A remote exploitable buffer overflow has been discovered in exim when verify = header_syntax is used in the configuration file. This does not affect the default configuration.
The includes/sessions.php unnecessarily adds session item into session table and therefore vulnerable to a denial-of-service attack.
An input validation error was discovered in the kadmind code that handles the framing of Kerberos 4 compatibility administration requests. The code assumed that the length given in the framing was always two or more bytes. Smaller lengths will cause kadmind to read an arbitrary amount of data into a minimally-sized buffer on the heap.
A remote attacker may send a specially formatted message to kadmind, causing it to crash or possibly resulting in arbitrary code execution.
The kadmind daemon is part of Kerberos 5 support. However, this bug will only be present if kadmind was built with additional Kerberos 4 support. Thus, only systems that have *both* Heimdal Kerberos 5 and Kerberos 4 installed might be affected.
NOTE: On FreeBSD 4 systems, `kadmind' may be installed as `k5admind'.
Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../').
These programming errors generally only have a security impact when dealing with remote CVS repositories.
A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system.
A CVS client may request RCS files from a remote system other than those in the repository specified by $CVSROOT. These RCS files need not be part of any CVS repository themselves.
The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnap_ffs(8) command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value.
A regularly scheduled backup of a live filesystem, or any other process that uses the mksnap_ffs command (for instance, to provide a rough undelete functionality on a file server), will clear any flags in effect on the filesystem being snapshot. Possible consequences depend on local usage, but can include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem.
The mksnap_ffs command is normally only available to the superuser and members of the `operator' group. There is therefore no risk of a user gaining elevated privileges directly through use of the mksnap_ffs command unless it has been intentionally made available to unprivileged users.
A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented.
It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.
A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the calling process's root directory.
A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail.
FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue. A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP). By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers (``mbufs''), likely leading to a system crash.
From the FreeBSD Security Advisory:
A programming error in the handling of some IPv6 socket options within the setsockopt(2) system call may result in memory locations being accessed without proper validation.
It may be possible for a local attacker to read portions of kernel memory, resulting in disclosure of sensitive information. A local attacker can cause a system panic.
A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake.
A programming error in BIND 8 named can result in a DNS message being incorrectly cached as a negative response. As a result, an attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.
Ulf Härnhammar discovered several vulnerabilities in LHa for UNIX's path name handling code. Specially constructed archive files may cause LHa to overwrite files or execute arbitrary code with the privileges of the user invoking LHa. This could be particularly harmful for automated systems that might handle archives such as virus scanning processes.
Steve Grubb reports a buffer read overrun in libpng's png_format_buffer function. A specially constructed PNG image processed by an application using libpng may trigger the buffer read overrun and possibly result in an application crash.
Jindrich Makovicka reports a regression in proftpd's handling of IP address access control lists (IP ACLs). Due to this regression, some IP ACLs are treated as ``allow all''.
A straightforward stack buffer overflow exists in XChat's Socks5 proxy support.
The XChat developers report that `tsifra' discovered this issue.
NOTE: XChat Socks5 support is disabled by support in the FreeBSD Ports Collection.
When running rsync in daemon mode, no checks were made to prevent clients from writing outside of a module's `path' setting.
From the xinehq advisory:
By opening a malicious MRL in any xine-lib based media player, an attacker can write arbitrary content to an arbitrary file, only restricted by the permissions of the user running the application.
The flaw is a result of a feature that allows MRLs (media resource locator URIs) to specify arbitrary configuration options.
Jakub Jelinek reports several security related bugs in Midnight Commander, including:
An unknown remotely exploitable vulnerability was disclosed. Robert Segall writes:
a security vulnerability was brought to my attention (many thanks to Akira Higuchi). Everyone running any previous version should upgrade to 1.6 immediately - the vulnerability may allow a remote exploit. No exploits are currently known and none have been observed in the wild till now. The danger is minimised if you run Pound in a root jail and/or you run Pound as non-root user.
Shaun Colley reports that the script `mysqlbug' included with MySQL sometimes creates temporary files in an unsafe manner. As a result, an attacker may create a symlink in /tmp so that if another user invokes `mysqlbug' and quits without making any changes, an arbitrary file may be overwritten with the bug report template.
Greuff reports that the neon WebDAV client library contains several format string bugs within error reporting code. A malicious server may exploit these bugs by sending specially crafted PROPFIND or PROPPATCH responses.
Although several applications include neon, such as cadaver and subversion, the FreeBSD Ports of these applications are not impacted. They are specifically configured to NOT use the included neon. Only packages listed as affected in this notice are believed to be impacted.
The common.php script always trusts the `X-Forwarded-For' header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs).
