"CVE Version 20061101",,,,,
"Date: 20080624",,,,,
"Name","Status","Description","References","Phase","Votes","Comments"
"Candidates must be reviewed and accepted by the CVE Editorial Board",,,,,,
"before they can be added to the official CVE list. Therefore, these",,,,,,
"candidates may be modified or even rejected in the future. They are",,,,,,
"provided for use by individuals who have a need for an early",,,,,,
"numbering scheme for items that have not been fully reviewed by",,,,,,
"the Editorial Board.",,,,,,
,,,,,,
CVE-1999-0001,Candidate,"ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.","CERT:CA-98-13-tcp-denial-of-service | BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service | CONFIRM:http://www.openbsd.org/errata23.html#tcpfix | OSVDB:5707 | URL:http://www.osvdb.org/5707",Modified (20051217)," MODIFY(1) Frech | NOOP(2) Northcutt, Wall | REVIEWING(1) Christey"," Christey> A Bugtraq posting indicates that the bug has to do with | ""short packets with certain options set,"" so the description | should be modified accordingly. | | But is this the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | Frech> XF:teardrop(338) | This assignment was based solely on references to the CERT advisory. | Christey> The description for BID:190, which links to CVE-1999-0052 (a | FreeBSD advisory), notes that the patches provided by FreeBSD in | CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and | CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without | further analysis."
CVE-1999-0002,Entry,"Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.","SGI:19981006-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I | CERT:CA-98.12.mountd | CIAC:J-006 | URL:http://www.ciac.org/ciac/bulletins/j-006.shtml | BID:121 | URL:http://www.securityfocus.com/bid/121 | XF:linux-mountd-bo",,,
CVE-1999-0003,Entry,"Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).","NAI:NAI-29 | CERT:CA-98.11.tooltalk | SGI:19981101-01-A | URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A | SGI:19981101-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX | XF:aix-ttdbserver | XF:tooltalk | BID:122 | URL:http://www.securityfocus.com/bid/122",,,
CVE-1999-0004,Candidate,"MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.","CERT:CA-98.10.mime_buffer_overflows | XF:outlook-long-name | SUN:00175 | MS:MS98-008 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp",Modified (19990621-01)," ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins | MODIFY(1) Frech | NOOP(1) Christey | REVIEWING(1) Shostack"," Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject | this suggestion, I will not be devastated.) :-) | Christey> This issue seems to have been rediscovered in | BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again | http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 | | Also see | BUGTRAQ:19990320 Eudora Attachment Buffer Overflow | http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 | Christey> | CVE-2000-0415 may be a later rediscovery of this problem | for Outlook. | Dik> Sun bug 4163471, | Christey> ADDREF BID:125 | Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2"
CVE-1999-0005,Entry,"Arbitrary command execution via IMAP buffer overflow in authenticate command.","CERT:CA-98.09.imapd | SUN:00177 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177 | BID:130 | URL:http://www.securityfocus.com/bid/130 | XF:imap-authenticate-bo",,,
CVE-1999-0006,Entry,"Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.","CERT:CA-98.08.qpopper_vul | SGI:19980801-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I | AUSCERT:AA-98.01 | XF:qpopper-pass-overflow | BID:133 | URL:http://www.securityfocus.com/bid/133",,,
CVE-1999-0007,Entry,"Information from SSL-encrypted sessions via PKCS #1.","CERT:CA-98.07.PKCS | MS:MS98-002 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx | XF:nt-ssl-fix",,,
CVE-1999-0008,Entry,"Buffer overflow in NIS+, in Sun's rpc.nisd program.","CERT:CA-98.06.nisd | SUN:00170 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170 | ISS:June10,1998 | XF:nisd-bo-check",,,
CVE-1999-0009,Entry,"Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.","SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | SUN:00180 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180 | CERT:CA-98.05.bind_problems | XF:bind-bo | BID:134 | URL:http://www.securityfocus.com/bid/134",,,
CVE-1999-0010,Entry,"Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.","CERT:CA-98.05.bind_problems | SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | XF:bind-dos",,,
CVE-1999-0011,Entry,"Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.","CERT:CA-98.05.bind_problems | SGI:19980603-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX | HP:HPSBUX9808-083 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083 | SUN:00180 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180 | XF:bind-axfr-dos",,,
CVE-1999-0012,Entry,"Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.","CERT:CA-98.04.Win32.WebServers | XF:nt-web8.3",,,
CVE-1999-0013,Entry,"Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.","CERT:CA-98.03.ssh-agent | NAI:NAI-24 | XF:ssh-agent",,,
CVE-1999-0014,Entry,"Unauthorized privileged access or denial of service via dtappgather program in CDE.","HP:HPSBUX9801-075 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075 | SUN:00185 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185 | CERT:CA-98.02.CDE",,,
CVE-1999-0015,Candidate,"Teardrop IP denial of service.","CERT:CA-97.28.Teardrop_Land | XF:teardrop",Proposed (19990726)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF: teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> MSKB:Q154174 | MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) | indicate that CVE-1999-0015 was fixed in NT SP3, but | CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the | problems keep separate candidates because one problem appears | in a different version than the other. | Christey> BID:124 | http://www.securityfocus.com/bid/124 | Consider MSKB:Q154174 | http://support.microsoft.com/support/kb/articles/q154/1/74.asp | Consider BUGTRAQ:19971113 Linux IP fragment overlap bug | http://www.securityfocus.com/archive/1/8014"
CVE-1999-0016,Entry,"Land IP denial of service.","CERT:CA-97.28.Teardrop_Land | FREEBSD:FreeBSD-SA-98:01 | HP:HPSBUX9801-076 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076 | CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml | XF:cisco-land | XF:land | XF:95-verv-tcp | XF:land-patch | XF:ver-tcpip-sys",,,
CVE-1999-0017,Entry,"FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.","CERT:CA-97.27.FTP_bounce | XF:ftp-bounce | XF:ftp-privileged-port",,,
CVE-1999-0018,Entry,"Buffer overflow in statd allows root privileges.","CERT:CA-97.26.statd | AUSCERT:AA-97.29 | XF:statd | BID:127 | URL:http://www.securityfocus.com/bid/127",,,
CVE-1999-0019,Entry,"Delete or create a file via rpc.statd, due to invalid information.","CERT:CA-96.09.rpc.statd | XF:rpc-stat | SUN:00135 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135",,,
CVE-1999-0020,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," MODIFY(1) Frech | NOOP(4) Levy, Northcutt, Wall, Shostack | REJECT(2) Christey, Baker"," Frech> XF:lpr-bo | Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo"
CVE-1999-0021,Entry,"Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.","BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount) | CERT:CA-97.24.Count_cgi | XF:http-cgi-count | BID:128 | URL:http://www.securityfocus.com/bid/128",,,
CVE-1999-0022,Entry,"Local user gains root privileges via buffer overflow in rdist, via expstr() function.","CERT:CA-97.23.rdist | SUN:00179 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179 | XF:rdist-bo3 | XF:rdist-sept97",,,
CVE-1999-0023,Entry,"Local user gains root privileges via buffer overflow in rdist, via lookup() function.","CERT:CA-96.14.rdist_vul | XF:rdist-bo | XF:rdist-bo2",,,
CVE-1999-0024,Entry,"DNS cache poisoning via BIND, by predictable query IDs.","CERT:CA-97.22.bind | XF:bind | NAI:NAI-11",,,
CVE-1999-0025,Entry,"root privileges via buffer overflow in df command on SGI IRIX systems.","CERT:CA-1997-21 | URL:http://www.cert.org/advisories/CA-1997-21.html | AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul | SGI:SGI:19970505-01-A | SGI:SGI:19970505-02-PX | CERT-VN:VU#20851 | URL:http://www.kb.cert.org/vuls/id/20851 | BID:346 | URL:http://www.securityfocus.com/bid/346 | XF:df-bo(440) | URL:http://xforce.iss.net/xforce/xfdb/440",,,
CVE-1999-0026,Entry,"root privileges via buffer overflow in pset command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul | XF:pset-bo",,,
CVE-1999-0027,Entry,"root privileges via buffer overflow in eject command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul | XF:eject-bo",,,
CVE-1999-0028,Entry,"root privileges via buffer overflow in login/scheme command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul | XF:sgi-schemebo",,,
CVE-1999-0029,Entry,"root privileges via buffer overflow in ordist command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul | XF:ordist-bo",,,
CVE-1999-0030,Candidate,"root privileges via buffer overflow in xlock command on SGI IRIX systems.","CERT:CA-97.21.sgi_buffer_overflow | AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul | XF:sgi-xlockbo | SGI:19970508-02-PX",Proposed (19990623)," ACCEPT(3) Ozancin, Levy, Prosser | NOOP(1) Baker | RECAST(1) Frech | REJECT(1) Christey"," Frech> XF:xlock-bo (also add) | As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and | several Linii. | Also, don't you mean to cite SGI:19970502-02-PX? The one you list is | login/scheme. | Levy> Notice that this xlock overflow is the same as in | CA-97.13. CA-97.21 simply is a reminder. | Christey> As pointed out by Elias, CA-97.21 states: ""For more | information about vulnerabilities in xlock... see CA-97.13"" | CA-97.13 = CVE-1999-0038. | This may also be a duplicate with CVE-1999-0306. | | See exploits at: | | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 | | Sun also has this problem, at | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba"
CVE-1999-0031,Entry,"JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.","CERT:CA-97.20.javascript | HP:HPSBUX9707-065 | URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html",,,
CVE-1999-0032,Entry,"Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.","BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload | BUGTRAQ:19961025 Linux & BSD's lpr exploit | MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit | MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. | CERT:CA-97.19.bsdlp | AUSCERT:AA-96.12 | CIAC:H-08 | CIAC:I-042 | URL:http://www.ciac.org/ciac/bulletins/i-042.shtml | SGI:19980402-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX | BID:707 | URL:http://www.securityfocus.com/bid/707 | XF:bsd-lprbo2 | XF:bsd-lprbo | XF:lpr-bo",,,
CVE-1999-0033,Candidate,"Command execution in Sun systems via buffer overflow in the at program.","CERT:CA-97.18.at | SUN:00160 | XF:sun-atbo",Modified (20040811)," ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins | NOOP(1) Christey | RECAST(1) Frech"," Frech> This vulnerability also manifests itself for the following | platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, | please add the following: | Reference: XF:at-bo | Dik> Sun bug 1265200, 4063161 | Christey> ADDREF SGI:19971102-01-PX | ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX | SCO:SB.97:01 | ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a | Christey> CIAC:F-15 | http://ciac.llnl.gov/ciac/bulletins/f-15.shtml | HP:HPSBUX9502-023 | Christey> Add period to the end of the description."
