Candidate Modified ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. CA-98-13-tcp-denial-of-service 19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service http://www.openbsd.org/errata23.html#tcpfix 5707 Frech Northcutt, Wall Christey A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. XF:teardrop(338) This assignment was based solely on references to the CERT advisory. The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis. Candidate Modified MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. CA-98.10.mime_buffer_overflows outlook-long-name 00175 MS98-008 Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins Frech Christey Shostack Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-) This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 CVE-2000-0415 may be a later rediscovery of this problem for Outlook. Sun bug 4163471, ADDREF BID:125 BUGTRAQ:19980730 Long Filenames & Lotus Products URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2 Candidate Proposed Teardrop IP denial of service. CA-97.28.Teardrop_Land teardrop Wall Frech Christey XF: teardrop-mod Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q154174 MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other. BID:124 http://www.securityfocus.com/bid/124 Consider MSKB:Q154174 http://support.microsoft.com/support/kb/articles/q154/1/74.asp Consider BUGTRAQ:19971113 Linux IP fragment overlap bug http://www.securityfocus.com/archive/1/8014 Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Levy, Northcutt, Wall, Shostack Christey, Baker XF:lpr-bo DUPE CVE-1999-0032, which includes XF:lpr-bo Candidate Proposed root privileges via buffer overflow in xlock command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.24.IRIX.xlock.buffer.overflow.vul sgi-xlockbo 19970508-02-PX Ozancin, Levy, Prosser Baker Frech Christey XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme. Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder. As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 Sun also has this problem, at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba Candidate Modified Command execution in Sun systems via buffer overflow in the at program. CA-97.18.at 00160 sun-atbo Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins Christey Frech This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following: Reference: XF:at-bo Sun bug 1265200, 4063161 ADDREF SGI:19971102-01-PX ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX SCO:SB.97:01 ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a CIAC:F-15 http://ciac.llnl.gov/ciac/bulletins/f-15.shtml HP:HPSBUX9502-023 Add period to the end of the description. Candidate Proposed File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). NAI-20 bsd-lpd Hill, Northcutt, Frech Baker Christey This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? in 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000. We should merge these. Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19: BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability URL:SNI-19:BSD lpd vulnerability Also add: BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI. Candidate Modified Buffer overflow in wu-ftp from PASV command causes a core dump. ftp-args Ozancin, Baker, Frech Balinsky Christey Don't know what this is. Is this the LIST Core dump vulnerability? Need to add more references and details. Candidate Modified pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. CA-96.08.pcnfsd rpc-pcnfsd Collins, Northcutt, Landfield, Frech, Shostack Baker Christey This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem. The permissions part of this vulnerability appears to overlap with CVE-1999-0353 SGI:20020802-01-I Candidate Interim AIX routed allows remote users to modify sensitive files. ERS-SVA-E01-1998:001.1 ibm-routed Northcutt, Shostack Prosser, Frech Baker Christey Reference: XF:ibm-routed This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes. This appears to be subsumed by CVE-1999-0215 Candidate Proposed IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. ERS-SVA-E01-1998:004.1 Northcutt, Shostack Prosser, Frech Baker Christey ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX DUPE CVE-1999-0210? ADDREF CIAC:J-014 It does look very similar to 1999-0210. Perhaps they should be a single entry Candidate Interim Buffer overflow in AIX libDtSvc library can allow local users to gain root access. ERS-SVA-E01-1997:005.1 ibm-libDtSvc Northcutt, Shostack Prosser, Frech Baker Christey Reference: XF:ibm-libDtSvc The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific. Same Codebase as CVE-1999-0121, so the two entries should be merged. Candidate Proposed Various vulnerabilities in the AIX portmir command allows local users to obtain root access. ERS-SVA-E01-1997:006.1 Baker, Bollinger Frech Ozancin XF:ibm-portmir Candidate Proposed Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. smtp-helo-bo Baker, Frech Wall Christey (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available? Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO? BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference. Candidate Modified A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. CA-97.28.Teardrop_Land teardrop-mod Wall, Frech Christey Another reference is Microsoft Knowledge Base Q179129. Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate. Add period to the end of the description. Candidate Proposed finger allows recursive searches by using a long string of @ symbols. Shostack, Baker, Frech Christey Northcutt fingerD XF:finger-bomb aka redirection or forwarding requests? (but then might overlap CVE-1999-0106) should change description to indicate the recursive searching can consume enough system resources to cause a DoS. Candidate Proposed Finger redirection allows finger bombs. Northcutt Shostack, Frech Baker Christey fingerd allows redirection This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously. XF:finger-bomb need more refs This should be merged with 1999-0105 Candidate Modified Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. apache-dos 19971230 Apache DoS attack? Baker Frech Shostack, Northcutt, Wall Levy Christey - Although this is probably the phf hack. XF:apache-dos This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service. BUGTRAQ: http://www.securityfocus.com/archive/1/10228 BUGTRAQ: http://www.securityfocus.com/archive/1/10516 Candidate Interim ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Shostack, Levy, Northcutt, Wall Dik, Christey, Baker XF:fdformat-bo Duplicate of CVE-1999-0315 dup Candidate Modified Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. 19990912 elm filter program 19951226 filter (elm package) security hole elm-filter2 Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong Baker, Frech Ozancin, Christey, Northcutt Levy XF:elm-filter2 [Wall changed vote from NOOP to ACCEPT] with Frech modifications ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995. BID:1802 URL:http://www.securityfocus.com/bid/1802 BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability? XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? Its references point to the December 26, 1995 BUgtraq post. Also consider CIAC:G-36 and CERT:VB-95:10 DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402) Candidate Proposed Windows NT 4.0 beta allows users to read and delete shares. Frech Northcutt, Baker Wall Reject based on beta copy. XF:nt-beta(11) Reconsider reject, because this beta was in widespread use. Candidate Proposed Buffer overflow in dtaction command gives root access. 00164 ERS-SVA-E01-1997:005.1 Dik, Northcutt Prosser, Baker, Frech Christey Reference: XF:dtaction-bo Reference: XF:sun-dtaction Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin This is the Same Codebase as CVE-1999-0089, so the two entries should be merged. Replace sun-dtaction(732) with dtaction-bo(879) Merge with 1999-0089 Candidate Modified Race condition in Linux mailx command allows local users to read user files. linux-mailx 19951222 mailx-5.5 (slackware /bin/mail) security hole Ozancin, Baker, Frech Wall Candidate Proposed swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. CA-96.27.hp_sw_install AA-96.04 hpux-swinstall Prosser, Baker Frech Christey (keep current XF: reference, and add) XF:hpux-sqwmodify Perhaps this should be split, per SF-LOC. CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml HP:HPSBUX9707-064 references CERT:CA-96.27 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem: BUGTRAQ:19961005 swinst,bug http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2 Candidate Proposed Denial of service in RAS/PPTP on NT systems. Hill Frech, Meunier Baker Christey Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future. XF:nt-ras-bo ONLY IF reference is to MS:MS99-016 According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source. [Christey changed vote from NOOP to REVIEWING] [Christey changed vote from REVIEWING to REJECT] This is too general to know which problem is being discussed. More precise candidates should be created. Consider adding BID:2111 Candidate Modified Denial of service in Qmail by specifying a large number of recipients with the RCPT command. 19970612 qmail-dos-2.c, another denial of service attack 19970612 Re: Denial of service (qmail-smtpd) http://cr.yp.to/qmail/venema.html http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html 2237 qmail-rcpt Frech, Meunier, Hill, Baker Christey DUPE CVE-1999-0418 and CVE-1999-0250? Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html http://cr.yp.to/qmail/venema.html Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit. http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate. http://www.securityfocus.com/bid/2237 [Baker changed vote from REVIEWING to ACCEPT] qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Candidate Proposed IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. Q163485 Q164059 19970220 ! [ADVISORY] Major Security Hole in MS ASP http-iis-aspdot http-iis-aspsource Frech, Stracener, Wall, Foat Christey, Baker, Cole This is the precursor to the problem that is identified in CVE-1999-0253. CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml [Foat changed vote from NOOP to ACCEPT] Candidate Proposed wu-ftpd FTP daemon allows any user and password combination. ftp-pwless Shostack, Northcutt Baker Frech Christey, Prosser but so far can find no reference to this one Our records indicate that this does not necessarly affect just wu-ftp (ie, also affects IIS FTP server). The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information. Candidate Proposed In older versions of Sendmail, an attacker could use a pipe character to execute root commands. smtp-pipe Frech, Northcutt Prosser Christey, Baker Shostack there was a 'To: |' and a 'From: |' attack, which I think are seperate. older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM ' Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack Candidate Modified NFS cache poisoning. nfs-cache Frech, Northcutt, Baker Shostack Prosser Christey need more data need more refs Add period to the end of the description. Candidate Proposed NFS allows attackers to read and write any file on the system by specifying a false UID. nfs-uid Frech, Northcutt Baker Shostack this is not a vulnerability but a design feature. Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID." Candidate Proposed Denial of service in syslog by sending it a large number of superfluous messages. syslog-flood Frech, Northcutt Baker Shostack, Christey design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.. Duplicate of CVE-1999-0566 Candidate Modified In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm 00178 snmp-backdoor-access Dik, Baker Frech Wall Christey Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Add ISS:Hidden Community String in SNMP Implementation What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. ADDREF BID:177 ISS:19981102 Hidden community string in SNMP implementation http://xforce.iss.net/alerts/advise11.php Change description to include "hidden" XF:snmp-backdoor-access is missing. Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Hill, Northcutt Frech, Prosser, Baker Dik Christey The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision XF:rdist-bo (error msg formation) XF:rdist-bo2 (execute code) XF:rdist-bo3 (execute user-created code) XF:rdist-sept97 (root from local) Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary. As currently phrasedm thissa duplicate of CVE-1999-0022 Based on our new philosophy, this should be recast/merged or re-described. Candidate Proposed Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. Shostack, Bishop, Ozancin, Northcutt, Cole Blake, Baker Frech, Wall, Landfield, Armstrong Levy, Christey possibly XF:ascend-kill I can't find a reference that lists both routers in the same reference. Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing withour better references. What are the references for this ? I cannot find a means to check it out. [Frech changed vote from REVIEWING to NOOP] Cannot reconcile to our database without further references. I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a refernce to the 3Coms? If not, that should be removed from the description. http://xforce.iss.net/static/614.php Misc Defensive Info http://www.securityfocus.com/archive/1/5682 Misc Offensive Info http://www.securityfocus.com/archive/1/5647 Misc Defensive Info http://www.securityfocus.com/archive/1/5640 Misc Defensive Info [Armstrong changed vote from REVIEWING to NOOP] Candidate Modified Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. 19990128 rpcbind: deceive, enveigle and obfuscate Shostack, Balinsky Frech Northcutt, Wall, Baker Levy, Christey XF:rpcbind-spoof CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset Candidate Proposed finger 0@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt fingerd may respond to 'finger 0@host' with account info Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature) Candidate Proposed finger .@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt as above Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check ) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature) Candidate Modified Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. Q137853 Baker Frech, Shostack Northcutt, Wall Christey Levy WFTP is not sufficient; is this wu-, ws-, war-, or another? Other have mentioned this before, but it may be WU-FTP. POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a non-anon FTP account and gain root privs. added MSKB reference [Christey changed vote from REVOTE to REJECT] The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsft FTP server. It's best to just kill this candidate where it stands and start fresh. Candidate Modified Denial of service in Sendmail 8.6.11 and 8.6.12. 19990708 SM 8.6.12 Hill, Northcutt Frech, Prosser Baker Ozancin, Christey XF:sendmail-alias-dos additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread. Change Bugtraq reference date to 19950708. Candidate Modified libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. sun-libnsl 4305859 Dik, Ozancin, Hill, Blake, Landfield, Cole Frech, Levy, Baker Bishop, Meunier, Wall, Armstrong Christey XF:sun-libnsl Sun bug #4305859 http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055. BID 148 Candidate Modified Denial of service of inetd on Linux through SYN and RST packets. 