Summary of Security Items from July 6 through July 20, 2004
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between
July 6 and July 20, 2004.
Bugs,
Holes, & Patches
The table below
summarizes vulnerabilities that have been identified, even if they
are not being exploited. Updates to items appearing in previous
bulletins are listed in bold. Complete details about patches or
workarounds are available from the source of the information or from the URL provided in the
section. CVE numbers are listed where applicable.
Note: All the information included in the
following tables has been discussed in newsgroups and
on web sites.
Risk is defined as follows:
- High - A high-risk
vulnerability is defined as one that will allow an intruder to immediately
gain privileged access (e.g., sysadmin or root) to the system or allow an
intruder to execute code or alter arbitrary system files. An example of a
high-risk vulnerability is one that allows an unauthorized user to send a
sequence of instructions to a machine and the machine responds with a command
prompt with administrator privileges. - Medium - A
medium-risk vulnerability is defined as one that will allow an intruder immediate
access to a system with less than privileged access. Such vulnerability will
allow the intruder the opportunity to continue the attempt to gain privileged
access. An example of medium-risk vulnerability is a server configuration
error that allows an intruder to capture the password file. - Low - A low-risk
vulnerability is defined as one that will provide information to an intruder
that could lead to further compromise attempts or a Denial of Service (DoS)
attack. It should be noted that while the DoS attack is deemed low from a
threat potential, the frequency of this type of attack is very high. DoS attacks
against mission-critical nodes are not included in this rating and any attack
of this nature should instead be considered to be a "High" threat.
| Windows Operating Systems | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
| Adobe
Adobe Acrobat Reader version 6.0.1 | A buffer overflow vulnerability exists that allows remote attackers to execute arbitrary code. The problem specifically exists within a routine that is responsible for splitting the filename path into multiple components. Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching the malicious PDF document.
Update to the latest release of Adobe Acrobat and the free Adobe Reader, version 6.0.2 available at: http://www.adobe.com/support/techdocs/34222.htm Currently, we are not aware of any exploits for this vulnerability. | Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
CVE Name: | High | iDEFENSE Security Advisory, July 12, 2004
Securiteam, July 11, 2004 |
| Code-Crafters
Ability Mail Server 1.x | Cross-Site Scripting and Denial of Service vulnerabilities exist due to unsanitized input and an error in connection handling. These can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Ability Mail Server Cross-Site Scripting and Denial of Service Vulnerabilities | High | Secunia Advisory, SA12039, July 12, 2004
SecurityTracker Alert, 1010672, July 12, 2004 |
| EA Games
Medal of Honor | A buffer overflow vulnerability in the Medal of Honor and related game software. It is reported that a remote user can send a specially crafted packet to the target server to trigger a buffer overflow in the code that checks for slash characters and null bytes. A remote user can execute arbitrary code on the target system. An unofficial patch is available for Windows-based platforms at: http://aluigi.altervista.org/patches.htm A Proof of Concept exploit has been published. | EA Games Medal of Honor Has Buffer Overflow in 'connect' Packet | High | SecurityTracker Alert, 1010725, July 17, 2004 |
| Microsoft
Internet Explorer 6 | A remote code execution vulnerability exists in popup.show(). A malicious user can take arbitrary mouse-based actions on the target system. This vulnerability can be used in conjunction with a "shell://" vulnerability to execute arbitrary code on the target user's system.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | HijackClick 3 | High | SecurityTracker Alert, 1010679, July 12, 2004
Bugtraq, July 11, 2004 |
| Microsoft
Hotmail HTML | An input validation vulnerability exists because Hotmail does not filter scripting code from within conditional IF statements contained in HTML comments. A remote user can conduct cross-site scripting attacks against target users via Internet Explorer. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Hotmail HTML Comment Condition Lets Remote Users Conduct Cross-Site Scripting Attacks | High | SecurityTracker Alert, 1010726 July 17, 2004 |
| Microsoft
MS Windows NT® Workstation 4.0 SP; | A buffer overrun vulnerability exists in Internet Information Server 4.0 due to an unchecked buffer in the IIS 4.0 redirect function. This vulnerability could allow remote code execution on an affected system.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx Currently, we are not aware of any exploits for this vulnerability. | IIS Redirection Vulnerability
CVE Name: | High | Microsoft Security Bulletin MS04-021, July 13, 2004 |
| Microsoft
Internet Explorer 6 | A cross-domain scripting vulnerability exists in which a remote user can create HTML containing a javascript function that redirects to a different javascript function of the same name as the original function to bypass cross-domain security restrictions. Arbitrary scripting code can be executed in the security context of an arbitrary site.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Microsoft Internet Explorer Same Name Javascript Bug | High | SecurityTracker Alert, 1010683, July 13, 2004 |
| Microsoft
MS Internet Explorer 5.01, 5.5, 6 | Multiple vulnerabilities exist in Internet Explorer, allowing malicious people to bypass security restrictions and potentially compromise a vulnerable system. It is possible to redirect a function to another function with the same name, which allows a malicious website to access the function without the normal security restrictions. Malicious sites can trick users into performing actions like drag'n'drop or click on a resource without their knowledge. It is possible to inject arbitrary script code into Channel links in Favorites. It is possible to place arbitrary content above any other window and dialog box using the "Window.createPopup()" function.
Workaround: Disabling Active Scripting will solve some of these vulnerabilities A Proof of Concept exploit has been published. | Microsoft Internet Explorer Multiple Vulnerabilities | High | Secunia Advisory, SA12048, July 13, 2004 |
| Microsoft
MS Windows 2000 SP 2, 3, and 4 | A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx A Proof of Concept exploit has been published. | Utility Manager Vulnerability
CVE Name: | High | Microsoft Security Bulletin MS04-019, July 13, 2004 |
| Microsoft
MS Windows 2000 SP 2, 3, and 4; XP and XP SP1; XP 64-Bit Edition SP 1 | A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer during application name validation. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx Currently, we are not aware of any exploits for this vulnerability. | Task Scheduler Vulnerability
CVE Name: | High | Microsoft Security Bulletin MS04-022, July 13, 2004 |
| Microsoft
MS Windows 2000 Service Pack 2, 3 and 4; | Remote code execution vulnerabilities exist in the processing of a specially crafted showHelp URL and in HTML Help that could allow remote code execution on an affected system. This is due to incorrect file validation in the HTML Help protocol and incomplete input validation.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx Currently, we are not aware of any exploits for this vulnerability. | showHelp Vulnerability
CVE Name: HTML Help Vulnerability CVE Name: | High | Microsoft Security Bulletin MS04-023, July 13, 2004 |
Microsoft MS Windows NT® Workstation 4.0 SP 6a; | A remote code execution vulnerability exists in the way that the Windows Shell launches applications due to the way the shell API handles class identifiers. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx Currently, we are not aware of any exploits for this vulnerability. | Windows Shell Vulnerability
CVE Name: | High | Microsoft Security Bulletin MS04-024, July 13, 2004 |
| Microsoft
MS Windows NT® Workstation 4.0 SP 6a; | A privilege elevation vulnerability exists in the POSIX operating system component (subsystem) due to an unchecked buffer. This vulnerability could allow remote code execution on an affected system.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx Currently, we are not aware of any exploits for this vulnerability. | POSIX Vulnerability
CVE Name: | High | Microsoft Security Bulletin MS04-020, July 13, 2004 |
| Microsoft
MS Works Suite 2003; | A vulnerability exists when Word is used to edit mails in Outlook which can be exploited to execute arbitrary code on a user's system if the user is tricked into forwarding a malicious email with an unclosed "<OBJECT>" tag. This may be possible only when mails are forwarded. This may also be possible to exploit through malicious HTML documents if edited in Word.
No workaround or patch available at time of publishing. Currently, we are not aware of any exploits for this vulnerability. | Microsoft Outlook / Word Object Tag Vulnerability | High | Secunia Advisory, SA12041, July 12, 2004 |
| Mozilla Organization
Mozilla (Suite) 1.7.0 and prior; | A security vulnerability exists in the handling of the shell: protocol making it possible to combine this effect with a known buffer overrun to create a remote execution exploit or a denial-of-service type attacks (including crashing the system in some cases).
Patch available at: http://www.mozilla.org/security/shell.html A Proof of Concept exploit has been published. | Mozilla shell: Scheme Allows Code Execution | High | Mozilla Organization Advisory
Computer Associates, Vulnerability ID: 28693, July 11, 2004 |
| Sun
Sun Java JRE 1.4.x, 1.3.x, 1.2.x, 1.1.x | A temporary file creation issue in Sun's Java Virtual Machine combined with known security holes in Internet Explorer may lead to arbitrary script code execution on the victim's machine.
Workaround: Disable Active Scripting in Internet Explorer. A Proof of Concept exploit has been published. | Sun JVM Insecure Temporary File Creation Allows Remote Code Execution | High | Securiteam, July 11, 2004 Secunia Advisory, SA12043, July 12, 2004 |
| GeeOS Team
Gattaca Server 2003 1.x | Multiple vulnerabilities exist which can be exploited to disclose system information, cause a Denial of Service, or conduct cross-site scripting attacks. These vulnerabilities are due to input validation and sanitization errors, connection handling, and buffer overflows. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Gattaca Server 2003 Multiple Vulnerabilities | Medium | Secunia Advisory, SA12071, July 15, 2004 |
| Microsoft
MSN Messenger 6.x | A vulnerability exists in these programs due to the failure to restrict access to the "shell:" URI handler. This allows an attacker to invoke various programs associated with specific extensions. It is not possible to pass parameters to these programs, only filenames, thus limiting the impact of launching applications.