CVE-1999-0034,Entry,"Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.","CERT:CA-97.17.sperl | XF:perl-suid",,,
CVE-1999-0035,Entry,"Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.","XF:ftp-ftpd | CERT:CA-97.16.ftpd | AUSCERT:AA-97.03",,,
CVE-1999-0036,Entry,"IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.","CERT:CA-97.15.sgi_login | AUSCERT:AA-97.12 | CIAC:H-106 | URL:http://www.ciac.org/ciac/bulletins/h-106.shtml | SGI:19970508-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX | OSVDB:990 | URL:http://www.osvdb.org/990 | XF:sgi-lockout(557) | URL:http://xforce.iss.net/xforce/xfdb/557",,,
CVE-1999-0037,Entry,"Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.","CERT:CA-97.14.metamail | XF:metamail-header-commands",,,
CVE-1999-0038,Entry,"Buffer overflow in xlock program allows local users to execute commands as root.","CERT:CA-97.13.xlock | XF:xlock-bo",,,
CVE-1999-0039,Entry,"webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.","BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in | BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi | CERT:CA-1997-12 | URL:http://www.cert.org/advisories/CA-1997-12.html | AUSCERT:AA-97.14 | SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:374 | URL:http://www.securityfocus.com/bid/374 | OSVDB:235 | URL:http://www.osvdb.org/235 | XF:http-sgi-webdist(333) | URL:http://xforce.iss.net/xforce/xfdb/333",,,
CVE-1999-0040,Entry,"Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.","CERT:CA-97.11.libXt | XF:libXt-bo",,,
CVE-1999-0041,Entry,"Buffer overflow in NLS (Natural Language Service).","CERT:CA-97.10.nls | XF:nls-bo",,,
CVE-1999-0042,Entry,"Buffer overflow in University of Washington's implementation of IMAP and POP servers.","NAI:NAI-21 | CERT:CA-97.09.imap_pop | XF:popimap-bo",,,
CVE-1999-0043,Entry,"Command execution via shell metachars in INN daemon (innd) 1.5 using ""newgroup"" and ""rmgroup"" control messages, and others.","CERT:CA-97.08.innd | XF:inn-controlmsg",,,
CVE-1999-0044,Entry,"fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.","SGI:19970301-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P | XF:sgi-fsdump",,,
CVE-1999-0045,Entry,"List of arbitrary files on Web host via nph-test-cgi script.","CERT:CA-97.07.nph-test-cgi_script | XF:http-cgi-nph",,,
CVE-1999-0046,Entry,"Buffer overflow of rlogin program using TERM environmental variable.","CERT:CA-97.06.rlogin-term | XF:rlogin-termbo",,,
CVE-1999-0047,Entry,"MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.","CERT:CA-97.05.sendmail | BID:685 | URL:http://www.securityfocus.com/bid/685 | XF:sendmail-mime-bo2",,,
CVE-1999-0048,Entry,"Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.","CERT:CA-97.04.talkd | FREEBSD:FreeBSD-SA-96:21 | AUSCERT:AA-97.01 | SUN:00147 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147 | XF:talkd-bo | XF:netkit-talkd",,,
CVE-1999-0049,Entry,"Csetup under IRIX allows arbitrary file creation or overwriting.","XF:sgi-csetup | CERT:CA-97.03.csetup",,,
CVE-1999-0050,Entry,"Buffer overflow in HP-UX newgrp program.","CERT:CA-97.02.hp_newgrp | AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability | XF:hp-newgrpbo",,,
CVE-1999-0051,Entry,"Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.","XF:sgi-licensemanager | CERT:CA-97.01.flex_lm | AUSCERT:AA-96.03",,,
CVE-1999-0052,Entry,"IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.","FREEBSD:FreeBSD-SA-98:08 | OSVDB:908 | URL:http://www.osvdb.org/908 | XF:freebsd-ip-frag-dos(1389) | URL:http://xforce.iss.net/xforce/xfdb/1389",,,
CVE-1999-0053,Entry,"TCP RST denial of service in FreeBSD.","FREEBSD:FreeBSD-SA-98:07 | OSVDB:6094 | URL:http://www.osvdb.org/6094",,,
CVE-1999-0054,Entry,"Sun's ftpd daemon can be subjected to a denial of service.","SUN:00171 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171 | XF:sun-ftpd",,,
CVE-1999-0055,Entry,"Buffer overflows in Sun libnsl allow root access.","SUN:00172 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172 | AIXAPAR:IX80543 | URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only | RSI:RSI.0005.05-14-98.SUN.LIBNSL | XF:sun-libnsl",,,
CVE-1999-0056,Entry,"Buffer overflow in Sun's ping program can give root access to local users.","SUN:00174 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174 | XF:sun-ping",,,
CVE-1999-0057,Entry,"Vacation program allows command execution by remote users through a sendmail command.","NAI:NAI-19 | XF:vacation | HP:HPSBUX9811-087 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087",,,
CVE-1999-0058,Entry,"Buffer overflow in PHP cgi program, php.cgi allows shell access.","NAI:NAI-12 | BID:712 | URL:http://www.securityfocus.com/bid/712 | XF:http-cgi-phpbo",,,
CVE-1999-0059,Entry,"IRIX fam service allows an attacker to obtain a list of all files on the server.","NAI:NAI-16 | BID:353 | URL:http://www.securityfocus.com/bid/353 | OSVDB:164 | URL:http://www.osvdb.org/164 | XF:irix-fam(325) | URL:http://xforce.iss.net/xforce/xfdb/325",,,
CVE-1999-0060,Entry,"Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.","NAI:NAI-26 | XF:ascend-config-kill | ASCEND:http://www.ascend.com/2695.html",,,
CVE-1999-0061,Candidate,"File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).","NAI:NAI-20 | XF:bsd-lpd",Proposed (19990630)," ACCEPT(3) Hill, Northcutt, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Christey> This should be split into three separate problems based on | the SNI advisory. But there's newer information to further | complicate things. | | What do we do about this one? in 1997 or so, SNI did an | advisory on this problem. In early 2000, it was still | discovered to be present in some Linux systems. So an | SF-DISCOVERY content decision might say that this is a | long enough time between the two, so this should be recorded | separately. But they're the same codebase... so if we keep | them in the same entry, how do we make sure that this entry | reflects that some new information has been discovered? | | The use of dot notation may help in this regard, to use one | dot for the original problem as discovered in 1997, and | another dot for the resurgence of the problem in 2000. | Baker> We should merge these. | Christey> Perhaps this should be NAI-19 instead of NAI-20? | The original Bugtraq post for the SNI advisory suggests SNI-19: | BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability | URL:SNI-19:BSD lpd vulnerability | | Also add: | BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 | | However, archives of ""NAI-0020"" point to the lpd vuln. | | If I recall correctly, some of the NAI advisory numbers got | switched when NAI acquired SNI."
CVE-1999-0062,Entry,"The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.","XF:openbsd-chpass | NAI:NAI-28 | OSVDB:7559 | URL:http://www.osvdb.org/7559",,,
CVE-1999-0063,Entry,"Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.","AUSCERT:ESB-98.197 | CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml | XF:cisco-syslog-crash",,,
CVE-1999-0064,Entry,"Buffer overflow in AIX lquerylv program gives root access to local users.","BUGTRAQ:May28,1997 | XF:lquerylv-bo",,,
CVE-1999-0065,Entry,"Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.","SUN:00181 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181 | XF:hp-dtmail",,,
CVE-1999-0066,Entry,"AnyForm CGI remote execution.","BUGTRAQ:19950731 SECURITY HOLE: ""AnyForm"" CGI | BID:719 | URL:http://www.securityfocus.com/bid/719 | XF:http-cgi-anyform",,,
CVE-1999-0067,Entry,"phf CGI program allows remote command execution through shell metacharacters.","BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family | CERT:CA-1996-06 | URL:http://www.cert.org/advisories/CA-1996-06.html | AUSCERT:AA-96.01 | BID:629 | URL:http://www.securityfocus.com/bid/629 | OSVDB:136 | URL:http://www.osvdb.org/136 | XF:http-cgi-phf",,,
CVE-1999-0068,Entry,"CGI PHP mylog script allows an attacker to read any file on the target server.","BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts | XF:http-cgi-php-mylog | BID:713 | URL:http://www.securityfocus.com/bid/713 | OSVDB:3396 | URL:http://www.osvdb.org/3396",,,
CVE-1999-0069,Entry,"Solaris ufsrestore buffer overflow.","SUN:00169 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169 | XF:sun-ufsrestore | OSVDB:8158 | URL:http://www.osvdb.org/8158",,,
CVE-1999-0070,Entry,"test-cgi program allows an attacker to list files on the server.","XF:http-cgi-test",,,
CVE-1999-0071,Entry,"Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.","XF:http-apache-cookie | NAI:NAI-2",,,
CVE-1999-0072,Entry,"Buffer overflow in AIX xdat gives root access to local users.","ERS:ERS-SVA-E01-1997:004.1 | XF:ibm-xdat",,,
CVE-1999-0073,Entry,"Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.","CERT:CA-95:14.Telnetd_Environment_Vulnerability | XF:linkerbug",,,
CVE-1999-0074,Entry,"Listening TCP ports are sequentially allocated, allowing spoofing attacks.","XF:seqport",,,
CVE-1999-0075,Entry,"PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.","BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd | XF:ftp-pasvcore | OSVDB:5742 | URL:http://www.osvdb.org/5742",,,
CVE-1999-0076,Candidate,"Buffer overflow in wu-ftp from PASV command causes a core dump.","XF:ftp-args",Modified (19990925-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Balinsky | REVIEWING(1) Christey"," Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? | Christey> Need to add more references and details."
CVE-1999-0077,Entry,"Predictable TCP sequence numbers allow spoofing.","XF:tcp-seq-predict(139) | URL:http://xforce.iss.net/static/139.php",,,
CVE-1999-0078,Candidate,"pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.","CERT:CA-96.08.pcnfsd | XF:rpc-pcnfsd",Modified (19990621-01)," ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack | NOOP(1) Baker | RECAST(1) Christey"," Christey> This candidate should be SPLIT, since there are two separate | software flaws. One is a symlink race and the other is a | shell metacharacter problem. | Christey> The permissions part of this vulnerability appears to | overlap with CVE-1999-0353 | Christey> SGI:20020802-01-I"
CVE-1999-0079,Entry,"Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.","XF:ftp-pasv-dos | XF:ftp-pasvdos",,,
CVE-1999-0080,Entry,"Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the ""site exec"" command.","BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) | CERT:CA-95:16.wu-ftpd.vul | XF:ftp-execdotdot",,,
CVE-1999-0081,Entry,"wu-ftp allows files to be overwritten via the rnfr command.","XF:ftp-rnfr",,,
CVE-1999-0082,Entry,"CWD ~root command in ftpd allows root access.","XF:ftp-cwd | FarmerVenema:Improving the Security of Your Site by Breaking Into it | URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html",,,
CVE-1999-0083,Entry,"getcwd() file descriptor leak in FTP.","XF:cwdleak",,,
CVE-1999-0084,Entry,"Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.","XF:nfs-mknod(78) | URL:http://xforce.iss.net/xforce/xfdb/78",,,
CVE-1999-0085,Entry,"Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.","BUGTRAQ:19960821 rwhod buffer overflow | XF:rwhod(119) | URL:http://xforce.iss.net/xforce/xfdb/119 | XF:rwhod-vuln(118) | URL:http://xforce.iss.net/xforce/xfdb/118",,,
CVE-1999-0086,Candidate,"AIX routed allows remote users to modify sensitive files.","ERS:ERS-SVA-E01-1998:001.1 | XF:ibm-routed",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | NOOP(1) Baker | REJECT(1) Christey"," Frech> Reference: XF:ibm-routed | Prosser> This vulnerability allows debug mode to be turned on which is | the problem. Should this be more specific in the description? This | one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which | is in the SGI cluster, shouldn't these be cross-referenced as the same | vuln affects multiple OSes. | Christey> This appears to be subsumed by CVE-1999-0215"
CVE-1999-0087,Entry,"Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.","XF:ibm-telnetdos | ERS:ERS-SVA-E01-1998:003.1 | OSVDB:7992 | URL:http://www.osvdb.org/7992",,,
CVE-1999-0088,Candidate,"IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.","ERS:ERS-SVA-E01-1998:004.1 | URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt",Proposed (19990617)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> ERS (and other references, BTW) explicitly stipulate 'local and | remote'. | Reference: XF:irix-autofsd | Prosser> Include the SGI Alert as well since it is mentioned in the | description. | SGI Security Advisory 19981005-01-PX | Christey> DUPE CVE-1999-0210? | Christey> ADDREF CIAC:J-014 | Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry"
CVE-1999-0089,Candidate,"Buffer overflow in AIX libDtSvc library can allow local users to gain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-libDtSvc",Interim (19990630)," ACCEPT(2) Northcutt, Shostack | MODIFY(2) Prosser, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Frech> Reference: XF:ibm-libDtSvc | Prosser> The overflow is in the dtaction utility. Also affects | dtaction in the CDE on versions of SunOS (SUN 164). Probably should be | specific. | Christey> Same Codebase as CVE-1999-0121, so the two entries should be | merged."