19971130 Linux inetd.. linux-inetd-dos HPSBUX9803-077 hp-inetd Hill Frech, Baker Meunier The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonnable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. XF:hp-inetd XF:linux-inetd-dos Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to mulitple OS and should be likely either modified, or in extreme case, recast Candidate Proposed Attackers can do a denial of service of IRC by crashing the server. Northcutt, Baker Frech, Christey Would reconsider if any references were available. No references available, combined with extremely vague description, equals REJECT. Candidate Proposed Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. Baker Frech, Shostack, Levy Balinsky, Northcutt, Wall Ziese Christey I follow cisco announcements and problems pretty closely, and haven't seen this. Source? XF:cisco-web-crash XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases? BUGTGRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154 The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verfied by my Company". If it can't be recast because this (long uri) is diffferent then our release (special url construction). [Christey changed vote from REVIEWING to REJECT] Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected. Candidate Proposed Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. Northcutt Frech Baker Christey Too general, and no references. XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net Candidate Modified Denial of service in Windows NT IIS server using ..\.. Q115052 Shostack, Baker Frech, Wall Northcutt Christey Levy Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. XF:http-dotdot (not necessarily IIS?) DELREF XF:http-dotdot - it deals with a read/access dot dot problem. This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) [Christey changed vote from REVOTE to REJECT] Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Consider adding BID:2218 Candidate Modified Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. 19990317 Re: SLMail 2.6 DoS - Imail also Levy, Baker Christey, Northcutt, Landfield Frech Ozancin XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) (There is no way I will have access to these systems) Some sources report that VRFY and EXPN are both affected. Candidate Modified Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. Hill, Northcutt Frech Prosser Baker Christey Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one Candidate Modified Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. CA-95:04 F-11 Hill, Prosser, Northcutt Frech Christey, Baker XF:http-ncsa-longurl CVE-1999-0235 has the same ref's as CVE-1999-0267 Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. Candidate Proposed php.cgi allows attackers to read any file on the system. http-cgi-phpfileread Frech, Collins, Prosser, Northcutt, Baker Christey additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Consider adding BID:2250 Candidate Proposed Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. Northcutt Baker Frech Would reconsider if any references were available. Candidate Modified Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. http-xguess-cookie Hill, Northcutt, Proctor Frech, Prosser Baker Christey Also add to references: XF:sol-mkcookie additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either. CIAC:G-04 URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml SGI:19960601-01-I URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I CERT:VB-95:08 Candidate Modified Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. 19951222 mailx-5.5 (slackware /bin/mail) security hole linux-pop3d Baker Frech Shostack, Christey, Northcutt, Wall Levy Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail) At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here. Candidate Proposed Linux cfingerd could be exploited to gain root access. Shostack Levy, Northcutt, Wall, Baker Frech, Christey This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. [Frech changed vote from REVIEWING to REJECT] If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. Candidate Proposed HP Remote Watch allows a remote user to gain root access. hp-remote Frech, Hill, Prosser, Northcutt Baker Christey Comment: Determine if it's RemoteWatch or Remote Watch. HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name) ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superceded by later tools. Believe the biggest concern here is to just not run the tool at all. CIAC:H-16 Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul Also BUGTRAQ:19961013 BoS: SOD remote exploit http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 Include "remwatch" in the description to facilitate search. Candidate Proposed Windows NT RSHSVC program allows remote users to execute arbitrary commands. Baker Frech, Wall Shostack, Northcutt Christey Levy Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit. XF:rsh-svc MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system. Candidate Modified Denial of service in Qmail through long SMTP commands. 