[VOTES] Vote details for recent clusters with advisories
This LEGACY-RECENT-ADVISORIES meta-cluster includes vote details for clusters proposed after October 1999. All of these candidates have formal advisories associated with them.

  UNIX-VEN
  LINUX
  CERT2
  MS

Also, note that in the ALL-NEW meta-cluster containing the RECENT-XX clusters, I inadvertently included candidates that went to final decision. It was bound to happen sometime. Future meta-clusters will not include such candidates.

- Steve

---------------------
CLUSTER UNIX-VEN
---------------------
UNIX-VEN (25 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31

Various problems acknowledged by Unix vendors

Voters:
   Frech      MODIFY(3) REJECT(1) REVIEWING(4)
   Christey   NOOP(1) REJECT(1) REVIEWING(1)
   Cole       ACCEPT(6) NOOP(2)
   Prosser    ACCEPT(5) MODIFY(2) REVIEWING(1)
   Stracener  ACCEPT(5) MODIFY(3)
   Blake      ACCEPT(8)

<FINAL>    --> 17
<INTERIM>  --> 1
<PROPOSED> --> 7
   MODIFY    --> 2
   REJECT    --> 1
   REVIEWING --> 5

=================================
Candidate: CAN-1999-0684
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: HP:HPSBUX9904-097

Denial of service in Sendmail 8.8.6 in HPUX.

INFERRED ACTION: CAN-1999-0684 SMC_REJECT (2 reject, 4 accept, 0 review)

Current Votes:
   ACCEPT(2) Cole, Blake
   MODIFY(2) Stracener, Prosser
   REJECT(2) Frech, Christey

Comments:
 Stracener> Add Ref: CIAC: J-040
 Frech> Without further information and/or references, this issue looks like an
 Frech> ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
 Frech> 8.8.6 related to accepting connections.
 Prosser> Might change description to indicate DoS caused by multiple connections
 Christey> Andre's right. This is a duplicate of CAN-1999-0684.
=================================
Candidate: CAN-1999-0694
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CIAC:J-055
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt

Denial of service in AIX ptrace system call allows local users to crash the system.

Modifications:
   ADDREF XF:aix-ptrace-halt
   DELREF BUGTRAQ:19990713

INFERRED ACTION: CAN-1999-0694 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Blake, Stracener, Prosser
   MODIFY(1) Frech
   NOOP(2) Cole, Christey

Comments:
 Frech> XF:aix-ptrace-halt
 Frech> Please add title to the BugTraq reference, since it was not evident to which
 Frech> message you were referring.
 Christey> I couldn't find the Bugtraq reference either, which is
 Christey> especially odd because the IBM advisory says that the
 Christey> problem was discussed in Bugtraq. Bugtraq reference deleted.

=================================
Candidate: CAN-1999-0767
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: SUN:00189

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

INFERRED ACTION: CAN-1999-0767 SMC_REVIEW (4 accept, 2 review)

Current Votes:
   ACCEPT(2) Cole, Blake
   MODIFY(2) Stracener, Frech
   REVIEWING(2) Prosser, Christey

Comments:
 Stracener> Add Ref: CIAC: J-069
 Frech> XF:sun-libc-lcmessages
 Prosser> BID 268 is an additional reference for this one as it has info on the Sun
 Prosser> vulnerability. However, BID 268 also includes AIX in this vulnerability and
 Prosser> refs APARS issued to fix a vulnerability in various 'nixs with the Natural
 Prosser> Language Service environmental variables NLSPATH and PATH_LOCALE depending
 Prosser> on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski
 Prosser> reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
 Prosser> is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
 Prosser> BO in LC_MESSAGES. This should probably be considered under a different
 Prosser> CAN. Any ideas?
 Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
 Christey> and PATH_LOCALE, I'd say that's good evidence that this is not
 Christey> the same problem. But a buffer overflow in libc in
 Christey> LC_MESSAGES... We must ask if these are basically the same
 Christey> codebase.

=================================
Candidate: CAN-1999-0783
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:05
Reference: CIAC:I-057

FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.

