inc.PHP' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
Bluetooth: Those Spying Eyes: Security concerns regarding the use of Bluetooth technology are on the rise. According to Ollie Whitehouse, architect of Symantec's research division, infiltration is possible anywhere large groups of people are using Bluetooth for extended periods, e.g., in an airport. Whitehouse and his colleagues have coined the term "war nibbling" to describe the act of taking a lot of small bits of data. Source: http://www.varbusiness.com/showArticle.jhtml;jsessionid=SAPFFS2NWZRBOQSNDBCSKHSCJUMEKJVN?articleID=166403057.
Wireless Networking Moves Into the Mainstream: Infonetics Research, a networking market analyst and consulting firm based in the United States and Europe, recently published a study to determine product requirements and implementation plans of organizations that have implemented WLANs or will do so in the next year. Another goal of the study was to understand key deployment drivers. Source: http://www.varbusiness.com/showArticle.jhtml;jsessionid=SAPFFS2NWZRBOQSNDBCSKHSCJUMEKJVN?articleID=166403050.
Groups team up for Wi-Fi spec: Three competing groups have agreed to work together on the proposed 802.11n wireless protocol. This is a move that could speed up ratification of the standard. Source: http://www.itweek.co.uk/itweek/news/2140913/groups-team-wi-spec.
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script (Reverse Chronological Order)
Script name
Workaround or Patch Available
Script Description
August 10, 2005
aircrack-2.21.tgz
N/A
An 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
August 10, 2005
funkboard066.txt
No
Exploit details for the FunkBoard Multiple Cross-Site Scripting vulnerability.
August 10, 2005
openSQL.txt
No
Sample exploit for the OpenBB Multiple SQL Injection vulnerability.
August 10, 2005
scapy-1.0.0.tar.gz
N/A
A powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer.
August 8, 2005
GBX-CSS-exp.zip
No
Exploit script for the Gravity Board Cross-Site Scripting vulnerability.
August 6, 2005
citiBypass.txt
N/A
Write up that discusses a methodology to bypass Citibank Virtual Keyboard Protection, a mechanism to help protect against keyloggers and spyware.
August 6, 2005
JaxXSS.txt
No
Exploitation details for the Jax PHP Scripts Multiple Cross-Site Scripting vulnerabilities.
August 6, 2005
nbSMTP_fsexp.c
Yes
Exploit for the no-brainer SMTP Client 'log_msg' Format String vulnerability.
August 5, 2005
aircrack-2.2.tgz
N/A
Aircrack is an 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered.
August 5, 2005
Easyxp41.txt
No
Exploit for the Easy PX41 CMS Cross-Site Scripting or Information Disclosure vulnerability.
August 5, 2005
edituserxp.sh
Yes
Proof of Concept exploit for the Lantronix Secure Console Server 'edituser' Buffer Overflow vulnerability.
August 5, 2005
eventum.pl.txt
Yes
Proof of Concept exploit for the MySQL Eventum SQL Injection vulnerability.
August 5, 2005
FlatNuke-codexec.zip
flatnuke.html
No
Exploits for the FlatNuke User Data Arbitrary PHP Code Execution , Cross-Site Scripting, and Path Disclosure vulnerabilities.
August 5, 2005
phrack63.tar.gz
N/A
Phrack Magazine Issue 63 includes: Phrack Prophile on Tiago, OSX heap exploitation techniques, Hacking Windows CE, Games with kernel Memory...FreeBSD Style, Raising The Bar For Windows Rootkit Detection, Embedded ELF Debugging, Hacking Grub for Fun and Profit, Advanced antiforensics : SELF, Process Dump and Binary Reconstruction, Next-Gen. Runtime Binary Encryption, Shifting the Stack Pointer, NT Shellcode Prevention Demystified, PowerPC Cracking on OSX with GDB, Hacking with Embedded Systems, Process Hiding and The Linux Scheduler, Breaking Through a Firewall, Phrack World News.
August 5, 2005
pluggedBlog.txt
No
Detailed exploitation technique for the Plugged-Blog Multiple Vulnerabilities.
August 5, 2005
qlite.html
No
Proof of Concept exploit for the qliteNews arbitrary database manipulation and Cross-Site Scripting vulnerabilities.