NISCC / UNIRAS has published an advisory that re-visits the long discussed spoofed TCP RST denial-of-service vulnerability. This new look emphasizes the fact that for some applications such attacks are practically feasible.
Jack of RaptureSecurity reported a double byte buffer overflow in ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID `nobody', but with group-ID `wheel'.
A buffer overflow is present in some versions of the KDE personal information manager (kdepim) which may be triggered when processing a specially crafted VCF file.
The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution.
In the FreeBSD Ports Collection, `pwlib' is directly affected. Other applications such as `asterisk' and `openh323' incorporate `pwlib' statically and so are also independently affected.
When racoon receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a ridiculously large value in the length field, racoon may exceed operating system resource limits and be terminated, resulting in a denial of service.
When racoon receives an IKE message with an incorrectly constructed Generic Payload Header, it may behave erratically, going into a tight loop and dropping connections.
Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems.
These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.
NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP protocol handler from tcpdump, and so is also affected by this issue.
Midnight Commander uses a fixed sized stack buffer while resolving symbolic links within file archives (tar or cpio). If an attacker can cause a user to process a specially crafted file archive with Midnight Commander, the attacker may be able to obtain the privileges of the target user.
Ralf Spenneberg discovered a serious flaw in racoon. When using Phase 1 main or aggressive mode, racoon does not verify the client's RSA signature. Any installations using X.509 authentication are strongly urged to upgrade.
Installations using pre-shared keys are believed to be unaffected.
Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory:
While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.
The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.
In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.
Philippe Oechslin reported a denial-of-service vulnerability in oftpd. The oftpd server can be crashed by sending a PORT command containing an integer over 8 bits long (over 255).
Heimdal does not correctly validate the `transited' field of Kerberos tickets when computing the authentication path. This could allow a rogue KDC with which cross-realm relationships have been established to impersonate any KDC in the authentication path.
The Courier set of mail services use a common Unicode library. This library contains buffer overflows in the converters for two popular Japanese character encodings. These overflows may be remotely exploitable, triggered by a maliciously formatted email message that is later processed by one of the Courier mail services. From the release notes for the corrected versions of the Courier set of mail services:
iso2022jp.c: Converters became (upper-)compatible with ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.
shiftjis.c: Broken SHIFT_JIS converters has been fixed and became (upper-)compatible with Shifted Encoding Method (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.
Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory:
The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack against the daemon.
Carefully crafted ISAKMP packets will cause the isakmpd daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).
NOTE WELL: This issue does not affect any FreeBSD platform. It is recorded only for reference.
A denial-of-service issue was reported by Jeff Trawick. From the CVS commit log for the fix:
Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32.
It was determined that this issue does not affect FreeBSD systems. From the Apache security advisory:
This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux.
A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may occur. A `visit' might be caused by social engineering, or a malicious web server could use HTTP redirects which MPlayer would then process.
From the Squid advisory:
Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.
A remote attacker could cause zebra/quagga to crash by sending a malformed telnet command to their management port.
Timo Sirainen reports multiple buffer overflows that may be triggered while parsing messages, as well as input validation errors that could result in disclosure of mailing list passwords.
These bugs were resolved in the August 2003 snapshot of ecartis.
Stefan Esser of e-matters Security discovered a baker's dozen of buffer overflows in Ethereal's decoders, including:
In addition, a vulnerability in the RADIUS decoder was found by Jonathan Heusser.
Finally, there is one uncredited vulnerability described by the Ethereal team as:
A zero-length Presentation protocol selector could make Ethereal crash.
Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation.
Users with admin rights can severly damage an phpBB installation, potentially triggered by viewing a page with a malicious link sent by an attacker.
A security hole exists that can be used to crash the proxy and execute arbitrary code. An exploit is circulating that takes advantage of this, and in some cases succeeds in obtaining a login shell on the machine.
A remote attacker may use specially crafted IKE/ISAKMP messages to cause racoon to delete security associations. This could result in denial-of-service or possibly cause sensitive traffic to be transmitted in plaintext, depending upon configuration.
When the directive "SecFilterScanPost" is enabled, the Apache 2.x version of ModSecurity is vulnerable to an off-by-one overflow
Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives:
Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory.
Matt Zimmerman discovered that the cause of the bug was a missing check for a restricted user within a code path that is executed only when a certain error is encountered.
Jon Orton reports a memory leak in Apache 2's mod_ssl. A remote attacker may issue HTTP requests on an HTTPS port, causing an error. Due to a bug in processing this condition, memory associated with the connection is not freed. Repeated requests can result in consuming all available memory resources, probably resulting in termination of the Apache process.
Ulf Härnhammar discovered several vulnerabilities in GNU Anubis.
Ulf notes that these vulnerabilities can be exploited by a malicious IDENT server as a denial-of-service attack.
A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on the machine running the X server.