No workaround or patch available at time of publishing. Currently, we are not aware of any exploits for this vulnerability. | Microsoft Products Fail to Restrict "shell:" Access | Medium | Secunia Advisory, SA12042, July 12, 2004 |
| PsTools 2.01, 2.02, and 2.03 psexec 1.52; psgetsid 1.4;
| Multiple vulnerabilities were reported in Sysinternals PsTools. A local user can gain administrative access on certain remote hosts. Several of the PsTools utilities map the IPC$ or ADMIN$ share when executing a command on a remote host but do not properly disconnect from the share when the utility exits. As a result, a local user can access the share and take administrative actions on the target system. Updates available at: http://www.sysinternals.com/ntw2k/freeware/pstools.shtml A Proof of Concept exploit has been published. | Sysinternals PsTools Fails to Disconnect | Medium | SecurityTracker Alert, 1010737, July 19, 2004 |
| Apache Software Foundation
Apache 2.0.49 (Win32) with PHP 5.0.0 RC2 | A Denial of Service vulnerability exists in the Apache web server when running with PHP due to a flaw when invoking certain functions such as fopen and fsockopen in an endless loop.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Apache Can Be Crashed By PHP Code | Low | SecurityTracker Alert, 1010674, July 9, 2004 |
| INweb Mail Server 2.x | A Denial of Service vulnerability exists in INweb Mail Server due to an error in the connection handling, which can be exploited to crash the application.
No solution available at this time. Currently, we are not aware of any exploits for this vulnerability. | INweb Mail Server Multiple Connection Denial of Service Vulnerability | Low | Secunia Advisory, SA12056, July 12, 2004 |
| Microsoft Java Virtual Machine
version 5.0.0.3810 | A vulnerability in Microsoft Java Virtual Machine allows Java applets originating from different domains to communicate. This could be exploited to cause information leakage.
No workaround or patch available at time of publishing. Currently, we are not aware of any exploits for this vulnerability. | Microsoft Java Virtual Machine Cross-Site Communication Vulnerability | Low | Secunia Advisory, SA12047, July 12, 2004 |
Microsoft MS Outlook Express 5.5 SP 2, 6, 6 SP1, 6 SP1 (64 bit Edition), 6 on Windows Server 2003, 6 on Windows Server 2003 (64 bit edition) | A denial of service vulnerability exists that could allow an attacker to send a specially crafted e-mail message causing Outlook Express to fail. Updates available at: http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx Currently, we are not aware of any exploits for this vulnerability. | Malformed E-mail Header Vulnerability CVE Name: | Low | Microsoft Security Bulletin MS04-018 |
| Opera
Opera 5.x, 6.x, 7.x | Due to a race condition in Opera it is possible to spoof the contents of the address bar using a specially crafted HTML page.
Solution: Disable support for Javascript. A Proof of Concept exploit has been published. | Opera Address Bar Spoofing Condition | Low | Securiteam, July 11, 2004 |
| Symantec
Symantec Norton AntiVirus 2003 Professional Edition; | A denial of service vulnerability was reported in Norton Anti-Virus. A remote user can cause the application to consume excessive CPU resources.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Norton AntiVirus Denial Of Service Vulnerability | Low | SecurityTracker Alert, 1010671, July 9, 2004 |
| UNIX Operating Systems | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
| 4D, Inc.
4D WebSTAR 5.3.2 and prior versions | Multiple vulnerabilities including buffer overflow exists that could allow an attacker to escalate privileges or obtain access to protected resources. A remote user can issue a specially crafted FTP command to trigger a stack-based overflow and execute arbitrary code.
The vendor has released a fixed version (5.3.3), available at: Currently, we are not aware of any exploits for this vulnerability. | 4D WebSTAR Grants Access to Remote Users and Elevated Privileges to Local Users | High | SecurityTracker Alert, 1010696, July 13, 2004 |
| Caol n McNamara and Dom Lachowicz
wvWare version 0.7.4, 0.7.5, 0.7.6 and 1.0.0 | A buffer overflow vulnerability exists if the user opens an exploit document in HTML mode using an application that builds upon the wv library.
Updates available at: http://www.abisource.com/bonsai/cvsview2.cgi? A Proof of Concept exploit has been published. | wvWare Library Buffer Overflow Vulnerability
CVE Name: | High | Securiteam, July 11, 2004
iDEFENSE Security Advisory, July 9, 2004 |
| Epic Games, Inc.
Unreal Tournament | A buffer overflow vulnerability exists in the Unreal game engine through the 'secure' query. An attacker could execute arbitrary code on the game server.
Updates available at: http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml Currently, we are not aware of any exploits for this vulnerability. | Buffer overflow in Unreal Tournament
CVE Name: | High | Gentoo Advisory, GLSA 200407-14 / Unreal Tournament, July 19, 2004 |
| Ethereal
Ethereal 0.x | Multiple Denial of Service and buffer overflow vulnerabilities exist due to errors in the iSNS, SNMP, and SMB dissectors which may allow an attacker to run arbitrary code or crash the program.
