"CANDIDATE","DESCRIPTION","PHASE","REFERENCES","VOTES","COMMENTS" "Date: 20081202",,,,, "Candidates must be reviewed and accepted by the CVE Editorial Board",,,,, "before they can be added to the official CVE list. Therefore, these",,,,, "candidates may be modified or even rejected in the future. They are",,,,, "provided for use by individuals who have a need for an early",,,,, "numbering scheme for items that have not been fully reviewed by",,,,, "the Editorial Board.",,,,, ,,,,, CVE-1999-0001,Candidate,"ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.","CERT:CA-98-13-tcp-denial-of-service | BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service | CONFIRM:http://www.openbsd.org/errata23.html#tcpfix | OSVDB:5707 | URL:http://www.osvdb.org/5707",Modified (20051217)," MODIFY(1) Frech | NOOP(2) Northcutt, Wall | REVIEWING(1) Christey"," Christey> A Bugtraq posting indicates that the bug has to do with | ""short packets with certain options set,"" so the description | should be modified accordingly. | | But is this the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | Frech> XF:teardrop(338) | This assignment was based solely on references to the CERT advisory. 
| Christey> The description for BID:190, which links to CVE-1999-0052 (a | FreeBSD advisory), notes that the patches provided by FreeBSD in | CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and | CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without | further analysis." CVE-1999-0004,Candidate,"MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.","CERT:CA-98.10.mime_buffer_overflows | XF:outlook-long-name | SUN:00175 | MS:MS98-008 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp",Modified (19990621-01)," ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Shostack"," Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject | this suggestion, I will not be devastated.) :-) | Christey> This issue seems to have been rediscovered in | BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again | http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 | | Also see | BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 | Christey> | CVE-2000-0415 may be a later rediscovery of this problem | for Outlook. | Dik> Sun bug 4163471, | Christey> ADDREF BID:125 | Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2" CVE-1999-0015,Candidate,"Teardrop IP denial of service.","CERT:CA-97.28.Teardrop_Land | XF:teardrop",Proposed (19990726)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF: teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. 
| Christey> MSKB:Q154174 | MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) | indicate that CVE-1999-0015 was fixed in NT SP3, but | CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the | problems keep separate candidates because one problem appears | in a different version than the other. | Christey> BID:124 | http://www.securityfocus.com/bid/124 | Consider MSKB:Q154174 | http://support.microsoft.com/support/kb/articles/q154/1/74.asp | Consider BUGTRAQ:19971113 Linux IP fragment overlap bug | http://www.securityfocus.com/archive/1/8014" CVE-1999-0020,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," MODIFY(1) Frech | NOOP(4) Levy, Northcutt, Wall, Shostack | REJECT(2) Christey, Baker"," Frech> XF:lpr-bo | Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo" CVE-1999-0030,Candidate,"root privileges via buffer overflow in xlock command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul | XF:sgi-xlockbo | SGI:19970508-02-PX",Proposed (19990623)," ACCEPT(3) Ozancin, Levy, Prosser | NOOP(1) Baker | RECAST(1) Frech | REJECT(1) Christey"," Frech> XF:xlock-bo (also add) | As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and | several Linii. | Also, don't you mean to cite SGI:19970502-02-PX? The one you list is | login/scheme. | Levy> Notice that this xlock overflow is the same as in | CA-97.13. CA-97.21 simply is a reminder. | Christey> As pointed out by Elias, CA-97.21 states: ""For more | information about vulnerabilities in xlock... see CA-97.13"" | CA-97.13 = CVE-1999-0038. | This may also be a duplicate with CVE-1999-0306. 
| | See exploits at: | | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 | | Sun also has this problem, at | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba" CVE-1999-0033,Candidate,"Command execution in Sun systems via buffer overflow in the at program.","CERT:CA-97.18.at | SUN:00160 | XF:sun-atbo",Modified (20040811)," ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins | NOOP(1) Christey | RECAST(1) Frech"," Frech> This vulnerability also manifests itself for the following | platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, | please add the following: | Reference: XF:at-bo | Dik> Sun bug 1265200, 4063161 | Christey> ADDREF SGI:19971102-01-PX | ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX | SCO:SB.97:01 | ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a | Christey> CIAC:F-15 | http://ciac.llnl.gov/ciac/bulletins/f-15.shtml | HP:HPSBUX9502-023 | Christey> Add period to the end of the description." CVE-1999-0061,Candidate,"File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).","NAI:NAI-20 | XF:bsd-lpd",Proposed (19990630)," ACCEPT(3) Hill, Northcutt, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> This should be split into three separate problems based on | the SNI advisory. But there's newer information to further | complicate things. | | What do we do about this one? in 1997 or so, SNI did an | advisory on this problem. In early 2000, it was still | discovered to be present in some Linux systems. So an | SF-DISCOVERY content decision might say that this is a | long enough time between the two, so this should be recorded | separately. But they're the same codebase... so if we keep | them in the same entry, how do we make sure that this entry | reflects that some new information has been discovered? 
| | The use of dot notation may help in this regard, to use one | dot for the original problem as discovered in 1997, and | another dot for the resurgence of the problem in 2000. | Baker> We should merge these. | Christey> Perhaps this should be NAI-19 instead of NAI-20? | The original Bugtraq post for the SNI advisory suggests SNI-19: | BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability | URL:SNI-19:BSD lpd vulnerability | | Also add: | BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 | | However, archives of ""NAI-0020"" point to the lpd vuln. | | If I recall correctly, some of the NAI advisory numbers got | switched when NAI acquired SNI." CVE-1999-0076,Candidate,"Buffer overflow in wu-ftp from PASV command causes a core dump.","XF:ftp-args",Modified (19990925-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Balinsky | REVIEWING(1) Christey"," Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? | Christey> Need to add more references and details." CVE-1999-0078,Candidate,"pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.","CERT:CA-96.08.pcnfsd | XF:rpc-pcnfsd",Modified (19990621-01)," ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack | NOOP(1) Baker | RECAST(1) Christey"," Christey> This candidate should be SPLIT, since there are two separate | software flaws. One is a symlink race and the other is a | shell metacharacter problem. 
| Christey> The permissions part of this vulnerability appears to | overlap with CVE-1999-0353 | Christey> SGI:20020802-01-I" CVE-1999-0086,Candidate,"AIX routed allows remote users to modify sensitive files.","ERS:ERS-SVA-E01-1998:001.1 | XF:ibm-routed",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | NOOP(1) Baker | REJECT(1) Christey"," Frech> Reference: XF:ibm-routed | Prosser> This vulnerability allows debug mode to be turned on which is | the problem. Should this be more specific in the description? This | one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which | is in the SGI cluster, shouldn't these be cross-referenced as the same | vuln affects multiple OSes. | Christey> This appears to be subsumed by CVE-1999-0215" CVE-1999-0088,Candidate,"IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.","ERS:ERS-SVA-E01-1998:004.1 | URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt",Proposed (19990617)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> ERS (and other references, BTW) explicitly stipulate 'local and | remote'. | Reference: XF:irix-autofsd | Prosser> Include the SGI Alert as well since it is mentioned in the | description. | SGI Security Advisory 19981005-01-PX | Christey> DUPE CVE-1999-0210? | Christey> ADDREF CIAC:J-014 | Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry" CVE-1999-0089,Candidate,"Buffer overflow in AIX libDtSvc library can allow local users to gain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-libDtSvc",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> Reference: XF:ibm-libDtSvc | Prosser> The overflow is in the dtaction utility. Also affects | dtaction in the CDE on versions of SunOS (SUN 164). 
Probably should be | specific. | Christey> Same Codebase as CVE-1999-0121, so the two entries should be | merged." CVE-1999-0092,Candidate,"Various vulnerabilities in the AIX portmir command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:006.1",Proposed (19990623)," ACCEPT(2) Baker, Bollinger | MODIFY(1) Frech | NOOP(1) Ozancin"," Frech> XF:ibm-portmir" CVE-1999-0098,Candidate,"Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.","XF:smtp-helo-bo",Proposed (19990726)," MODIFY(2) Baker, Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> (Accept XF reference.) | Our references do not mention hiding activities. This issue can crash the | SMTP server or execute arbitrary byte-code. Is there another reference | available? | Christey> Should this be merged with CVE-1999-0284, which is Sendmail | with SMTP HELO? | Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 | BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 | Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference." CVE-1999-0104,Candidate,"A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.","CERT:CA-97.28.Teardrop_Land | XF:teardrop-mod",Modified (20040811)," ACCEPT(2) Wall, Frech | REVIEWING(1) Christey"," Wall> Another reference is Microsoft Knowledge Base Q179129. | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. 
| Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Note that the hotfix name is teardrop2, but the keywords | included in the KB article specifically name bonk | (CVE-1999-0258) and boink. | Since teardrop2 was fixed in a slightly different version | (at least in a separate patch) than Teardrop, CD:SF-LOC | suggests keeping them separate. | Christey> Add period to the end of the description." CVE-1999-0105,Candidate,"finger allows recursive searches by using a long string of @ symbols.","",Proposed (19990726)," MODIFY(3) Shostack, Baker, Frech | NOOP(1) Christey | REJECT(1) Northcutt"," Shostack> fingerD | Frech> XF:finger-bomb | Christey> aka redirection or forwarding requests? (but then might | overlap CVE-1999-0106) | Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS." CVE-1999-0106,Candidate,"Finger redirection allows finger bombs.","",Proposed (19990726)," ACCEPT(1) Northcutt | MODIFY(2) Shostack, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Shostack> fingerd allows redirection | This is a larger modification, since there are two applications of the | vulnerability, one that I can finger anonymously, and the other that I | can finger bomb anonymously. | Frech> XF:finger-bomb | Christey> need more refs | Baker> This should be merged with 1999-0105" CVE-1999-0107,Candidate,"Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.","XF:apache-dos | BUGTRAQ:19971230 Apache DoS attack?",Modified (19991223-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Shostack, Northcutt, Wall | REVIEWING(1) Levy | REVOTE(1) Christey"," Wall> - Although this is probably the phf hack. 