Steve Kemp reports (in a Debian bug submission):
Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games).
Environmental variables are used without being bounds-checked in any way, from the source code:
highscore.c: /* Use the environment variable if it exists */ if ((str = getenv("XBOING_SCORE_FILE")) != NULL) strcpy(filename, str); else strcpy(filename, HIGH_SCORE_FILE); misc.c: if ((ptr = getenv("HOME")) != NULL) (void) strcpy(dest, ptr);Neither of these checks are boundschecked, and will allow arbitary shell code to be run.
Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().
These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.
Ulf Härnhammar reports multiple buffer overflows in Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code.
Depending upon local configuration, these vulnerabilities may be exploited using specially crafted messages in order to execute arbitrary code running with the privileges of the user invoking Emil.
Anyone can get admin's username and password's md5 hash via a single web request. A working example is provided in the advisory.
The authors of UUDeview report repairing two buffer overflows in their software.
Henning Brauer discovered a programming error in Apache 1.3's mod_access that results in the netmasks in IP address access control rules being interpreted incorrectly on 64-bit, big-endian platforms. In some cases, this could cause a `deny from' IP address access control rule including a netmask to fail.
An attacker may cause Apache with mod_python to crash by using a specially constructed query string.
In 2003, two vulnerabilities were discovered in mpg123 that could result in remote code execution when using untrusted input or streaming from an untrusted server.
Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.
Eric Raymond decided not to mention this issue in the release notes for fetchmail 6.2.5, but it was fixed there.
A malformed message could cause mailman to crash.
Dirk Mueller reports:
I've found a cross-site scripting vulnerability in the admin interface of mailman 2.1.3 that allows, under certain circumstances, for anyone to retrieve the (valid) session cookie.
From the 2.1.3 release notes:
Closed a cross-site scripting exploit in the create cgi script.
From the 2.1.1 release notes:
Closed a cross-site scripting vulnerability in the user options page.
Multiple researchers have discovered multiple SQL injection vulnerabilities in some versions of Php-Nuke. These vulnerabilities may lead to information disclosure, compromise of the Php-Nuke site, or compromise of the back-end database.
Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environmental variable handling. In several instances, the contents of the HOME environmental variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire group-ID `games' privileges.
An exploit for this vulnerability has been published by ``Li0n7 voila fr''.
Ulf Härnhammar discovered a format string bug in hsftp's file listing code may allow a malicious server to cause arbitrary code execution by the client.
An attacker can cause an assertion to trigger by sending a long User-Agent field in a request.
Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxml2 to parse documents.
Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server.
Jedi/Sector One <j@pureftpd.org> reported the following on the full-disclosure list:
Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata.
Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document.
'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though).
Exploitation should be easy, moreover textbuf points to the stack.
libtool attempts to create a temporary directory in which to write scratch files needed during processing. A malicious user may create a symlink and then manipulate the directory so as to write to files to which she normally has no permissions.
This has been reported as a ``symlink vulnerability'', although I do not think that is an accurate description.
This vulnerability could possibly be used on a multi-user system to gain elevated privileges, e.g. root builds some packages, and another user successfully exploits this vulnerability to write to a system file.
The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available.
icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root.
According to the author:
Fixed security loophole which allowed remote clients to access arbitrary files on our system.
The Chinese Console Environment contains exploitable buffer overflows.
Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system(3) without setting up the environment, trivially allowing local root compromise.
Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix.
An attacker may send an email message containing a specially constructed URL that will execute arbitrary commands when viewed.
An attacker may send a specially-formatted email message that will cause pine to crash.
Pine versions prior to 4.58 are affected by two vulnerabilities discovered by iDEFENSE, a buffer overflow in mailview.c and an integer overflow in strings.c. Both vulnerabilities can result in arbitrary code execution when processing a malicious message.
When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.
From the Samba 3.0.2 release notes:
Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.
clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav.
Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code.
From the Apache-SSL security advisory:
If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.
All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).
Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process.
The Debian security team reported a pair of vulnerabilities in fsp:
A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (CAN-2003-1022), and also overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).
A small, fixed-size stack buffer is used to construct a filename based on a received control message. This could result in a stack buffer overflow.
A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise.
Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.
The following summary was written by Werner Koch, GnuPG author:
Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.
...
Please take immediate action and revoke your ElGamal signing keys. Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.
Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.
Mathopd contains a buffer overflow in the prepare_reply() function that may be remotely exploitable.
A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.
An authenticated user may trigger a format string vulnerability present in qpopper's UIDL code, resulting in arbitrary code execution with group ID `mail' privileges.
Fetchmail can be crashed by a malicious email message.
Applications utilizing pam_smb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise.
libmcrypt does incomplete input validation, leading to several buffer overflow vuxml. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack.