CVE version: 20061101

CVE Candidates as of 20081202

Candidates must be reviewed and accepted by the CVE Editorial Board before they can be added to the official CVE list. Therefore, these candidates may be modified or even rejected in the future. They are provided for use by individuals who have a need for an early numbering scheme for items that have not been fully reviewed by the Editorial Board.

======================================================
Name: CVE-1999-0001
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
Phase: Modified (20051217)
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.
 Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis.

======================================================
Name: CVE-1999-0002
Status: Entry
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: XF:linux-mountd-bo

Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

======================================================
Name: CVE-1999-0003
Status: Entry
Reference: NAI:NAI-29
Reference: CERT:CA-98.11.tooltalk
Reference: SGI:19981101-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A
Reference: SGI:19981101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: BID:122
Reference: URL:http://www.securityfocus.com/bid/122

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

======================================================
Name: CVE-1999-0004
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0004
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.
Current Votes:
   ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

Voter Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook.
 Dik> Sun bug 4163471
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

======================================================
Name: CVE-1999-0005
Status: Entry
Reference: CERT:CA-98.09.imapd
Reference: SUN:00177
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
Reference: BID:130
Reference: URL:http://www.securityfocus.com/bid/130
Reference: XF:imap-authenticate-bo

Arbitrary command execution via IMAP buffer overflow in authenticate command.

======================================================
Name: CVE-1999-0006
Status: Entry
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Reference: BID:133
Reference: URL:http://www.securityfocus.com/bid/133

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.
======================================================
Name: CVE-1999-0007
Status: Entry
Reference: CERT:CA-98.07.PKCS
Reference: MS:MS98-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx
Reference: XF:nt-ssl-fix

Information from SSL-encrypted sessions via PKCS #1.

======================================================
Name: CVE-1999-0008
Status: Entry
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Buffer overflow in NIS+, in Sun's rpc.nisd program.

======================================================
Name: CVE-1999-0009
Status: Entry
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: CERT:CA-98.05.bind_problems
Reference: XF:bind-bo
Reference: BID:134
Reference: URL:http://www.securityfocus.com/bid/134

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

======================================================
Name: CVE-1999-0010
Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: XF:bind-dos

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.
======================================================
Name: CVE-1999-0011
Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-axfr-dos

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

======================================================
Name: CVE-1999-0012
Status: Entry
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.

======================================================
Name: CVE-1999-0013
Status: Entry
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

======================================================
Name: CVE-1999-0014
Status: Entry
Reference: HP:HPSBUX9801-075
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
Reference: SUN:00185
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185
Reference: CERT:CA-98.02.CDE

Unauthorized privileged access or denial of service via dtappgather program in CDE.

======================================================
Name: CVE-1999-0015
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0015
Phase: Proposed (19990726)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Teardrop IP denial of service.
Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

======================================================
Name: CVE-1999-0016
Status: Entry
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FREEBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Land IP denial of service.

======================================================
Name: CVE-1999-0017
Status: Entry
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.
======================================================
Name: CVE-1999-0018
Status: Entry
Reference: CERT:CA-97.26.statd
Reference: AUSCERT:AA-97.29
Reference: XF:statd
Reference: BID:127
Reference: URL:http://www.securityfocus.com/bid/127

Buffer overflow in statd allows root privileges.

======================================================
Name: CVE-1999-0019
Status: Entry
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135

Delete or create a file via rpc.statd, due to invalid information.

======================================================
Name: CVE-1999-0020
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0020
Phase: Modified (20050204)
Category: SF

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Wall, Shostack
   REJECT(2) Christey, Baker

Voter Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

======================================================
Name: CVE-1999-0021
Status: Entry
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count
Reference: BID:128
Reference: URL:http://www.securityfocus.com/bid/128

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.
======================================================
Name: CVE-1999-0022
Status: Entry
Reference: CERT:CA-97.23.rdist
Reference: SUN:00179
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

======================================================
Name: CVE-1999-0023
Status: Entry
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

======================================================
Name: CVE-1999-0024
Status: Entry
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

DNS cache poisoning via BIND, by predictable query IDs.

======================================================
Name: CVE-1999-0025
Status: Entry
Reference: CERT:CA-1997-21
Reference: URL:http://www.cert.org/advisories/CA-1997-21.html
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: SGI:SGI:19970505-01-A
Reference: SGI:SGI:19970505-02-PX
Reference: CERT-VN:VU#20851
Reference: URL:http://www.kb.cert.org/vuls/id/20851
Reference: BID:346
Reference: URL:http://www.securityfocus.com/bid/346
Reference: XF:df-bo(440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/440

root privileges via buffer overflow in df command on SGI IRIX systems.

