fetchmail denial-of-service vulnerabilities fetchmail 6.2.5

Dave Jones discovered two denial-of-service vulnerabilities in fetchmail:

  • An out-of-bounds array reference in rfc822.c could cause fetchmail to segfault. (This bug was actually fixed in the OpenBSD port before the discovery of the implications by Dave.) (CAN-2003-0790)
  • An email message containing a very long line could cause fetchmail to segfault due to a missing NUL termination in transact.c. (CAN-2003-0792)

Eric Raymond decided not to mention these issues in the release notes for fetchmail 6.2.5, but they were fixed there.

NOTE: MITRE has mistakenly cancelled CAN-2003-0790.

CAN-2003-0790 CAN-2003-0792 8843 http://xforce.iss.net/xforce/xfdb/13450 http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/fetchmail/patches/Attic/patch-rfc822_c?rev=1.1 2003-10-16 2004-02-25
mailman denial-of-service vulnerability in MailCommandHandler mailman 2.1

A malformed message could cause mailman to crash.

CAN-2003-0991 http://umn.dl.sourceforge.net/sourceforge/mailman/mailman-2.0.13-2.0.14-diff.txt 2003-11-18 2004-02-25
mailman XSS in admin script mailman 2.1.4

Dirk Mueller reports:

I've found a cross-site scripting vulnerability in the admin interface of mailman 2.1.3 that allows, under certain circumstances, for anyone to retrieve the (valid) session cookie.

CAN-2003-0965 http://mail.python.org/pipermail/mailman-announce/2003-December/000066.html http://xforce.iss.net/xforce/xfdb/14121 2003-12-31 2004-02-25
mailman XSS in create script mailman 2.1.3

From the 2.1.3 release notes:

Closed a cross-site scripting exploit in the create cgi script.

CAN-2003-0992 http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html 2003-09-28 2004-02-25
mailman XSS in user options page mailman 2.1.1

From the 2.1.1 release notes:

Closed a cross-site scripting vulnerability in the user options page.

CAN-2003-0038 http://mail.python.org/pipermail/mailman-announce/2003-February/000056.html 2003-02-08 2004-02-25
SQL injection vulnerability in phpnuke phpnuke 6.9

Multiple researchers have discovered multiple SQL injection vulnerabilities in some versions of Php-Nuke. These vulnerabilities may lead to information disclosure, compromise of the Php-Nuke site, or compromise of the back-end database.

http://security.nnov.ru/search/document.asp?docid=5748 http://www.securityfocus.com/archive/1/348375 http://www.security-corporation.com/advisories-027.html http://www.securityfocus.com/archive/1/353201 2003-12-12 2004-02-25
lbreakout2 vulnerability in environment variable handling lbreakout2 2.2.2_1

Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environmental variable handling. In several instances, the contents of the HOME environmental variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire group-ID `games' privileges.

An exploit for this vulnerability has been published by ``Li0n7 voila fr''.

CAN-2004-0158 http://www.debian.org/security/2004/dsa-445 http://www.securityfocus.com/archive/1/354760/2004-02-21/2004-02-27/0 2004-02-21 2004-02-25
hsftp format string vulnerabilities hsftp 1.14

Ulf Härnhammar discovered a format string bug in hsftp's file listing code may allow a malicious server to cause arbitrary code execution by the client.

http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00044.html 2004-02-22 2004-02-25
Darwin Streaming Server denial-of-service vulnerability DarwinStreamingServer 4.1.3g

An attacker can cause an assertion to trigger by sending a long User-Agent field in a request.

CAN-2004-0169 http://www.idefense.com/application/poi/display?id=75 2004-02-23 2004-02-25
libxml2 stack buffer overflow in URI parsing libxml2 2.6.6

Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxml2 to parse documents.

CAN-2004-0110 http://www.xmlsoft.org/news.html http://mail.gnome.org/archives/xml/2004-February/msg00070.html 2004-02-08 2004-02-25
file disclosure in phpMyAdmin phpMyAdmin 2.5.4

Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server.

