CVE Candidates as of 20080715
-----------------------------

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.

======================================================
Name: CVE-1999-0001
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
Phase: Modified (20051217)
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly.
   But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.
 Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis.

======================================================
Name: CVE-1999-0004
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0004
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Current Votes:
   ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

Voter Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

======================================================
Name: CVE-1999-0015
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0015
Phase: Proposed (19990726)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Teardrop IP denial of service.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

======================================================
Name: CVE-1999-0020
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0020
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Wall, Shostack
   REJECT(2) Christey, Baker

Voter Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

======================================================
Name: CVE-1999-0030
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0030
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

root privileges via buffer overflow in xlock command on SGI IRIX systems.

Current Votes:
   ACCEPT(3) Ozancin, Levy, Prosser
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) Christey

Voter Comments:
 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme.
 Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038.
   This may also be a duplicate with CVE-1999-0306.
   See exploits at:
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

======================================================
Name: CVE-1999-0033
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0033
Phase: Modified (20040811)
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program.
Current Votes:
   ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins
   NOOP(1) Christey
   RECAST(1) Frech

Voter Comments:
 Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0061
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0061
Phase: Proposed (19990630)
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Current Votes:
   ACCEPT(3) Hill, Northcutt, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> This should be split into three separate problems based on the SNI advisory.
   But there's newer information to further complicate things. What do we do about this one? In 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.
 Christey> Perhaps this should be NAI-19 instead of NAI-20?
   The original Bugtraq post for the SNI advisory suggests SNI-19:
   BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
   URL:SNI-19:BSD lpd vulnerability
   Also add:
   BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
   However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI.

======================================================
Name: CVE-1999-0076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0076
Phase: Modified (19990925-01)
Category: SF
Reference: XF:ftp-args

Buffer overflow in wu-ftp from PASV command causes a core dump.

Current Votes:
   ACCEPT(3) Ozancin, Baker, Frech
   NOOP(1) Balinsky
   REVIEWING(1) Christey

Voter Comments:
 Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

======================================================
Name: CVE-1999-0078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0078
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Current Votes:
   ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I

======================================================
Name: CVE-1999-0086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0086
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

======================================================
Name: CVE-1999-0088
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0088
Phase: Proposed (19990617)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX
 Christey> DUPE CVE-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210.
   Perhaps they should be a single entry

======================================================
Name: CVE-1999-0089
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0089
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific.
 Christey> Same Codebase as CVE-1999-0121, so the two entries should be merged.

======================================================
Name: CVE-1999-0092
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0092
Phase: Proposed (19990623)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1

Various vulnerabilities in the AIX portmir command allow local users to obtain root access.

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:ibm-portmir

======================================================
Name: CVE-1999-0098
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0098
Phase: Proposed (19990726)
Category: SF
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available?
 Christey> Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
 Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.

======================================================
Name: CVE-1999-0104
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0104
Phase: Modified (20040811)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Current Votes:
   ACCEPT(2) Wall, Frech
   REVIEWING(1) Christey

Voter Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate.
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0105
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0105
Phase: Proposed (19990726)
Category: SF

finger allows recursive searches by using a long string of @ symbols.
Current Votes:
   MODIFY(3) Shostack, Baker, Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might overlap CVE-1999-0106)
 Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.

======================================================
Name: CVE-1999-0106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0106
Phase: Proposed (19990726)
Category: SF

Finger redirection allows finger bombs.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Shostack, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs
 Baker> This should be merged with 1999-0105

======================================================
Name: CVE-1999-0107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107
Phase: Modified (19991223-01)
Category: SF
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Shostack, Northcutt, Wall
   REVIEWING(1) Levy
   REVOTE(1) Christey

Voter Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I believe this is the problem where sending lots of HTTP headers to apache resulted in a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

======================================================
Name: CVE-1999-0110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0110
Phase: Interim (19990810)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Northcutt, Wall
   REJECT(3) Dik, Christey, Baker

Voter Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CVE-1999-0315
 Dik> dup

======================================================
Name: CVE-1999-0114
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0114
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.

Current Votes:
   ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong
   MODIFY(2) Baker, Frech
   NOOP(3) Ozancin, Christey, Northcutt
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402)? Its references point to the December 26, 1995 Bugtraq post.
   Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711)
   ADDREF:XF:elm-filter(402)

======================================================
Name: CVE-1999-0119
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0119
Phase: Proposed (19990728)
Category: SF

Windows NT 4.0 beta allows users to read and delete shares.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Baker
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11)
   Reconsider reject, because this beta was in widespread use.

======================================================
Name: CVE-1999-0121
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0121
Phase: Proposed (19990617)
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

Current Votes:
   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Prosser, Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin
 Christey> This is the Same Codebase as CVE-1999-0089, so the two entries should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

======================================================
Name: CVE-1999-0123
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0123
Phase: Modified (20000105-01)
Category: SF
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Race condition in Linux mailx command allows local users to read user files.

Current Votes:
   ACCEPT(3) Ozancin, Baker, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-0127
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0127
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Current Votes:
   ACCEPT(2) Prosser, Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064 references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem:
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

======================================================
Name: CVE-1999-0140
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0140
Phase: Proposed (19990630)
Category: SF

Denial of service in RAS/PPTP on NT systems.
Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future.
 Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed. More precise candidates should be created.
 Christey> Consider adding BID:2111

======================================================
Name: CVE-1999-0144
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0144
Phase: Modified (20010301-02)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Current Votes:
   ACCEPT(4) Frech, Meunier, Hill, Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator.
   See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others.
   See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion.
   CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   Should probably reject CVE-1999-0250, and add these references to this Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."

======================================================
Name: CVE-1999-0154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0154
Phase: Proposed (20010912)
Category: SF
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Current Votes:
   ACCEPT(4) Frech, Stracener, Wall, Foat
   NOOP(3) Christey, Baker, Cole

Voter Comments:
 Christey> This is the precursor to the problem that is identified in CVE-1999-0253.
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-0156
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0156
Phase: Proposed (19990714)
Category: SF
Reference: XF:ftp-pwless

wu-ftpd FTP daemon allows any user and password combination.

Current Votes:
   ACCEPT(2) Shostack, Northcutt
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarily affect just wu-ftp (ie, also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information.

======================================================
Name: CVE-1999-0163
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0163
Phase: Proposed (19990714)
Category: SF
Reference: XF:smtp-pipe

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Christey, Baker
   RECAST(1) Shostack

Voter Comments:
 Shostack> there was a 'To: |' and a 'From: |' attack, which I think are separate.
 Prosser> older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack

======================================================
Name: CVE-1999-0165
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0165
Phase: Modified (20040811)
Category: SF
Reference: XF:nfs-cache

NFS cache poisoning.

Current Votes:
   ACCEPT(3) Frech, Northcutt, Baker
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0169
Phase: Proposed (19990714)
Category: SF
Reference: XF:nfs-uid

NFS allows attackers to read and write any file on the system by specifying a false UID.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Baker
   REJECT(1) Shostack

Voter Comments:
 Shostack> this is not a vulnerability but a design feature.
 Baker> Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

======================================================
Name: CVE-1999-0171
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0171
Phase: Proposed (19990714)
Category: SF
Reference: XF:syslog-flood

Denial of service in syslog by sending it a large number of superfluous messages.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Shostack, Christey

Voter Comments:
 Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.
 Christey> Duplicate of CVE-1999-0566

======================================================
Name: CVE-1999-0186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0186
Phase: Modified (20071119)
Category: SF
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Current Votes:
   ACCEPT(2) Dik, Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

======================================================
Name: CVE-1999-0187
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0187
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Current Votes:
   ACCEPT(2) Hill, Northcutt
   RECAST(3) Frech, Prosser, Baker
   REJECT(1) Dik
   REVIEWING(1) Christey

Voter Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrased, this is a duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.

======================================================
Name: CVE-1999-0193
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0193
Phase: Proposed (19990714)
Category: SF

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Current Votes:
   ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole
   MODIFY(2) Blake, Baker
   NOOP(4) Frech, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey

Voter Comments:
 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
 Landfield> What are the references for this? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a reference to the 3Coms? If not, that should be removed from the description.
 Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0195
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0195
Phase: Modified (19991130-01)
Category: SF
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Current Votes:
   ACCEPT(2) Shostack, Balinsky
   MODIFY(1) Frech
   NOOP(3) Northcutt, Wall, Baker
   REVIEWING(2) Levy, Christey

Voter Comments:
 Frech> XF:rpcbind-spoof
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset

======================================================
Name: CVE-1999-0197
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0197
Phase: Proposed (19990726)
Category: SF

finger 0@host on some systems may print information on some user accounts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition.
   The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature)

======================================================
Name: CVE-1999-0198
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0198
Phase: Proposed (19990726)
Category: SF

finger .@host on some systems may print information on some user accounts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition.
   The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature)

======================================================
Name: CVE-1999-0200
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0200
Phase: Modified (19991130-01)
Category: SF
Reference: MSKB:Q137853

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Northcutt, Wall
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Others have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a non-anon FTP account and gain root privs.
 Christey> added MSKB reference
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsoft FTP server. It's best to just kill this candidate where it stands and start fresh.

======================================================
Name: CVE-1999-0205
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0205
Phase: Modified (19990925-01)
Category: SF
Reference: BUGTRAQ:19990708 SM 8.6.12

Denial of service in Sendmail 8.6.11 and 8.6.12.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Ozancin, Christey

Voter Comments:
 Frech> XF:sendmail-alias-dos
 Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread.
 Christey> Change Bugtraq reference date to 19950708.

======================================================
Name: CVE-1999-0213
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0213
Phase: Modified (20001009-01)
Category: SF
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.
Current Votes:
   ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole
   MODIFY(3) Frech, Levy, Baker
   NOOP(4) Bishop, Meunier, Wall, Armstrong
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
   http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055.
 Levy> BID 148

======================================================
Name: CVE-1999-0216
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0216
Phase: Modified (19991203-01)
Category: SF
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Denial of service of inetd on Linux through SYN and RST packets.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Baker
   RECAST(1) Meunier

Voter Comments:
 Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption.
   I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast

======================================================
Name: CVE-1999-0220
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0220
Phase: Proposed (19990728)
Category: SF

Attackers can do a denial of service of IRC by crashing the server.

Current Votes:
   NOOP(2) Northcutt, Baker
   REJECT(2) Frech, Christey

Voter Comments:
 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague description, equals REJECT.

======================================================
Name: CVE-1999-0222
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0222
Phase: Proposed (19990714)
Category: SF

Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(3) Frech, Shostack, Levy
   NOOP(3) Balinsky, Northcutt, Wall
   RECAST(1) Ziese
   REJECT(1) Christey

Voter Comments:
 Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases?
 Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verified by my Company". If it can't be recast because this (long uri) is different than our release (special url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected.

======================================================
Name: CVE-1999-0226
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0226
Phase: Proposed (19990728)
Category: SF

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net

======================================================
Name: CVE-1999-0229
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229
Phase: Modified (19991228-02)
Category: SF
Reference: MSKB:Q115052

Denial of service in Windows NT IIS server using ..\..
Current Votes:
   ACCEPT(2) Shostack, Baker
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638)
   http://xforce.iss.net/static/1638.php
   If so, include the version number (2.0)
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218

======================================================
Name: CVE-1999-0231
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0231
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Current Votes:
   ACCEPT(2) Levy, Baker
   NOOP(3) Christey, Northcutt, Landfield
   RECAST(1) Frech
   REVIEWING(1) Ozancin

Voter Comments:
 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.
======================================================
Name: CVE-1999-0232
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0232
Phase: Modified (19991220-01)
Category: SF

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
   More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one

======================================================
Name: CVE-1999-0235
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0235
Phase: Modified (19991220-01)
Category: SF
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Current Votes:
   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech
   REJECT(2) Christey, Baker

Voter Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem.

======================================================
Name: CVE-1999-0238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0238
Phase: Proposed (19990623)
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.
Current Votes:
   ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker
   NOOP(1) Christey

Voter Comments:
 Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250

======================================================
Name: CVE-1999-0240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0240
Phase: Proposed (19990728)
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Baker
   REJECT(1) Frech

Voter Comments:
 Frech> Would reconsider if any references were available.

======================================================
Name: CVE-1999-0241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0241
Phase: Modified (19990925-01)
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Current Votes:
   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Also add to references: XF:sol-mkcookie
 Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08

======================================================
Name: CVE-1999-0242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0242
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Shostack, Christey, Northcutt, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here.

======================================================
Name: CVE-1999-0243
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0243
Phase: Proposed (19990714)
Category: SF

Linux cfingerd could be exploited to gain root access.

Current Votes:
   ACCEPT(1) Shostack
   NOOP(4) Levy, Northcutt, Wall, Baker
   REJECT(2) Frech, Christey

Voter Comments:
 Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/.
   Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability.
   I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later.

======================================================
Name: CVE-1999-0246
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0246
Phase: Proposed (19990630)
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

Current Votes:
   ACCEPT(4) Frech, Hill, Prosser, Northcutt
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name)
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superseded by later tools. Believe the biggest concern here is to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.

======================================================
Name: CVE-1999-0249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0249
Phase: Proposed (19990714)
Category: SF

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Shostack, Northcutt
   RECAST(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system.

======================================================
Name: CVE-1999-0250
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0250
Phase: Modified (20010301-01)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

Current Votes:
   ACCEPT(2) Meunier, Hill
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
   Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well.
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message.
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."

======================================================
Name: CVE-1999-0253
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0253
Phase: Modified (20000106-01)
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.
Current Votes:
   ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Prosser, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a separate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814

======================================================
Name: CVE-1999-0254
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0254
Phase: Proposed (19990726)
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Current Votes:
   ACCEPT(2) Frech, Baker
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.

======================================================
Name: CVE-1999-0255
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0255
Phase: Proposed (19990623)
Category: SF

Buffer overflow in ircd allows arbitrary command execution.
Current Votes:
   ACCEPT(3) Hill, Northcutt, Baker
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references. The XF reference doesn't appear to exist any more. Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.

======================================================
Name: CVE-1999-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0257
Phase: Proposed (19990726)
Category: SF

Nestea variation of teardrop IP fragmentation denial of service.

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
   Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
   Also see BUGTRAQ:19990909 CISCO and nestea.
   Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at
   http://www.technotronic.com/rhino9/advisories/06.htm
   but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

======================================================
Name: CVE-1999-0258
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0258
Phase: Proposed (19990726)
Category: SF

Bonk variation of teardrop IP fragmentation denial of service.

Current Votes:
   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey

Voter Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability.
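The nestea, bonk and newtear candidates above all turn on the same question: how a kernel's IP reassembly code behaves when a fragment's offset lands inside data it has already reassembled (the teardrop pattern), which is a different defect from a reassembled datagram that exceeds the 16-bit IP length (the ping-of-death pattern). The following Python is an added example, not part of the CVE record and not taken from any of the cited exploit programs; it classifies a fragment set by those two patterns and exposes the signed length that a naive "advance past covered data" step computes for a teardrop-style fragment. The fragment sets are constructed illustrative values, not captures of the named tools, and the field names are this example's own.

```python
# Added example (not from the CVE record or the cited exploits): classify an
# IPv4 fragment set for the reassembly-abuse patterns discussed in the
# teardrop/nestea/bonk entries. All sample fragment sets below are constructed.
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20
IP_MAX_TOTAL_LEN = 65535  # limit of the 16-bit IPv4 total length field


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload byte offset within the datagram (8-byte units on the wire)
    length: int   # payload bytes carried by this fragment
    more: bool    # IP "more fragments" (MF) flag

    @property
    def end(self) -> int:
        return self.offset + self.length


def naive_trimmed_length(covered_end: int, frag: Fragment) -> int:
    """Length a reassembler computes if it advances the fragment start past
    already-covered data without checking that any bytes remain. A negative
    result is the teardrop-style case; feeding it to an unsigned copy routine
    is the crash this family of exploits triggers."""
    start = max(frag.offset, covered_end)
    return frag.end - start


def classify_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for the fragment set; an empty list means benign."""
    findings: List[str] = []
    covered_end = 0  # highest payload byte reassembled so far
    for f in sorted(frags, key=lambda x: x.offset):
        if f.more and (f.offset % 8 or f.length % 8):
            findings.append(f"non-final fragment at {f.offset} is not 8-byte aligned")
        if f.offset < covered_end:
            trimmed = naive_trimmed_length(covered_end, f)
            if trimmed <= 0:
                findings.append(
                    f"fragment at {f.offset} ends inside already-covered data "
                    f"(teardrop pattern, naive length {trimmed})")
            else:
                findings.append(
                    f"fragment at {f.offset} overlaps {covered_end - f.offset} "
                    f"already-covered bytes")
        covered_end = max(covered_end, f.end)
    if covered_end + IP_HEADER_LEN > IP_MAX_TOTAL_LEN:
        findings.append(
            f"reassembled datagram would be {covered_end + IP_HEADER_LEN} bytes, "
            f"over the {IP_MAX_TOTAL_LEN} limit (ping-of-death pattern)")
    if frags and max(frags, key=lambda x: x.offset).more:
        findings.append("no final fragment (MF clear); reassembly never completes")
    return findings


def build_oversized_ping(chunk: int = 1480, total: int = 65544) -> List[Fragment]:
    """Constructed fragment train whose payload exceeds the 16-bit IP length."""
    frags, off = [], 0
    while off < total:
        n = min(chunk, total - off)
        frags.append(Fragment(off, n, off + n < total))
        off += n
    return frags


# Constructed samples: a clean three-fragment datagram, and a teardrop-style
# pair whose second fragment ends 12 bytes short of where the first one ends.
BENIGN = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
TEARDROP_LIKE = [Fragment(0, 40, True), Fragment(24, 4, False)]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("teardrop-like", TEARDROP_LIKE),
                        ("oversized ping", build_oversized_ping())):
        print(name, classify_fragments(frags) or ["no findings"])
```

Sorting by offset mirrors what a reassembly queue does, and the sign of `naive_trimmed_length` is the observable that separates an ordinary overlap (which a correct reassembler simply trims) from the fatal case: once the fragment's end is at or before the covered boundary, a reassembler that does not discard it has a zero or negative length to copy, which is the bug the board is trying to count instances of. The oversized-ping builder covers the separate size-overflow case that Baker and Armstrong raise later under the Jolt candidate.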
======================================================
Name: CVE-1999-0261
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0261
Phase: Modified (20000827-01)
Category: SF
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Ozancin, Christey, Northcutt

Voter Comments:
 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site)
 Christey> Consider adding BID:2387

======================================================
Name: CVE-1999-0271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0271
Phase: Modified (19990925-01)
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Current Votes:
   ACCEPT(3) Blake, Northcutt, Baker
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos

======================================================
Name: CVE-1999-0282
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0282
Phase: Modified (20050830)
Category:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue.
Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   ACCEPT(2) Dik, Baker
   MODIFY(1) Frech
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey

Voter Comments:
 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, they may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491
   Ancient stuff.
 Christey> Add period to the end of the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue.
======================================================
Name: CVE-1999-0283
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0283
Phase: Modified (19991203-01)
Category: SF
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2

The Java Web Server would allow remote users to obtain the source code for CGI programs.

Current Votes:
   ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole
   MODIFY(1) Frech
   NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield
   REVIEWING(1) Ozancin

Voter Comments:
 Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML) / Reference Type:
   http://www.securityfocus.com/archive/1/7260 - Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html - Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending a . or a \)
   The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server"
 Dik> There appears to be some confusion. The particular bug seems to be in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL). There are other bugs that give access and that require a configuration change.
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs, as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

======================================================
Name: CVE-1999-0284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0284
Phase: Proposed (19990623)
Category: SF
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Current Votes:
   ACCEPT(2) Blake, Northcutt
   MODIFY(3) Frech, Ozancin, Levy
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO).

======================================================
Name: CVE-1999-0285
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0285
Phase: Proposed (19990630)
Category: SF

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.
Current Votes:
   ACCEPT(1) Hill
   NOOP(2) Wall, Baker
   REJECT(2) Frech, Christey

Voter Comments:
 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000.

======================================================
Name: CVE-1999-0286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0286
Phase: Proposed (19990714)
Category: SF

In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Current Votes:
   ACCEPT(3) Armstrong, Shostack, Cole
   MODIFY(3) Levy, Blake, Wall
   NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield
   REJECT(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Wall> In some NT web servers, appending a dot at the end of a URL may allow attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)

======================================================
Name: CVE-1999-0287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0287
Phase: Proposed (19990714)
Category: SF

Vulnerability in the Wguest CGI program.
Current Votes:
   MODIFY(2) Frech, Shostack
   NOOP(4) Levy, Blake, Northcutt, Wall
   REJECT(2) Christey, Baker

Voter Comments:
 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same.
 Christey> BID:2024

======================================================
Name: CVE-1999-0298
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0298
Phase: Modified (20000524-01)
Category: SF
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Current Votes:
   ACCEPT(4) Cole, Dik, Levy, Northcutt
   MODIFY(1) Frech
   NOOP(3) Shostack, Christey, Baker

Voter Comments:
 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2. Both releases are not vulnerable in the default configuration (both disallow ypset by default which prevents this problem from occurring).

======================================================
Name: CVE-1999-0306
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0306
Phase: Proposed (19990714)
Category: SF
Reference: XF:hp-xlock

Buffer overflow in HP xlock program.

Current Votes:
   ACCEPT(3) Frech, Northcutt, Baker
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

Voter Comments:
 Prosser> This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038.

======================================================
Name: CVE-1999-0307
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0307
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Shostack, Prosser, Baker
   RECAST(1) Christey

Voter Comments:
 Prosser> only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP.
   The only other information besides the Bugtraq post is the SOD exploit. See the original post:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

======================================================
Name: CVE-1999-0317
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0317
Phase: Modified (19991216-01)
Category: SF
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local users.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274

======================================================
Name: CVE-1999-0319
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0319
Phase: Proposed (19990623)
Category: SF
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Current Votes:
   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(2) Prosser, Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.
======================================================
Name: CVE-1999-0330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0330
Phase: Modified (20000105-01)
Category: SF
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Linux bdash game has a buffer overflow that allows local users to gain root access.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Shostack, Northcutt, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:bdash-bo

======================================================
Name: CVE-1999-0331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0331
Phase: Modified (20040811)
Category: SF
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1).

Current Votes:
   ACCEPT(2) Northcutt, Baker
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) Christey, LeBlanc

Voter Comments:
 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the browser when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports.
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0333
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0333
Phase: Modified (19990925-01)
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.
Current Votes:
   ACCEPT(2) Frech, Baker
   MODIFY(1) Prosser
   RECAST(1) Christey

Voter Comments:
 Prosser> additional source HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml

======================================================
Name: CVE-1999-0336
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0336
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root access.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(3) Shostack, Prosser, Baker
   RECAST(1) Christey

Voter Comments:
 Prosser> same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit.

======================================================
Name: CVE-1999-0345
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0345
Phase: Proposed (19990728)
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Current Votes:
   ACCEPT(2) Cole, Blake
   MODIFY(2) Frech, Wall
   NOOP(4) Landfield, Bishop, Ozancin, Northcutt
   RECAST(1) Meunier
   REJECT(4) Armstrong, Levy, LeBlanc, Baker
   REVIEWING(1) Christey

Voter Comments:
 Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack.
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes a la Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either.
   It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends:
   - 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly.
   - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent.
   So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored.
   Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent.
   According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it.

======================================================
Name: CVE-1999-0347
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0347
Phase: Modified (20051028)
Category: SF
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2

Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.

Current Votes:
   ACCEPT(4) Levy, LeBlanc, Northcutt, Baker
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Voter Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
   http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CVE-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)

======================================================
Name: CVE-1999-0352
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0352
Phase: Proposed (19990721)
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Current Votes:
   ACCEPT(2) Frech, Baker
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

Voter Comments:
 Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption.

======================================================
Name: CVE-1999-0354
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0354
Phase: Proposed (19990623)
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.
Current Votes:
   ACCEPT(3) Ozancin, Wall, Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp

======================================================
Name: CVE-1999-0356
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0356
Phase: Proposed (19990721)
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Current Votes:
   ACCEPT(2) Frech, Baker
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

======================================================
Name: CVE-1999-0359
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0359
Phase: Proposed (20010214)
Category: SF
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Current Votes:
   ACCEPT(2) Cole, Frech
   MODIFY(1) Baker

Voter Comments:
 Frech> XF:ptylogin-dos
 Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."
======================================================
Name: CVE-1999-0360
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0360
Phase: Modified (20000530-01)
Category: SF
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Current Votes:
   ACCEPT(6) Landfield, Cole, Collins, Blake, Northcutt, Wall
   MODIFY(3) Frech, LeBlanc, Baker
   NOOP(4) Armstrong, Ozancin, Christey, Prosser

Voter Comments:
 Christey> I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything.
 Baker> Vulnerability Reference (HTML) / Reference Type:
   http://www.securityfocus.com/archive/1/12218 - Misc Defensive Info
   This is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)

======================================================
Name: CVE-1999-0361
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0361
Phase: Proposed (19990728)
Category: SF
Reference: BUGTRAQ:Jan29,1999

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Northcutt, Wall Voter Comments: Frech> XF:compulink-pw-laserfiche(1679) Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords ====================================================== Name: CVE-1999-0364 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0364 Phase: Modified (20000426-01) Category: SF Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2 Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. Current Votes: ACCEPT(2) LeBlanc, Baker MODIFY(1) Frech NOOP(2) Northcutt, Wall Voter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:access-weak-passwords(1774) An older published reference (from our own Adam) would be better: ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0" http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 07028.1462108427&hitnum=1 ====================================================== Name: CVE-1999-0370 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0370 Phase: Modified (19991210-01) Category: SF Reference: SUN:00184 Reference: BID:165 Reference: URL:http://www.securityfocus.com/bid/165 In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files. Current Votes: ACCEPT(4) Dik, Prosser, Northcutt, Baker MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> Reference: XF:sun-man Christey> ADDREF CIAC:J-028 Is the Linux man symlink problem the same as the one for Sun? 
See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 Also see BID:305 Dik> sun bug 4154565 ====================================================== Name: CVE-1999-0381 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0381 Phase: Proposed (19990726) Category: SF Reference: BUGTRAQ:19990225 SUPER buffer overflow Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet Reference: XF:linux-super-logging-bo Reference: BID:342 Reference: URL:http://www.securityfocus.com/bid/342 super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. Current Votes: ACCEPT(7) Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker MODIFY(1) Bishop NOOP(2) Armstrong, Wall REVIEWING(1) Christey Voter Comments: Christey> Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split. Frech> From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373. Christey> Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly. 
Bishop> (as indicated by Christey) CHANGE> [Cole changed vote from NOOP to ACCEPT] CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> There are 2 bugs, as confirmed by the super author at: BUGTRAQ:19990226 Buffer Overflow in Super (new) http://www.securityfocus.com/archive/1/12713 BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well. ====================================================== Name: CVE-1999-0389 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0389 Phase: Modified (19991207-01) Category: SF Reference: DEBIAN:19990104 Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows Reference: BID:324 Reference: URL:http://www.securityfocus.com/bid/324 Buffer overflow in the bootp server in the Debian Linux netstd package. Current Votes: ACCEPT(3) Ozancin, Stracener, Baker MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry: +netstd (3.07-7slink.1) frozen; urgency=high + + * bootpd: Applied patch from Redhat as well as a fix for the overflow in + report() (fixes #30675). + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow + bugs. + + -- Herbert Xu Sat, 19 Dec 1998 14:36:48 +1100 This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. 
See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp Frech> XF:debian-netstd-bo Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 CHANGE> [Christey changed vote from REJECT to REVIEWING] Christey> The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799. ====================================================== Name: CVE-1999-0394 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0394 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:19990115 DPEC Online Courseware DPEC Online Courseware allows an attacker to change another user's password without knowing the original password. Current Votes: ACCEPT(1) Baker NOOP(1) Christey REJECT(1) Frech Voter Comments: Frech> If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP. Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com ADDREF BID:565 URL:http://www.securityfocus.com/vdb/bottom.html?vid=565 ====================================================== Name: CVE-1999-0397 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0397 Phase: Proposed (19990728) Category: SF Reference: L0PHT:Jan21,1999 Reference: BUGTRAQ:Jan21,1999 The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. Current Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) Wall Voter Comments: Wall> Reject based on beta copy. 
Frech> XF:quakenbush-pw-appraiser(1652) ====================================================== Name: CVE-1999-0398 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0398 Phase: Modified (20000106-01) Category: SF Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon Reference: BUGTRAQ:19990124 SSH Daemon Reference: XF:ssh-exp-account-access In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27. XF:ssh-exp-account-access ====================================================== Name: CVE-1999-0399 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0399 Phase: Modified (20000105-01) Category: SF Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole Reference: XF:mirc-dcc-metachar-filename The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> XF:mirc-dcc-metachar-filename ====================================================== Name: CVE-1999-0400 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0400 Phase: Modified (20000105-01) Category: SF Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd) Reference: XF:linux-kernel-ldd-dos Reference: BID:344 Reference: URL:http://www.securityfocus.com/bid/344 Denial of service in Linux 2.2.0 running the ldd command on a core file. 
Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) XF:linux-kernel-ldd-dos ====================================================== Name: CVE-1999-0401 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0401 Phase: Modified (20000105-01) Category: SF Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd) Reference: XF:linux-race-condition-proc A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> XF:linux-race-condition-proc ====================================================== Name: CVE-1999-0406 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0406 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:Feb19,1999 Reference: XF:digital-networker-bo Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> In description, change 'which' to 'that'. ====================================================== Name: CVE-1999-0411 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0411 Phase: Proposed (19990726) Category: SF Reference: BUGTRAQ:Feb19,1999 Reference: XF:sco-startup-scripts Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access. Current Votes: MODIFY(2) Baker, Frech NOOP(2) Christey, Wall Voter Comments: Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) does not mention gaining root access... it says a local user could "delete or overwrite arbitrary files on the system." 
Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. Christey> Normalize Bugtraq reference to: BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 Also, SCO:SB-99.17 ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c ====================================================== Name: CVE-1999-0418 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0418 Phase: Proposed (20010912) Category: SF Reference: BUGTRAQ:19990308 SMTP server account probing Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection. Current Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Baker, Foat, Wall REVIEWING(1) Christey Voter Comments: Christey> DUPE CVE-1999-0144 and CVE-1999-0250? Frech> XF:smtp-rctpto-dos(7499) ====================================================== Name: CVE-1999-0419 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0419 Phase: Modified (20000105-01) Category: SF Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid Reference: XF:smtp-4xx-error-dos When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service. Current Votes: ACCEPT(1) Baker MODIFY(2) Frech, LeBlanc REVIEWING(1) Christey Voter Comments: Frech> XF:smtp-4xx-error-dos LeBlanc> - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT. Christey> David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..." 
http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2 ====================================================== Name: CVE-1999-0426 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0426 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure. The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing. Current Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Christey Voter Comments: Frech> XF:linux-dev-kmem-spoof Christey> DUPE CVE-1999-0414 XF:linux-dev-kmem-spoof does not exist. Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists... ====================================================== Name: CVE-1999-0427 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0427 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow Reference: XF:eudora-long-attachments Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected." Christey> This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Is this a duplicate/subsumed by CVE-1999-0004? 
====================================================== Name: CVE-1999-0431 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0431 Phase: Modified (20000106-01) Category: SF Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug Reference: XF:linux-zerolength-fragment Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:linux-zerolength-fragment Christey> Consider adding BID:2247 ====================================================== Name: CVE-1999-0434 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0434 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:19990331 Bug in xfs Reference: BID:359 Reference: URL:http://www.securityfocus.com/bid/359 XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:xfree86-xfs-symlink-dos Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix XF:xfree86-xfs-symlink-dos doesn't exist. Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable Note: Debian's advisory says that this is not a problem for Debian. ====================================================== Name: CVE-1999-0435 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0435 Phase: Proposed (19990623) Category: SF Reference: HP:HPSBUX9903-096 MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM. 
Current Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:hp-servicegaurd Christey> ADDREF CIAC:J-039 Christey> Note the typo in Andre's suggested reference. Normalize to XF:hp-serviceguard(2046) ====================================================== Name: CVE-1999-0443 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0443 Phase: Proposed (19990728) Category: SF Reference: BUGTRAQ:19990409 Patrol security bugs Reference: URL:http://www.securityfocus.com/archive/1/13204 Reference: XF:bmc-patrol-replay Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> Change "Patrol management software" to "The PATROL management product from BMC Software". ====================================================== Name: CVE-1999-0444 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0444 Phase: Modified (20000106-01) Category: SF Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT Reference: XF:windows-arp-dos Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files. Current Votes: ACCEPT(1) Baker MODIFY(1) Frech Voter Comments: Frech> ADDREF: XF:windows-arp-dos ====================================================== Name: CVE-1999-0450 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0450 Phase: Proposed (19990726) Category: SF Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory Reference: BID:194 Reference: URL:http://www.securityfocus.com/bid/194 In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) . 
Current Votes: ACCEPT(2) Ozancin, Wall NOOP(2) Baker, Christey REJECT(2) Frech, LeBlanc Voter Comments: Frech> Can't find in database. Christey> This looks like another discovery of CVE-2000-0071 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, and it does not repro - GET /bogus.pl HTTP/1.0 HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Thu, 05 Oct 2000 21:04:20 GMT Content-Length: 3243 Content-Type: text/html No path is returned whatsoever. This may have been a problem on some version of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. Let's try and figure out what version had the problem, whether it is intrinsic to IIS or the result of adding a 3rd party implementation of perl, and when it got fixed, then we can try again. CHANGE> [Frech changed vote from REVIEWING to REJECT] Christey> Add "no-such-file.pl" as an example to the desc, to facilitate search (it's used by CGI scanners and in the original example) ====================================================== Name: CVE-1999-0451 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0451 Phase: Proposed (19990726) Category: SF Reference: BUGTRAQ:Jan19,1999 Reference: BID:343 Reference: URL:http://www.securityfocus.com/bid/343 Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port. Current Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall Voter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:linux-ports-dos(8364) ====================================================== Name: CVE-1999-0452 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0452 Phase: Proposed (19990726) Category: SF A service or application has a backdoor password that was placed there by the developer. Current Votes: ACCEPT(2) Baker, Wall REJECT(1) Frech Voter Comments: Frech> Much too broad. 
Also may be HIGHCARD (or will be in the future). Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurance. ====================================================== Name: CVE-1999-0453 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0453 Phase: Modified (20040512-02) Category: SF Reference: BUGTRAQ:19990118 Remote Cisco Identification An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP). Current Votes: ACCEPT(2) Baker, Balinsky MODIFY(1) Frech NOOP(2) Northcutt, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:cisco-ident(2289) ADDREF BUGTRAQ:19990118 Remote Cisco Identification In description, probably better to use "Cisco" as product/company name. Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity. Christey> There may be a slight abstraction problem here, e.g. look at the candidate for queso/nmap; also see followup Bugtraq post from "Basement Research" on 19990120 which says that there are many other features in Cisco products that allow remote identification. Christey> fix typo: "Dicsovery" ====================================================== Name: CVE-1999-0454 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0454 Phase: Proposed (19990728) Category: SF A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso. Current Votes: MODIFY(1) Frech NOOP(2) Christey, Wall REJECT(2) Baker, Northcutt Voter Comments: Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced ways to accomplish this. To pursue making the world signature free is as much a vulnerability as having signatures, nay more. Frech> XF:decod-nmap(2053) XF:decod-queso(2048) Christey> Add "fingerprinting" to facilitate search. 
Some references: MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2 BUGTRAQ:19990222 Preventing remote OS detection http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2 BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2 BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD, http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2 BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs) http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2 BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2 BUGTRAQ:20000609 p0f - passive os fingerprinting tool http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2 Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation. ====================================================== Name: CVE-1999-0455 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0455 Phase: Modified (19991210-01) Category: SF Reference: ALLAIRE:ASB-001 Reference: XF:coldfusion-expression-evaluator Reference: BID:115 Reference: URL:http://www.securityfocus.com/bid/115 The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly. 
Current Votes: ACCEPT(3) Frech, Ozancin, Balinsky MODIFY(1) Wall NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues) make application plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm). Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times. In any case, this candidate can not be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions. ====================================================== Name: CVE-1999-0459 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0459 Phase: Proposed (19990728) Category: SF Reference: XF:linux-milo-halt Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot. Current Votes: ACCEPT(1) Frech NOOP(2) Baker, Northcutt REJECT(1) Wall Voter Comments: Wall> Reject based on beta copy. 
====================================================== Name: CVE-1999-0460 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0460 Phase: Proposed (19990726) Category: SF Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+ Reference: BID:312 Reference: URL:http://www.securityfocus.com/bid/312 Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service. Current Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall Voter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:linux-autofs-bo(8365) ====================================================== Name: CVE-1999-0461 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0461 Phase: Proposed (19990728) Categor