| Frech> XF:apache-dos | Christey> This sounds like the incident reported in: | NTBUGTRAQ:20000810 Apache Distributed Denial of Service | Levy> I believe this is the problem where sending lots of HTTP headers to Apache resulted in a denial of service. | BUGTRAQ: http://www.securityfocus.com/archive/1/10228 | BUGTRAQ: http://www.securityfocus.com/archive/1/10516" CVE-1999-0110,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Interim (19990810)," MODIFY(1) Frech | NOOP(4) Shostack, Levy, Northcutt, Wall | REJECT(3) Dik, Christey, Baker"," Frech> XF:fdformat-bo | Christey> Duplicate of CVE-1999-0315 | Dik> dup" CVE-1999-0114,Candidate,"Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.","BUGTRAQ:19990912 elm filter program | BUGTRAQ:19951226 filter (elm package) security hole | XF:elm-filter2",Modified (20000106-01)," ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong | MODIFY(2) Baker, Frech | NOOP(3) Ozancin, Christey, Northcutt | REVIEWING(1) Levy"," Frech> XF:elm-filter2 | CHANGE> [Wall changed vote from NOOP to ACCEPT] | Landfield> with Frech modifications | Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory | Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm | Need to make sure that this CERT advisory describes the right | problem, especially since the CERT advisory is dated December | 18, 1995 and the original Bugtraq post was December 26, 1995. 
| Christey> BID:1802 | URL:http://www.securityfocus.com/bid/1802 | BID:1802 doesn't include the 1999 posting - does Security | Focus think that the 1999 post describes a different | vulnerability? | Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? | Its references point to the December 26, 1995 Bugtraq post. | | Also consider CIAC:G-36 and CERT:VB-95:10 | Frech> DELREF:XF:elm-filter2(711) | ADDREF:XF:elm-filter(402)" CVE-1999-0119,Candidate,"Windows NT 4.0 beta allows users to read and delete shares.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Northcutt, Baker | REJECT(1) Wall"," Wall> Reject based on beta copy. | Frech> XF:nt-beta(11) | Reconsider reject, because this beta was in widespread use." CVE-1999-0121,Candidate,"Buffer overflow in dtaction command gives root access.","SUN:00164 | ERS:ERS-SVA-E01-1997:005.1",Proposed (19990617)," ACCEPT(2) Dik, Northcutt | MODIFY(3) Prosser, Baker, Frech | REVIEWING(1) Christey"," Frech> Reference: XF:dtaction-bo | Reference: XF:sun-dtaction | Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a | library in AIX 4.x, but reference for this Sun vulnerability should | only reflect the Sun Bulletin or the CIAC I-032 version of the Sun | Bulletin | Christey> This is the Same Codebase as CVE-1999-0089, so the two entries | should be merged. 
| Frech> Replace sun-dtaction(732) with dtaction-bo(879) | Baker> Merge with 1999-0089" CVE-1999-0123,Candidate,"Race condition in Linux mailx command allows local users to read user files.","XF:linux-mailx | BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole",Modified (20000105-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Wall", CVE-1999-0127,Candidate,"swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.","CERT:CA-96.27.hp_sw_install | AUSCERT:AA-96.04 | XF:hpux-swinstall",Proposed (19990623)," ACCEPT(2) Prosser, Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> (keep current XF: reference, and add) | XF:hpux-sqwmodify | Christey> Perhaps this should be split, per SF-LOC. | Christey> CIAC:H-81 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | HP:HPSBUX9707-064 references CERT:CA-96.27 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | | The original AUSCERT advisory says that the programs ""create | files in an insecure manner"" and ""Exploit details involving | this vulnerability have been made publicly available."" which | leads one to assume that the following original Bugtraq post | provides the details for a standard symlink problem: | | BUGTRAQ:19961005 swinst,bug | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2" CVE-1999-0140,Candidate,"Denial of service in RAS/PPTP on NT systems.","",Proposed (19990630)," ACCEPT(1) Hill | MODIFY(2) Frech, Meunier | NOOP(1) Baker | REJECT(1) Christey"," Meunier> Add ""pptp invalid packet length in header"" to distinguish from other | vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be | discovered in the future. | Frech> XF:nt-ras-bo | ONLY IF reference is to MS:MS99-016 | Christey> According to my mappings, this is not the MS:MS99-016 problem | referred to by Andre. However, I have yet to dig up a | source. 
| CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This is too general to know which problem is being discussed. | More precise candidates should be created. | Christey> Consider adding BID:2111" CVE-1999-0144,Candidate,"Denial of service in Qmail by specifying a large number of recipients with the RCPT command.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | BID:2237 | URL:http://www.securityfocus.com/bid/2237 | XF:qmail-rcpt | URL:http://xforce.iss.net/static/208.php",Modified (20010301-02)," ACCEPT(4) Frech, Meunier, Hill, Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0418 and CVE-1999-0250? | Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. 
| | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> http://cr.yp.to/qmail/venema.html | Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. | His page states this is not a qmail problem, rather it is a UNIX problem | that many apps can consume all available memory, and that the administrator | is responsible to set limits in the OS, rather than expect applications to | individually prevent memory exhaustion. CAN-1999-0250 does appear to | be a duplicate of this entry, based on the research I have done so far. | There were two different bugtraq postings, but the second one references | the first, stating that the new exploit uses perl instead of shell scripting | to accomplish the same attack/exploit. | Baker> http://www.securityfocus.com/archive/1/6970 | http://www.securityfocus.com/archive/1/6969 | http://cr.yp.to/qmail/venema.html | | Should probably reject CVE-1999-0250, and add these references to this | Candidate. | Baker> http://www.securityfocus.com/bid/2237 | CHANGE> [Baker changed vote from REVIEWING to ACCEPT] | Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. 
A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | NOTE: the ufo.org domain was purchased by another party in | 2003, so the current owner is not associated with any | statements by ""super@ufo.org"" that were made before 2003. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BID:2237 | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0154,Candidate,"IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.","MSKB:Q163485 | MSKB:Q164059 | BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP | XF:http-iis-aspdot | XF:http-iis-aspsource",Proposed (20010912)," ACCEPT(4) Frech, Stracener, Wall, Foat | NOOP(3) Christey, Baker, Cole"," Christey> This is the precursor to the problem that is identified in | CVE-1999-0253. 
| Christey> CIAC:H-48 | URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml | CHANGE> [Foat changed vote from NOOP to ACCEPT]" CVE-1999-0156,Candidate,"wu-ftpd FTP daemon allows any user and password combination.","XF:ftp-pwless",Proposed (19990714)," ACCEPT(2) Shostack, Northcutt | NOOP(1) Baker | RECAST(1) Frech | REVIEWING(2) Christey, Prosser"," Prosser> but so far can find no reference to this one | Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e., | also affects IIS FTP server). | Christey> The references for XF:ftp-pwless are not specific enough, | e.g. in terms of version numbers. Perhaps this candidate | should be rejected due to insufficient information." CVE-1999-0163,Candidate,"In older versions of Sendmail, an attacker could use a pipe character to execute root commands.","XF:smtp-pipe",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Prosser | NOOP(2) Christey, Baker | RECAST(1) Shostack"," Shostack> there was a 'To: |' and a 'From: |' attack, which I | think are separate. | Prosser> older vulnerability, but one additional reference is- | The Ultimate Sendmail Hole List by Markus Hübner @ | bau2.uibk.ac.at/matic/buglist.htm | '|PROGRAM ' | Christey> Description needs to be more specific to distinguish between | this and CVE-1999-0203, as alluded to by Adam Shostack" CVE-1999-0165,Candidate,"NFS cache poisoning.","XF:nfs-cache",Modified (20040811)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Shostack | NOOP(1) Prosser | REVIEWING(1) Christey"," Shostack> need more data | Christey> need more refs | Christey> Add period to the end of the description." CVE-1999-0169,Candidate,"NFS allows attackers to read and write any file on the system by specifying a false UID.","XF:nfs-uid",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Baker | REJECT(1) Shostack"," Shostack> this is not a vulnerability but a design feature. 
| Baker> Maybe we should reword it so that it is clear that this was a problem to something like: | | ""A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID.""" CVE-1999-0171,Candidate,"Denial of service in syslog by sending it a large number of superfluous messages.","XF:syslog-flood",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | NOOP(1) Baker | REJECT(2) Shostack, Christey"," Shostack> design issue, not a vulnerability. Alternately, add: | DOS on server by opening a large number of telnet sessions.. | Christey> Duplicate of CVE-1999-0566" CVE-1999-0186,Candidate,"In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.","CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm | SUN:00178 | XF:snmp-backdoor-access",Modified (20071119)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr | Add ISS:Hidden Community String in SNMP Implementation | Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE. | Christey> ADDREF BID:177 | Christey> ISS:19981102 Hidden community string in SNMP implementation | http://xforce.iss.net/alerts/advise11.php | | Change description to include ""hidden"" | Christey> XF:snmp-backdoor-access is missing." CVE-1999-0187,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. 
Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," ACCEPT(2) Hill, Northcutt | RECAST(3) Frech, Prosser, Baker | REJECT(1) Dik | REVIEWING(1) Christey"," Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in | rdist lookup( ) (ref CERT 96.14) as well as the BO in rdist function expstr() | (ref CERT 97-23) and various vendor bulletins. However both of these rdist | BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, | FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content | decision | Frech> XF:rdist-bo (error msg formation) | XF:rdist-bo2 (execute code) | XF:rdist-bo3 (execute user-created code) | XF:rdist-sept97 (root from local) | Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in | CERT:CA-97.23.rdist), but as Mike and Andre noted, there | are multiple flaws here, so a RECAST may be necessary. | Dik> As currently phrased, this is a duplicate of CVE-1999-0022 | Baker> Based on our new philosophy, this should be recast/merged or re-described." CVE-1999-0193,Candidate,"Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.","",Proposed (19990714)," ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole | MODIFY(2) Blake, Baker | NOOP(4) Frech, Wall, Landfield, Armstrong | REVIEWING(2) Levy, Christey"," Frech> possibly XF:ascend-kill | I can't find a reference that lists both routers in the same reference. | Wall> Comment: There is a reference about the zero length TCP option in BugTraq on | Feb 5, 1999 | and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 | mentions | vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 | mentions | 3Com vulnerabilities, but not TCP. Too confusing without better references. 
| Landfield> What are the references for this? I cannot find a means to check it out. | CHANGE> [Frech changed vote from REVIEWING to NOOP] | Frech> Cannot reconcile to our database without further references. | Blake> I'm with Andre. I only remember and can find reference to the Ascend | issue. Do we have a reference to the 3Coms? If not, that should be | removed from the description. | Baker> http://xforce.iss.net/static/614.php Misc Defensive Info | http://www.securityfocus.com/archive/1/5682 Misc Offensive Info | http://www.securityfocus.com/archive/1/5647 Misc Defensive Info | http://www.securityfocus.com/archive/1/5640 Misc Defensive Info | CHANGE> [Armstrong changed vote from REVIEWING to NOOP]" CVE-1999-0195,Candidate,"Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.","BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate",Modified (19991130-01)," ACCEPT(2) Shostack, Balinsky | MODIFY(1) Frech | NOOP(3) Northcutt, Wall, Baker | REVIEWING(2) Levy, Christey"," Frech> XF:rpcbind-spoof | Christey> CVE-1999-0195 = CVE-1999-0461 ? | If this is approved over CVE-1999-0461, make sure it gets | XF:pmap-sset" CVE-1999-0197,Candidate,"finger 0@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> fingerd may respond to 'finger 0@host' with account info | Frech> Need more reference to establish this 'exposure'. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. 
The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 | Finger 0@host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) | http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host | feature)" CVE-1999-0198,Candidate,"finger .@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> as above | Frech> Need more reference to establish this 'exposure'. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 | Finger .@target-host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host | check ) | http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host | feature)" CVE-1999-0200,Candidate,"Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.","MSKB:Q137853",Modified (19991130-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | NOOP(2) Northcutt, Wall | REJECT(1) Christey | REVIEWING(1) Levy"," Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? | Frech> Others have mentioned this before, but it may be WU-FTP. | POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root | access without anon FTP or a regular account? | POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a | non-anon FTP account and gain root privs. | Christey> added MSKB reference | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> The MSKB article may have confused things even more. 
There | were reports of problems in a Windows-based FTP server called | WFTP (http://www.wftpd.com/) that is not a Microsoft FTP | server. It's best to just kill this candidate where it | stands and start fresh." CVE-1999-0205,Candidate,"Denial of service in Sendmail 8.6.11 and 8.6.12.","BUGTRAQ:19990708 SM 8.6.12",Modified (19990925-01)," ACCEPT(2) Hill, Northcutt | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(2) Ozancin, Christey"," Frech> XF:sendmail-alias-dos | Prosser> additional source | Bugtraq | ""Re: SM 8.6.12"" | http://www.securityfocus.com | Christey> The Bugtraq thread does not provide any proof, including a | comment by Eric Allman that he hadn't been provided any | details either. | | See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu | for the thread. | Christey> Change Bugtraq reference date to 19950708." CVE-1999-0213,Candidate,"libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.","XF:sun-libnsl | SUNBUG:4305859",Modified (20001009-01)," ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole | MODIFY(3) Frech, Levy, Baker | NOOP(4) Bishop, Meunier, Wall, Armstrong | REVIEWING(1) Christey"," Frech> XF:sun-libnsl | Dik> Sun bug #4305859 | Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info | http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info | http://www.securityfocus.com/archive/1/9749 Misc Defensive Info | Christey> I don't think this is the bug that everyone thinks it is. | This candidate came from CyberCop Scanner 2.4/2.5, which | only reports this as a DoS problem. If SUN:00172 is an | advisory for this, then it may be a duplicate of | CVE-1999-0055. There appears to be overlap with other | references as well. 
HOWEVER, this particular one deals with a | DoS in rpcbind - which isn't mentioned in the sources for | CVE-1999-0055. | Levy> BID 148" CVE-1999-0216,Candidate,"Denial of service of inetd on Linux through SYN and RST packets.","BUGTRAQ:19971130 Linux inetd.. | XF:linux-inetd-dos | HP:HPSBUX9803-077 | XF:hp-inetd",Modified (19991203-01)," ACCEPT(1) Hill | MODIFY(2) Frech, Baker | RECAST(1) Meunier"," Meunier> The location of the vulnerability, whether in the Linux kernel or the | application, is debatable. Any program making the same (reasonable) | assumption is vulnerable, i.e., implements the same vulnerability: | ""Assumption that TCP-three-way handshake is complete after calling Linux | kernel function accept(), which returns socket after getting SYN. Result | is process death by SIGPIPE"" | Moreover, whether it results in DOS (to third parties) depends on the | process that made the assumption. | I think that the present entry should be split, one entry for every | application that implements the vulnerability (really describing threat | instances, which is what other people think about when we talk about | vulnerabilities), and one entry for the Linux kernel that allows the | vulnerability to happen. | Frech> XF:hp-inetd | XF:linux-inetd-dos | Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast" CVE-1999-0220,Candidate,"Attackers can do a denial of service of IRC by crashing the server.","",Proposed (19990728)," NOOP(2) Northcutt, Baker | REJECT(2) Frech, Christey"," Frech> Would reconsider if any references were available. | Christey> No references available, combined with extremely vague | description, equals REJECT." 
CVE-1999-0222,Candidate,"Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(3) Frech, Shostack, Levy | NOOP(3) Balinsky, Northcutt, Wall | RECAST(1) Ziese | REJECT(1) Christey"," Shostack> I follow cisco announcements and problems pretty closely, and haven't | seen this. Source? | Frech> XF:cisco-web-crash | Christey> XF:cisco-web-crash has no additional references. I can't find | any references in Bugtraq or Cisco either. This bug is | supposedly tested by at least one security product, but that | product's database doesn't have any references either. So | a question becomes, how did it make it into at least two | security companies' databases? | Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159 | BID 1154 | Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if | recast to reflect that ""...after using a long url..."" should be replaced | with | ""...A defect in multiple releases of Cisco IOS software will cause a Cisco | router or switch to halt and reload if the IOS HTTP service is enabled, | browsing to ""http://router-ip/anytext?/"" is attempted, and the enable | password is supplied when requested. This defect can be exploited to produce | a denial of service (DoS) attack."" | Then I can accept this and mark it as ""Verified by my Company"". If it can't | be recast because this (long uri) is different than our release (special | url construction). | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> Elias Levy's suggested reference is CVE-2000-0380. | I don't think that Kevin's description is really addressing | this either. The lack of references and a specific | description make this candidate unusable, so it should be | rejected." 
CVE-1999-0226,Candidate,"Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.","",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Christey"," Christey> Too general, and no references. | Frech> XF:nt-frag(528) | See reference from BugTraq Mailing List, ""A New Fragmentation Attack"" at | http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms | g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net" CVE-1999-0229,Candidate,"Denial of service in Windows NT IIS server using ..\..","MSKB:Q115052",Modified (19991228-02)," ACCEPT(2) Shostack, Baker | MODIFY(2) Frech, Wall | NOOP(1) Northcutt | REJECT(1) Christey | REVIEWING(1) Levy"," Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... | Source: Microsoft Knowledge Base Article Q115052 - IIS Server. | Frech> XF:http-dotdot (not necessarily IIS?) | Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot | problem. | Christey> This actually looks like XF:iis-dot-dot-crash(1638) | http://xforce.iss.net/static/1638.php | If so, include the version number (2.0) | | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> Bill Wall intended to suggest Q155052, but the affected | IIS version there is 1.0; the effect is to read files, | so this sounds like a directory traversal problem, | instead of an inability to process certain strings. | | As a result, this candidate is too general, since it could | apply to 2 different problems, so it should be REJECTed. 
| Christey> Consider adding BID:2218" CVE-1999-0231,Candidate,"Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.","BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also",Modified (19991207-01)," ACCEPT(2) Levy, Baker | NOOP(3) Christey, Northcutt, Landfield | RECAST(1) Frech | REVIEWING(1) Ozancin"," Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) | XF:smtp-vrfy-bo (many mail packages) | Northcutt> (There is no way I will have access to these systems) | Christey> Some sources report that VRFY and EXPN are both affected." CVE-1999-0232,Candidate,"Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.","",Modified (19991220-01)," ACCEPT(2) Hill, Northcutt | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> Unable to provide a match due to vague/insufficient description/references. | Possible matches are: | XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) | XF:http-ncsa-longurl (highest probability) | Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl | More research is necessary for this one. | Baker> Since this has no references at all, and is vague and we have a | CAN for the most likely issue, we should kill this one" CVE-1999-0235,Candidate,"Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.","CERT:CA-95:04 | CIAC:F-11",Modified (19991220-01)," ACCEPT(3) Hill, Prosser, Northcutt | MODIFY(1) Frech | REJECT(2) Christey, Baker"," Frech> XF:http-ncsa-longurl | Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 | Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both | refer to the same problem. This should be rejected as 1999-0267 is the same problem." 
CVE-1999-0238,Candidate,"php.cgi allows attackers to read any file on the system.","XF:http-cgi-phpfileread",Proposed (19990623)," ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker | NOOP(1) Christey"," Prosser> additional source | AUSCERT External Security Bulletin ESB-97.047 | http://www.auscert.org.au | Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole | URL:http://www.dataguard.no/bugtraq/1997_2/0069.html | The attacker specifies the filename as an argument to the | program. | Add ""PHP/FI"" to description to facilitate search. | AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 | Christey> Consider adding BID:2250" CVE-1999-0240,Candidate,"Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.","",Proposed (19990728)," ACCEPT(1) Northcutt | NOOP(1) Baker | REJECT(1) Frech"," Frech> Would reconsider if any references were available." CVE-1999-0241,Candidate,"Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.","XF:http-xguess-cookie",Modified (19990925-01)," ACCEPT(3) Hill, Northcutt, Proctor | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> Also add to references: | XF:sol-mkcookie | Prosser> additional source | Bugtraq | ""X11 cookie hijacker"" | http://www.securityfocus.com | Christey> The cookie hijacker thread has to do with stealing cookies | through a file with bad permissions. I'm not sure the | X-Force reference identifies this problem either. 
| Christey> CIAC:G-04 | URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml | SGI:19960601-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I | CERT:VB-95:08" CVE-1999-0242,Candidate,"Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.","BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole | XF:linux-pop3d",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(4) Shostack, Christey, Northcutt, Wall | REVIEWING(1) Levy"," Frech> Ambiguous description: need more detail. Possibly: | XF:linux-pop3d (mktemp() leads to reading e-mail) | Christey> At first glance this might look like CVE-1999-0123 or | CVE-1999-0125, however this particular candidate arises out | of a brief mention of the problem in a larger posting which | discusses CVE-1999-0123 (which may be the same bug as | CVE-1999-0125). See the following phrase in the Bugtraq | post: ""one such example of this is in.pop3d"" | | However, the original source of this candidate's description | explicitly mentions shadowed passwords, though it has no | references to help out here." CVE-1999-0243,Candidate,"Linux cfingerd could be exploited to gain root access.","",Proposed (19990714)," ACCEPT(1) Shostack | NOOP(4) Levy, Northcutt, Wall, Baker | REJECT(2) Frech, Christey"," Christey> This has no sources; neither does the original database that | this entry came from. It's a likely duplicate of | CVE-1999-0813. | Frech> I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later. 
| CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> If the reference I previously supplied is correct, then | it appears as if the poster modified the source using authorized | access to make it vulnerable. Modifying the source in this manner | does not qualify as being listed a vulnerability. | I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later." CVE-1999-0246,Candidate,"HP Remote Watch allows a remote user to gain root access.","XF:hp-remote",Proposed (19990630)," ACCEPT(4) Frech, Hill, Prosser, Northcutt | NOOP(1) Baker | RECAST(1) Christey"," Frech> Comment: Determine if it's RemoteWatch or Remote Watch. | Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in | Remote Watch (the advisory uses two words, not one, for the | ""Remote Watch"" name) | | ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com | Prosser> agree that the advisory mentions two vulnerabilities in Remote | Watch, one being a socket connection and other with the showdisk utility | which seems to be a suid vulnerability. Never get much details on this | anywhere since the recommendation is to remove the program since it is | obsolete and superceded by later tools. Believe the biggest concern here is | to just not run the tool at all. 
| Christey> CIAC:H-16 | Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp | And possibly AUSCERT:AA-96.07 at | ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul | Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 | Include ""remwatch"" in the description to facilitate search." CVE-1999-0249,Candidate,"Windows NT RSHSVC program allows remote users to execute arbitrary commands.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(2) Frech, Wall | NOOP(2) Shostack, Northcutt | RECAST(1) Christey | REVIEWING(1) Levy"," Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows | remote | users to execute arbitrary commands. | Source: rshsvc.txt from the Windows NT Resource Kit. | Frech> XF:rsh-svc | Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case | where remote users coming from authorized machines are | allowed access regardless of what .rhosts says. XF:rsh-svc | refers to a bug circa 1997 where any remote entity could | execute commands as system." CVE-1999-0250,Candidate,"Denial of service in Qmail through long SMTP commands.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | XF:qmail-leng",Modified (20010301-01)," ACCEPT(2) Meunier, Hill | MODIFY(1) Frech | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> XF:qmail-rcpt | Christey> DUPE CVE-1999-0418 and CVE-1999-0144? | Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. 
The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. | | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading | through both bugtraq postings, the one that is referenced by 0144 is | based on a shell code exploit to cause memory exhaustion. The bugtraq | posting referenced by this entry refers explicitly to the prior | posting for 0144, and states that the same effect could be | accomplished by a perl exploit, which was then attached. | Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 | http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 | | Both references should be added to CVE-1999-0144, and CVE-1999-0250 | should likely be rejected. | CHANGE> [Baker changed vote from REVIEWING to REJECT] | Christey> XF:qmail-leng no longer exists; check with Andre to see if they | regarded it as a duplicate as well. | | qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. 
A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0253,Candidate,"IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.","XF:http-iis-2e | L0PHT:19970319",Modified (20000106-01)," ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong | MODIFY(1) LeBlanc | NOOP(3) Ozancin, Prosser, Wall | REVIEWING(1) Christey"," Christey> This is a problem that was introduced after patching a | previous dot bug with the iis-fix hotfix (see CVE-1999-0154). | Since the hotfix introduced the problem, this should be | treated as a separate issue. | Wall> Agree with the comment. | LeBlanc> - this one is so old, I don't remember it at all and can't verify or | deny the issue. 
If you can find some documentation that says we fixed it (KB | article, hotfix, something), then I would change this to ACCEPT | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> BID:1814 | URL:http://www.securityfocus.com/bid/1814" CVE-1999-0254,Candidate,"A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.","ISS:Hidden SNMP community in HP OpenView | XF:hpov-hidden-snmp-comm",Proposed (19990726)," ACCEPT(2) Frech, Baker | NOOP(1) Wall | REVIEWING(1) Christey"," Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE." CVE-1999-0255,Candidate,"Buffer overflow in ircd allows arbitrary command execution.","",Proposed (19990623)," ACCEPT(3) Hill, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Christey"," Frech> XF:irc-bo | Christey> This is too general and doesn't have any references. The | XF reference doesn't appear to exist any more. | | Perhaps this reference would help: | BUGTRAQ:19970701 ircd buffer overflow | Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post." CVE-1999-0257,Candidate,"Nestea variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:nestea-linux-dos | Christey> Not sure how many separate ""instances"" of Teardrop | and its ilk. Also see comments on CVE-1999-0001. 
| | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | | Is CVE-1999-0001 the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | | Also see BUGTRAQ:19990909 CISCO and nestea. | | Finally, note that there is no fundamental difference between | nestea and nestea2/nestea-v2; they are different ports that | exploit the same problem. | | The original nestea advisory is at | http://www.technotronic.com/rhino9/advisories/06.htm | but notice that the suggested fix is in line 375 of | ip_fragment.c, not ip_input.c. | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> BUGTRAQ:19980501 nestea does other things | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 | BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 | BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 | | Nestea source code is in | MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html" CVE-1999-0258,Candidate,"Bonk variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," MODIFY(2) Frech, Wall | REVIEWING(1) Christey"," Wall> Reference Q179129 | Frech> XF:teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. 
| See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> BUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 | NTBUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 | NTBUGTRAQ:19980109 Re: Bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 | NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 | BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 | CIAC:I-031a | http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml | | CERT summary CS-98.02 implies that bonk, boink, and newtear | all exploit the same vulnerability." CVE-1999-0261,Candidate,"Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.","BUGTRAQ:19980504 Netmanage Holes | MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html",Modified (20000827-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Landfield | NOOP(3) Ozancin, Christey, Northcutt"," Frech> XF:chamelion-smtp-dos | Landfield> - Specify what ""a crash"" means. | Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) | Christey> Consider adding BID:2387" CVE-1999-0271,Candidate,"Progressive Networks Real Video server (pnserver) can be crashed remotely.","BUGTRAQ:19980115 pnserver exploit.. | BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?",Modified (19990925-01)," ACCEPT(3) Blake, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REVIEWING(1) Christey"," Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq | posting), but may be multiple codebases since several | Real Audio servers are affected. 
| | Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. | See CVE-1999-0896 | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:realvideo-telnet-dos" CVE-1999-0282,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050830)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Ozancin | RECAST(1) Prosser | REJECT(1) Christey"," Frech> XF:sun-loadmodule | XF:sun-modload (CERT CA-93.18 very old!) | Prosser> Believe the reference given, 95-12, is referencing a later | loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an | earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories | for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the | same as the HP patches are 100448-02 for the 93 loadmodule/modload | vulnerability and 100448-03 for the 95 loadmodule vulnerability which | normally indicated a patch update. Looks like the original patch either | didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell | much beyond that and this is my opinion only as have no way to check it. | Which one is this CVE referencing? I accept both. | Dik> There are three similar Sun bug ids associated with the patches. | 1076118 loadmodule has a security vulnerability | 1148753 loadmodule has a security vulnerability | 1222192 loadmodule has a security vulnerability | as well as: | 1137491 | Ancient stuff. | Christey> Add period to the end of the description. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for | CA-93.18. 
| CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This candidate combines two separate issues. It uses the CERT | alert reference from 1995, from one issue, but a description that | is associated with a separate issue." CVE-1999-0283,Candidate,"The Java Web Server would allow remote users to obtain the source code for CGI programs.","BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2",Modified (19991203-01)," ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole | MODIFY(1) Frech | NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield | REVIEWING(1) Ozancin"," Wall> Acknowledged by vendor at | http://www.sun.com/software/jwebserver/techinfo/jws112info.html. | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/7260 Misc Defensive Info | http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info | Christey> BID:1891 | URL:http://www.securityfocus.com/bid/1891 | Christey> Add version number (1.1 beta) and details of attack (appending | a . or a \) | | The Sun URL referenced by Dave Baker no longer exists, so I | wasn't able to verify that it addressed the problem described | in the Bugtraq post. This might not even be Sun's | ""Java Web Server,"" as CVE-2001-0186 describes some product | called ""Free Java Web Server"" | Dik> There appears to be some confusion. | | The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed | in 1.1.2 (get foo.jthml source by appending ""."" of ""\"" to URL) | | There are other bugs that give access and that require a configuration | change. 
| | http://www.sun.com/software/jwebserver/techinfo/security_advisory.html | Christey> Need to make sure to create CAN's for the other bugs, | as documented in: | NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 | BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 | The reported bugs are: | 1) file read by appending %20 | 2) Directly call /servlet/file | URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html | #2 is explicitly mentioned in the Sun advisory for | CVE-1999-0283. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:javawebserver-cgi-source(5383)" CVE-1999-0284,Candidate,"Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.","XF:smtp-helo-bo",Proposed (19990623)," ACCEPT(2) Blake, Northcutt | MODIFY(3) Frech, Ozancin, Levy | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> ""Windows NT-based mail servers"" (A trademark thing, and for clarification) | XF:mdaemon-helo-bo | XF:lotus-notes-helo-crash | XF:slmail-helo-overflow | XF:smtp-helo-bo (mentions several products) | XF:smtp-exchangedos | Levy> - Need one per software. Each one should be its own | vulnerability. | Ozancin> => Windows NT is correct | Christey> These are probably multiple codebases, so we'll need to use | dot notation. Also need to see if this should be merged | with CVE-1999-0098 (Sendmail SMTP HELO)." CVE-1999-0285,Candidate,"Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.","",Proposed (19990630)," ACCEPT(1) Hill | NOOP(2) Wall, Baker | REJECT(2) Frech, Christey"," Christey> No references, no information. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> No references; closest documented match is with | CVE-2001-0346, but that's for Windows 2000." 
CVE-1999-0286,Candidate,"In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.","",Proposed (19990714)," ACCEPT(3) Armstrong, Shostack, Cole | MODIFY(3) Levy, Blake, Wall | NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield | REJECT(1) Frech | REVIEWING(1) Christey"," Wall> In some NT web servers, appending a dot at the end of a URL may | allow attackers to read source code for active pages. | Source: MS Knowledge Base Article Q163485 - ""Active Server Pages Script Appears | in Browser"" | Frech> In the meantime, reword description as 'Windows NT' (trademark issue) | Christey> Q163485 does not refer to a space, it refers to a dot. | However, I don't have other references. | | Reading source code with a dot appended is in CVE-1999-0154, | which will be proposed. A subsequent bug similar to the | dot bug is CVE-1999-0253. | Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 | NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 | BID 273 | Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 | CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> BID articles)" CVE-1999-0287,Candidate,"Vulnerability in the Wguest CGI program.","",Proposed (19990714)," MODIFY(2) Frech, Shostack | NOOP(4) Levy, Blake, Northcutt, Wall | REJECT(2) Christey, Baker"," Shostack> allows file reading | Frech> XF:http-cgi-webcom-guestbook | Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In | NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | Mnemonix says that he had previously reported on a similar | problem. Let's refer to the NTBugtraq posting as | CVE-1999-0467. We will refer to the ""previous report"" as | CVE-1999-0287, which could be found at: | http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html | | 0287 describes an exploit via the ""template"" hidden variable. 
| The exploit describes manually editing the HTML form to | change the filename to read from the template variable. | | The exploit as described in 0467 encodes the template variable | directly into the URL. However, hidden variables are also | encoded into the URL, which would have looked the same to | the web server regardless of the exploit. Therefore 0287 | and 0467 are the same. | Christey> BID:2024" CVE-1999-0298,Candidate,"ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.","NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme | URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp",Modified (20000524-01)," ACCEPT(4) Cole, Dik, Levy, Northcutt | MODIFY(1) Frech | NOOP(3) Shostack, Christey, Baker"," Christey> ADDREF BID:1441 | URL:http://www.securityfocus.com/bid/1441 | Dik> If you run with ""-ypset"", then you're always insecure. | With ypsetme, only root on the local host | can run ypset in Solaris 2.x+. | Probably true for SunOS 4, hence my vote. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:ypbind-ypset-root | CHANGE> [Dik changed vote from REVIEWING to ACCEPT] | Dik> This vulnerability does exist in SunOS 4.x in non default configurations. | In Solaris 2.x, the vulnerability only applies to files named ""cache_binding"" | and not all files ending in .2 | Both releases are not vulnerable in the default configuration (both | disallow ypset by default which prevents this problem from occurring)" CVE-1999-0306,Candidate,"buffer overflow in HP xlock program.","XF:hp-xlock",Proposed (19990714)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Prosser | NOOP(1) Shostack | REJECT(1) Christey"," Prosser> This is another of those with multiple affected OSs. 
| Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, | HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 | Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is | the same problem as in CERT:CA-97.13, which is CVE-1999-0038." CVE-1999-0307,Candidate,"Buffer overflow in HP-UX cstm program allows local users to gain root privileges.","BUGTRAQ:19961116 This week: turn me on, dead man | XF:hpux-cstm-bo",Modified (19991207-01)," ACCEPT(2) Frech, Northcutt | NOOP(3) Shostack, Prosser, Baker | RECAST(1) Christey"," Prosser> only ref I can find is an old SOD exploit on | www.outpost9.com | Christey> MERGE CVE-1999-0336 (the exact exploit works with both | cstm and mstm, which are clearly part of the same package, | so CD:SF-EXEC says to merge them.) | | Also, there does not seem to be any recognition of this problem | by HP. The only other information besides the Bugtraq post | is the SOD exploit. | | See the original post: | http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org" CVE-1999-0317,Candidate,"Buffer overflow in Linux su command gives root access to local users.","BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow | XF:su-bo",Modified (19991216-01)," ACCEPT(3) Frech, Hill, Northcutt | NOOP(1) Prosser | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0845? | Also, ADDREF XF:unixware-su-username-bo | A report summary by Aleph One states that nobody was able to | confirm this problem on any Linux distribution. | Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and a half month difference in the bugtraq reporting of these. | Sounds like the same bug however... | Christey> XF:su-bo no longer seems to exist. | How about XF:linux-subo(734) ? 
| http://xforce.iss.net/static/734.php | | BID:475 also seems to describe the same problem | (http://www.securityfocus.com/bid/475) in which case, | vsyslog is blamed in: | BUGTRAQ:19971220 Linux vsyslog() overflow | http://www.securityfocus.com/archive/1/8274" CVE-1999-0319,Candidate,"Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.","XF:xmcd-tiflestr",Proposed (19990623)," ACCEPT(3) Frech, Hill, Northcutt | NOOP(2) Prosser, Baker | REVIEWING(1) Christey"," Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1 | A followup to this post says that xmcd is not suid here." CVE-1999-0330,Candidate,"Linux bdash game has a buffer overflow that allows local users to gain root access.","BUGTRAQ:19940101 (No Subject) | XF:bdash-bo",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Shostack, Northcutt, Wall | REVIEWING(1) Levy"," Frech> XF:bdash-bo" CVE-1999-0331,Candidate,"Buffer overflow in Internet Explorer 4.0(1).","XF:msie-bo",Modified (20040811)," ACCEPT(2) Northcutt, Baker | MODIFY(2) Frech, Shostack | RECAST(1) Prosser | REJECT(2) Christey, LeBlanc"," Shostack> this is a high cardinality item | Prosser> needs to be more specific. | Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague | duplicate) | Description (from xfdb): Some versions of Internet Explorer for Windows | contain a vulnerability that may crash the browser when a malicious web site | contains a certain kind of URL (that begins with ""mk://"") with more | characters than the browser supports. | Christey> The description is too vague. | LeBlanc> too vague | Christey> Add period to the end of the description." 
CVE-1999-0333,Candidate,"HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.","RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK | HP:HPSBUX9810-085 | XF:omniback-remote",Modified (19990925-01)," ACCEPT(2) Frech, Baker | MODIFY(1) Prosser | RECAST(1) Christey"," Prosser> additional source | HP Security Bulletin 85 | http://us-support.external.hp.com | http://europe-support.external.hp.com | Christey> Two separate bugs, so SF-LOC says this candidate should be | split | Christey> ADDREF CIAC:J-007 | URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml" CVE-1999-0336,Candidate,"Buffer overflow in mstm in HP-UX allows local users to gain root access.","BUGTRAQ:19961116 This week: turn me on, dead man | XF:hpux-mstm-bo",Modified (19991207-01)," ACCEPT(2) Frech, Northcutt | NOOP(3) Shostack, Prosser, Baker | RECAST(1) Christey"," Prosser> same as CVE-1999-0307, only ref I can find is an old SOD | exploit on www.outpost9.com | Christey> MERGE CVE-1999-0307 (the exact exploit works with both | cstm and mstm, which are clearly part of the same package, | so CD:SF-EXEC says to merge them.) | | Also, there does not seem to be any recognition of this problem | by HP. The only other information besides the Bugtraq post | is the SOD exploit." CVE-1999-0345,Candidate,"Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.","",Proposed (19990728)," ACCEPT(2) Cole, Blake | MODIFY(2) Frech, Wall | NOOP(4) Landfield, Bishop, Ozancin, Northcutt | RECAST(1) Meunier | REJECT(4) Armstrong, Levy, LeBlanc, Baker | REVIEWING(1) Christey"," Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and | Windows NT systems. | Reference: Q154174. | Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. | It is a modified teardrop 2 attack. 
| Frech> XF:nt-ssping | ADDREF XF:ping-death | ADDREF XF:teardrop-mod | ADDREF XF:mpeix-echo-request-dos | Christey> I can't tell whether the Jolt exploit at: | | http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net | | is exploiting any different flaw than teardrop does. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Baker> Jolt (original) is basically just a fragmented oversized ICMP that | kills Win boxes ala Ping of Death. | Teardrop is altering the offset in fragmented tcp packets so that the | end of subsequent fragments is inside first packet... | Teardrop 2 is UDP packets, if I remember right. | Seems like Jolt (original, not jolt 2) is just exploit code that | creates a ping of death (CVE 1999-0128) | Levy> I tend to agree with Baker. | CHANGE> [Armstrong changed vote from REVIEWING to REJECT] | Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request. | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same | thing as ping of death - POD was an oversized ICMP packet, Jolt froze | Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. | Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), | but each of these is a distinct vulnerability, affected a discrete group | of systems, and should have distinct CVE numbers. CVE entries should be | precise as to what the problem is. | Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has | characteristics of Ping of Death AND teardrop, but it doesn't do | either exactly. Moreover, it sends a truncated IP fragment. I | disagree with Armstrong; jolt uses overlapping fragments. It's not a | simple ping of death either. 