19970612 qmail-dos-2.c, another denial of service attack http://cr.yp.to/qmail/venema.html http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html qmail-leng Meunier, Hill Frech Baker Christey XF:qmail-rcpt DUPE CVE-1999-0418 and CVE-1999-0144? Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached. http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected. [Baker changed vote from REVIEWING to REJECT] XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well. qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Candidate Modified IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. http-iis-2e 19970319 Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong LeBlanc Ozancin, Prosser, Wall Christey This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a seaprate issue. Agree with the comment. - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT [Christey changed vote from NOOP to REVIEWING] BID:1814 URL:http://www.securityfocus.com/bid/1814 Candidate Proposed A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information. Hidden SNMP community in HP OpenView hpov-hidden-snmp-comm Frech, Baker Wall Christey What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. Candidate Proposed Buffer overflow in ircd allows arbitrary command execution. Hill, Northcutt, Baker Frech Prosser Christey XF:irc-bo This is too general and doesn't have any references. The XF reference doesn't appear toe xist any more. Perhaps this reference would help: BUGTRAQ:19970701 ircd buffer overflow It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post. Candidate Proposed Nestea variation of teardrop IP fragmentation denial of service. Wall Frech Christey XF:nestea-linux-dos Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. Also see BUGTRAQ:19990909 CISCO and nestea. Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c. See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. BUGTRAQ:19980501 nestea does other things http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html Candidate Proposed Bonk variation of teardrop IP fragmentation denial of service. Frech, Wall Christey Reference Q179129 XF:teardrop-mod Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. BUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 NTBUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 NTBUGTRAQ:19980109 Re: Bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 CIAC:I-031a http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability. Candidate Modified Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. 19980504 Netmanage Holes http://www.insecure.org/sploits/netmanage.chameleon.overflows.html Baker Frech, Landfield Ozancin, Christey, Northcutt XF:chamelion-smtp-dos - Specify what "a crash" means. ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) Consider adding BID:2387 Candidate Modified Progressive Networks Real Video server (pnserver) can be crashed remotely. 19980115 pnserver exploit.. 19980817 Re: Real Audio Server Version 5 bug? Blake, Northcutt, Baker Frech Prosser Christey Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896 [Frech changed vote from REVIEWING to MODIFY] ADDREF XF:realvideo-telnet-dos Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage. Dik, Baker Frech Ozancin Prosser Christey XF:sun-loadmodule XF:sun-modload (CERT CA-93.18 very old!) Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both. There are three similar Sun bug ids associated with the patches. 1076118 loadmodule has a security vulnerability 1148753 loadmodule has a security vulnerability 1222192 loadmodule has a security vulnerability as well as: 1137491 Ancient stuff. Add period to the end of the description. [Christey changed vote from NOOP to REVIEWING] This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18. [Christey changed vote from REVIEWING to REJECT] This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue. Candidate Modified The Java Web Server would allow remote users to obtain the source code for CGI programs. 19970716 Viewable .jhtml source with JavaWebServer Dik, Collins, Blake, Northcutt, Wall, Baker, Cole Frech Armstrong, Bishop, Christey, Prosser, Landfield Ozancin Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html. Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/7260 Misc Defensive Info http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info BID:1891 URL:http://www.securityfocus.com/bid/1891 Add version number (1.1 beta) and details of attack (appending a . or a \) The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server" There appears to be some confusion. The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jthml source by appending "." of "\" to URL) There are other bugs that give access and that require a configuration change. http://www.sun.com/software/jwebserver/techinfo/security_advisory.html Need to make sure to create CAN's for the other bugs, as documented in: NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 The reported bugs are: 1) file read by appending %20 2) Directly call /servlet/file URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283. [Frech changed vote from REVIEWING to MODIFY] XF:javawebserver-cgi-source(5383) Candidate Proposed Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command. smtp-helo-bo Blake, Northcutt Frech, Ozancin, Levy Baker Christey "Windows NT-based mail servers" (A trademark thing, and for clarification) XF:mdaemon-helo-bo XF:lotus-notes-helo-crash XF:slmail-helo-overflow XF:smtp-helo-bo (mentions several products) XF:smtp-exchangedos - Need one per software. Each one should be its own vulnerability. => Windows NT is correct These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO). Candidate Proposed Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection. Hill Wall, Baker Frech, Christey No references, no information. [Frech changed vote from REVIEWING to REJECT] No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000. Candidate Proposed In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages. Armstrong, Shostack, Cole Levy, Blake, Wall Bishop, Ozancin, Northcutt, Baker, Landfield Frech Christey In some NT web servers, appending a dot at the end of a URL may allows attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser" In the meantime, reword description as 'Windows NT' (trademark issue) Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253. NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 BID 273 Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 [Christey changed vote from NOOP to REVIEWING] [Frech changed vote from REVIEWING to REJECT] BID articles) Candidate Proposed Vulnerability in the Wguest CGI program. Frech, Shostack Levy, Blake, Northcutt, Wall Christey, Baker allows file reading XF:http-cgi-webcom-guestbook CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same. BID:2024 Candidate Modified ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack. 19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme Cole, Dik, Levy, Northcutt Frech Shostack, Christey, Baker ADDREF BID:1441 URL:http://www.securityfocus.com/bid/1441 If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote. [Frech changed vote from REVIEWING to MODIFY] ADDREF XF:ypbind-ypset-root [Dik changed vote from REVIEWING to ACCEPT] This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2 Both releases are not vulnerable in the default configuration (both disabllow ypset by default which prevents this problem from occurring) Candidate Proposed buffer overflow in HP xlock program. hp-xlock Frech, Northcutt, Baker Prosser Shostack Christey This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038. Candidate Modified Buffer overflow in HP-UX cstm program allows local users to gain root privileges. 19961116 This week: turn me on, dead man hpux-cstm-bo Frech, Northcutt Shostack, Prosser, Baker Christey only ref I can find is an old SOD exploit on www.outpost9.com MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. See the original post: http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org Candidate Modified Buffer overflow in Linux su command gives root access to local users. 19990818 slackware-3.5 /bin/su buffer overflow su-bo Frech, Hill, Northcutt Prosser Baker Christey DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution. If this is the same as the unixware, the n it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however... XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ? http://xforce.iss.net/static/734.php BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in: BUGTRAQ:19971220 Linux vsyslog() overflow http://www.securityfocus.com/archive/1/8274 Candidate Proposed Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting. xmcd-tiflestr Frech, Hill, Northcutt Prosser, Baker Christey BUGTRAQ:19961126 Security Problems in XMCD 2.1 A followup to this post says that xmcd is not suid here. Candidate Modified Linux bdash game has a buffer overflow that allows local users to gain root access. 19940101 (No Subject) bdash-bo Baker Frech Shostack, Northcutt, Wall Levy XF:bdash-bo Candidate Modified Buffer overflow in Internet Explorer 4.0(1). msie-bo Northcutt, Baker Frech, Shostack Prosser Christey, LeBlanc this is a high cardinality item needs to be more specific. Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate) Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the broswer when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports. The description is too vague. too vague Add period to the end of the description. Candidate Modified HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack. RSI.0009.09-08-98.HP-UX.OMNIBACK HPSBUX9810-085 omniback-remote Frech, Baker Prosser Christey additional source HP Security Bulletin 85 http://us-support.external.hp.com http://europe-support.external.hp.com Two separate bugs, so SF-LOC says this candidate should be split ADDREF CIAC:J-007 URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml Candidate Modified Buffer overflow in mstm in HP-UX allows local users to gain root access. 