Updates available at: http://www.ethereal.com/download.html or disable the affected protocol dissectors. Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ Debian: http://lists.debian.org/debian-security-announce/debian- | Ethereal: Multiple security problems
CVE Names: | High | Gentoo Linux Security Advisory, GLSA 200407-08 / Ethereal, July 9, 2004 Secunia Advisory, 12034 & 12035, July 12, 2004 Etheral Advisory, enpa-sa-00015, July 6, 2004 |
| eXtropia
WebStore (version unknown) | An input validation vulnerability exists in eXtropia's WebStore because the web_store.cgi script does not properly validate user-supplied input in the 'page' parameter. A remote user can execute arbitrary shell commands on the target system. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | eXtropia WebStore Input Validation Bug Lets Remote Users Execute Arbitrary Commands | High | SecurityTracker Alert, 1010727, July 17, 2004 |
| FreeBSD
SSLTelnet version 0.13-1 | A format string vulnerability exists in telnetd.c when input is passed to a logging function without proper handling which could lead to remote code execution.
No workaround or patch available at time of publishing. There is no exploit code required. | SSLTelnet Remote Format String Vulnerability
CVE Name: | High | Securiteam, July 11, 2004
iDEFENSE Security Advisory, July 8, 2004 |
| Gentoo Linux 1.x
net-ww/moinmoin-1.2.2 | A vulnerability exists in the code handling administrative group Access Control Lists. A user created with the same name as an administrative group gains the privileges of the administrative group.
Update available at: http://www.gentoo.org/security/en/glsa/glsa-200407-09.xml | MoinMoin: Group ACL bypass | High | Gentoo Linux Security Advisory, GLSA 200407-09 / MoinMoin |
Gentoo, Linux Kernel 2.6.x Conectiva, Linux 8 and 9 | Multiple vulnerabilities exist in the Linux kernel, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or gain knowledge of sensitive information.
Gentoo:http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000846 Currently, we are not aware of any exploits for this vulnerability. | Multiple Vulnerabilities in the Linux Kernel | High | Gentoo Advisory, GLSA 200407-12 / Kernel, July 14, 2004
Conectiva Advisory, CLSA-2004:846 , July 16, 2004 |
| Mozilla Foundation
Bugzilla version 2.16.5 and prior | Multiple vulnerabilities exists that include one instance of arbitrary SQL injection exploitable only by a privileged user, several instances of insufficient data validation and/or escaping, and two instances of unprivileged access to names of restricted products. Upgrading to 2.16.6 and 2.18rc1 is recommended. Full release downloads, patches to upgrade Bugzilla to 2.16.6 from previous 2.16.x versions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download.html Currently, we are not aware of any exploits for this vulnerability. | Multiple Vulnerabilities In Bugzilla | High | The Mozilla Organization, Security Advisory 2.16.5, 2.17.7, July 10, 2004
Securiteam, July 13, 2004 |
| MySQL AB
MySQL version 4.1.0 up to but not including MySQL version 4.1.3; | An authentication vulnerability allows a remote user to obtain access to the database completely bypassing the normal authentication mechanism and without providing the DB user's password.
Updates available at: http://dev.mysql.com/downloads/ A Proof of Concept exploit has been published. | MySQL Authentication Scheme Bypass | High | Securiteam, July 11, 2004
NGSSoftware Insight Security Research Advisory, July 1, 2004 |
| CGIscript.NET
csFAQ | A path disclosure vulnerability in the csFAQ product allows a remote user to determine the full path to the web root directory and other potentially sensitive information.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | csFAQ Path Disclosure | Medium | Securiteam, July 11, 2004 |
| Fedora Project
Fedora Core 2 | A temporary file creation vulnerability exists in Fedora's im-switch utility which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of a user invoking the program.
Updates available at: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ | Fedora im-switch Insecure Temporary File Creation Vulnerability | Medium | Bugzilla Bug 126940: im-switch symlink vulnerability, June 29, 2004 |
| Fedora Project
Fedora Core 1 | Multiple vulnerabilities exist in httpd which can be exploited to cause a Denial of Service and potentially compromise a vulnerable system. Updates available at: Currently, we are not aware of any exploits for this vulnerability. | Fedora update for httpd | Medium | Secunia Advisory, SA12098, July 20, 2004 |
| GNU
Shorewall 1.4.x, 2.0.x | A privilege escalation vulnerability is caused due to the "shorewall" script creating temporary files insecurely, which can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user invoking the script (usually root). Update available at: http://shorewall.net/download.htm Currently, we are not aware of any exploits for this vulnerability. | Shorewall Insecure Temporary File Creation Vulnerability
CVE Name: CAN-2004-0647 | Medium | Shorewall Security Vulnerability, June 28, 2004 |
| Jaws
JAWS 0.3 | Multiple Cross-Site Scripting vulnerabilities exist in the index.php page that allows a malicious attacker to bypass authentication, read arbitrary files and perform Cross-Site-Scripting attacks.
Update available at: http://jaws.com.mx/ A Proof of Concept exploit has been published. | Multiples Vulnerabilities In JAWS | Medium | Securiteam, July 11, 2004 |
| Red Hat, Inc.
Linux Kernel 2.4.x, ia64 | A vulnerability exists in the Linux kernel, which potentially can be exploited to gain knowledge of sensitive information. The vulnerability is caused due to an error within the context switch code.
Updates available at: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734 A Proof of Concept exploit has been published. | Information leak on Linux/ia64
CVE Name: | Medium | Bugzilla Bug 124734, May 28, 2004 |
| SCO Group
SCO OpenServer 5.x | Multiple vulnerabilities exist in SCO MMDF. According to SCO the vulnerabilities are: buffer overflows, null dereferences and core dumps. One of the buffer overflows is known to affect "execmail". Updates available at: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/ A Proof of Concept exploit has been published. | SCO OpenServer Multiple Vulnerabilities in MMDF
CVE Names: | Medium | SCO Advisory, SCOSA-2004.7, July 14, 2004
Deprotect Security Advisory 20040206, July 2, 2004 |
| Gentoo Linux 1.x
rsync | A vulnerability exists that could allow malicious people to write files outside the intended directory.
Update to "net-misc/rsync-2.6.0-r2" or later available at http://www.gentoo.org/security/en/glsa/glsa-200407-10.xml | Gentoo update for rsync
CVE Name: | Low | Gentoo Linux Security Advisory GLSA 200407-10 / rsync, July 12, 2004 |
| Linux Kernel 2.6.7 | A denial of service vulnerability exists in the equalizer load-balancer for serial network interfaces. A local user can invoke either the eql_g_slave_cfg() function or the eql_s_slave_cfg() function and supply a non-existent slave device name to cause the kernel to crash. Updates available at: Currently, we are not aware of any exploits for this vulnerability. | Linux Kernel 'eql.c' Device Driver Error Lets Local Users Crash the System
CVE Name: | Low | SecurityTracker Alert, 1010700, July 14, 2004 |
| OpenPKG Project
OpenPKG 1.x | Multiple Denial of Service vulnerabilities exists due to 1) a boundary error within the logging functionality and 2) Buffer overflow on certain platforms the vsnprintf() function isn't supported.
Update available at: ftp://ftp.openpkg.org/release/1.3/UPD/dhcpd-3.0.1rc11-1.3.1.src.rpm Currently, we are not aware of any exploits for this vulnerability. | ISC DHCP Buffer Overflow Vulnerabilities
CVE Names: | Low | OpenPKG Security Advisory, July 9, 2004 |
| Multiple/Other Operating Systems | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
| Adobe
Adobe Reader 6.x; | A buffer overflow vulnerability exists in Adobe Acrobat / Reader due to a parsing and boundary error when splitting filename paths into components. Exploitation could allow remote attackers to execute arbitrary code. Update to version 6.0.2 available at http://www.adobe.com/support/techdocs/34222.htm Currently, we are not aware of any exploits for this vulnerability. | Adobe Acrobat / Reader File Extension Buffer Overflow Vulnerability | High | iDEFENSE Security Advisory, July 12, 2004 |
| GNU/GPL
PHP- Nuke 4.1 | Multiple vulnerabilities exist in the 'Search' module. A remote user can inject SQL commands, conduct cross-site scripting attacks and determine the installation path. These vulnerabilities are due to input validation errors and SQL injection flaws.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PHP-Nuke Input Validation Error in Search Module 'categ' Variable Permits SQL Injection | High | SecurityTracker Alert, 1010734, July 18, 2004 |
| GNU/GPL
PostNuke 0.75-RC3, 0.726-3 | An input validation vulnerability was reported in PostNuke in the Reviews module in the showcontent() function. A remote user can conduct cross-site scripting attacks and determine the installation path. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PostNuke Input Validation Hole in Reviews Module | High | Security Wari Projects, Advisory 10, July 14, 2004 |
| Hewlett-Packard
OpenVMS, DCE Version 3.1-SSB | A buffer overflow vulnerability exists in DCE for HP OpenVMS. A remote user may be able to cause denial of service conditions or execute arbitrary code. A remote user can send a specially crafted packet to a target DCE server to overflow a buffer on the target server.
Patches available through vendor. Currently, we are not aware of any exploits for this vulnerability. | DCE for HP OpenVMS Potential RPC Buffer Overrun Attack | High | HP Security Bulletin, HPSBOV01056, July 12, 2004 |
| mod SSL Project
mod_ssl 2.x | A vulnerability exists in mod_ssl, which may allow an attacker to compromise a vulnerable system. The vulnerability is reportedly caused due to a "ssl_log()" related format string error within the "mod_proxy" hook functions. Update to version 2.8.19-1.3.31 available at: OpenPKG: ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm | mod_proxy" Hook Functions Format String Vulnerability in mod_ssl | High | modSSL Notice, July 16, 2004
Secunia Advisory, SA12077, July 19, 2004 |
| Moodle
Moodle 1.3.2+ stable; 1.4 dev | An input validation vulnerability exists in 'help.php', affecting the 'file' parameter due to input not being properly filtered to remove HTML code from user-supplied input before displaying the information. This could allow a remote user to conduct cross-site scripting attacks.