It may be that the author's intent was | to construct a ""super attack"" somehow combining elements of other | vulnerabilities to try to make it more potent. In any case it | succeeded in confusing the CVE board :-). | | I notice that Jolt uses echo replies (type 0) instead of echo | requests (to get past firewalls?). Jolt is peculiar in that it also | sends numerous overlapping fragments. The ""Pascal Simulator"" :-) says | it sends: | | - 172 fragments of length 400 with offset starting at 5120 and | increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), | which eventually results in sending fragments inside an already | covered area once ((n* 380) >> 3) is greater than 5120, which occurs | when n reaches 108. This would look a bit like TearDrop if | fragments were reassembled on-the-fly. | | - 1 fragment such that the total length of all the fragments | is greater than 65535 (my calculation is 172*380 + 418 = 65778; the | comment about 65538 must be wrong). The last packet is size 418 | according to the IP header but the buffer is of size 400. The sendto | takes as argument the size of the buffer so a truncated packet is | sent. | | So, I am not sure if the problem is because the last packet | doesn't extend to the payload it says it has or because the total size | of all fragments is greater than 65535. The author says it may take | more than one sending, so perhaps this has to do with an incorrect | error handling and recovery. One would need to experiment and isolate | each of those characteristics and test them independently. Inasmuch | as each of those things is likely a different vulnerability, then I | agree with Leblanc that this entry should be split. I'll try that if | I ever get bored. Jolt 2 should also have a different entry (see | below). 
| | Jolt 2 runs in an infinite loop, sending the same fragmented | IP packet, which can pretend to be ""ICMP"" or ""UDP"" data; however this | is meaningless, as it's just a late fragment of an IP packet. The | attack works only as long as packets are sent. According to | http://www.securityfocus.com/archive/1/62170 the packets are | truncated, and would overflow over the 65535 byte limit, which is | similar to Jolt. Note that Jolt does send that much data whereas | jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it | has weaker consequences, I believe that it's a different | vulnerability. | | ""Jolt 2 vulnerability causes a temporary denial-of-service in | Windows-type OSes"" would be a title for it." CVE-1999-0347,Candidate,"Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a ""%01"" character in an ""about:"" Javascript URL, which causes Internet Explorer to use the domain specified after the character.","BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 | NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2",Modified (20051028)," ACCEPT(4) Levy, LeBlanc, Northcutt, Baker | MODIFY(2) Frech, Prosser | REVIEWING(1) Christey"," Prosser> this is a modified Cross-Frame vulnerability that circumvents | the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 | http://www.microsoft.com/security/bulletins/ms99-012.asp | Christey> Duplicate of CVE-1999-0490? 
| LeBlanc> If Prosser is correct that this is MS99-012, accept | Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 | NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 | BID:197 | URL:http://www.securityfocus.com/bid/197 | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:ie-window-spoof(2069)" CVE-1999-0352,Candidate,"ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.","ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software | XF:controlit-passwd-encrypt",Proposed (19990721)," ACCEPT(2) Frech, Baker | NOOP(2) Northcutt, Wall | RECAST(1) Ozancin"," Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses | weak encryption." CVE-1999-0354,Candidate,"Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. 
Also applies to Outlook when the client views a malicious email message.","NTBUGTRAQ:Jan27,1999 | MS:MS99-002 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp",Proposed (19990623)," ACCEPT(3) Ozancin, Wall, Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:word97-template-macro | Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 | BID:196 | http://www.securityfocus.com/bid/196 | Christey> MSKB:Q214652 | http://support.microsoft.com/support/kb/articles/q214/6/52.asp" CVE-1999-0356,Candidate,"ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.","ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software | XF:controlit-bookfile-access",Proposed (19990721)," ACCEPT(2) Frech, Baker | NOOP(2) Northcutt, Wall | RECAST(1) Ozancin", CVE-1999-0359,Candidate,"ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.","BUGTRAQ:19990127 UNIX shell modem access vulnerabilities | XF:ptylogin-dos",Proposed (20010214)," ACCEPT(2) Cole, Frech | MODIFY(1) Baker"," Frech> XF:ptylogin-dos | Baker> Should say ""... lock out a modem, ..."" rather than ""... 
locking out modems...""" CVE-1999-0360,Candidate,"MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.","BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2 | NTBUGTRAQ:Jan29,1999",Modified (20000530-01)," ACCEPT(6) Landfield, Cole, Collins, Blake, Northcutt, Wall | MODIFY(3) Frech, LeBlanc, Baker | NOOP(4) Armstrong, Ozancin, Christey, Prosser"," Christey> I can't find the original Bugtraq posting (it appears that | mnemonix discovered the problem). | LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a | BUGTRAQ posting we can't find could be anything. | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type | THis is the URL for the Bugtraq posting. It was cross posted to | NT Bugtraq as well, but identical text. It was Mnemonix... | Christey> BID:1811 | URL:http://www.securityfocus.com/bid/1811 | Christey> CHANGEREF BUGTRAQ add ""Server 2."" to the subject. | Also standardize NTBUGTRAQ reference title. | Christey> Add ""uploadn.asp"" to the description. 
| CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:siteserver-user-dir-permissions(5384)" CVE-1999-0361,Candidate,"NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.","BUGTRAQ:Jan29,1999",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(2) Northcutt, Wall"," Frech> XF:compulink-pw-laserfiche(1679) | Normalize BUGTRAQ reference to: | BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords" CVE-1999-0364,Candidate,"Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.","BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2",Modified (20000426-01)," ACCEPT(2) LeBlanc, Baker | MODIFY(1) Frech | NOOP(2) Northcutt, Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:access-weak-passwords(1774) | An older published reference (from our own Adam) would be | better: | ailab.coderpunks Newsgroup, 1998/06/23 ""Re: MS Access 2.0"" | http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 | 07028.1462108427&hitnum=1" CVE-1999-0370,Candidate,"In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.","SUN:00184 | BID:165 | URL:http://www.securityfocus.com/bid/165",Modified (19991210-01)," ACCEPT(4) Dik, Prosser, Northcutt, Baker | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> Reference: XF:sun-man | Christey> ADDREF CIAC:J-028 | | Is the Linux man symlink problem the same as the one for Sun? 
| See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 | Also see BID:305 | Dik> sun bug 4154565" CVE-1999-0381,Candidate,"super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.","BUGTRAQ:19990225 SUPER buffer overflow | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet | XF:linux-super-logging-bo | BID:342 | URL:http://www.securityfocus.com/bid/342",Proposed (19990726)," ACCEPT(7) Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker | MODIFY(1) Bishop | NOOP(2) Armstrong, Wall | REVIEWING(1) Christey"," Christey> Is this the same as CVE-1999-0373? They both have the same | X-Force reference. | | BID:342 suggests that there are two. | | http://www.debian.org/security/1999/19990215a suggests | that there are two. However, CVE-1999-0373 is written up in | a fashion that is too general; and both XF:linux-super-bo and | XF:linux-super-logging-bo refer to CVE-1999-0373. | CVE-1999-0373 may need to be split. | | Frech> From what I can surmise, ISS released the original advisory (attached to | linux-super-bo), and Sekure SDI expanded on it by releasing another related | overflow in syslog (which is linux-super-logging-bo). | | When I was originally assigning these issues, I placed both XF references | and the ISS advisory on the -0373 candidate, since there was nothing else | available. Based on the information above, I'd request that | XF:linux-super-logging-bo be removed from CVE-1999-0373. | Christey> Given Andre's feedback, these are different issues. | CVE-1999-0373 does not need to be split because the ISS | reference is sufficient to distinguish that CVE from this | candidate; however, the CVE-1999-0373 description should | probably be modified slightly. 
| Bishop> (as indicated by Christey) | CHANGE> [Cole changed vote from NOOP to ACCEPT] | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> There are 2 bugs, as confirmed by the super author at: | BUGTRAQ:19990226 Buffer Overflow in Super (new) | http://www.securityfocus.com/archive/1/12713 | BID:397 also seems to cover this one, and it may cover | CVE-1999-0373 as well." CVE-1999-0389,Candidate,"Buffer overflow in the bootp server in the Debian Linux netstd package.","DEBIAN:19990104 | BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows | BID:324 | URL:http://www.securityfocus.com/bid/324",Modified (19991207-01)," ACCEPT(3) Ozancin, Stracener, Baker | MODIFY(1) Frech | REVIEWING(1) Christey"," Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 | has January 1999 dates associated with it, while CVE-1999-0798 | was reported in late December. | | Also, is this the same line of code as CVE-1999-0914? Both are in | the netstd package, it could look like a library problem. | | However, deep in the changelog in the | netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes | the following entry: | | +netstd (3.07-7slink.1) frozen; urgency=high | + | + * bootpd: Applied patch from Redhat as well as a fix for the overflow in | + report() (fixes #30675). | + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow | + bugs. | + | + -- Herbert Xu Sat, 19 Dec 1998 14:36:48 +1100 | | This tells me that two separate bugs are involved. | | Note that Red Hat posted *some* fix for *some* bootp problem | in June 1998. 
See: | http://www.redhat.com/support/errata/rh42-errata-general.html#bootp | Frech> XF:debian-netstd-bo | Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 | CHANGE> [Christey changed vote from REJECT to REVIEWING] | Christey> The fix information for BID:324 suggests that there are two | overflows, one of which is in handle_request (bootpd.c) and is | likely related to a file name; but there is another issue in | report (report.c) which also looks like a straightforward | overflow, which would suggest that this is not a duplicate of | CVE-1999-0798 or CVE-1999-0799. | | Note: see comments for CVE-1999-0798 which explain how that | candidate is not related to CVE-1999-0799." CVE-1999-0394,Candidate,"DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.","BUGTRAQ:19990115 DPEC Online Courseware",Proposed (19990728)," ACCEPT(1) Baker | NOOP(1) Christey | REJECT(1) Frech"," Frech> If I understand the issue, this HIGHCARD involves insecure web programming. | If I don't understand, mark this as my first NOOP. | Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com | ADDREF BID:565 | URL:http://www.securityfocus.com/vdb/bottom.html?vid=565" CVE-1999-0397,Candidate,"The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.","L0PHT:Jan21,1999 | BUGTRAQ:Jan21,1999",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Wall"," Wall> Reject based on beta copy. 
| Frech> XF:quakenbush-pw-appraiser(1652)" CVE-1999-0398,Candidate,"In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.","BUGTRAQ:19990123 SSH 1.x and 2.x Daemon | BUGTRAQ:19990124 SSH Daemon | XF:ssh-exp-account-access",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet | released. v1.2.26 should be substituted in the description for '27. | XF:ssh-exp-account-access" CVE-1999-0399,Candidate,"The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.","BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole | XF:mirc-dcc-metachar-filename",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> XF:mirc-dcc-metachar-filename" CVE-1999-0400,Candidate,"Denial of service in Linux 2.2.0 running the ldd command on a core file.","BUGTRAQ:19990127 2.2.0 SECURITY (fwd) | XF:linux-kernel-ldd-dos | BID:344 | URL:http://www.securityfocus.com/bid/344",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> BUGTRAQ:Jan27,1999 | (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& | msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) | XF:linux-kernel-ldd-dos" CVE-1999-0401,Candidate,"A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.","BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd) | XF:linux-race-condition-proc",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> XF:linux-race-condition-proc" CVE-1999-0406,Candidate,"Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.","BUGTRAQ:Feb19,1999 | XF:digital-networker-bo",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> In 
description, change 'which' to 'that'." CVE-1999-0411,Candidate,"Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.","BUGTRAQ:Feb19,1999 | XF:sco-startup-scripts",Proposed (19990726)," MODIFY(2) Baker, Frech | NOOP(2) Christey, Wall"," Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not | 19 February) does not mention gaining root access... it says a local user | could | ""delete or overwrite arbitrary files on the system."" | Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. | Christey> Normalize Bugtraq reference to: | BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). | http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 | Also, SCO:SB-99.17 | ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c" CVE-1999-0418,Candidate,"Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many ""RCPT TO"" commands in the same connection.","BUGTRAQ:19990308 SMTP server account probing | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2",Proposed (20010912)," ACCEPT(1) Cole | MODIFY(1) Frech | NOOP(3) Baker, Foat, Wall | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0144 and CVE-1999-0250? 
| Frech> XF:smtp-rctpto-dos(7499)" CVE-1999-0419,Candidate,"When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.","BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid | XF:smtp-4xx-error-dos",Modified (20000105-01)," ACCEPT(1) Baker | MODIFY(2) Frech, LeBlanc | REVIEWING(1) Christey"," Frech> XF:smtp-4xx-error-dos | LeBlanc> - if we can find a KB or something that shows that this wasn't just | user error, I'd vote ACCEPT. | Christey> David Lemson, Microsoft SMTP Service Program Manager, | posted a followup that said ""We have confirmed this as a | problem..."" | http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2" CVE-1999-0426,Candidate,"The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.","BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.",Proposed (19990728)," MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Christey"," Frech> XF:linux-dev-kmem-spoof | Christey> DUPE CVE-1999-0414 | XF:linux-dev-kmem-spoof does not exist. | Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists..." CVE-1999-0427,Candidate,"Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.","BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | XF:eudora-long-attachments",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> Change version number to 4.2beta. 
Second to last paragraph in bugtraq | reference states: ""Both the Win 95 and Win NT versions, along with the 4.2 | beta of Eudora are affected."" | Christey> This issue seems to have been rediscovered in | BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again | http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 | | Also see | BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 | | Is this a duplicate/subsumed by CVE-1999-0004?" CVE-1999-0431,Candidate,"Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.","BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug | XF:linux-zerolength-fragment",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:linux-zerolength-fragment | Christey> Consider adding BID:2247" CVE-1999-0434,Candidate,"XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.","BUGTRAQ:19990331 Bug in xfs | BID:359 | URL:http://www.securityfocus.com/bid/359",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:xfree86-xfs-symlink-dos | Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 | deals with a symlink attack on one file (/tmp/.X11-unix), | while xfs (this candidate) deals with /tmp/.font-unix | XF:xfree86-xfs-symlink-dos doesn't exist. | Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable | Note: Debian's advisory says that this is not a problem for Debian." 
CVE-1999-0435,Candidate,"MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.","HP:HPSBUX9903-096",Proposed (19990623)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:hp-servicegaurd | Christey> ADDREF CIAC:J-039 | Christey> Note the typo in Andre's suggested reference. | Normalize to XF:hp-serviceguard(2046)" CVE-1999-0443,Candidate,"Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.","BUGTRAQ:19990409 Patrol security bugs | URL:http://www.securityfocus.com/archive/1/13204 | XF:bmc-patrol-replay",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> Change ""Patrol management software"" to ""The PATROL management product from | BMC Software""." CVE-1999-0444,Candidate,"Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.","BUGTRAQ:19990412 ARP problem in Windows9X/NT | XF:windows-arp-dos",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech"," Frech> ADDREF: XF:windows-arp-dos" CVE-1999-0450,Candidate,"In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) .","BUGTRAQ:19990122 Perl.exe and IIS security advisory | BID:194 | URL:http://www.securityfocus.com/bid/194",Proposed (19990726)," ACCEPT(2) Ozancin, Wall | NOOP(2) Baker, Christey | REJECT(2) Frech, LeBlanc"," Frech> Can't find in database. | Christey> This looks like another discovery of CVE-2000-0071 | LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, | and it does not repro - | GET /bogus.pl HTTP/1.0 | HTTP/1.1 404 Object Not Found | Server: Microsoft-IIS/5.0 | Date: Thu, 05 Oct 2000 21:04:20 GMT | Content-Length: 3243 | Content-Type: text/html | No path is returned whatsoever. 
This may have been a problem on some version | of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. | Let's try and figure out what version had the problem, whether it is | intrinsic to IIS or the result of adding a 3rd party implementation of perl, | and when it got fixed, then we can try again. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Christey> Add ""no-such-file.pl"" as an example to the desc, to facilitate | search (it's used by CGI scanners and in the original example)" CVE-1999-0451,Candidate,"Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.","BUGTRAQ:Jan19,1999 | BID:343 | URL:http://www.securityfocus.com/bid/343",Proposed (19990726)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:linux-ports-dos(8364)" CVE-1999-0452,Candidate,"A service or application has a backdoor password that was placed there by the developer.","",Proposed (19990726)," ACCEPT(2) Baker, Wall | REJECT(1) Frech"," Frech> Much too broad. Also may be HIGHCARD (or will be in the future). | Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurrence." CVE-1999-0453,Candidate,"An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).","BUGTRAQ:19990118 Remote Cisco Identification",Modified (20040512-02)," ACCEPT(2) Baker, Balinsky | MODIFY(1) Frech | NOOP(2) Northcutt, Wall | REVIEWING(1) Christey"," Frech> XF:cisco-ident(2289) | ADDREF BUGTRAQ:19990118 Remote Cisco Identification | In description, probably better to use ""Cisco"" as product/company name. | Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity. | Christey> There may be a slight abstraction problem here, e.g. 
look | at the candidate for queso/nmap; also see followup Bugtraq post | from ""Basement Research"" on 19990120 which says that there are | many other features in Cisco products that allow remote | identification. | Christey> fix typo: ""Dicsovery""" CVE-1999-0454,Candidate,"A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Christey, Wall | REJECT(2) Baker, Northcutt"," Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced | ways to accomplish this. To pursue making the world signature free | is as much a vulnerability as having signatures, nay more. | Frech> XF:decod-nmap(2053) | XF:decod-queso(2048) | Christey> Add ""fingerprinting"" to facilitate search. | Some references: | MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html | BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask | http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2 | BUGTRAQ:19990222 Preventing remote OS detection | http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2 | BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper | http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2 | BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD, | http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2 | BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs) | http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2 | BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with | http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2 | BUGTRAQ:20000609 p0f - passive os fingerprinting tool | http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2 | Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various 
parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation." CVE-1999-0455,Candidate,"The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.","ALLAIRE:ASB-001 | XF:coldfusion-expression-evaluator | BID:115 | URL:http://www.securityfocus.com/bid/115",Modified (19991210-01)," ACCEPT(3) Frech, Ozancin, Balinsky | MODIFY(1) Wall | NOOP(1) Baker | REVIEWING(1) Christey"," Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues) | make application plural since there are three sample applications | (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm). | Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. | Since there are 3 separate ""executables"" with the same | (or similar) problem, we need to make sure that CD:SF-EXEC | determines what to do here. There is evidence that some | of these .cfm scripts have an ""include"" file, and if so, | then CD:SF-LOC says that we shouldn't make separate entries | for each of these scripts. On the other hand, the initial | L0pht discovery didn't include all 3 of these scripts, and | as far as I can tell, Allaire had patched the first problem | before the others were discovered. So, CD:DISCOVERY-DATE | may argue that we should split these because the problems | were discovered and patched at different times. | | In any case, this candidate can not be accepted until the | Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, | and CD:DISCOVERY-DATE content decisions." CVE-1999-0459,Candidate,"Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.","XF:linux-milo-halt",Proposed (19990728)," ACCEPT(1) Frech | NOOP(2) Baker, Northcutt | REJECT(1) Wall"," Wall> Reject based on beta copy." 
CVE-1999-0460,Candidate,"Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.","BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+ | BID:312 | URL:http://www.securityfocus.com/bid/312",Proposed (19990726)," ACCEPT(2) Baker, Ozancin | MODIFY(1) Frech | NOOP(1) Wall"," CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:linux-autofs-bo(8365)" CVE-1999-0461,Candidate,"Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.","",Proposed (19990728)," MODIFY(1) Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> ADDREF XF:pmap-sset | Christey> CVE-1999-0195 = CVE-1999-0461 ? | If this is approved over CVE-1999-0195, make sure it gets | XF:pmap-sset | Baker> This does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one" CVE-1999-0462,Candidate,"suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.","BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux | BID:339 | URL:http://www.securityfocus.com/bid/339",Proposed (19990728)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:perl-suidperl-bo | Christey> XF:perl-suidperl-bo doesn't exist." 