======================================================
Name: CVE-1999-0026
Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo

root privileges via buffer overflow in pset command on SGI IRIX systems.
======================================================
Name: CVE-1999-0027
Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo

root privileges via buffer overflow in eject command on SGI IRIX systems.

======================================================
Name: CVE-1999-0028
Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: XF:sgi-schemebo

root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

======================================================
Name: CVE-1999-0029
Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo

root privileges via buffer overflow in ordist command on SGI IRIX systems.

======================================================
Name: CVE-1999-0030
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0030
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

root privileges via buffer overflow in xlock command on SGI IRIX systems.

Current Votes:
   ACCEPT(3) Ozancin, Levy, Prosser
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) Christey

Voter Comments:
 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme.
 Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038.
   This may also be a duplicate with CVE-1999-0306.
   See exploits at:
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

======================================================
Name: CVE-1999-0031
Status: Entry
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

======================================================
Name: CVE-1999-0032
Status: Entry
Reference: BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload
Reference: BUGTRAQ:19961025 Linux & BSD's lpr exploit
Reference: MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Reference: MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program.
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:H-08
Reference: CIAC:I-042
Reference: URL:http://www.ciac.org/ciac/bulletins/i-042.shtml
Reference: SGI:19980402-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX
Reference: BID:707
Reference: URL:http://www.securityfocus.com/bid/707
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
======================================================
Name: CVE-1999-0033
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0033
Phase: Modified (20040811)
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program.

Current Votes:
   ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins
   NOOP(1) Christey
   RECAST(1) Frech

Voter Comments:
 Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0034
Status: Entry
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

======================================================
Name: CVE-1999-0035
Status: Entry
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.
======================================================
Name: CVE-1999-0036
Status: Entry
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: CIAC:H-106
Reference: URL:http://www.ciac.org/ciac/bulletins/h-106.shtml
Reference: SGI:19970508-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX
Reference: OSVDB:990
Reference: URL:http://www.osvdb.org/990
Reference: XF:sgi-lockout(557)
Reference: URL:http://xforce.iss.net/xforce/xfdb/557

IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

======================================================
Name: CVE-1999-0037
Status: Entry
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands

Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.

======================================================
Name: CVE-1999-0038
Status: Entry
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Buffer overflow in xlock program allows local users to execute commands as root.

======================================================
Name: CVE-1999-0039
Status: Entry
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in
Reference: BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi
Reference: CERT:CA-1997-12
Reference: URL:http://www.cert.org/advisories/CA-1997-12.html
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:374
Reference: URL:http://www.securityfocus.com/bid/374
Reference: OSVDB:235
Reference: URL:http://www.osvdb.org/235
Reference: XF:http-sgi-webdist(333)
Reference: URL:http://xforce.iss.net/xforce/xfdb/333

webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.
======================================================
Name: CVE-1999-0040
Status: Entry
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

======================================================
Name: CVE-1999-0041
Status: Entry
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Buffer overflow in NLS (Natural Language Service).

======================================================
Name: CVE-1999-0042
Status: Entry
Reference: NAI:NAI-21
Reference: CERT:CA-97.09.imap_pop
Reference: XF:popimap-bo

Buffer overflow in University of Washington's implementation of IMAP and POP servers.

======================================================
Name: CVE-1999-0043
Status: Entry
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

======================================================
Name: CVE-1999-0044
Status: Entry
Reference: SGI:19970301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P
Reference: XF:sgi-fsdump

fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

======================================================
Name: CVE-1999-0045
Status: Entry
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

List of arbitrary files on Web host via nph-test-cgi script.

======================================================
Name: CVE-1999-0046
Status: Entry
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable.
======================================================
Name: CVE-1999-0047
Status: Entry
Reference: CERT:CA-97.05.sendmail
Reference: BID:685
Reference: URL:http://www.securityfocus.com/bid/685
Reference: XF:sendmail-mime-bo2

MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.

======================================================
Name: CVE-1999-0048
Status: Entry
Reference: CERT:CA-97.04.talkd
Reference: FREEBSD:FreeBSD-SA-96:21
Reference: AUSCERT:AA-97.01
Reference: SUN:00147
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147
Reference: XF:talkd-bo
Reference: XF:netkit-talkd

Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

======================================================
Name: CVE-1999-0049
Status: Entry
Reference: XF:sgi-csetup
Reference: CERT:CA-97.03.csetup

Csetup under IRIX allows arbitrary file creation or overwriting.

======================================================
Name: CVE-1999-0050
Status: Entry
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Buffer overflow in HP-UX newgrp program.

======================================================
Name: CVE-1999-0051
Status: Entry
Reference: XF:sgi-licensemanager
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

======================================================
Name: CVE-1999-0052
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:08
Reference: OSVDB:908
Reference: URL:http://www.osvdb.org/908
Reference: XF:freebsd-ip-frag-dos(1389)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1389

IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.
======================================================
Name: CVE-1999-0053
Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:07
Reference: OSVDB:6094
Reference: URL:http://www.osvdb.org/6094

TCP RST denial of service in FreeBSD.

======================================================
Name: CVE-1999-0054
Status: Entry
Reference: SUN:00171
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171
Reference: XF:sun-ftpd

Sun's ftpd daemon can be subjected to a denial of service.

======================================================
Name: CVE-1999-0055
Status: Entry
Reference: SUN:00172
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172
Reference: AIXAPAR:IX80543
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

======================================================
Name: CVE-1999-0056
Status: Entry
Reference: SUN:00174
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174
Reference: XF:sun-ping

Buffer overflow in Sun's ping program can give root access to local users.

======================================================
Name: CVE-1999-0057
Status: Entry
Reference: NAI:NAI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087

Vacation program allows command execution by remote users through a sendmail command.

======================================================
Name: CVE-1999-0058
Status: Entry
Reference: NAI:NAI-12
Reference: BID:712
Reference: URL:http://www.securityfocus.com/bid/712
Reference: XF:http-cgi-phpbo

Buffer overflow in PHP cgi program, php.cgi allows shell access.
======================================================
Name: CVE-1999-0059
Status: Entry
Reference: NAI:NAI-16
Reference: BID:353
Reference: URL:http://www.securityfocus.com/bid/353
Reference: OSVDB:164
Reference: URL:http://www.osvdb.org/164
Reference: XF:irix-fam(325)
Reference: URL:http://xforce.iss.net/xforce/xfdb/325

IRIX fam service allows an attacker to obtain a list of all files on the server.

======================================================
Name: CVE-1999-0060
Status: Entry
Reference: NAI:NAI-26
Reference: XF:ascend-config-kill
Reference: ASCEND:http://www.ascend.com/2695.html

Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.

======================================================
Name: CVE-1999-0061
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0061
Phase: Proposed (19990630)
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Current Votes:
   ACCEPT(3) Hill, Northcutt, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? In 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.
 Christey> Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19:
   BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
   URL:SNI-19:BSD lpd vulnerability
   Also add:
   BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
   However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI.

======================================================
Name: CVE-1999-0062
Status: Entry
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28
Reference: OSVDB:7559
Reference: URL:http://www.osvdb.org/7559

The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

======================================================
Name: CVE-1999-0063
Status: Entry
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Reference: XF:cisco-syslog-crash

Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.

======================================================
Name: CVE-1999-0064
Status: Entry
Reference: BUGTRAQ:May28,1997
Reference: XF:lquerylv-bo

Buffer overflow in AIX lquerylv program gives root access to local users.

======================================================
Name: CVE-1999-0065
Status: Entry
Reference: SUN:00181
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181
Reference: XF:hp-dtmail

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

======================================================
Name: CVE-1999-0066
Status: Entry
Reference: BUGTRAQ:19950731 SECURITY HOLE: "AnyForm" CGI
Reference: BID:719
Reference: URL:http://www.securityfocus.com/bid/719
Reference: XF:http-cgi-anyform

AnyForm CGI remote execution.
======================================================
Name: CVE-1999-0067
Status: Entry
Reference: BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family
Reference: CERT:CA-1996-06
Reference: URL:http://www.cert.org/advisories/CA-1996-06.html
Reference: AUSCERT:AA-96.01
Reference: BID:629
Reference: URL:http://www.securityfocus.com/bid/629
Reference: OSVDB:136
Reference: URL:http://www.osvdb.org/136
Reference: XF:http-cgi-phf

phf CGI program allows remote command execution through shell metacharacters.

======================================================
Name: CVE-1999-0068
Status: Entry
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: XF:http-cgi-php-mylog
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: OSVDB:3396
Reference: URL:http://www.osvdb.org/3396

CGI PHP mylog script allows an attacker to read any file on the target server.

======================================================
Name: CVE-1999-0069
Status: Entry
Reference: SUN:00169
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169
Reference: XF:sun-ufsrestore
Reference: OSVDB:8158
Reference: URL:http://www.osvdb.org/8158

Solaris ufsrestore buffer overflow.

======================================================
Name: CVE-1999-0070
Status: Entry
Reference: XF:http-cgi-test

test-cgi program allows an attacker to list files on the server.

======================================================
Name: CVE-1999-0071
Status: Entry
Reference: XF:http-apache-cookie
Reference: NAI:NAI-2

Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

======================================================
Name: CVE-1999-0072
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:004.1
Reference: XF:ibm-xdat

Buffer overflow in AIX xdat gives root access to local users.
======================================================
Name: CVE-1999-0073
Status: Entry
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

======================================================
Name: CVE-1999-0074
Status: Entry
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

======================================================
Name: CVE-1999-0075
Status: Entry
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: XF:ftp-pasvcore
Reference: OSVDB:5742
Reference: URL:http://www.osvdb.org/5742

PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.