August 5, 2005
webc.html
No
Proof of Concept exploit fir the Web Content Management Cross-Site Scripting & Authentication Bypass vulnerability.
August 5, 2005
yersinia-0.5.5.tar.gz
N/A
Yersinia implements several attacks for the following protocols: Spanning Tree (STP), Cisco Discovery (CDP), Dynamic Host Configuration (DHCP), Hot Standby Router (HSRP), Dynamic Trunking (DTP), 802.1q and VLAN Trunking (VTP), helping a pen-tester with different tasks.
August 3, 2005
CABrightStorSQL.c
Yes
Exploit for the the Computer Associates BrightStor ARCserve Backup Remote Buffer Overflow vulnerability.
August 2, 2005
prorat_server_dos.c
No
Proof of Concept Denial of Service exploit for the ProRat Server Remote Buffer Overflow vulnerability.
Get Up, Stand Up, Pharming Is On The Rise: Pharming is one of the latest online scams and a rapidly growing threat on the Internet. It is a new way for criminals to steal your personal data; rather than breaking into your computer, it works by redirecting your Internet browser.
Source: http://www.crime-research.org/news/09.08.2005/1416/.
Scanning Activity on Port 6070/tcp: US-CERT has seen reports indicating an increase in scanning activity of port 6070/tcp. This port is used by Computer Associates BrightStor ARCserve. Source: http://www.us-cert.gov/current/.
ID theft ring hits 50 banks, security firm says: A major identity theft ring discovered last week by Sunbelt Software, a security firm, has affected the customers of at least 50 banks. In a statement made by Sunbelt, the operation, which is being investigated by the FBI, is gathering personal data from "thousands of machines" using keystroke logging software. The data collected includes credit card details, Social Security numbers, usernames, passwords, instant messaging chat sessions and search terms. Source: http://news.zdnet.com/2100-1009_22-5823591.html.
Government computers top target for cyberattacks: According to IBM's Global Business Security Index report, cyberattacks on computer systems escalated in the first half of 2005, and government agencies were targeted more than any other business sector. In the first half of 2005, there were more than 237 million security attacks worldwide, with 54 million directed at the U.S. government. The manufacturing sector received about 36 million attacks, followed by the financial services industry with 34 million and health care with 17 million. Source: http://www.govexec.com/dailyfed/0805/080505p1.htm.
New Trend Found In IM Enterprise Threats: A security firm, Akonix Systems, reported that nearly a quarter more new viruses threatening corporate computers through employee use of public instant-messaging networks were discovered in July, including one that reflected a new trend of attacking multiple IM systems. A total of 42 new threats were tracked in July, a 24 percent increase over the previous month. Source: http://www.techweb.com/wire/security/167101004.
U.S. Passes the Buck on Identity Theft: A year ago President George W. Bush signed into law the Identity Theft Penalty Enhancement Act in response to the growing proliferation of Internet scams, such as phishing, pharming and other ploys aimed at stealing consumers' private information electronically. However, the evidence suggests that this new law has done nothing to reduce identity theft or fraud.
The number of publicly known identity theft cases has increased dramatically over the past year. Since January of 2005, there have been over 63 data-security breaches exposing nearly 50 million identities. Source: http://www.newsfactor.com/story.xhtml?story_id=37545.
First potential virus risk for Windows Vista found: Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release. According to F-Secure, a virus writer has published the first examples of malicious code that targets Microsoft's upcoming command-line shell, code-named Monad. If the technology is included in Windows Vista, these could be among the first viruses to target the new operating system formerly known as Longhorn. Source: http://news.zdnet.com/2100-1009_22-5819428.html?tag=zdfd.newsfeed.
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared files.
2 | Mytob.C | Win32 Worm | Slight Increase | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
3 | Zafi-D | Win32 Worm | Slight Decrease | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
4 | Netsky-Q | Win32 Worm | Stable | March 2004 | A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker.
5 | Mytob-BE | Win32 Worm | Slight Decrease | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.
6 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security-related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.
7 | Zafi-B | Win32 Worm | Increase | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
8 | Netsky-D | Win32 Worm | Slight Increase | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
9 | Netsky-Z | Win32 Worm | Decrease | April 2004 | A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to the local network or P2P and does not uninstall the Bagle worm. The worm has a backdoor that listens on port 665.
10 | Lovgate.w | Win32 Worm | Decrease | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network.