CVE-1999-0465,Candidate,"Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.","XF:http-img-overflow",Proposed (19990728)," ACCEPT(2) Frech, Northcutt | NOOP(1) Baker | REJECT(2) LeBlanc, Wall"," Wall> Reject based on client-side DoS | LeBlanc> Client side DOS" CVE-1999-0467,Candidate,"The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the ""template"" parameter.","NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | XF:http-cgi-webcom-guestbook",Modified (20000106-01)," ACCEPT(4) Landfield, Frech, Ozancin, Blake | NOOP(3) Baker, Christey, Northcutt"," Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In | NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | Mnemonix says that he had previously reported on a similar | problem. Let's refer to the NTBugtraq posting as | CVE-1999-0467. We will refer to the ""previous report"" as | CVE-1999-0287, which can be found at: | http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html | | 0287 describes an exploit via the ""template"" hidden variable. | The exploit describes manually editing the HTML form to | change the filename to read from the template variable. | | The exploit as described in 0467 encodes the template variable | directly into the URL. However, hidden variables are also | encoded into the URL, which would have looked the same to | the web server regardless of the exploit. Therefore 0287 | and 0467 are the same. | Christey> | The CD:SF-EXEC content decision also applies here. We have 2 | programs, wguest.exe and rguest.exe, which appear to have the | same problem. CD:SF-EXEC needs to be accepted by the Editorial | Board before this candidate can be converted into a CVE | entry. When finalized, CD:SF-EXEC will decide whether | this candidate should be split or not. 
| Christey> BID:2024" CVE-1999-0469,Candidate,"Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.","BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again | XF:ie-window-spoof",Proposed (19990728)," ACCEPT(1) Wall | NOOP(2) Baker, Northcutt | REJECT(3) Frech, Christey, LeBlanc"," Wall> Reference: Microsoft Security Bulletin MS99-012 | Christey> DUPE CVE-1999-0488 | Frech> Defer to Christey's vote. | However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488. | LeBlanc> Duplicate" CVE-1999-0476,Candidate,"A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.","BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client | XF:sco-termvision-password",Proposed (19990721)," ACCEPT(3) Baker, Frech, Ozancin | NOOP(3) LeBlanc, Northcutt, Wall", CVE-1999-0477,Candidate,"The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.","L0PHT:Cold Fusion App Server | XF:coldfusion-expression-evaluator | BID:115 | URL:http://www.securityfocus.com/bid/115",Modified (19991210-01)," ACCEPT(4) Baker, Frech, Ozancin, Christey | REJECT(1) Wall"," Wall> Duplicate of 0455 | Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different | times. Also, the attack was different. So ""Same Attack"" and | ""Same Time of Discovery"" dictate that these should remain | separate." 
CVE-1999-0480,Candidate,"Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.","BUGTRAQ:19980315 Midnight Commander /tmp race",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:midnight-commander-symlink-dos | Christey> XF:midnight-commander-symlink-dos(3505)" CVE-1999-0486,Candidate,"Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.","BUGTRAQ:19990420 AOL Instant Messenger URL Crash",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> XF:aol-im. | Christey> XF:aol-im appears to be related to the problem discussed in | BUGTRAQ:19980224 AOL Instant Messanger Bug | | This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash" CVE-1999-0488,Candidate,"Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the ""cross frame"" vulnerability.","MS:MS99-012 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp",Modified (19991205-01)," ACCEPT(2) Baker, Landfield | MODIFY(2) Frech, Wall | NOOP(2) Ozancin, Christey"," Frech> XF:ie-mshtml-crossframe | Wall> (source: MSKB:Q168485) | Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over | that one, since this one has an MS advisory. Confirm with | Microsoft that these are really duplicates. | | Also review CVE-1999-0487, which appears to be a similar | bug." 
CVE-1999-0489,Candidate,"MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of ""untrusted scripted paste"" as described in MS:MS98-013.","MS:MS99-015 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp",Modified (19991205-01)," ACCEPT(1) Levy | MODIFY(1) Wall | NOOP(2) Baker, Ozancin | RECAST(1) Prosser | REJECT(1) Christey | REVIEWING(1) Frech"," Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a | clipboard in either. | I cannot proceed on this one without further clarification. | Wall> (source: MS:MS99-012) | Prosser> agree with Andre here. The Untrusted Scripted paste | vulnerability was originally addressed in MS98-015 and it is in the file | upload intrinsic control in which an attacker can paste the name of a file | on the target's drive in the control and a form submission would then send | that file from the attacked machine to the remote web site. This one has | nothing to do with the clipboard. What the advisory mentioned here, | MS99-012, does is replace the MSHTML parsing engine which is supposed to fix | the original Untrusted Scripted Paste issue and a variant, as well as the | two Cross-Frame variants and a privacy issue in IMG SRC. | The vulnerability that allowed reading of a user's clipboard is the Forms | 2.0 Active X control vulnerability discussed in MS99-01 | Christey> The advisory should have been listed as MS99-012. | CVE-1999-0468 describes the untrusted scripted paste problem | in MS99-012. | Frech> Pending response to guidance request. 12/6/01." 
CVE-1999-0490,Candidate,"MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.","MS:MS99-012 | URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp",Modified (19991205-01)," ACCEPT(2) Landfield, Wall | MODIFY(1) Frech | NOOP(2) Baker, Ozancin | REVIEWING(1) Christey"," Frech> XF:ie-scriplet-fileread | Christey> Duplicate of CVE-1999-0347?" CVE-1999-0492,Candidate,"The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.","BUGTRAQ:Apr23,1999",Proposed (19990726)," ACCEPT(3) Armstrong, Collins, Northcutt | MODIFY(4) Baker, Frech, Shostack, Blake | NOOP(4) Landfield, Cole, Christey, Wall | REVIEWING(1) Ozancin"," Shostack> isn't that what finger is supposed to do? | Landfield> Maybe we need a new category of ""unsafe system utilities and protocols"" | Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid | usernames on the target system based on its responses to finger queries. | Christey> CHANGEREF BUGTRAQ [canonicalize] | BUGTRAQ:19990423 Ffingerd privacy issues | http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2 | | Here's the nature of the problem. | (1) FFingerd allows users to decide not to be fingered, | printing a message ""That user does not want to be fingered"" | (2) If the fingered user does not exist, then FFingerd's | intended default is to print that the user does not | want to be fingered; however, the error message has a | period at the end. | Thus, ffingerd can allow someone to determine who valid users | on the server are, *in spite of* the intended functionality of | ffingerd itself. Thus this exposure should be viewed in light | of the intended functionality of the application, as opposed | to the common usage of the finger protocol in general. | | Also, the vendor posted a followup and said that a patch was | available. 
See: | http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2 | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/13422 Misc Defensive Info | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:ffinger-user-info(5393)" CVE-1999-0495,Candidate,"A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.","",Proposed (19990728)," ACCEPT(6) Baker, Cole, Collins, Ozancin, Blake, Northcutt | MODIFY(1) Frech | NOOP(4) Landfield, Armstrong, Bishop, Wall | REVIEWING(2) Levy, Christey"," Frech> XF:nb-dotdotknown(837) | References would be appreciated. We've got no reference for this issue; | confidence rating is consequently low. | Levy> Some references: | http://www.securityfocus.com/archive/1/3894 | http://www.securityfocus.com/archive/1/3533 | http://www.securityfocus.com/archive/1/3535" CVE-1999-0497,Candidate,"Anonymous FTP is enabled.","",Modified (20040811)," ACCEPT(1) Shostack | MODIFY(1) Frech | NOOP(2) Baker, Christey | REJECT(1) Northcutt"," Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php | ftp-anon2(543) at http://xforce.iss.net/static/543.php | Christey> Add period to the end of the description. | Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks." CVE-1999-0498,Candidate,"TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.","CERT:CA-91.18.Active.Internet.tftp.Attacks",Modified (19990925-01)," ACCEPT(3) Hill, Blake, Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> XF:linux-tftp | Christey> XF:linux-tftp refers to CVE-1999-0183" CVE-1999-0499,Candidate,"NETBIOS share information may be published through SNMP registry keys in NT.","",Proposed (19990721)," ACCEPT(5) Baker, Shostack, Ozancin, Northcutt, Wall | MODIFY(1) Frech | REJECT(1) LeBlanc"," Frech> Change wording to 'Windows NT.' 
| XF:snmp-netbios | LeBlanc> Share info can be obtained via SNMP queries, but I question | whether this is a vulnerability. The system can be configured not to do | this, and one may argue that SNMP itself is an insecure configuration. | Furthermore, the share information isn't published via registry keys - | the description could refer to more than one actual issue. SNMP is meant | to allow people to obtain information about systems. I'm willing to | discuss this with the rest of the board." CVE-1999-0501,Candidate,"A Unix account has a guessable password.","",Proposed (19990714)," ACCEPT(3) Baker, Shostack, Northcutt | RECAST(2) Frech, Meunier | REVIEWING(1) Christey"," Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a | default, null, etc. password. | Suggest changing to something like ""has an existing non-default password | that can be guessed."" | I'm also including default passwords in this entry. | In that vein, we show the following references: | XF:user-password | XF:passwd-username | XF:default-unix-sync | XF:default-unix-4dgifts | XF:default-unix-bin | XF:default-unix-daemon | XF:default-unix-lp | XF:default-unix-me | XF:default-unix-nuucp | XF:default-unix-root | XF:default-unix-toor | XF:default-unix-tour | XF:default-unix-tty | XF:default-unix-uucp | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using. | CHANGE> [Meunier changed vote from ACCEPT to RECAST] | Meunier> This relates only to account password technology, so this candidate is | independent of the operating system, application, web site or other | application of this technology. 
The appropriate (natural) level of | abstraction is therefore without specifying that it is for UNIX. | Change the description to ""An account has a guessable password other | than default, null, blank."" This should satisfy Andre's objection. | | This Candidate should be merged with any candidate relating to | account password technology where ""Unix"" in the original description | can be replaced by something else." CVE-1999-0502,Candidate,"A Unix account has a default, null, blank, or missing password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:passwd-blank | XF:no-pass | XF:dict | XF:sgi-accounts | XF:linux-caldera-lisa | Christey> This candidate is affected by the CD:CF-PASS content decision, | which determines the appropriate level of abstraction to | use for password problems. CD:CF-PASS needs to be accepted | by the Editorial Board before this candidate can be | converted into a CVE entry; the final version of CD:CF-PASS | may require using a different LOA than this candidate is | currently using." CVE-1999-0503,Candidate,"A Windows NT local user or administrator account has a guessable password.","",Proposed (19990714)," ACCEPT(4) Baker, Shostack, Meunier, Northcutt | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> Note: I am assuming that this entry includes Windows 2000 accounts and | machine/service accounts listed in User Manager. | XF:nt-guess-admin | XF:nt-guess-user | XF:nt-guess-guest | XF:nt-guessed-operpwd | XF:nt-guessed-powerwd | XF:nt-guessed-disabled | XF:nt-guessed-backup | XF:nt-guessed-acctoper-pwd | XF:nt-adminuserpw | XF:nt-guestuserpw | XF:nt-accountuserpw