19961116 This week: turn me on, dead man hpux-mstm-bo Frech, Northcutt Shostack, Prosser, Baker Christey same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. Candidate Proposed Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. Cole, Blake Frech, Wall Landfield, Bishop, Ozancin, Northcutt Meunier Armstrong, Levy, LeBlanc, Baker Christey Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack. XF:nt-ssping ADDREF XF:ping-death ADDREF XF:teardrop-mod ADDREF XF:mpeix-echo-request-dos I can't tell whether the Jolt exploit at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net is exploiting any different flaw than teardrop does. [Christey changed vote from NOOP to REVIEWING] Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128) I tend to agree with Baker. [Armstrong changed vote from REVIEWING to REJECT] This code does not use fragment overlap. It is simply a large ICMP echo request. See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is. I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends: - 172 fragments of length 400 with offset starting at 5120 and > 3)), which eventually results in sending fragments inside an already > 3) is greater than 5120, which occurs when n is reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly. - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent. So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored. Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it. Candidate Modified Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character. 19990126 Javascript ecurity bug in Internet Explorer 19990126 Javascript ecurity bug in Internet Explorer Levy, LeBlanc, Northcutt, Baker Frech, Prosser Christey this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp Duplicate of CVE-1999-0490? If Prosser is correct that this is MS99-012, accept BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 BID:197 URL:http://www.securityfocus.com/bid/197 [Frech changed vote from REVIEWING to MODIFY] XF:ie-window-spoof(2069) Candidate Proposed ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-passwd-encrypt Frech, Baker Northcutt, Wall Ozancin Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption. Candidate Proposed Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message. Jan27,1999 MS99-002 Ozancin, Wall, Baker Frech Christey XF:word97-template-macro CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 BID:196 http://www.securityfocus.com/bid/196 MSKB:Q214652 http://support.microsoft.com/support/kb/articles/q214/6/52.asp Candidate Proposed ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-bookfile-access Frech, Baker Northcutt, Wall Ozancin Candidate Proposed ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords. 19990127 UNIX shell modem access vulnerabilities ptylogin-dos Cole, Frech Baker XF:ptylogin-dos Should say "... lock out a modem, ..." rather than "... locking out modems..." Candidate Modified MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely. 19990130 Security Advisory for Internet Information Server 4 with Site Jan29,1999 Landfield, Cole, Collins, Blake, Northcutt, Wall Frech, LeBlanc, Baker Armstrong, Ozancin, Christey, Prosser I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem). - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything. Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type THis is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix... BID:1811 URL:http://www.securityfocus.com/bid/1811 CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title. Add "uploadn.asp" to the description. [Frech changed vote from REVIEWING to MODIFY] XF:siteserver-user-dir-permissions(5384) Candidate Proposed NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging. Jan29,1999 Baker Frech Northcutt, Wall XF:compulink-pw-laserfiche(1679) Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords Candidate Modified Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. 19990204 Microsoft Access 97 Stores Database Password as Plaintext LeBlanc, Baker Frech Northcutt, Wall [Frech changed vote from REVIEWING to MODIFY] XF:access-weak-passwords(1774) An older published reference (from our own Adam) would be better: ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0" http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 07028.1462108427&hitnum=1 Candidate Modified In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files. 00184 165 Dik, Prosser, Northcutt, Baker Frech Christey Reference: XF:sun-man ADDREF CIAC:J-028 Is the Linux man symlink problem the same as the one for Sun? See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 Also see BID:305 sun bug 4154565 Candidate Proposed super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. 19990225 SUPER buffer overflow linux-super-logging-bo 342 Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker Bishop Armstrong, Wall Christey Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split. From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373. Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly. (as indicated by Christey) [Cole changed vote from NOOP to ACCEPT] [Christey changed vote from NOOP to REVIEWING] There are 2 bugs, as confirmed by the super author at: BUGTRAQ:19990226 Buffer Overflow in Super (new) http://www.securityfocus.com/archive/1/12713 BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well. Candidate Modified Buffer overflow in the bootp server in the Debian Linux netstd package. 19990104 19990103 [SECURITY] New versions of netstd fixes buffer overflows 324 Ozancin, Stracener, Baker Frech Christey Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry: +netstd (3.07-7slink.1) frozen; urgency=high + + * bootpd: Applied patch from Redhat as well as a fix for the overflow in + report() (fixes #30675). + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow + bugs. + + -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100 This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp XF:debian-netstd-bo Further analysis indicates that this is a duplicate of CVE-1999-0799 [Christey changed vote from REJECT to REVIEWING] The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799. Candidate Proposed DPEC Online Courseware allows an attacker to change another user's password without knowing the original password. 19990115 DPEC Online Courseware Baker Christey Frech If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP. CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com ADDREF BID:565 URL:http://www.securityfocus.com/vdb/bottom.html?vid=565 Candidate Proposed The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. Jan21,1999 Jan21,1999 Northcutt Frech Baker Wall Reject based on beta copy. XF:quakenbush-pw-appraiser(1652) Candidate Modified In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login. 19990123 SSH 1.x and 2.x Daemon 19990124 SSH Daemon ssh-exp-account-access Baker Frech Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27. XF:ssh-exp-account-access Candidate Modified The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands. 19990124 Mirc 5.5 'DCC Server' hole mirc-dcc-metachar-filename Baker Frech XF:mirc-dcc-metachar-filename Candidate Modified Denial of service in Linux 2.2.0 running the ldd command on a core file. 19990127 2.2.0 SECURITY (fwd) linux-kernel-ldd-dos 344 Baker Frech BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) XF:linux-kernel-ldd-dos Candidate Modified A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files. 19990202 [patch] /proc race fixes for 2.2.1 (fwd) linux-race-condition-proc Baker Frech XF:linux-race-condition-proc Candidate Proposed Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege. Feb19,1999 digital-networker-bo Baker Frech In description, change 'which' to 'that'. Candidate Proposed Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access. Feb19,1999 sco-startup-scripts Baker, Frech Christey, Wall Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) does not mention gaining root access... it says a local user could "delete or overwrite arbitrary files on the system." By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. Normalize Bugtraq reference to: BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 Also, SCO:SB-99.17 ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c Candidate Proposed Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection. 19990308 SMTP server account probing Cole Frech Baker, Foat, Wall Christey DUPE CVE-1999-0144 and CVE-1999-0250? XF:smtp-rctpto-dos(7499) Candidate Modified When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service. 19990319 Microsoft's SMTP service broken/stupid smtp-4xx-error-dos Baker Frech, LeBlanc Christey XF:smtp-4xx-error-dos - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT. David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..." http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2 Candidate Proposed The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing. 19990319 The default permissions on /dev/kmem is insecure. Frech Baker Christey XF:linux-dev-kmem-spoof DUPE CVE-1999-0414 XF:linux-dev-kmem-spoof does not exist. *Now* XF:linux-dev-kmem-spoof(3500) exists... Candidate Proposed Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names. 19990320 Eudora Attachment Buffer Overflow eudora-long-attachments Baker Frech Christey Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected." This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Is this a duplicate/subsumed by CVE-1999-0004? Candidate Modified Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service. 19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug linux-zerolength-fragment Baker Frech Christey XF:linux-zerolength-fragment Consider adding BID:2247 Candidate Proposed XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. 19990331 Bug in xfs 359 Baker Frech Christey XF:xfree86-xfs-symlink-dos Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix XF:xfree86-xfs-symlink-dos doesn't exist. ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable Note: Debian's advisory says that this is not a problem for Debian. Candidate