INFERRED ACTION: CAN-1999-0783 ACCEPT_REV (4 accept, 3 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Blake, Stracener, Prosser
   REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0789
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
Reference: IBM:ERS-SVA-E01-1

Buffer overflow in AIX ftpd in the libc library.
INFERRED ACTION: CAN-1999-0789 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Cole, Blake
   MODIFY(2) Stracener, Prosser
   REVIEWING(1) Frech

Comments:
 Stracener> Add Ref: CIAC: J-072
 Frech> On BUGTRAQ reference, add 19990927 as date
 Frech> On IBM reference, correctly cite as ERS-SVA-E01-1999:004.1
 Prosser> ref should read ERS-SVA-E01-1999:004.1
 Prosser> add reference BID 679

=================================
Candidate: CAN-1999-0796
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FREEBSD:SA-98.03

FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks.

INFERRED ACTION: CAN-1999-0796 ACCEPT_REV (3 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(3) Blake, Stracener, Prosser
   NOOP(1) Cole
   REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0911
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612

Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0911 ACCEPT (5 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Cole, Blake, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:proftpd-long-dir-bo
 Frech> (I already passed this to you during a BACKMAP message.)

=================================
Candidate: CAN-1999-0964
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: FREEBSD:FreeBSD-SA-97:01

Buffer overflow in FreeBSD setlocale in the libc module.
INFERRED ACTION: CAN-1999-0964 ACCEPT_REV (4 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Blake, Stracener, Prosser
   REVIEWING(1) Frech

---------------------
CLUSTER LINUX
---------------------
LINUX (30 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31

Linux problems acknowledged by Linux vendors

Voters:
   Christey   MODIFY(2) NOOP(1) REVIEWING(1)
   Cole       ACCEPT(2) MODIFY(3) NOOP(3)
   Stracener  ACCEPT(4) MODIFY(3) REJECT(1)
   Blake      ACCEPT(5) MODIFY(1) REJECT(2)

<FINAL>    --> 22
<INTERIM>  --> 5
<PROPOSED> --> 3
   ACCEPT    --> 1
   MODIFY    --> 4
   REJECT    --> 2
   REVIEWING --> 1

=================================
Candidate: CAN-1999-0708
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
Reference: BID:651

Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field.

Modifications:
   DELREF DEBIAN:19990806
   CHANGEREF BUGTRAQ BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
   DESC Add GECOS qualifier

INFERRED ACTION: CAN-1999-0708 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole
   NOOP(1) Christey

Comments:
 Cole> This is too general. I would add: By setting a carefully designed GECOS
 Cole> field it is possible to execute arbitrary code with root (or nobody)
 Cole> privileges
 Christey> There is no associated DEBIAN reference here, as
 Christey> DEBIAN:19990806 refers to an older remote-only buffer overflow
 Christey> in the username, not GECOS. (BID:512 also discusses that
 Christey> remote problem, though it may not be exploitable).
=================================
Candidate: CAN-1999-0712
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas

A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.

INFERRED ACTION: CAN-1999-0712 SMC_REVIEW (3 accept, 1 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Blake
   REVIEWING(1) Christey

Comments:
 Blake> This obscurely-written advisory seems to state that COAS will make the
 Blake> file world-readable, not that it allows the user to make it so. I hardly
 Blake> think that allowing the user to turn off security is a vulnerability.
 Christey> It's difficult to write the description based on what's in
 Christey> the advisory. If COAS inadvertently changes permissions
 Christey> without user confirmation, then it should be ACCEPTed with
 Christey> appropriate modification to the description.

=================================
Candidate: CAN-1999-0742
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990623
Reference: BID:480

The Debian mailman package uses weak authentication, which allows attackers to gain privileges.

Modifications:
   ADDREF BID:480

INFERRED ACTION: CAN-1999-0742 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Blake, Stracener
   NOOP(1) Cole

=================================
Candidate: CAN-1999-0743
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:trn-symlinks
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn

Trn allows local users to overwrite other users' files via symlinks.
Modifications:
   ADDREF SUSE:19990824 Security hole in trn

INFERRED ACTION: CAN-1999-0743 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(1) Stracener
   NOOP(1) Cole

Comments:
 Stracener> Add Ref: SUSE: Security hole in trn 24.08.99

=================================
Candidate: CAN-1999-0748
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:017-01

Buffer overflows in Red Hat net-tools package.