CVE-1999-0090,Entry,"Buffer overflow in AIX rcp command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-rcp",,,
CVE-1999-0091,Entry,"Buffer overflow in AIX writesrv command allows local users to obtain root access.","ERS:ERS-SVA-E01-1997:005.1 | XF:ibm-writesrv",,,
CVE-1999-0092,Candidate,"Various vulnerabilities in the AIX portmir command allow local users to obtain root access.","ERS:ERS-SVA-E01-1997:006.1",Proposed (19990623)," ACCEPT(2) Baker, Bollinger | MODIFY(1) Frech | NOOP(1) Ozancin"," Frech> XF:ibm-portmir"
CVE-1999-0093,Entry,"AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.","ERS:ERS-SVA-E01-1997:008.1 | XF:ibm-nslookup",,,
CVE-1999-0094,Entry,"AIX piodmgrsu command allows local users to gain additional group privileges.","ERS:ERS-SVA-E01-1997:007.1 | XF:ibm-piodmgrsu",,,
CVE-1999-0095,Entry,"The debug command in Sendmail is enabled, allowing attackers to execute commands as root.","CERT:CA-88.01 | CERT:CA-93.14 | BID:1 | URL:http://www.securityfocus.com/bid/1 | OSVDB:195 | URL:http://www.osvdb.org/195 | XF:smtp-debug",,,
CVE-1999-0096,Entry,"Sendmail decode alias can be used to overwrite sensitive files.","CERT:CA-93.16 | CERT:CA-95.05 | CIAC:A-13 | CIAC:A-14 | SUN:00122 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba | XF:smtp-dcod",,,
CVE-1999-0097,Entry,"The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).","ERS:ERS-SVA-E01-1997:009.1 | XF:ibm-ftp",,,
CVE-1999-0098,Candidate,"Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.","XF:smtp-helo-bo",Proposed (19990726)," MODIFY(2) Baker, Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> (Accept XF reference.) | Our references do not mention hiding activities. This issue can crash the | SMTP server or execute arbitrary byte-code. Is there another reference | available? | Christey> Should this be merged with CVE-1999-0284, which is Sendmail | with SMTP HELO? | Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 | BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 | Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference."
CVE-1999-0099,Entry,"Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.","CERT:CA-95.13.syslog.vul | XF:smtp-syslog",,,
CVE-1999-0100,Entry,"Remote access in AIX innd 1.5.1, using control messages.","ERS:ERS-SVA-E01-1997:002.1 | XF:inn-controlmsg",,,
CVE-1999-0101,Entry,"Buffer overflow in AIX and Solaris ""gethostbyname"" library call allows root access through corrupt DNS host names.","ERS:ERS-SVA-E01-1997:001.1 | ERS:ERS-SVA-E01-1996:007.1 | SUN:00137a | CIAC:H-13 | URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml | NAI:NAI-1 | XF:ghbn-bo",,,
CVE-1999-0102,Entry,"Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.","XF:slmail-fromheader-overflow",,,
CVE-1999-0103,Entry,"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.","CERT:CA-96.01.UDP_service_denial | XF:echo | XF:chargen | XF:chargen-patch",,,
CVE-1999-0104,Candidate,"A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.","CERT:CA-97.28.Teardrop_Land | XF:teardrop-mod",Modified (20040811)," ACCEPT(2) Wall, Frech | REVIEWING(1) Christey"," Wall> Another reference is Microsoft Knowledge Base Q179129. | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Christey> MSKB:Q179129 | http://support.microsoft.com/support/kb/articles/q179/1/29.asp | Note that the hotfix name is teardrop2, but the keywords | included in the KB article specifically name bonk | (CVE-1999-0258) and boink. | Since teardrop2 was fixed in a slightly different version | (at least in a separate patch) than Teardrop, CD:SF-LOC | suggests keeping them separate. | Christey> Add period to the end of the description."
CVE-1999-0105,Candidate,"finger allows recursive searches by using a long string of @ symbols.","",Proposed (19990726)," MODIFY(3) Shostack, Baker, Frech | NOOP(1) Christey | REJECT(1) Northcutt"," Shostack> fingerD | Frech> XF:finger-bomb | Christey> aka redirection or forwarding requests? (but then might | overlap CVE-1999-0106) | Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS."
CVE-1999-0106,Candidate,"Finger redirection allows finger bombs.","",Proposed (19990726)," ACCEPT(1) Northcutt | MODIFY(2) Shostack, Frech | RECAST(1) Baker | REVIEWING(1) Christey"," Shostack> fingerd allows redirection | This is a larger modification, since there are two applications of the | vulnerability, one that I can finger anonymously, and the other that I | can finger bomb anonymously. | Frech> XF:finger-bomb | Christey> need more refs | Baker> This should be merged with 1999-0105"
CVE-1999-0107,Candidate,"Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.","XF:apache-dos | BUGTRAQ:19971230 Apache DoS attack?",Modified (19991223-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Shostack, Northcutt, Wall | REVIEWING(1) Levy | REVOTE(1) Christey"," Wall> - Although this is probably the phf hack. | Frech> XF:apache-dos | Christey> This sounds like the incident reported in: | NTBUGTRAQ:20000810 Apache Distributed Denial of Service | Levy> I believe this is the problem where sending lots of HTTP headers to apache resulted in a denial of service. | BUGTRAQ: http://www.securityfocus.com/archive/1/10228 | BUGTRAQ: http://www.securityfocus.com/archive/1/10516"
CVE-1999-0108,Entry,"The printers program in IRIX has a buffer overflow that gives root access to local users.","BUGTRAQ:another day, another buffer overflow... | XF:printers-bo",,,
CVE-1999-0109,Entry,"Buffer overflow in ffbconfig in Solaris 2.5.1.","SUN:00140 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140 | AUSCERT:AA-97.06 | XF:ffbconfig-bo",,,
CVE-1999-0110,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Interim (19990810)," MODIFY(1) Frech | NOOP(4) Shostack, Levy, Northcutt, Wall | REJECT(3) Dik, Christey, Baker"," Frech> XF:fdformat-bo | Christey> Duplicate of CVE-1999-0315 | Dik> dup"
CVE-1999-0111,Entry,"RIP v1 is susceptible to spoofing.","XF:rip",,,
CVE-1999-0112,Entry,"Buffer overflow in AIX dtterm program for the CDE.","BUGTRAQ:19970520 AIX 4.2 dtterm exploit | XF:dtterm-bo(878) | URL:http://xforce.iss.net/xforce/xfdb/878",,,
CVE-1999-0113,Entry,"Some implementations of rlogin allow root access if given a -froot parameter.","BUGTRAQ:19940729 -froot??? (AIX rlogin bug) | CERT:CA-94.09.bin.login.vulnerability | CIAC:E-26 | BID:458 | URL:http://www.securityfocus.com/bid/458 | XF:rlogin-froot",,,
CVE-1999-0114,Candidate,"Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.","BUGTRAQ:19990912 elm filter program | BUGTRAQ:19951226 filter (elm package) security hole | XF:elm-filter2",Modified (20000106-01)," ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong | MODIFY(2) Baker, Frech | NOOP(3) Ozancin, Christey, Northcutt | REVIEWING(1) Levy"," Frech> XF:elm-filter2 | CHANGE> [Wall changed vote from NOOP to ACCEPT] | Landfield> with Frech modifications | Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory | Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm | Need to make sure that this CERT advisory describes the right | problem, especially since the CERT advisory is dated December | 18, 1995 and the original Bugtraq post was December 26, 1995. | Christey> BID:1802 | URL:http://www.securityfocus.com/bid/1802 | BID:1802 doesn't include the 1999 posting - does Security | Focus think that the 1999 post describes a different | vulnerability? | Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? | Its references point to the December 26, 1995 Bugtraq post. | | Also consider CIAC:G-36 and CERT:VB-95:10 | Frech> DELREF:XF:elm-filter2(711) | ADDREF:XF:elm-filter(402)"
CVE-1999-0115,Entry,"AIX bugfiler program allows local users to gain root access.","BUGTRAQ:19970909 AIX bugfiler | XF:ibm-bugfiler | BID:1800 | URL:http://www.securityfocus.com/bid/1800",,,
CVE-1999-0116,Entry,"Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.","CERT:CA-96.21.tcp_syn.flooding | SGI:19961202-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX | SUN:00136 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136",,,
CVE-1999-0117,Entry,"AIX passwd allows local users to gain root access.","XF:ibm-passwd | CERT:CA-92:07.AIX.passwd.vulnerability",,,
CVE-1999-0118,Entry,"AIX infod allows local users to gain root access through an X display.","BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2 | XF:aix-infod",,,
CVE-1999-0119,Candidate,"Windows NT 4.0 beta allows users to read and delete shares.","",Proposed (19990728)," MODIFY(1) Frech | NOOP(2) Northcutt, Baker | REJECT(1) Wall"," Wall> Reject based on beta copy. | Frech> XF:nt-beta(11) | Reconsider reject, because this beta was in widespread use."
