metamail 2.7_1

Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.

 CAN-2004-0104 CAN-2004-0105 2004-02-18 2004-02-18 mnGoSearch buffer overflow in UdmDocToTextBuf() mnogosearch 3.2

Jedi/Sector One <j@pureftpd.org> reported the following on the full-disclosure list:

Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata.

Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document.

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though).

Exploitation should be easy, moreover textbuf points to the stack.

 http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html 2004-02-15 2004-02-15 GNU libtool insecure temporary file handling libtool 1.31.3.5_2 1.41.4.3_3 1.51.5.2

libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions.

This has been reported as a ``symlink vulnerability'', although I do not think that is an accurate description.

This vulnerability could possibly be used on a multi-user system to gain elevated privileges, e.g. root builds some packages, and another user successfully exploits this vulnerability to write to a system file.

 http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405 http://www.securityfocus.com/archive/1/352333 2004-01-30 2004-02-13 seti@home remotely exploitable buffer overflow setiathome 3.0.8

The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available.

 http://setiathome.berkeley.edu/version308.html http://web.archive.org/web/20030609204812/http://spoor12.edup.tudelft.nl/ 2003-04-08 2004-02-12 icecast 1.x multiple vulnerabilities icecast 1.3.12

icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root.

 CAN-2002-0177 CAN-2001-1230 CAN-2001-1229 CAN-2001-1083 CAN-2001-0784 4415 2933 2002-04-28 2004-02-12 nap allows arbitrary file access nap 1.4.5

According to the author:

Fixed security loophole which allowed remote clients to access arbitrary files on our system.

 http://quasar.mathstat.uottawa.ca/~selinger/nap/NEWS 2001-04-12 2004-02-12 CCE contains exploitable buffer overflows zh-cce 0.40

The Chinese Console Environment contains exploitable buffer overflows.

 http://programmer.lib.sjtu.edu.cn/cce/cce.html 2000-06-22 2004-02-12 ChiTeX/ChiLaTeX unsafe set-user-id root zh-chitex 0

Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system(3) without setting up the environment, trivially allowing local root compromise.

 http://cvsweb.freebsd.org/ports/chinese/chitex/Attic/Makefile?rev=1.5&content-type=text/x-cvsweb-markup 2003-04-25 2004-02-12 pine remotely exploitable buffer overflow in newmail.c zh-pine iw-pine pine pine4-ssl 4.21

Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix.

 http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/pine4/Makefile?rev=1.43&content-type=text/x-cvsweb-markup 2000-09-29 2004-02-12 pine insecure URL handling pine zh-pine iw-pine 4.44

An attacker may send an email message containing a specially constructed URL that will execute arbitrary commands when viewed.

 SA-02:05 2002-01-04 2004-02-12 pine remote denial-of-service attack pine zh-pine iw-pine 4.50

An attacker may send a specially-formatted email message that will cause pine to crash.

 http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2 CAN-2002-1320 2002-10-23 2004-02-12 pine remotely exploitable vulnerabilities pine zh-pine iw-pine 4.58

Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.

 CAN-2003-0720 CAN-2003-0721 http://www.idefense.com/application/poi/display?id=5 2003-09-10 2004-02-12 rsync buffer overflow in server mode rsync 2.5.7

When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.

 CAN-2003-0962 http://marc.theaimsgroup.com/?l=bugtraq&m=107055681311602&w=2 http://rsync.samba.org/#security 2003-12-04 2004-02-12 Several remotely exploitable buffer overflows in gaim gaim 0.75_3 0.75_5

Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory:

While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.

The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.

In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.

 http://security.e-matters.de/advisories/012004.txt CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008 2004-01-26 2004-02-12 Samba 3.0.x password initialization bug samba 3.0,13.0.1_2,1

From the Samba 3.0.2 release notes:

Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.

 http://www.samba.org/samba/whatsnew/samba-3.0.2.html CAN-2004-0082 2004-02-09 2004-02-12 clamav remote denial-of-service clamav 0.65_7

clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav.

 http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/62586 http://www.securityfocus.com/archive/1/353186 2004-02-09 2004-02-12 Buffer overflows in XFree86 servers XFree86-Server 4.3.0_14 4.3.994.3.99.15_1

A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on the machine running the X server.

 http://www.idefense.com/application/poi/display?id=72 http://www.idefense.com/application/poi/display?id=73 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106 2004-02-10 2004-02-12 Buffer overflow in Mutt 1.4 mutt ja-mutt 1.41.4.2

Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code.