INFERRED ACTION: CAN-1999-0748 REJECT (1 reject, 2 accept, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   REJECT(1) Blake

Comments:
 Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
 Blake> absence of knowing whether or not the problems actually existed, I don't
 Blake> think we have an entry here.

=================================
Candidate: CAN-1999-0768
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.

INFERRED ACTION: CAN-1999-0768 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(3) Cole, Christey, Stracener

Comments:
 Cole> I would be a little clearer: By utilizing the MAILTO environment variable, a
 Cole> buffer can be overflown in the cron_popen() function, allowing an attacker
 Cole> to execute arbitrary code.
 Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
 Christey> CAN-1999-0768 are different. One has to do with a buffer
 Christey> overflow; the other deals with a user supplying their own
 Christey> Sendmail config file. BID:602 and BID:611 show this.
 Stracener> Add Ref: SUSE: Security hole in cron 29.08.1999:

=================================
Candidate: CAN-1999-0811
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba
Reference: XF:samba-message-bo
Reference: BID:536

Buffer overflow in Samba smbd program via a malformed message command.

Modifications:
   DESC add details
   ADDREF CALDERA:CSSA-1999:018.0
   ADDREF SUSE:19990816 Security hole in Samba
   ADDREF DEBIAN:19990731 Samba
   ADDREF XF:samba-message-bo
   ADDREF BID:536

INFERRED ACTION: CAN-1999-0811 ACCEPT_ACK (2 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(1) Stracener
   NOOP(1) Cole

Comments:
 Stracener> Add Ref: CALDERA: CSSA-1999:018.0
 Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
 Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999

=================================
Candidate: CAN-1999-0872
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BID:759
Reference: BID:611
Reference: REDHAT:RHSA-1999:030-02

Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

INFERRED ACTION: CAN-1999-0872 REJECT (2 reject, 1 accept, 0 review)

Current Votes:
   MODIFY(2) Cole, Christey
   REJECT(2) Blake, Stracener

Comments:
 Cole> 611 is the mail to listed above but 759 is for the mail from and
 Cole> should be listed as a separate vulnerability.
 Blake> This does not appear materially different from CAN-1999-0768
 Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
 Christey> CAN-1999-0768 are different. One has to do with a buffer
 Christey> overflow; the other deals with a user supplying their own
 Christey> Sendmail config file. BID:602 and BID:611 show this.
 Stracener> This is a duplicate of candidate CAN-1999-0768.

---------------------
CLUSTER CERT2
---------------------
CERT2 (26 candidates)
--------------------
Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24

Other CERT advisories not covered in the CERT cluster

Voters:
   Frech      MODIFY(3)
   Ozancin    ACCEPT(3)
   Cole       ACCEPT(3)
   Armstrong  ACCEPT(2) NOOP(1)
   Prosser    ACCEPT(2) RECAST(1)
   Stracener  ACCEPT(2) MODIFY(1)

<FINAL>    --> 23
<INTERIM>  --> 1
<PROPOSED> --> 2
   MODIFY --> 2
   RECAST --> 1

=================================
Candidate: CAN-1999-0696
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: CIAC:J-051
Reference: SUN:00188
Reference: CERT:CA-99-08
Reference: HP:00102
Reference: COMPAQ:SSRT0614U_RPC_CMSD

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)

INFERRED ACTION: CAN-1999-0696 RECAST (1 recast, 5 accept, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Ozancin
   MODIFY(2) Frech, Stracener
   RECAST(1) Prosser

Comments:
 Frech> XF:sun-cmsd-bo
 Prosser> Correct me if I am wrong as I don't have the facilities to test this, but
 Prosser> Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
 Prosser> The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
 Prosser> 1999 is an exact dupe of the 98 bulletin with the exception of some
 Prosser> additional patches for CDE on later versions of SunOS/Solaris. The CERT and
 Prosser> other vendor alerts are additional information on this BO for other vendors'
 Prosser> systems (why it took over a year?), but we already have a CVE number
 Prosser> outstanding for this vulnerability. Are these separate vulnerabilities? Or
 Prosser> the same one just found to affect more than originally thought? If so,
 Prosser> recommend merging this CAN into the existing CVE, and just adjust the
 Prosser> description in the existing CVE to reflect the additional vulnerable vendor
 Prosser> systems.
 Prosser> Additional reference: BID 486 and 524
 Stracener> Redundant references to J-051.

=================================
Candidate: CAN-1999-0955
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: XF:ftp-exec

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command.

Modifications:
   ADDREF XF:ftp-exec

INFERRED ACTION: CAN-1999-0955 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

Comments:
 Cole> There are actually two vulnerabilities listed in this CERT. I am assuming
 Cole> that the other one is listed in a different CVE.
 Frech> XF:ftp-exec

=================================
Candidate: CAN-1999-0959
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-97-05
Reference: SGI:19980301-01-PX

IRIX startmidi and stopmidi programs allow local users to modify arbitrary files via a symlink attack.
CONTENT-DECISIONS: SF-EXEC, SF-LOC

INFERRED ACTION: CAN-1999-0959 ACCEPT (5 accept, 3 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Cole, Ozancin, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong

Comments:
 Frech> XF:irix-startmidi-file-creation

---------------------
CLUSTER MS
---------------------
MS (45 candidates)
--------------------
Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24

Some Microsoft Advisories in 1999

Voters:
   Wall       ACCEPT(11)
   Frech      MODIFY(11)
   Ozancin    ACCEPT(9) NOOP(2)
   Christey   NOOP(2) REVIEWING(2)
   Cole       ACCEPT(4) MODIFY(1) RECAST(1) REJECT(5)
   Prosser    ACCEPT(11)
   Stracener  ACCEPT(7) MODIFY(4)

<FINAL>    --> 34
<INTERIM>  --> 4
<PROPOSED> --> 7
   MODIFY    --> 3
   RECAST    --> 1
   REJECT    --> 5
   REVIEWING --> 2

=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
   ADDREF XF:ms-scriptlet-eyedog-unsafe
   ADDREF MSKB:Q240308

INFERRED ACTION: CAN-1999-0668 SMC_REVIEW (6 accept, 1 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Wall> Note: Was this not CVE 199-0376?
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
 Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.
=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
   XF:ms-scriptlet-eyedog-unsafe
   MSKB:Q240308

INFERRED ACTION: CAN-1999-0669 SMC_REVIEW (6 accept, 1 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
 Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.

=================================
Candidate: CAN-1999-0670
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064

Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

INFERRED ACTION: CAN-1999-0670 REJECT (1 reject, 5 accept, 0 review)

Current Votes:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   REJECT(1) Cole

Comments:
 Frech> XF:ie-eyedog-bo
 Cole> Based on the references and information listed this is the same as
 Cole> CAN-1999-0669
 Stracener> Add Ref: MSKB Q240308

=================================
Candidate: CAN-1999-0736
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0736 ACCEPT (6 accept, 3 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Cole

Comments:
 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this. I would quote
 Cole> showcode.asp but make it more generic.
 Prosser> (Modify)
 Prosser> Have a question on this and on the following three candidates as well. All
 Prosser> of these are part of the file viewers utilities that allow unauthorized
 Prosser> files reading, but MSKB Q231368 also mentioned the diagnostics
 Prosser> program, Winmsdp.exe, as another vulnerable viewer in this same set of
 Prosser> viewers. If we are going to split out the separate viewer tools then
 Prosser> shouldn't there be a separate CAN for Winmsdp.exe also.