A fix is available via CVS at: http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.php A Proof of Concept exploit has been published. | Moodle Input Validation Bug in 'help.php' | High | SecurityTracker Alert, 1010697, July 14, 2004 |
| Open Source Development Network
PlaySMS - SMS Gateway, versions prior to 0.7 | Multiple input verification vulnerabilities exist that could allow an attacker to conduct SQL injection attacks and execute arbitrary system commands. Update to version 0.7 available at: Currently, we are not aware of any exploits for this vulnerability. | PlaySMS SMS Gateway SQL and Command Injection Vulnerabilities | High | Secunia Advisory, |
| Outblaze
Outblaze E-mail | An input validation vulnerability exists in Outblaze E-mail that can allow a remote user to conduct cross-site scripting attacks. The e-mail server does not properly filter javascript from HTML-based e-mails. A remote user can send javascript code with an encoded carriage return character in the javascript tag to bypass the filtering mechanism. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Outblaze E-mail Javascript Filtering Error | High | SecurityTracker Alert, 1010735, July 18, 2004 |
| PHP Group
PHP 4.3.7 and prior versions; | A vulnerability exists in PHP when complied and running with 'memory_limit' enabled. A remote user may be able to execute arbitrary code on the target system. A vulnerability also exists in the handling of allowed tags within PHP's strip_tags() function. A remote user may be able to bypass the function to inject arbitrary tags when certain web browsers are used.
Update to version 4.3.8 or 5.0.0, available at: http://www.php.net/downloads.php | PHP 'memory_limit' and strip_tags() Remote Vulnerabilities
CVE Name: | High | SecurityTracker Alerts, 1010698 and 1010699, July 14, 2004
eMatters, Advisory 12/2004, July 14, 2004 Mandrake Advisory, MDKSA-2004:068, July 14, 2004 Gentoo Linux Security Advisory: GLSA 200407-13 / PHP, July 15, 2004 |
| phpBB Group
phpBB 2.0.8 | Input validation and other vulnerabilities exist in in 'index.php' and 'language\lang_english\lang_faq.php' which could allow a remote user to can determine the installation path or conduct cross-site scripting attacks.
Upgrade to version 2.0.9, available at: http://www.phpbb.com/downloads.php | phpBB Input Validation Holes | High | SecurityTracker Alert, 1010721, July 17, 2004 |
| SquirrelMail version 1.5.1 and earlier; IMP 3.2.3 (from Horde project); OpenWebmail 2.32; IlohaMail 0.8.12; Sqwebmail 4.0.4; | A vulnerability has been discovered in several web mail applications. Due to un-sanitized user input, a specially crafted e-mail being read by the victim can inject arbitrary HTML tags. When correctly exploited, it will permit the execution of malicious scripts to run in the context of the victim's browser. Upgrade to the next point release of the affected software. Currently, we are not aware of any exploits for this vulnerability. | Content-Type XSS Vulnerability in Multiple Webmail Programs | High | Securiteam, July 7, 2004 |
| Comersus Open Technologies
Comersus Shopping Cart 5.x, 4.x | Cross-Site Scripting and order manipulation vulnerabilities exist in Comersus Shopping Cart, due to improper input sanitization in certain scripts. Orders are also reportedly submitted insecurely via a GET request which can manipulate pricing.
Update to version 5.098 available at http://www.comersus.com/ | Comersus Shopping Cart Cross-Site Scripting and Price Manipulation | Medium | Secunia Advisory, SA12026, July 8, 2004 |
| D-Link Systems
D-Link DI-624 wireless router, firmware release 1.28 for Revision B. | A Denial of Service and Cross-Site Scripting vulnerabilities exist in D-Link DI-624.
Disable the DHCP service. A Proof of Concept has been published. | D-Link DI-624 Multiple Vulnerabilities | Medium | Bugtraq, June 27, 2004 |
| Fastream Technologies
Fastream NETFile FTP/Web Server 6.x | An input verification vulnerability exists in Fastream NETFile FTP/Web Server, allowing an attacker to retrieve arbitrary files. Update to version 6.7.3 available at http://www.fastream.com/netfile.htm Currently, we are not aware of any exploits for this vulnerability. | Fastream NETFile FTP/Web Server Directory Traversal Vulnerability | Medium | Secunia Advisory, SA12016, July 6, 2004 |
| Free Software Foundation
Ada ImgSvr 0.5 | Multiple input validation vulnerabilities exist that could allow a remote user to view files on the target system or execute arbitrary code on the target system.