CAN-2004-0129 http://marc.theaimsgroup.com/?l=bugtraq&m=107582619125932&w=2 http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/export.php#rev2.3.2.1 2004-02-17 2004-02-22
Vulnerabilities in H.323 implementations pwlib 1.6.0 asterisk 0.7.2 openh323 1.12.0_2

The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution.

In the FreeBSD Ports Collection, `pwlib' is directly affected. Other applications such as `asterisk' and `openh323' incorporate `pwlib' statically and so are also independently affected.

http://www.uniras.gov.uk/vuls/2004/006489/h323.htm http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html CA-2004-01 749342 CAN-2004-0097 http://www.southeren.com/blog/archives/000055.html 2004-01-13 2004-02-22
metamail format string bugs and buffer overflows metamail 2.7_1

Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.

CAN-2004-0104 CAN-2004-0105 2004-02-18 2004-02-18 2004-02-19
Buffer overflows in XFree86 servers XFree86-Server 4.3.0_13 4.3.994.3.99.15_1

A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on the machine running the X server.

http://www.idefense.com/application/poi/display?id=72 http://www.idefense.com/application/poi/display?id=73 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106 2004-02-10 2004-02-12 2004-02-18
mnGoSearch buffer overflow in UdmDocToTextBuf() mnogosearch 3.2

Jedi/Sector One <j@pureftpd.org> reported the following on the full-disclosure list:

Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata.

Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document.

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though).

Exploitation should be easy, moreover textbuf points to the stack.

http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html 2004-02-15 2004-02-15
GNU libtool insecure temporary file handling libtool 1.31.3.5_2 1.41.4.3_3 1.51.5.2

libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions.

This has been reported as a ``symlink vulnerability'', although I do not think that is an accurate description.

This vulnerability could possibly be used on a multi-user system to gain elevated privileges, e.g. root builds some packages, and another user successfully exploits this vulnerability to write to a system file.

http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405 http://www.securityfocus.com/archive/1/352333 2004-01-30 2004-02-13
seti@home remotely exploitable buffer overflow setiathome 3.0.8

The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available.

http://setiathome.berkeley.edu/version308.html http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/ 2003-04-08 2004-02-12
icecast 1.x multiple vulnerabilities icecast 1.3.12

icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root.

CAN-2002-0177 CAN-2001-1230 CAN-2001-1229 CAN-2001-1083 CAN-2001-0784 4415 2933 2002-04-28 2004-02-12
nap allows arbitrary file access nap 1.4.5

According to the author:

Fixed security loophole which allowed remote clients to access arbitrary files on our system.

http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS 2001-04-12 2004-02-12
CCE contains exploitable buffer overflows zh-cce 0.40

The Chinese Console Environment contains exploitable buffer overflows.

http://programmer.lib.sjtu.edu.cn/cce/cce.html 2000-06-22 2004-02-12
ChiTeX/ChiLaTeX unsafe set-user-id root zh-chitex 0

Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system(3) without setting up the environment, trivially allowing local root compromise.

http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&content-type=text/x-cvsweb-markup 2003-04-25 2004-02-12
pine remotely exploitable buffer overflow in newmail.c zh-pine iw-pine pine pine4-ssl 4.21

Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix.

http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&content-type=text/x-cvsweb-markup 2000-09-29 2004-02-12
pine insecure URL handling pine zh-pine iw-pine 4.44

An attacker may send an email message containing a specially constructed URL that will execute arbitrary commands when viewed.

SA-02:05 2002-01-04 2004-02-12
pine remote denial-of-service attack pine zh-pine iw-pine 4.50

An attacker may send a specially-formatted email message that will cause pine to crash.

http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2 CAN-2002-1320 2002-10-23 2004-02-12
pine remotely exploitable vulnerabilities pine zh-pine iw-pine 4.58

Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.

CAN-2003-0720 CAN-2003-0721 http://www.idefense.com/application/poi/display?id=5 2003-09-10 2004-02-12
rsync buffer overflow in server mode rsync 2.5.7

When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.

CAN-2003-0962 http://marc.theaimsgroup.com/?l=bugtraq&m=107055681311602&w=2 http://rsync.samba.org/#security 2003-12-04 2004-02-12
Several remotely exploitable buffer overflows in gaim gaim 0.75_3 0.75_5

Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory:

While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.