 CAN-2004-0078 http://www.mutt.org/news.html 2004-02-11 2004-02-12 Apache-SSL optional client certificate vulnerability apache+ssl 1.3.29.1.53

From the Apache-SSL security advisory:

If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.

All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).

 http://www.apache-ssl.org/advisory-20040206.txt 2004-02-06 2004-02-10 L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump tcpdump 3.8.1_351 FreeBSD 5.2.1

Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process.

 CAN-2003-0989 CAN-2003-1029 CAN-2004-0057 http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107228187124962&w=2 http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070&w=2 2003-12-24 2004-01-19 fsp buffer overflow and directory traversal vulnerabilities fspd 0

The Debian security team reported a pair of vulnerabilities in fsp:

A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).

 CAN-2003-1022 CAN-2004-0011 http://www.debian.org/security/2004/dsa-416 2004-01-06 2004-01-19 Buffer overflow in INN control message handling inn 2.4.1 inn-stable 20031022_1

A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow.

 http://lists.litech.org/pipermail/inn-workers/2004q1/002763.html 2004-01-07 2004-01-08 ProFTPD ASCII translation bug resulting in remote root compromise proftpd 1.2.8_1

A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise.

 http://xforce.iss.net/xforce/alerts/id/154 CAN-2003-0831 2003-09-23 2004-01-05 bind8 negative cache poison attack bind 8.38.3.7 8.48.4.3 FreeBSD 5.15.1p11 5.05.0p19 4.94.9p1 4.84.8p14 4.74.7p24 4.64.6.2p27 4.54.5p37 4.4p47

A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.

 CAN-2003-0914 SA-03:19 734644 2003-11-28 2003-12-12 ElGamal sign+encrypt keys created by GnuPG can be compromised gnupg 1.0.21.2.3_4

Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.

The following summary was written by Werner Koch, GnuPG author:

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

...

Please take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.

Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.

 CAN-2003-0971 http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html 2003-11-27 2003-12-12 Mathopd buffer overflow mathopd 1.4p2

Mathopd contains a buffer overflow in the prepare_reply() function that may be remotely exploitable.

 http://www.mail-archive.com/mathopd%40mathopd.org/msg00136.html 2003-12-04 2003-12-12 lftp HTML parsing vulnerability lftp 2.6.10

A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.

 CAN-2003-0963 http://lftp.yar.ru/news.html#2.6.10 2003-12-11 2003-12-12 Fetchmail address parsing vulnerability fetchmail 6.2.0

Fetchmail can be crashed by a malicious email message.

 http://security.e-matters.de/advisories/052002.html 2003-10-25 2003-10-25 Buffer overflow in pam_smb password handling pam_smb 1.9.9_3

Applications utilizing pam_smb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise.

 http://www.skynet.ie/~airlied/pam_smb/ CAN-2003-0686 2003-10-25 2003-10-25 2003-10-25 Buffer overflows in libmcrypt libmcrypt 2.5.6

libmcrypt does incomplete input validation, leading to several buffer overflow vuxml. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack.

 http://seclists.org/lists/bugtraq/2003/Jan/0022.html CAN-2003-0031 CAN-2003-0032 2003-10-25 2003-10-25 2003-10-25 qpopper format string vulnerability qpopper 2.53_1

An authenticated user may trigger a format string vulnerability present in qpopper's UIDL code, resulting in arbitrary code execution with group ID `mail' privileges.

 1241 CVE-2000-0442 http://www.netsys.com/suse-linux-security/2000-May/att-0137/01-b0f5-Qpopper.txt 2000-05-23 2003-12-12