No workaround or patch available at time of publishing. A Proof of Concept has been published. | Ada ImgSvr Discloses Files to Remote Users and May Execute Arbitrary Code | Medium | SecurityTracker Alert, 1010677, July 12, 2004 |
| GNU/GPL PHP-Nuke 7.x | Cross Site Scripting and other vulnerabilities exists in PHP-Nuke due to improperly sanitized input in the in the 'instory' field. These can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PHP-Nuke Multiple Vulnerabilities | Medium | Secunia Advisory, SA12083, July 19, 2004
SecurityTracker Alert, 1010722, July 17, 2004 |
| IBM
IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.x; | A Denial of Service vulnerability exists in IBM Lotus Sametime due to an unspecified error within the IBM Global Security Toolkit (GSKit) during SSL handshakes. This can be exploited via specially crafted SSL records to crash the application or cause a performance degradation.
Updates available at: http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21169383 Currently, we are not aware of any exploits for this vulnerability. | IBM Lotus Sametime GSKit Denial of Service Vulnerability | Medium | IBM Technote, July 12, 2004 |
| IBM
Lotus Notes R6.x; | Multiple vulnerabilities exist in the Lotus Notes clients due to unspecified errors when handling Java applets. Disable support for Java applets ("Enable Java applets" option) via the Notes client menu. Currently, we are not aware of any exploits for this vulnerability. | IBM Lotus Notes Client Unspecified Java Applet Handling | Medium | Secunia Advisory, SA12046, July 14, 2004
IBM Technote Reference #1173910 |
| Linksys
Linksys Wireless Internet Camera version 2.12 | The Linksys Camera has a file disclosure vulnerability in main.cgi leading to exposure of sensitive data and bypassing authentication.
No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Linksys Wireless Internet Camera File Disclosure | Medium | Securiteam, July 13, 2004 |
| Mbedthis Software
Mbedthis AppWeb 1.x | Multiple vulnerabilities exist in Mbedthis AppWeb that may be exploited to gain knowledge of sensitive information or bypass certain security restrictions. Upgrade to versions 1.0.4 and 1.1.3 available at: http://www.mbedthis.com/downloads/appWeb/index.html Currently, we are not aware of any exploits for this vulnerability. | Mbedthis AppWeb Multiple Vulnerabilities | Medium | Secunia Advisory, SA12011, July 7, 2004
Mbedthis New Features Advisory |
| IBM
WebSphere Edge Components Caching Proxy version 5.02 using JunctionRewrite with UseCookiedirective, apparently all platforms | A Denial of Service vulnerability exists if the JunctionRewrite directive is active and a HTTP GET request is executed. Patches are available from the vendor for clients with support level 2 or 3. The upcoming version of the server (5.0.3) will be immune to the vulnerability. As a workaround, it is possible to disable the directive if not needed, or the UseCookie option of the directive. Both of these conditions will prevent the denial of service. Currently, we are not aware of any exploits for this vulnerability. | WebSphere Edge Server DoS Through JunctionRewrite Directive | Low | Securiteam, July 7, 2003
CYBEC Security Systems |
| Moodle
Moodle 1.2.x, 1.3.x | An unspecified vulnerability exists due to an error in the front page and affects Moodle servers with old versions of PHP (prior to 4.3).
Update available at: http://moodle.org/mod/resource/view.php?id=8 Currently, we are not aware of any exploits for this vulnerability. | Moodle Unspecified Front Page Vulnerability | Low | Secunia Advisory, SA12045, July 12, 2004
Moodle.org, July 9, 2004 |
| Mozilla Foundation
Mozilla 1.6; | A Denial of Service vulnerability exists in which arbitrary root certificates are imported silently without presenting users with a import dialog box. Due to another problem, this can e.g. be exploited by malicious websites or HTML-based emails to prevent users from accessing valid SSL sites. Workaround: Check the certificate store and delete untrusted certificates if an error message is displayed with error code -8182 ("certificate presented by [domain] is invalid or corrupt") when attempting to access a SSL-based website. Currently, we are not aware of any exploits for this vulnerability. | Mozilla / Firefox Certificate Store Corruption Vulnerability | Low | Secunia Advisory, SA12076, July 16, 2004 Bugzilla Bug 24900, July 14, 2004 |
| Sierra Entertainment, Inc.
Half-Life (versions prior to July 7, 2004) | A Denial of Service vulnerability exists in Sierra's Half-Life engine because the software does not properly process split data, causing the target application to attempt to write to read-only memory and crash.