CVE-1999-0120,Entry,"Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.","SUN:00126 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126 | CERT:CA-94.06.utmp.vulnerability | XF:utmp-write",,,
CVE-1999-0121,Candidate,"Buffer overflow in dtaction command gives root access.","SUN:00164 | ERS:ERS-SVA-E01-1997:005.1",Proposed (19990617)," ACCEPT(2) Dik, Northcutt | MODIFY(3) Prosser, Baker, Frech | REVIEWING(1) Christey"," Frech> Reference: XF:dtaction-bo | Reference: XF:sun-dtaction | Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a | library in AIX 4.x, but reference for this Sun vulnerability should | only reflect the Sun Bulletin or the CIAC I-032 version of the Sun | Bulletin | Christey> This is the Same Codebase as CVE-1999-0089, so the two entries | should be merged. | Frech> Replace sun-dtaction(732) with dtaction-bo(879) | Baker> Merge with 1999-0089"
CVE-1999-0122,Entry,"Buffer overflow in AIX lchangelv gives root access.","BUGTRAQ:Jul21,1999 | XF:lchangelv-bo",,,
CVE-1999-0123,Candidate,"Race condition in Linux mailx command allows local users to read user files.","XF:linux-mailx | BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole",Modified (20000105-01)," ACCEPT(3) Ozancin, Baker, Frech | NOOP(1) Wall",
CVE-1999-0124,Entry,"Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.","CERT:CA-93:11.UMN.UNIX.gopher.vulnerability | XF:gopher-vuln",,,
CVE-1999-0125,Entry,"Buffer overflow in SGI IRIX mailx program.","XF:sgi-mailx-bo | SGI:19980605-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX",,,
CVE-1999-0126,Entry,"SGI IRIX buffer overflow in xterm and Xaw allows root access.","CERT:VB-98.04.xterm.Xaw | CIAC:J-010 | URL:http://www.ciac.org/ciac/bulletins/j-010.shtml | XF:xfree86-xterm-xaw | XF:xfree86-xaw",,,
CVE-1999-0127,Candidate,"swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.","CERT:CA-96.27.hp_sw_install | AUSCERT:AA-96.04 | XF:hpux-swinstall",Proposed (19990623)," ACCEPT(2) Prosser, Baker | MODIFY(1) Frech | NOOP(1) Christey"," Frech> (keep current XF: reference, and add) | XF:hpux-sqwmodify | Christey> Perhaps this should be split, per SF-LOC. | Christey> CIAC:H-81 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | HP:HPSBUX9707-064 references CERT:CA-96.27 | http://ciac.llnl.gov/ciac/bulletins/h-81.shtml | | The original AUSCERT advisory says that the programs ""create | files in an insecure manner"" and ""Exploit details involving | this vulnerability have been made publicly available."" which | leads one to assume that the following original Bugtraq post | provides the details for a standard symlink problem: | | BUGTRAQ:19961005 swinst,bug | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2" CVE-1999-0128,Entry,"Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.","XF:ping-death | CERT:CA-96.26.ping",,, CVE-1999-0129,Entry,"Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.","CERT:CA-96.25.sendmail_groups",,, CVE-1999-0130,Entry,"Local users can start Sendmail in daemon mode and gain root privileges.","CERT:CA-96.24.sendmail.daemon.mode | BID:716 | URL:http://www.securityfocus.com/bid/716 | XF:sendmail-daemon-mode",,, CVE-1999-0131,Entry,"Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.","CERT:CA-96.20.sendmail_vul | XF:smtp-875bo | BID:717 | URL:http://www.securityfocus.com/bid/717",,, CVE-1999-0132,Entry,"Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.","CERT:CA-1996-19 | URL:http://www.cert.org/advisories/CA-1996-19.html | OSVDB:11723 | 
URL:http://www.osvdb.org/11723 | XF:expreserve(401) | URL:http://xforce.iss.net/xforce/xfdb/401",,, CVE-1999-0133,Entry,"fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.","CERT:CA-96.18.fm_fls | XF:fmaker-logfile",,, CVE-1999-0134,Entry,"vold in Solaris 2.x allows local users to gain root access.","XF:sol-voldtmp | CERT:CA-96.17.Solaris_vold_vul | AUSCERT:AL-96.04 | OSVDB:8159 | URL:http://www.osvdb.org/8159",,, CVE-1999-0135,Entry,"admintool in Solaris allows a local user to write to arbitrary files and gain root access.","XF:sun-admintool | CERT:CA-96.16.Solaris_admintool_vul | AUSCERT:AL-96.03",,, CVE-1999-0136,Entry,"Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.","XF:sol-KCMSvuln | AUSCERT:AL-96.02 | CERT:CA-96.15.Solaris_KCMS_vul",,, CVE-1999-0137,Entry,"The dip program on many Linux systems allows local users to gain root access via a buffer overflow.","XF:linux-dipbo | CERT:CA-96.13.dip_vul | XF:dip-bo",,, CVE-1999-0138,Entry,"The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.","CERT:CA-96.12.suidperl_vul | XF:sperl-suid",,, CVE-1999-0139,Entry,"Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.","XF:sol-mkcookie | RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE | OSVDB:8205 | URL:http://www.osvdb.org/8205",,, CVE-1999-0140,Candidate,"Denial of service in RAS/PPTP on NT systems.","",Proposed (19990630)," ACCEPT(1) Hill | MODIFY(2) Frech, Meunier | NOOP(1) Baker | REJECT(1) Christey"," Meunier> Add ""pptp invalid packet length in header"" to distinguish from other | vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be | discovered in the future. | Frech> XF:nt-ras-bo | ONLY IF reference is to MS:MS99-016 | Christey> According to my mappings, this is not the MS:MS99-016 problem | referred to by Andre. 
However, I have yet to dig up a | source. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This is too general to know which problem is being discussed. | More precise candidates should be created. | Christey> Consider adding BID:2111" CVE-1999-0141,Entry,"Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.","XF:http-java-applet | CERT:CA-96.07.java_bytecode_verifier | SUN:00134 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134",,, CVE-1999-0142,Entry,"The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.","CERT:CA-96.05.java_applet_security_mgr | XF:http-java-appletsecmgr",,, CVE-1999-0143,Entry,"Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.","CERT:CA-96.03.kerberos_4_key_server | XF:kerberos-bf",,, CVE-1999-0144,Candidate,"Denial of service in Qmail by specifying a large number of recipients with the RCPT command.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | BID:2237 | URL:http://www.securityfocus.com/bid/2237 | XF:qmail-rcpt | URL:http://xforce.iss.net/static/208.php",Modified (20010301-02)," ACCEPT(4) Frech, Meunier, Hill, Baker | REVIEWING(1) Christey"," Christey> DUPE CVE-1999-0418 and CVE-1999-0250? 
| Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. | | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> http://cr.yp.to/qmail/venema.html | Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. | His page states this is not a qmail problem, rather it is a UNIX problem | that many apps can consume all available memory, and that the administrator | is responsible to set limits in the OS, rather than expect applications to | individually prevent memory exhaustion. CAN 1999-0250 does appear to | be a duplicate of this entry, based on the research I have done so far. | There were two different bugtraq postings, but the second one references | the first, stating that the new exploit uses perl instead of shell scripting | to accomplish the same attack/exploit. 
| Baker> http://www.securityfocus.com/archive/1/6970 | http://www.securityfocus.com/archive/1/6969 | http://cr.yp.to/qmail/venema.html | | Should probably reject CVE-1999-0250, and add these references to this | Candidate. | Baker> http://www.securityfocus.com/bid/2237 | CHANGE> [Baker changed vote from REVIEWING to ACCEPT] | Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | NOTE: the ufo.org domain was purchased by another party in | 2003, so the current owner is not associated with any | statements by ""super@ufo.org"" that were made before 2003. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BID:2237 | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. 
A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0145,Entry,"Sendmail WIZ command enabled, allowing root access.","CERT:CA-1990-11 | URL:http://www.cert.org/advisories/CA-1990-11.html | CERT:CA-1993-14 | URL:http://www.cert.org/advisories/CA-1993-14.html | BUGTRAQ:19950206 sendmail wizard thing... | URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html | FarmerVenema:Improving the Security of Your Site by Breaking Into it | URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html",,, CVE-1999-0146,Entry,"The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.","BUGTRAQ:19970715 Bug CGI campas | BID:1975 | URL:http://www.securityfocus.com/bid/1975 | XF:http-cgi-campas(298) | URL:http://xforce.iss.net/xforce/xfdb/298",,, CVE-1999-0147,Entry,"The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.","XF:http-cgi-glimpse | AUSCERT:AA-97.28",,, CVE-1999-0148,Entry,"The handler CGI program in IRIX allows arbitrary command execution.","SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:380 | URL:http://www.securityfocus.com/bid/380 | XF:http-sgi-handler",,, CVE-1999-0149,Entry,"The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. 
(dot dot) attack.","BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug | SGI:19970501-02-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX | BID:373 | URL:http://www.securityfocus.com/bid/373 | OSVDB:247 | URL:http://www.osvdb.org/247 | XF:http-sgi-wrap(290) | URL:http://xforce.iss.net/xforce/xfdb/290",,, CVE-1999-0150,Entry,"The Perl fingerd program allows arbitrary command execution from remote users.","XF:perl-fingerd",,, CVE-1999-0151,Entry,"The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.","CERT:CA-95.07a.REVISED.satan.vul | CERT:CA-95.06.satan.vul",,, CVE-1999-0152,Entry,"The DG/UX finger daemon allows remote command execution through shell metacharacters.","BUGTRAQ:19970811 dgux in.fingerd vulnerability | XF:dgux-fingerd",,, CVE-1999-0153,Entry,"Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.","XF:win-oob | OSVDB:1666 | URL:http://www.osvdb.org/1666",,, CVE-1999-0154,Candidate,"IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.","MSKB:Q163485 | MSKB:Q164059 | BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP | XF:http-iis-aspdot | XF:http-iis-aspsource",Proposed (20010912)," ACCEPT(4) Frech, Stracener, Wall, Foat | NOOP(3) Christey, Baker, Cole"," Christey> This is the precursor to the problem that is identified in | CVE-1999-0253. 
| Christey> CIAC:H-48 | URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml | CHANGE> [Foat changed vote from NOOP to ACCEPT]" CVE-1999-0155,Entry,"The ghostscript command with the -dSAFER option allows remote attackers to execute commands.","XF:gscript-dsafer | CERT:CA-95.10.ghostscript",,, CVE-1999-0156,Candidate,"wu-ftpd FTP daemon allows any user and password combination.","XF:ftp-pwless",Proposed (19990714)," ACCEPT(2) Shostack, Northcutt | NOOP(1) Baker | RECAST(1) Frech | REVIEWING(2) Christey, Prosser"," Prosser> but so far can find no reference to this one | Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie, | also affects IIS FTP server). | Christey> The references for XF:ftp-pwless are not specific enough, | e.g. in terms of version numbers. Perhaps this candidate | should be rejected due to insufficient information." CVE-1999-0157,Entry,"Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.","CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml | XF:cisco-fragmented-attacks | OSVDB:1097 | URL:http://www.osvdb.org/1097",,, CVE-1999-0158,Entry,"Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.","CISCO:20010913 Cisco PIX Firewall Manager File Exposure | URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml | XF:cisco-pix-file-exposure | OSVDB:685 | URL:http://www.osvdb.org/685",,, CVE-1999-0159,Entry,"Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). 
This applies to some IOS 9.x, 10.x, and 11.x releases.","CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml | XF:cisco-ios-crash",,, CVE-1999-0160,Entry,"Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.","CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication | CIAC:I-002A | OSVDB:1099 | URL:http://www.osvdb.org/1099 | XF:cisco-chap",,, CVE-1999-0161,Entry,"In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.","CISCO:http://www.cisco.com/warp/public/707/1.html | XF:cisco-acl-tacacs | OSVDB:797 | URL:http://www.osvdb.org/797",,, CVE-1999-0162,Entry,"The ""established"" keyword in some Cisco IOS software allowed an attacker to bypass filtering.","CISCO:19950601 ""Established"" Keyword May Allow Packets to Bypass Filter | XF:cisco-acl-established",,, CVE-1999-0163,Candidate,"In older versions of Sendmail, an attacker could use a pipe character to execute root commands.","XF:smtp-pipe",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Prosser | NOOP(2) Christey, Baker | RECAST(1) Shostack"," Shostack> there was a 'To: |' and a 'From: |' attack, which I | think are seperate. 
| Prosser> older vulnerability, but one additional reference is- | The Ultimate Sendmail Hole List by Markus Hübner @ | bau2.uibk.ac.at/matic/buglist.htm | '|PROGRAM ' | Christey> Description needs to be more specific to distinguish between | this and CVE-1999-0203, as alluded to by Adam Shostack" CVE-1999-0164,Entry,"A race condition in the Solaris ps command allows an attacker to overwrite critical files.","XF:sol-pstmprace | AUSCERT:AA-95.07 | CERT:CA-95.09.Solaris.ps.vul | OSVDB:8346 | URL:http://www.osvdb.org/8346",,, CVE-1999-0165,Candidate,"NFS cache poisoning.","XF:nfs-cache",Modified (20040811)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Shostack | NOOP(1) Prosser | REVIEWING(1) Christey"," Shostack> need more data | Christey> need more refs | Christey> Add period to the end of the description." CVE-1999-0166,Entry,"NFS allows users to use a ""cd .."" command to access other directories besides the exported file system.","XF:nfs-cd",,, CVE-1999-0167,Entry,"In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.","XF:nfs-guess | CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand",,, CVE-1999-0168,Entry,"The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.","XF:nfs-portmap",,, CVE-1999-0169,Candidate,"NFS allows attackers to read and write any file on the system by specifying a false UID.","XF:nfs-uid",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | MODIFY(1) Baker | REJECT(1) Shostack"," Shostack> this is not a vulnerability but a design feature. 
| Baker> Maybe we should reword it so that it is clear that this was a problem to something like: | | ""A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID.""" CVE-1999-0170,Entry,"Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.","XF:nfs-ultrix",,, CVE-1999-0171,Candidate,"Denial of service in syslog by sending it a large number of superfluous messages.","XF:syslog-flood",Proposed (19990714)," ACCEPT(2) Frech, Northcutt | NOOP(1) Baker | REJECT(2) Shostack, Christey"," Shostack> design issue, not a vulnerability. Alternately, add: | DOS on server by opening a large number of telnet sessions.. | Christey> Duplicate of CVE-1999-0566" CVE-1999-0172,Entry,"FormMail CGI program allows remote execution of commands.","XF:http-cgi-formmail-exe | BUGTRAQ:Aug02,1995",,, CVE-1999-0173,Entry,"FormMail CGI program can be used by web servers other than the host server that the program resides on.","XF:http-cgi-formmail-use",,, CVE-1999-0174,Entry,"The view-source CGI program allows remote attackers to read arbitrary files via a .. 