=================================
Candidate: CAN-1999-0737
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q231656

The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0737 REJECT (1 reject, 5 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech
   REJECT(1) Cole

Comments:
 Frech> XF:iis-samples-viewcode
 Cole> I would combine this with the previous.
 Prosser> (modify)
 Prosser> See comments in 0736 above

=================================
Candidate: CAN-1999-0738
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0738 REJECT (1 reject, 5 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech
   REJECT(1) Cole

Comments:
 Frech> XF:iis-samples-code
 Cole> Same as above
 Prosser> (modify)
 Prosser> See comments in 0736 above

=================================
Candidate: CAN-1999-0739
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0739 REJECT (1 reject, 5 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech
   REJECT(1) Cole

Comments:
 Frech> XF:iis-samples-codebrws
 Cole> Same as above.
 Prosser> (modify)
 Prosser> See comments in 0736 above

=================================
Candidate: CAN-1999-0874
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048

Buffer overflow in IIS via a malformed request for files with .HTR, .IDC, or .STM extensions.

INFERRED ACTION: CAN-1999-0874 RECAST (1 recast, 5 accept, 0 review)

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech
   RECAST(1) Cole

Comments:
 Frech> XF:iis-htr-overflow
 Cole> This description is very general and covers about 5 different
 Cole> exploits with IIS.
 Cole> The thing to remember is that with Microsoft there are so many
 Cole> vulnerabilities that
 Cole> you must be very specific. I would add the following:
 Cole> Microsoft has released a patch that eliminates a vulnerability in
 Cole> the Taskpads feature, which is provided as
 Cole> part of the Microsoft® Windows® 98 Resource Kit, Windows 98
 Cole> Resource Kit Sampler, and BackOffice®
 Cole> Resource Kit, second edition. The vulnerability could allow a
 Cole> malicious web site operator to run executables
 Cole> on the computer of a visiting user. Only customers who have
 Cole> installed one of the affected products and who
 Cole> surf the web using the machines on which they are installed are at
 Cole> risk from this vulnerability.

=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
Reference: BID:768

Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.

Modifications:
   ADDREF XF:nt-printer-spooler-bo
   ADDREF BID:768

INFERRED ACTION: CAN-1999-0898 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

Comments:
 Frech> XF:nt-printer-spooler-bo
 Prosser> (Modify)
 Prosser> This maybe should be separated into two entries. One for the DoS which is
 Prosser> just done with random data and one for the more experienced attack of
 Prosser> gaining privileges on the host.
 Christey> While the advisory is not entirely explicit, the difference
 Christey> between the DoS and the command execution is only in effect,
 Christey> and appears to be in the same line of code, so the SF-LOC
 Christey> content decision applies here.
=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: BID:769
Reference: XF:nt-printer-spooler-bo

The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.

Modifications:
   ADDREF XF:nt-printer-spooler-bo
   ADDREF BID:769

INFERRED ACTION: CAN-1999-0899 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

Comments:
 Frech> XF:nt-printer-spooler-bo
 Cole>
 Cole> [Originally rejected; vote changed to ACCEPT based on feedback]
 Cole> This should be combined with the previous one to state it can cause
 Cole> a denial of service
 Cole> or allow commands to be executed. Just because a vulnerability can
 Cole> be exploited in different ways
 Cole> does not mean there should be separate entries since the underlying
 Cole> exploit is the same.
 Christey> This is different than CAN-1999-0898 because 898 is a buffer
 Christey> overflow, while this one is incorrect permissions. They
 Christey> are different bugs, so should have separate entries. Note
 Christey> that MS99-047 also discriminates between these two candidates,
 Christey> i.e. it contains the phrase "A second vulnerability exists..."
 Christey> and goes on to describe CAN-1999-0899.

=================================
Candidate: CAN-1999-0910
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-035
Reference: BID:625

Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.
INFERRED ACTION: CAN-1999-0910 REJECT (1 reject, 5 accept, 0 review)

Current Votes:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   REJECT(1) Cole

Comments:
 Frech> XF:siteserver-cis-cookie-cache
 Cole> Whether cookies are a vulnerability is a debate for another time, the
 Cole> question here is whether the
 Cole> expiration feature is a vulnerability and I do not think it is
 Cole> because the underlying concerns for this
 Cole> are present even without this feature. The expiration feature does
 Cole> not add any new vulnerabilities
 Cole> that are not already present with cookies.
 Stracener> Add Ref: MSKB Q238647