Update via Stream content management system. A Proof of Concept exploit has been published. | Half-Life Game Server and Client Can Be Crashed | Low | SecurityTracker Alert, 1010678, July 7, 2004 |
| Zoom
Zoom X3 ADSL Modem | A vulnerability in the product leaves out an administrative port that is password protected by a default password that cannot be changed. A malicious user can change DSL settings and issue a complete "Factory Reset". Workaround: Create dummy "Virtual Servers" on port TCP 254 to block any incoming connections. Currently, we are not aware of any exploits for this vulnerability. | Backdoor Menu on Conexant Chipset Dsl Router (Zoom X3) | Low | Securiteam, July 8, 2004 |
Recent Exploit
Scripts/Techniques
The table below contains a
sample of exploit scripts and "how to" guides identified during
this period. Red text indicates scripts or techniques for which
vendors, security vulnerability listservs, or computer emergency
response teams have not published workarounds or patches, or which
represent scripts that malicious users are utilizing.
Note: At times, scripts/techniques may
contain names or content that may be considered offensive.
| Date of Script (Reverse Chronological Order) | Script name | Script Description |
July 17, 2004 | W32.Beagle.AC@mm | Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses PeX as an executable packer. |
July 17, 2004 | W32.Beagle.AC@mm | Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses PeX as an executable packer. |
July 17, 2004. | WinCE.Duts.A | First virus that infects the Windows CE (Pocket PC) platform. The virus will only infect ARM-based devices. |
July 17, 2004 | Cross-Site Scripting Attack | Allows a remote user to send specially crafted e-mail, when viewed will cause arbitrary scripting code to be executed by the target user’s browser. |
July 16, 2004 | W32.Spybot.Worm | Worm that spreads using KaZaA file-sharing and mIRC. Can also be spread to computers that are infected with common Backdoor Trojan horses. |
July 15, 2004 | W32.Beagle.AB@mm | Mass-mailing worm that uses its own SMTP engine to spread through e-mail, and opens a backdoor on TCP Port 1080. Uses UPX as an executable packer |
July 13, 2004 | Remote Buffer Overflow Vulnerability | Script that perpetuates a lack of sufficient validation performed on user-supplied data before the data is copied into an allocated buffer. |
July 9, 2004 | DHCPing-0.90.tar.gz | DHCPing 0.90 is a tool that can be used for various security audits allowing an engineer the ability to create valid and invalid DHCP/BOOTP traffic via hping. It also features several exploits for the latest ISC Infoblox and DLink vulnerabilities. |
July 8, 2004 | Mysql.authentication.bypass_client.c.diff | A .diff file, applied to the MySQL 5.0.0-alpha source distribution will allow building a MySQL client that can be used to connect to a remote MySQL server with no password. |
July 8, 2004 | getusr.c | Exploit that makes use of the mod-userdir vulnerability in various Apache 1.3 and 2.x servers. |
July 7, 2004 | Backdoor.Berbew.H | Script that attempts to steal cached passwords and may display fake windows to gather confidential information. A minor variant of Backdoor.Berbew.H |
July 6, 2004 | Weplab-0.0.7-beta.tar.gz | Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available to help measure the effectiveness and minimum requirements necessary to succeed. |
Trends
Microsoft has released a Security Bulletin Summary for July 2004. This summary addresses vulnerabilities in various Windows applications and components. Exploitation of some of these vulnerabilities can result in the remote execution of arbitrary code by a remote attacker. For more information, see TA04-196A located at: http://www.us-cert.gov/cas/techalerts/TA04-196A.html
Six months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote attackers.
US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.
Viruses/Trojans
Top 10 High Threat Viruses
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.
| Rank | Common Name | Type of Code | Trends | Date |
1 | W32/Netsky-P | Win32 Worm | Increase | March 2004 |
2 | W32/Zafi-B | Win32 Worm | New to Table | June 2004 |
3 | W32/Netsky-Z | Win32 Worm | Increase | April 2004 |
4 | W32/Bagle-AA | Win32 Worm | New to Table | April 2004 |
5 | W32/Netsky-D | Win32 Worm | Decrease | March 2004 |
6 | W32/Netsky-B | Win32 Worm | Decrease | February 2004 |
7 | W32/Netsky-Q | Win32 Worm | Decrease | March 2004 |
8 | W32/Sasser | Win32 Worm | Slight Increase | April 2004 |
9 | Bagle.AD | Win32 Worm | Decrease | April 2004 |
10 | Lovgate.AB | Win32 Worm | New to Table | May 2004 |
10 | TROJ_AGENT.AC | Trojan | New to Table | July 2004 |
New Viruses / Trojans
Viruses or Trojans Considered to be a High Level of Threat
- Atak.A - Atak.A is a mass e-mailing worm that hides by going to sleep when it suspects that antivirus software is trying to detect it. This worm had received a lot of media attention and while it is not considered a serious threat, it can generate a significant amount of spam.
- Bagle / Beagle - New variants of the Bagle virus appeared over the last two weeks. Infected PCs download a Trojan which can use the infected computer to distribute spam and other malware and to launch distributed denial-of-service attacks.
- WinCE.Duts.A: While not considered a high threat, this virus is the first virus reported for the Windows CE (Pocket PC) platform. The virus is a simple appending file infector and will only infect ARM-based devices.
The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors and security related web sites: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.
NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.
Last
updated
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.