(dot dot) attack.","BUGTRAQ:19970208 view-source | XF:http-cgi-viewsrc",,, CVE-1999-0175,Entry,"The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.","XF:http-nov-convert",,, CVE-1999-0176,Entry,"The Webgais program allows a remote user to execute arbitrary commands.","BUGTRAQ:Jul10,1997 | XF:http-webgais-query",,, CVE-1999-0177,Entry,"The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.","NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable | NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable | BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable | XF:http-website-uploader",,, CVE-1999-0178,Entry,"Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.","BUGTRAQ:19970106 Re: signal handling | URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html | BID:2078 | URL:http://www.securityfocus.com/bid/2078 | OSVDB:8 | URL:http://www.osvdb.org/8 | XF:http-website-winsample(295) | URL:http://xforce.iss.net/xforce/xfdb/295",,, CVE-1999-0179,Entry,"Windows NT crashes or locks up when a Samba client executes a ""cd .."" command on a file share.","MSKB:Q140818 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818 | XF:nt-samba-dotdot | XF:nt-351 | XF:nt-35",,, CVE-1999-0180,Entry,"in.rshd allows users to login with a NULL username and execute commands.","XF:rsh-null",,, CVE-1999-0181,Entry,"The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.","XF:walld",,, CVE-1999-0182,Entry,"Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.","CIAC:H-110 | URL:http://www.ciac.org/ciac/bulletins/h-110.shtml | 
CERT:VB-97.10.samba | XF:nt-samba-bo",,, CVE-1999-0183,Entry,"Linux implementations of TFTP would allow access to files outside the restricted directory.","XF:linux-tftp",,, CVE-1999-0184,Entry,"When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.","XF:dns-updates",,, CVE-1999-0185,Entry,"In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.","SUN:00156 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156 | XF:sun-ftpd/logind",,, CVE-1999-0186,Candidate,"In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.","CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm | SUN:00178 | XF:snmp-backdoor-access",Modified (20071119)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Wall | REVIEWING(1) Christey"," Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr | Add ISS:Hidden Community String in SNMP Implementation | Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE. | Christey> ADDREF BID:177 | Christey> ISS:19981102 Hidden community string in SNMP implementation | http://xforce.iss.net/alerts/advise11.php | | Change description to include ""hidden"" | Christey> XF:snmp-backdoor-access is missing." CVE-1999-0187,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. 
ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050204)," ACCEPT(2) Hill, Northcutt | RECAST(3) Frech, Prosser, Baker | REJECT(1) Dik | REVIEWING(1) Christey"," Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in | rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr() | (ref CERT 97-23) and various vendor bulletins. However both of these rdist | BOs affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, | FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content | decision | Frech> XF:rdist-bo (error msg formation) | XF:rdist-bo2 (execute code) | XF:rdist-bo3 (execute user-created code) | XF:rdist-sept97 (root from local) | Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in | CERT:CA-97.23.rdist), but as Mike and Andre noted, there | are multiple flaws here, so a RECAST may be necessary. | Dik> As currently phrased, this is a duplicate of CVE-1999-0022 | Baker> Based on our new philosophy, this should be recast/merged or re-described." 
CVE-1999-0188,Entry,"The passwd command in Solaris can be subjected to a denial of service.","SUN:00182 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182 | XF:sun-passwd-dos",,, CVE-1999-0189,Entry,"Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.","NAI:NAI-15 | SUN:00142 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142 | XF:rpc-32771",,, CVE-1999-0190,Entry,"Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.","SUN:00167 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167 | XF:sun-rpcbind",,, CVE-1999-0191,Entry,"IIS newdsn.exe CGI script allows remote users to overwrite files.","XF:http-cgi-newdsn | OSVDB:275 | URL:http://www.osvdb.org/275",,, CVE-1999-0192,Entry,"Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environmental variable.","SNI:SNI-20 | XF:bsd-tel-tgetent",,, CVE-1999-0193,Candidate,"Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.","",Proposed (19990714)," ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole | MODIFY(2) Blake, Baker | NOOP(4) Frech, Wall, Landfield, Armstrong | REVIEWING(2) Levy, Christey"," Frech> possibly XF:ascend-kill | I can't find a reference that lists both routers in the same reference. | Wall> Comment: There is a reference about the zero length TCP option in BugTraq on | Feb 5, 1999 | and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 | mentions | vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 | mentions | 3Com vulnerabilities, but not TCP. Too confusing without better references. | Landfield> What are the references for this? I cannot find a means to check it out. 
| CHANGE> [Frech changed vote from REVIEWING to NOOP] | Frech> Cannot reconcile to our database without further references. | Blake> I'm with Andre. I only remember and can find reference to the Ascend | issue. Do we have a reference to the 3Coms? If not, that should be | removed from the description. | Baker> http://xforce.iss.net/static/614.php Misc Defensive Info | http://www.securityfocus.com/archive/1/5682 Misc Offensive Info | http://www.securityfocus.com/archive/1/5647 Misc Defensive Info | http://www.securityfocus.com/archive/1/5640 Misc Defensive Info | CHANGE> [Armstrong changed vote from REVIEWING to NOOP]" CVE-1999-0194,Entry,"Denial of service in in.comsat allows attackers to generate messages.","XF:comsat",,, CVE-1999-0195,Candidate,"Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.","BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate",Modified (19991130-01)," ACCEPT(2) Shostack, Balinsky | MODIFY(1) Frech | NOOP(3) Northcutt, Wall, Baker | REVIEWING(2) Levy, Christey"," Frech> XF:rpcbind-spoof | Christey> CVE-1999-0195 = CVE-1999-0461 ? | If this is approved over CVE-1999-0461, make sure it gets | XF:pmap-sset" CVE-1999-0196,Entry,"websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).","BUGTRAQ:19970704 Vulnerability in websendmail | BID:2077 | URL:http://www.securityfocus.com/bid/2077 | OSVDB:237 | URL:http://www.osvdb.org/237 | XF:http-webgais-smail",,, CVE-1999-0197,Candidate,"finger 0@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> fingerd may respond to 'finger 0@host' with account info | Frech> Need more reference to establish this 'exposure'. 
| CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 | Finger 0@host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) | http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host | feature)" CVE-1999-0198,Candidate,"finger .@host on some systems may print information on some user accounts.","",Proposed (19990726)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | REJECT(1) Northcutt"," Shostack> as above | Frech> Need more reference to establish this 'exposure'. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:finger-unused-accounts(8378) | We're entering it into our database solely to track | competition. The only references seem to be product listings: | http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 | Finger .@target-host check) | http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host | check) | http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host | feature)" CVE-1999-0200,Candidate,"Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.","MSKB:Q137853",Modified (19991130-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Shostack | NOOP(2) Northcutt, Wall | REJECT(1) Christey | REVIEWING(1) Levy"," Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? | Frech> Others have mentioned this before, but it may be WU-FTP. | POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root | access without anon FTP or a regular account? | POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a | non-anon FTP account and gain root privs. 
| Christey> added MSKB reference | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> The MSKB article may have confused things even more. There | were reports of problems in a Windows-based FTP server called | WFTP (http://www.wftpd.com/) that is not a Microsoft FTP | server. It's best to just kill this candidate where it | stands and start fresh." CVE-1999-0201,Entry,"A quote cwd command on FTP servers can reveal the full path of the home directory of the ""ftp"" user.","XF:ftp-home",,, CVE-1999-0202,Entry,"The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.","XF:ftp-exectar",,, CVE-1999-0203,Entry,"In Sendmail, attackers can gain root privileges via SMTP by specifying an improper ""mail from"" address and an invalid ""rcpt to"" address that would cause the mail to bounce to a program.","CERT:CA-95.08 | CIAC:E-03 | XF:smtp-sendmail-version5",,, CVE-1999-0204,Entry,"Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.","XF:ident-bo | CIAC:F-13",,, CVE-1999-0205,Candidate,"Denial of service in Sendmail 8.6.11 and 8.6.12.","BUGTRAQ:19990708 SM 8.6.12",Modified (19990925-01)," ACCEPT(2) Hill, Northcutt | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(2) Ozancin, Christey"," Frech> XF:sendmail-alias-dos | Prosser> additional source | Bugtraq | ""Re: SM 8.6.12"" | http://www.securityfocus.com | Christey> The Bugtraq thread does not provide any proof, including a | comment by Eric Allman that he hadn't been provided any | details either. | | See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu | for the thread. | Christey> Change Bugtraq reference date to 19950708." 
CVE-1999-0206,Entry,"MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.","XF:sendmail-mime-bo | AUSCERT:AA-96.06a",,, CVE-1999-0207,Entry,"Remote attacker can execute commands through Majordomo using the Reply-To field and a ""lists"" command.","XF:majordomo-exe | CERT:CA-94.11.majordomo.vulnerabilities",,, CVE-1999-0208,Entry,"rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.","XF:rpc-update | CERT:CA-95.17.rpc.ypupdated.vul",,, CVE-1999-0209,Entry,"The SunView (SunTools) selection_svc facility allows remote users to read files.","CERT:CA-90.05.sunselection.vulnerability | BID:8 | URL:http://www.securityfocus.com/bid/8 | XF:selsvc",,, CVE-1999-0210,Entry,"Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.","BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2 | BUGTRAQ:19990103 SUN almost has a clue! (automountd) | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2 | HP:HPSBUX9910-104 | URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104 | CERT:CA-99-05 | URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html | BID:235 | URL:http://www.securityfocus.com/bid/235",,, CVE-1999-0211,Entry,"Extra long export lists over 256 characters in some mount daemons allow NFS directories to be mounted by anyone.","CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability | BID:24 | URL:http://www.securityfocus.com/bid/24",,, CVE-1999-0212,Entry,"Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.","SUN:00168 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168 | CIAC:I-048 | URL:http://www.ciac.org/ciac/bulletins/i-048.shtml | XF:sun-mountd",,, CVE-1999-0213,Candidate,"libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.","XF:sun-libnsl | SUNBUG:4305859",Modified 
(20001009-01)," ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole | MODIFY(3) Frech, Levy, Baker | NOOP(4) Bishop, Meunier, Wall, Armstrong | REVIEWING(1) Christey"," Frech> XF:sun-libnsl | Dik> Sun bug #4305859 | Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info | http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info | http://www.securityfocus.com/archive/1/9749 Misc Defensive Info | Christey> I don't think this is the bug that everyone thinks it is. | This candidate came from CyberCop Scanner 2.4/2.5, which | only reports this as a DoS problem. If SUN:00172 is an | advisory for this, then it may be a duplicate of | CVE-1999-0055. There appears to be overlap with other | references as well. HOWEVER, this particular one deals with a | DoS in rpcbind - which isn't mentioned in the sources for | CVE-1999-0055. | Levy> BID 148" CVE-1999-0214,Entry,"Denial of service by sending forged ICMP unreachable packets.","XF:icmp-unreachable",,, CVE-1999-0215,Entry,"Routed allows attackers to append data to files.","SGI:19981004-01-PX | URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX | CIAC:J-012 | URL:http://www.ciac.org/ciac/bulletins/j-012.shtml | XF:ripapp",,, CVE-1999-0216,Candidate,"Denial of service of inetd on Linux through SYN and RST packets.","BUGTRAQ:19971130 Linux inetd.. | XF:linux-inetd-dos | HP:HPSBUX9803-077 | XF:hp-inetd",Modified (19991203-01)," ACCEPT(1) Hill | MODIFY(2) Frech, Baker | RECAST(1) Meunier"," Meunier> The location of the vulnerability, whether in the Linux kernel or the | application, is debatable. 