The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.

In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.

http://security.e-matters.de/advisories/012004.txt CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008 2004-01-26 2004-02-12
Samba 3.0.x password initialization bug samba 3.0,13.0.1_2,1

From the Samba 3.0.2 release notes:

Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.

http://www.samba.org/samba/whatsnew/samba-3.0.2.html CAN-2004-0082 2004-02-09 2004-02-12
clamav remote denial-of-service clamav 0.65_7

clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav.

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/62586 http://www.securityfocus.com/archive/1/353186 2004-02-09 2004-02-12
Buffer overflow in Mutt 1.4 mutt ja-mutt 1.41.4.2

Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code.

CAN-2004-0078 http://www.mutt.org/news.html 2004-02-11 2004-02-12
Apache-SSL optional client certificate vulnerability apache+ssl 1.3.29.1.53

From the Apache-SSL security advisory:

If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.

All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).

http://www.apache-ssl.org/advisory-20040206.txt 2004-02-06 2004-02-10
L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump tcpdump 3.8.1_351 FreeBSD 5.2.1

Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process.

CAN-2003-0989 CAN-2003-1029 CAN-2004-0057 http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107228187124962&w=2 http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070&w=2 2003-12-24 2004-01-19
fsp buffer overflow and directory traversal vulnerabilities fspd 0

The Debian security team reported a pair of vulnerabilities in fsp:

A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).

CAN-2003-1022 CAN-2004-0011 http://www.debian.org/security/2004/dsa-416 2004-01-06 2004-01-19
Buffer overflow in INN control message handling inn 2.4.1 inn-stable 20031022_1

A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow.

http://lists.litech.org/pipermail/inn-workers/2004q1/002763.html 2004-01-07 2004-01-08
ProFTPD ASCII translation bug resulting in remote root compromise proftpd 1.2.8_1

A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise.

http://xforce.iss.net/xforce/alerts/id/154 CAN-2003-0831 2003-09-23 2004-01-05
bind8 negative cache poison attack bind 8.38.3.7 8.48.4.3 FreeBSD 5.15.1p11 5.05.0p19 4.94.9p1 4.84.8p14 4.74.7p24 4.64.6.2p27 4.54.5p37 4.4p47

A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.

CAN-2003-0914 SA-03:19 734644 2003-11-28 2003-12-12
ElGamal sign+encrypt keys created by GnuPG can be compromised gnupg 1.0.21.2.3_4

Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.

The following summary was written by Werner Koch, GnuPG author:

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

...

Please take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.

Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.

CAN-2003-0971 http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html 2003-11-27 2003-12-12
Mathopd buffer overflow mathopd 1.4p2

Mathopd contains a buffer overflow in the prepare_reply() function that may be remotely exploitable.

http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html 2003-12-04 2003-12-12
lftp HTML parsing vulnerability lftp 2.6.10

A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.

CAN-2003-0963 http://lftp.yar.ru/news.html#2.6.10 2003-12-11 2003-12-12
Fetchmail address parsing vulnerability fetchmail 6.2.0

Fetchmail can be crashed by a malicious email message.

http://security.e-matters.de/advisories/052002.html 2003-10-25 2003-10-25
Buffer overflow in pam_smb password handling pam_smb 1.9.9_3

Applications utilizing pam_smb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise.

http://www.skynet.ie/~airlied/pam_smb/ CAN-2003-0686 2003-10-25 2003-10-25 2003-10-25
Buffer overflows in libmcrypt libmcrypt 2.5.6

libmcrypt does incomplete input validation, leading to several buffer overflow vuxml. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack.

http://seclists.org/lists/bugtraq/2003/Jan/0022.html CAN-2003-0031 CAN-2003-0032 2003-10-25 2003-10-25 2003-10-25
qpopper format string vulnerability qpopper 2.53_1

An authenticated user may trigger a format string vulnerability present in qpopper's UIDL code, resulting in arbitrary code execution with group ID `mail' privileges.

1241 CVE-2000-0442 http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt 2000-05-23 2003-12-12