Any program making the same (reasonable) | assumption is vulnerable, i.e., implements the same vulnerability: | ""Assumption that TCP-three-way handshake is complete after calling Linux | kernel function accept(), which returns socket after getting SYN. Result | is process death by SIGPIPE"" | Moreover, whether it results in DOS (to third parties) depends on the | process that made the assumption. | I think that the present entry should be split, one entry for every | application that implements the vulnerability (really describing threat | instances, which is what other people think about when we talk about | vulnerabilities), and one entry for the Linux kernel that allows the | vulnerability to happen. | Frech> XF:hp-inetd | XF:linux-inetd-dos | Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast" CVE-1999-0217,Entry,"Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.","XF:udp-bomb",,, CVE-1999-0218,Entry,"Livingston portmaster machines could be rebooted via a series of commands.","XF:portmaster-reboot",,, CVE-1999-0219,Entry,"Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.","NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92574916930144&w=2 | NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5 | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92582581330282&w=2 | BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT | BID:269 | URL:http://www.securityfocus.com/bid/269 | XF:ftp-servu(205) | URL:http://xforce.iss.net/xforce/xfdb/205",,, CVE-1999-0220,Candidate,"Attackers can do a denial of service of IRC by crashing the server.","",Proposed (19990728)," NOOP(2) Northcutt, Baker | REJECT(2) Frech, Christey"," Frech> Would 
reconsider if any references were available. | Christey> No references available, combined with extremely vague | description, equals REJECT." CVE-1999-0221,Entry,"Denial of service of Ascend routers through port 150 (remote administration).","XF:ascend-150-kill",,, CVE-1999-0222,Candidate,"Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(3) Frech, Shostack, Levy | NOOP(3) Balinsky, Northcutt, Wall | RECAST(1) Ziese | REJECT(1) Christey"," Shostack> I follow cisco announcements and problems pretty closely, and haven't | seen this. Source? | Frech> XF:cisco-web-crash | Christey> XF:cisco-web-crash has no additional references. I can't find | any references in Bugtraq or Cisco either. This bug is | supposedly tested by at least one security product, but that | product's database doesn't have any references either. So | a question becomes, how did it make it into at least two | security companies' databases? | Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159 | BID 1154 | Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if | recast to reflect that ""...after using a long url..."" should be replaced | with | ""...A defect in multiple releases of Cisco IOS software will cause a Cisco | router or switch to halt and reload if the IOS HTTP service is enabled, | browsing to ""http://router-ip/anytext?/"" is attempted, and the enable | password is supplied when requested. This defect can be exploited to produce | a denial of service (DoS) attack."" | Then I can accept this and mark it as ""Verified by my Company"". If it can't | be recast because this (long uri) is different than our release (special | url construction). | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> Elias Levy's suggested reference is CVE-2000-0380. | I don't think that Kevin's description is really addressing | this either. 
The lack of references and a specific | description make this candidate unusable, so it should be | rejected." CVE-1999-0223,Entry,"Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.","BUGTRAQ:19961109 Syslogd and Solaris 2.4 | SUNBUG:1249320 | CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches | XF:sol-syslogd-crash | BID:1878 | URL:http://www.securityfocus.com/bid/1878",,, CVE-1999-0224,Entry,"Denial of service in Windows NT messenger service through a long username.","XF:nt-messenger",,, CVE-1999-0225,Entry,"Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.","NAI:19980214 Windows NT Logon Denial of Service | URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp | MSKB:Q180963 | URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963 | XF:nt-logondos",,, CVE-1999-0226,Candidate,"Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.","",Proposed (19990728)," ACCEPT(1) Northcutt | MODIFY(1) Frech | NOOP(1) Baker | REJECT(1) Christey"," Christey> Too general, and no references. 
| Frech> XF:nt-frag(528) | See reference from BugTraq Mailing List, ""A New Fragmentation Attack"" at | http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms | g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net" CVE-1999-0227,Entry,"Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.","MSKB:Q154087 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087 | XF:nt-lsass-crash",,, CVE-1999-0228,Entry,"Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.","XF:nt-rpc-ver | MSKB:Q162567 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567",,, CVE-1999-0229,Candidate,"Denial of service in Windows NT IIS server using ..\..","MSKB:Q115052",Modified (19991228-02)," ACCEPT(2) Shostack, Baker | MODIFY(2) Frech, Wall | NOOP(1) Northcutt | REJECT(1) Christey | REVIEWING(1) Levy"," Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... | Source: Microsoft Knowledge Base Article Q115052 - IIS Server. | Frech> XF:http-dotdot (not necessarily IIS?) | Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot | problem. | Christey> This actually looks like XF:iis-dot-dot-crash(1638) | http://xforce.iss.net/static/1638.php | If so, include the version number (2.0) | | CHANGE> [Christey changed vote from REVOTE to REJECT] | Christey> Bill Wall intended to suggest Q155052, but the affected | IIS version there is 1.0; the effect is to read files, | so this sounds like a directory traversal problem, | instead of an inability to process certain strings. | | As a result, this candidate is too general, since it could | apply to 2 different problems, so it should be REJECTed. 
| Christey> Consider adding BID:2218" CVE-1999-0230,Entry,"Buffer overflow in Cisco 7xx routers through the telnet service.","CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml | OSVDB:1102 | URL:http://www.osvdb.org/1102",,, CVE-1999-0231,Candidate,"Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.","BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also",Modified (19991207-01)," ACCEPT(2) Levy, Baker | NOOP(3) Christey, Northcutt, Landfield | RECAST(1) Frech | REVIEWING(1) Ozancin"," Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) | XF:smtp-vrfy-bo (many mail packages) | Northcutt> (There is no way I will have access to these systems) | Christey> Some sources report that VRFY and EXPN are both affected." CVE-1999-0232,Candidate,"Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.","",Modified (19991220-01)," ACCEPT(2) Hill, Northcutt | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> Unable to provide a match due to vague/insufficient description/references. | Possible matches are: | XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) | XF:http-ncsa-longurl (highest probability) | Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl | More research is necessary for this one. 
| Baker> Since this has no references at all, and is vague and we have a | CAN for the most likely issue, we should kill this one" CVE-1999-0233,Entry,"IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.","MSKB:Q148188 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188 | MSKB:Q155056 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056 | XF:http-iis-cmd",,, CVE-1999-0234,Entry,"Bash treats any character with a value of 255 as a command separator.","XF:bash-cmd | CERT:CA-96.22.bash_vuls",,, CVE-1999-0235,Candidate,"Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.","CERT:CA-95:04 | CIAC:F-11",Modified (19991220-01)," ACCEPT(3) Hill, Prosser, Northcutt | MODIFY(1) Frech | REJECT(2) Christey, Baker"," Frech> XF:http-ncsa-longurl | Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 | Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both | refer to the same problem. This should be rejected as 1999-0267 is the same problem." CVE-1999-0236,Entry,"ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.","XF:http-scriptalias",,, CVE-1999-0237,Entry,"Remote execution of arbitrary commands through Guestbook CGI program.","XF:http-cgi-guestbook | CERT:VB-97.02",,, CVE-1999-0238,Candidate,"php.cgi allows attackers to read any file on the system.","XF:http-cgi-phpfileread",Proposed (19990623)," ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker | NOOP(1) Christey"," Prosser> additional source | AUSCERT External Security Bulletin ESB-97.047 | http://www.auscert.org.au | Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole | URL:http://www.dataguard.no/bugtraq/1997_2/0069.html | The attacker specifies the filename as an argument to the | program. | Add ""PHP/FI"" to description to facilitate search. 
| AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 | Christey> Consider adding BID:2250" CVE-1999-0239,Entry,"Netscape FastTrack Web server lists files when a lowercase ""get"" command is used instead of an uppercase GET.","XF:fastrack-get-directory-list | OSVDB:122 | URL:http://www.osvdb.org/122",,, CVE-1999-0240,Candidate,"Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.","",Proposed (19990728)," ACCEPT(1) Northcutt | NOOP(1) Baker | REJECT(1) Frech"," Frech> Would reconsider if any references were available." CVE-1999-0241,Candidate,"Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.","XF:http-xguess-cookie",Modified (19990925-01)," ACCEPT(3) Hill, Northcutt, Proctor | MODIFY(2) Frech, Prosser | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> Also add to references: | XF:sol-mkcookie | Prosser> additional source | Bugtraq | ""X11 cookie hijacker"" | http://www.securityfocus.com | Christey> The cookie hijacker thread has to do with stealing cookies | through a file with bad permissions. I'm not sure the | X-Force reference identifies this problem either. | Christey> CIAC:G-04 | URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml | SGI:19960601-01-I | URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I | CERT:VB-95:08" CVE-1999-0242,Candidate,"Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.","BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole | XF:linux-pop3d",Modified (20000106-01)," ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(4) Shostack, Christey, Northcutt, Wall | REVIEWING(1) Levy"," Frech> Ambiguous description: need more detail. 
Possibly: | XF:linux-pop3d (mktemp() leads to reading e-mail) | Christey> At first glance this might look like CVE-1999-0123 or | CVE-1999-0125, however this particular candidate arises out | of a brief mention of the problem in a larger posting which | discusses CVE-1999-0123 (which may be the same bug as | CVE-1999-0125). See the following phrase in the Bugtraq | post: ""one such example of this is in.pop3d"" | | However, the original source of this candidate's description | explicitly mentions shadowed passwords, though it has no | references to help out here." CVE-1999-0243,Candidate,"Linux cfingerd could be exploited to gain root access.","",Proposed (19990714)," ACCEPT(1) Shostack | NOOP(4) Levy, Northcutt, Wall, Baker | REJECT(2) Frech, Christey"," Christey> This has no sources; neither does the original database that | this entry came from. It's a likely duplicate of | CVE-1999-0813. | Frech> I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> If the reference I previously supplied is correct, then | it appears as if the poster modified the source using authorized | access to make it vulnerable. Modifying the source in this manner | does not qualify as being listed a vulnerability. | I disagree on the dupe; see Linux-Security Mailing List, | ""[linux-security] Cfinger (Yet more :)"" at | http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as | if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains | to 1.4.x and below and shows up two years later." 
CVE-1999-0244,Entry,"Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.","NAI:NAI-23 | XF:radius-accounting-overflow",,, CVE-1999-0245,Entry,"Some configurations of NIS+ in Linux allowed attackers to log in as the user ""+"".","BUGTRAQ:19950907 Linux NIS security problem hole and fix | XF:linux-plus",,, CVE-1999-0246,Candidate,"HP Remote Watch allows a remote user to gain root access.","XF:hp-remote",Proposed (19990630)," ACCEPT(4) Frech, Hill, Prosser, Northcutt | NOOP(1) Baker | RECAST(1) Christey"," Frech> Comment: Determine if it's RemoteWatch or Remote Watch. | Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in | Remote Watch (the advisory uses two words, not one, for the | ""Remote Watch"" name) | | ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) | URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com | Prosser> agree that the advisory mentions two vulnerabilities in Remote | Watch, one being a socket connection and other with the showdisk utility | which seems to be a suid vulnerability. Never get much detail on this | anywhere since the recommendation is to remove the program since it is | obsolete and superseded by later tools. Believe the biggest concern here is | to just not run the tool at all. | Christey> CIAC:H-16 | Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp | And possibly AUSCERT:AA-96.07 at | ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul | Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit | http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 | Include ""remwatch"" in the description to facilitate search." 
CVE-1999-0247,Entry,"Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.","NAI:19970721 INN news server vulnerabilities | URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp | BID:1443 | URL:http://www.securityfocus.com/bid/1443 | XF:inn-bo",,, CVE-1999-0248,Entry,"A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.","MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html | CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1",,, CVE-1999-0249,Candidate,"Windows NT RSHSVC program allows remote users to execute arbitrary commands.","",Proposed (19990714)," ACCEPT(1) Baker | MODIFY(2) Frech, Wall | NOOP(2) Shostack, Northcutt | RECAST(1) Christey | REVIEWING(1) Levy"," Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows | remote | users to execute arbitrary commands. | Source: rshsvc.txt from the Windows NT Resource Kit. | Frech> XF:rsh-svc | Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case | where remote users coming from authorized machines are | allowed access regardless of what .rhosts says. XF:rsh-svc | refers to a bug circa 1997 where any remote entity could | execute commands as system." CVE-1999-0250,Candidate,"Denial of service in Qmail through long SMTP commands.","BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2 | MISC:http://cr.yp.to/qmail/venema.html | MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | XF:qmail-leng",Modified (20010301-01)," ACCEPT(2) Meunier, Hill | MODIFY(1) Frech | REJECT(1) Baker | REVIEWING(1) Christey"," Frech> XF:qmail-rcpt | Christey> DUPE CVE-1999-0418 and CVE-1999-0144? 
| Christey> Dan Bernstein, author of Qmail, says that this is not a | vulnerability in qmail because Unix has built-in resource | limits that can restrict the size of a qmail process; other | limits can be specified by the administrator. See | http://cr.yp.to/qmail/venema.html | | Significant discussion of this issue took place on the qmail | list. The fundamental question appears to be whether | application software should set its own limits, or rely | on limits set by the parent operating system (in this case, | UNIX). Also, some people said that the only problem was that | the suggested configuration was not well documented, but this | was refuted by others. | | See the following threads at | http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html | ""Denial of service (qmail-smtpd)"" | ""qmail-dos-2.c, another denial of service"" | ""[PATCH] denial of service"" | ""just another qmail denial-of-service"" | ""the UNIX way"" | ""Time for a reality check"" | | Also see Bugtraq threads on a different vulnerability that | is related to this topic: | BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding | http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html | Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading | through both bugtraq postings, the one that is referenced by 0144 is | based on a shell code exploit to cause memory exhaustion. The bugtraq | posting referenced by this entry refers explicitly to the prior | posting for 0144, and states that the same effect could be | accomplished by a perl exploit, which was then attached. | Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 | http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 | | Both references should be added to CVE-1999-0144, and CVE-1999-0250 | should likely be rejected. 
| CHANGE> [Baker changed vote from REVIEWING to REJECT] | Christey> XF:qmail-leng no longer exists; check with Andre to see if they | regarded it as a duplicate as well. | | qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) | in ""BUGTRAQ:19970612 Denial of service (qmail-smtpd)"", does not | use any RCPT commands. Instead, it sends long strings | of ""X"" characters. A followup by ""super@UFO.ORG"" includes | an exploit that claims to do the same thing; however, that | exploit does not send long strings of X characters - it sends | a large number of RCPT commands. It appears that super@ufo.org | followed up to the wrong message. | | qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) | in ""BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"" | sends a large number of RCPT commands. | | ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) | ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack | | Also see a related thread: | BUGTRAQ:19990308 SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 | | This also describes a problem with mail servers not being able | to handle too many ""RCPT TO"" requests. A followup message | notes that application-level protection is used in Sendmail | to prevent this: | BUGTRAQ:19990309 Re: SMTP server account probing | http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 | The person further says, ""This attack can easily be | prevented with configuration methods.""" CVE-1999-0251,Entry,"Denial of service in talk program allows remote attackers to disrupt a user's display.","XF:talkd-flash",,, CVE-1999-0252,Entry,"Buffer overflow in listserv allows arbitrary command execution.","XF:smtp-listserv",,, CVE-1999-0253,Candidate,"IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . 
(dot) in the URL.","XF:http-iis-2e | L0PHT:19970319",Modified (20000106-01)," ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong | MODIFY(1) LeBlanc | NOOP(3) Ozancin, Prosser, Wall | REVIEWING(1) Christey"," Christey> This is a problem that was introduced after patching a | previous dot bug with the iis-fix hotfix (see CVE-1999-0154). | Since the hotfix introduced the problem, this should be | treated as a separate issue. | Wall> Agree with the comment. | LeBlanc> - this one is so old, I don't remember it at all and can't verify or | deny the issue. If you can find some documentation that says we fixed it (KB | article, hotfix, something), then I would change this to ACCEPT | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> BID:1814 | URL:http://www.securityfocus.com/bid/1814" CVE-1999-0254,Candidate,"A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.","ISS:Hidden SNMP community in HP OpenView | XF:hpov-hidden-snmp-comm",Proposed (19990726)," ACCEPT(2) Frech, Baker | NOOP(1) Wall | REVIEWING(1) Christey"," Christey> What is the proper level of abstraction to use here? Should | we have a separate entry for each different default community | string? See: | http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and | http://cve.mitre.org/Board_Sponsors/archives/msg00250.html | http://cve.mitre.org/Board_Sponsors/archives/msg00251.html | | Until the associated content decisions have been approved | by the Editorial Board, this candidate cannot be accepted | for inclusion in CVE." CVE-1999-0255,Candidate,"Buffer overflow in ircd allows arbitrary command execution.","",Proposed (19990623)," ACCEPT(3) Hill, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REJECT(1) Christey"," Frech> XF:irc-bo | Christey> This is too general and doesn't have any references. The | XF reference doesn't appear to exist any more. 
| | Perhaps this reference would help: | BUGTRAQ:19970701 ircd buffer overflow | Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post." CVE-1999-0256,Entry,"Buffer overflow in War FTP allows remote execution of commands.","XF:war-ftpd | OSVDB:875 | URL:http://www.osvdb.org/875",,, CVE-1999-0257,Candidate,"Nestea variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," ACCEPT(1) Wall | MODIFY(1) Frech | REVIEWING(1) Christey"," Frech> XF:nestea-linux-dos | Christey> Not sure how many separate ""instances"" of Teardrop | and its ilk. Also see comments on CVE-1999-0001. | | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | | Is CVE-1999-0001 the same as CVE-1999-0052? That one is related | to nestea (CVE-1999-0257) and probably the one described in | BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release | The patch for nestea is in ip_input.c around line 750. | The patches for CVE-1999-0001 are in lines 388&446. So, | CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. | The FreeBSD patch for CVE-1999-0052 is in line 750. | So, CVE-1999-0257 and CVE-1999-0052 may be the same, though | CVE-1999-0052 should be RECAST since this bug affects Linux | and other OSes besides FreeBSD. | | Also see BUGTRAQ:19990909 CISCO and nestea. | | Finally, note that there is no fundamental difference between | nestea and nestea2/nestea-v2; they are different ports that | exploit the same problem. | | The original nestea advisory is at | http://www.technotronic.com/rhino9/advisories/06.htm | but notice that the suggested fix is in line 375 of | ip_fragment.c, not ip_input.c. | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. 
| Christey> BUGTRAQ:19980501 nestea does other things | http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 | BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 | BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 | | Nestea source code is in | MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html" CVE-1999-0258,Candidate,"Bonk variation of teardrop IP fragmentation denial of service.","",Proposed (19990726)," MODIFY(2) Frech, Wall | REVIEWING(1) Christey"," Wall> Reference Q179129 | Frech> XF:teardrop-mod | Christey> Not sure how many separate ""instances"" of Teardrop there are. | See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 | Christey> See the SCO advisory at: | http://www.securityfocus.com/templates/advisory.html?id=1411 | which may further clarify the issue. | Christey> BUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 | NTBUGTRAQ:19980108 bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 | NTBUGTRAQ:19980109 Re: Bonk.c | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 | NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 | BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 | CIAC:I-031a | http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml | | CERT summary CS-98.02 implies that bonk, boink, and newtear | all exploit the same vulnerability." 
CVE-1999-0259,Entry,"cfingerd lists all users on a system via search.**@target.","BUGTRAQ:19970523 cfingerd vulnerability | XF:cfinger-user-enumeration",,, CVE-1999-0260,Entry,"The jj CGI program allows command execution via shell metacharacters.","BUGTRAQ:19961224 jj cgi | XF:http-cgi-jj",,, CVE-1999-0261,Candidate,"Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.","BUGTRAQ:19980504 Netmanage Holes | MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html",Modified (20000827-01)," ACCEPT(1) Baker | MODIFY(2) Frech, Landfield | NOOP(3) Ozancin, Christey, Northcutt"," Frech> XF:chamelion-smtp-dos | Landfield> - Specify what ""a crash"" means. | Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) | Christey> Consider adding BID:2387" CVE-1999-0262,Entry,"Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.","BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script | BUGTRAQ:19980804 PATCH: faxsurvey | BID:2056 | URL:http://www.securityfocus.com/bid/2056 | XF:http-cgi-faxsurvey(1532) | URL:http://xforce.iss.net/xforce/xfdb/1532",,, CVE-1999-0263,Entry,"Solaris SUNWadmap can be exploited to obtain root access.","SUN:00173 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173 | XF:sun-sunwadmap",,, CVE-1999-0264,Entry,"htmlscript CGI program allows remote read access to files.","XF:http-htmlscript-file-access | BUGTRAQ:Jan27,1998",,, CVE-1999-0265,Entry,"ICMP redirect messages may crash or lock up a host.","MSKB:Q154174 | URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174 | ISS:ICMP Redirects Against Embedded Controllers | XF:icmp-redirect",,, CVE-1999-0266,Entry,"The info2www CGI script allows remote file access or remote command execution.","BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI | BID:1995 | URL:http://www.securityfocus.com/bid/1995 | 
XF:http-cgi-info2www",,, CVE-1999-0267,Entry,"Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.","XF:http-port | CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability",,, CVE-1999-0268,Entry,"MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.","BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products | BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities | OSVDB:110 | URL:http://www.osvdb.org/110 | OSVDB:3969 | URL:http://www.osvdb.org/3969 | XF:metaweb-server-dot-attack",,, CVE-1999-0269,Entry,"Netscape Enterprise servers may list files through the PageServices query.","XF:netscape-server-pageservices",,, CVE-1999-0270,Entry,"Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as ""pfdisplay"") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.","BUGTRAQ:19980317 IRIX performer_tools bug | SGI:19980401-01-P | URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P | CIAC:I-041 | URL:http://www.ciac.org/ciac/bulletins/i-041.shtml | BID:64 | URL:http://www.securityfocus.com/bid/64 | OSVDB:134 | URL:http://www.osvdb.org/134 | XF:sgi-pfdispaly(810) | URL:http://xforce.iss.net/xforce/xfdb/810",,, CVE-1999-0271,Candidate,"Progressive Networks Real Video server (pnserver) can be crashed remotely.","BUGTRAQ:19980115 pnserver exploit.. | BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?",Modified (19990925-01)," ACCEPT(3) Blake, Northcutt, Baker | MODIFY(1) Frech | NOOP(1) Prosser | REVIEWING(1) Christey"," Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq | posting), but may be multiple codebases since several | Real Audio servers are affected. | | Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. 
| See CVE-1999-0896 | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:realvideo-telnet-dos" CVE-1999-0272,Entry,"Denial of service in Slmail v2.5 through the POP3 port.","XF:slmail-username-bo",,, CVE-1999-0273,Entry,"Denial of service through Solaris 2.5.1 telnet by sending ^D characters.","XF:sun-telnet-kill",,, CVE-1999-0274,Entry,"Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.","NAI:NAI-5 | XF:nt-dns-dos",,, CVE-1999-0275,Entry,"Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.","XF:nt-dnscrash | XF:nt-dnsver | MS:Q169461",,, CVE-1999-0276,Entry,"mSQL v2.0.1 and below allows remote execution through a buffer overflow.","XF:msql-debug-bo | SEKURE:sekure.01-99.msql",,, CVE-1999-0277,Entry,"The WorkMan program can be used to overwrite any file to get root access.","XF:workman | CERT:CA-96.23.workman_vul",,, CVE-1999-0278,Entry,"In IIS, remote attackers can obtain source code for ASP files by appending ""::$DATA"" to the URL.","MS:MS98-003 | URL:http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx | XF:iis-asp-data-check | OVAL:oval:org.mitre.oval:def:913 | URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:913",,, CVE-1999-0279,Entry,"Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.","BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers) | BUGTRAQ:19980115 Excite announcement | CERT:VB-98.01.excite | XF:excite-cgi-search-vuln",,, CVE-1999-0280,Entry,"Remote command execution in Microsoft Internet Explorer using .lnk and .url files.","NTBUGTRAQ:19970317 Internet Explorer Bug #4 | CIAC:H-38 | XF:http-ie-lnkurl",,, CVE-1999-0281,Entry,"Denial of service in IIS using long URLs.","XF:http-iis-longurl",,, CVE-1999-0282,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. 
Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Modified (20050830)," ACCEPT(2) Dik, Baker | MODIFY(1) Frech | NOOP(1) Ozancin | RECAST(1) Prosser | REJECT(1) Christey"," Frech> XF:sun-loadmodule | XF:sun-modload (CERT CA-93.18 very old!) | Prosser> Believe the reference given, 95-12, is referencing a later | loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an | earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories | for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the | same as the HP patches are 100448-02 for the 93 loadmodule/modload | vulnerability and 100448-03 for the 95 loadmodule vulnerability which | normally indicated a patch update. Looks like the original patch either | didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell | much beyond that and this is my opinion only as have no way to check it. | Which one is this CVE referencing? I accept both. | Dik> There are three similar Sun bug ids associated with the patches. | 1076118 loadmodule has a security vulnerability | 1148753 loadmodule has a security vulnerability | 1222192 loadmodule has a security vulnerability | as well as: | 1137491 | Ancient stuff. | Christey> Add period to the end of the description. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for | CA-93.18. | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> This candidate combines two separate issues. It uses the CERT | alert reference from 1995, from one issue, but a description that | is associated with a separate issue." 
CVE-1999-0283,Candidate,"The Java Web Server would allow remote users to obtain the source code for CGI programs.","BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2",Modified (19991203-01)," ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole | MODIFY(1) Frech | NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield | REVIEWING(1) Ozancin"," Wall> Acknowledged by vendor at | http://www.sun.com/software/jwebserver/techinfo/jws112info.html. | Baker> Vulnerability Reference (HTML) Reference Type | http://www.securityfocus.com/archive/1/7260 Misc Defensive Info | http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info | Christey> BID:1891 | URL:http://www.securityfocus.com/bid/1891 | Christey> Add version number (1.1 beta) and details of attack (appending | a . or a \) | | The Sun URL referenced by Dave Baker no longer exists, so I | wasn't able to verify that it addressed the problem described | in the Bugtraq post. This might not even be Sun's | ""Java Web Server,"" as CVE-2001-0186 describes some product | called ""Free Java Web Server"" | Dik> There appears to be some confusion. | | The particular bug seems to be in JWS 1.1beta or 1.1 which was fixed | in 1.1.2 (get foo.jhtml source by appending ""."" or ""\"" to URL) | | There are other bugs that give access and that require a configuration | change. 
| | http://www.sun.com/software/jwebserver/techinfo/security_advisory.html | Christey> Need to make sure to create CAN's for the other bugs, | as documented in: | NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 | BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS | http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 | The reported bugs are: | 1) file read by appending %20 | 2) Directly call /servlet/file | URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html | #2 is explicitly mentioned in the Sun advisory for | CVE-1999-0283. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:javawebserver-cgi-source(5383)" CVE-1999-0284,Candidate,"Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.","XF:smtp-helo-bo",Proposed (19990623)," ACCEPT(2) Blake, Northcutt | MODIFY(3) Frech, Ozancin, Levy | NOOP(1) Baker | REVIEWING(1) Christey"," Frech> ""Windows NT-based mail servers"" (A trademark thing, and for clarification) | XF:mdaemon-helo-bo | XF:lotus-notes-helo-crash | XF:slmail-helo-overflow | XF:smtp-helo-bo (mentions several products) | XF:smtp-exchangedos | Levy> - Need one per software. Each one should be its own | vulnerability. | Ozancin> => Windows NT is correct | Christey> These are probably multiple codebases, so we'll need to use | dot notation. Also need to see if this should be merged | with CVE-1999-0098 (Sendmail SMTP HELO)." CVE-1999-0285,Candidate,"Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.","",Proposed (19990630)," ACCEPT(1) Hill | NOOP(2) Wall, Baker | REJECT(2) Frech, Christey"," Christey> No references, no information. | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> No references; closest documented match is with | CVE-2001-0346, but that's for Windows 2000." 
CVE-1999-0286,Candidate,"In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.","",Proposed (19990714)," ACCEPT(3) Armstrong, Shostack, Cole | MODIFY(3) Levy, Blake, Wall | NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield | REJECT(1) Frech | REVIEWING(1) Christey"," Wall> In some NT web servers, appending a dot at the end of a URL may | allow attackers to read source code for active pages. | Source: MS Knowledge Base Article Q163485 - ""Active Server Pages Script Appears | in Browser"" | Frech> In the meantime, reword description as 'Windows NT' (trademark issue) | Christey> Q163485 does not refer to a space, it refers to a dot. | However, I don't have other references. | | Reading source code with a dot appended is in CVE-1999-0154, | which will be proposed. A subsequent bug similar to the | dot bug is CVE-1999-0253. | Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 | NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 | BID 273 | Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 | CHANGE> [Christey changed vote from NOOP to REVIEWING] | CHANGE> [Frech changed vote from REVIEWING to REJECT] | Frech> BID articles)" CVE-1999-0287,Candidate,"Vulnerability in the Wguest CGI program.","",Proposed (19990714)," MODIFY(2) Frech, Shostack | NOOP(4) Levy, Blake, Northcutt, Wall | REJECT(2) Christey, Baker"," Shostack> allows file reading | Frech> XF:http-cgi-webcom-guestbook | Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In | NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers | Mnemonix says that he had previously reported on a similar | problem. Let's refer to the NTBugtraq posting as | CVE-1999-0467. We will refer to the ""previous report"" as | CVE-1999-0287, which could be found at: | http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html | | 0287 describes an exploit via the ""template"" hidden variable. 
| The exploit describes manually editing the HTML form to | change the filename to read from the template variable. | | The exploit as described in 0467 encodes the template variable | directly into the URL. However, hidden variables are also | encoded into the URL, which would have looked the same to | the web server regardless of the exploit. Therefore 0287 | and 0467 are the same. | Christey> BID:2024" CVE-1999-0288,Entry,"The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.","NTBUGTRAQ:19970801 WINS flooding | BUGTRAQ:19970801 WINS flooding | BUGTRAQ:19970815 Re: WINS flooding | MISC:http://safenetworks.com/Windows/wins.html | MSKB:155701 | XF:nt-winsupd-fix(1233) | URL:http://xforce.iss.net/xforce/xfdb/1233",,, CVE-1999-0289,Entry,"The Apache web server for Win32 may provide access to restricted files when a . 
(dot) is appended to a requested URL.","",,, CVE-1999-0290,Entry,"The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.","BUGTRAQ:19980221 WinGate DoS | BUGTRAQ:19980326 WinGate Intermediary Fix/Update | XF:wingate-dos",,, CVE-1999-0291,Entry,"The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.","XF:wingate-unpassworded",,, CVE-1999-0292,Entry,"Denial of service through Winpopup using large user names.","XF:nt-winpopup",,, CVE-1999-0293,Entry,"AAA authentication on Cisco systems allows attackers to execute commands without authorization.","CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml | XF:cisco-ios-aaa-auth",,, CVE-1999-0294,Entry,"All records in a WINS database can be deleted through SNMP for a denial of service.","XF:nt-wins-snmp2",,, CVE-1999-0295,Entry,"Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.","XF:sun-sysdef | SUN:00157 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157",,, CVE-1999-0296,Entry,"Solaris volrmmount program allows attackers to read any file.","SUN:00162 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162 | XF:sun-volrmmount",,, CVE-1999-0297,Entry,"Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.","NAI:NAI-3 | AUSCERT:AA-96.21 | CIAC:H-17 | XF:vixie-cron",,, CVE-1999-0298,Candidate,"ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. 
(dot dot) attack.","NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme | URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp",Modified (20000524-01)," ACCEPT(4) Cole, Dik, Levy, Northcutt | MODIFY(1) Frech | NOOP(3) Shostack, Christey, Baker"," Christey> ADDREF BID:1441 | URL:http://www.securityfocus.com/bid/1441 | Dik> If you run with ""-ypset"", then you're always insecure. | With ypsetme, only root on the local host | can run ypset in Solaris 2.x+. | Probably true for SunOS 4, hence my vote. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> ADDREF XF:ypbind-ypset-root | CHANGE> [Dik changed vote from REVIEWING to ACCEPT] | Dik> This vulnerability does exist in SunOS 4.x in non default configurations. | In Solaris 2.x, the vulnerability only applies to files named ""cache_binding"" | and not all files ending in .2 | Both releases are not vulnerable in the default configuration (both | disallow ypset by default which prevents this problem from occurring)" CVE-1999-0299,Entry,"Buffer overflow in FreeBSD lpd through long DNS hostnames.","NAI:NAI-9 | OSVDB:6093 | URL:http://www.osvdb.org/6093",,, CVE-1999-0300,Entry,"nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.","SUN:00155 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155 | XF:sun-niscache",,, CVE-1999-0301,Entry,"Buffer overflow in SunOS/Solaris ps command.","SUN:00149 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149 | AUSCERT:AUSCERT-97.17 | XF:sun-ps2bo",,, CVE-1999-0302,Entry,"SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.","SUN:00176 | URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176 | XF:sun-ftp-server",,, CVE-1999-0303,Entry,"Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.","XF:bnu-uucpd-bo | RSI:RSI.0002.05-18-98.BNU.UUCPD",,, CVE-1999-0304,Entry,"mmap function in BSD 
allows local attackers in the kmem group to modify memory through devices.","XF:bsd-mmap | FREEBSD:FreeBSD-SA-98:02",,, CVE-1999-0305,Entry,"The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.","OPENBSD:Feb15,1998 ""IP Source Routing Problem"" | MISC:http://www.openbsd.org/advisories/sourceroute.txt | OSVDB:11502 | URL:http://www.osvdb.org/11502 | XF:bsd-sourceroute(736) | URL:http://xforce.iss.net/xforce/xfdb/736",,, CVE-1999-0306,Candidate,"buffer overflow in HP xlock program.","XF:hp-xlock",Proposed (19990714)," ACCEPT(3) Frech, Northcutt, Baker | MODIFY(1) Prosser | NOOP(1) Shostack | REJECT(1) Christey"," Prosser> This is another of those with multiple affected OSs. | Refs: CA-97.13, http://207.237.120.45/linux/xlock-exp