======================================================
Name: CVE-1999-0076
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0076
Phase: Modified (19990925-01)
Category: SF
Reference: XF:ftp-args

Buffer overflow in wu-ftp from PASV command causes a core dump.

Current Votes:
   ACCEPT(3) Ozancin, Baker, Frech
   NOOP(1) Balinsky
   REVIEWING(1) Christey

Voter Comments:
 Balinsky> Don't know what this is.  Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

======================================================
Name: CVE-1999-0077
Status: Entry
Reference: XF:tcp-seq-predict(139)
Reference: URL:http://xforce.iss.net/static/139.php

Predictable TCP sequence numbers allow spoofing.
======================================================
Name: CVE-1999-0078
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0078
Phase: Modified (19990621-01)
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Current Votes:
   ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Christey> This candidate should be SPLIT, since there are two separate
   software flaws.  One is a symlink race and the other is a shell
   metacharacter problem.
 Christey> The permissions part of this vulnerability appears to overlap
   with CVE-1999-0353
 Christey> SGI:20020802-01-I

======================================================
Name: CVE-1999-0079
Status: Entry
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.

======================================================
Name: CVE-1999-0080
Status: Entry
Reference: BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

======================================================
Name: CVE-1999-0081
Status: Entry
Reference: XF:ftp-rnfr

wu-ftp allows files to be overwritten via the rnfr command.
======================================================
Name: CVE-1999-0082
Status: Entry
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

CWD ~root command in ftpd allows root access.

======================================================
Name: CVE-1999-0083
Status: Entry
Reference: XF:cwdleak

getcwd() file descriptor leak in FTP.

======================================================
Name: CVE-1999-0084
Status: Entry
Reference: XF:nfs-mknod(78)
Reference: URL:http://xforce.iss.net/xforce/xfdb/78

Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

======================================================
Name: CVE-1999-0085
Status: Entry
Reference: BUGTRAQ:19960821 rwhod buffer overflow
Reference: XF:rwhod(119)
Reference: URL:http://xforce.iss.net/xforce/xfdb/119
Reference: XF:rwhod-vuln(118)
Reference: URL:http://xforce.iss.net/xforce/xfdb/118

Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

======================================================
Name: CVE-1999-0086
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0086
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on, which is
   the problem.  Should this be more specific in the description?  This
   one also affects SGI OSes, ref SGI Security Advisory 19981004-PX,
   which is in the SGI cluster; shouldn't these be cross-referenced, as
   the same vuln affects multiple OSes?
 Christey> This appears to be subsumed by CVE-1999-0215

======================================================
Name: CVE-1999-0087
Status: Entry
Reference: XF:ibm-telnetdos
Reference: ERS:ERS-SVA-E01-1998:003.1
Reference: OSVDB:7992
Reference: URL:http://www.osvdb.org/7992

Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.

======================================================
Name: CVE-1999-0088
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0088
Phase: Proposed (19990617)
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
   remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
   description.  SGI Security Advisory 19981005-01-PX
 Christey> DUPE CVE-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210.  Perhaps they should be a
   single entry.

======================================================
Name: CVE-1999-0089
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0089
Phase: Interim (19990630)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Prosser, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects dtaction
   in the CDE on versions of SunOS (SUN 164).  Probably should be
   specific.
 Christey> Same Codebase as CVE-1999-0121, so the two entries should be
   merged.

======================================================
Name: CVE-1999-0090
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-rcp

Buffer overflow in AIX rcp command allows local users to obtain root access.

======================================================
Name: CVE-1999-0091
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-writesrv

Buffer overflow in AIX writesrv command allows local users to obtain root access.

======================================================
Name: CVE-1999-0092
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0092
Phase: Proposed (19990623)
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1

Various vulnerabilities in the AIX portmir command allow local users to obtain root access.

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

Voter Comments:
 Frech> XF:ibm-portmir

======================================================
Name: CVE-1999-0093
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:008.1
Reference: XF:ibm-nslookup

AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.

======================================================
Name: CVE-1999-0094
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:007.1
Reference: XF:ibm-piodmgrsu

AIX piodmgrsu command allows local users to gain additional group privileges.

======================================================
Name: CVE-1999-0095
Status: Entry
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: BID:1
Reference: URL:http://www.securityfocus.com/bid/1
Reference: OSVDB:195
Reference: URL:http://www.osvdb.org/195
Reference: XF:smtp-debug

The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
======================================================
Name: CVE-1999-0096
Status: Entry
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:smtp-dcod

Sendmail decode alias can be used to overwrite sensitive files.

======================================================
Name: CVE-1999-0097
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

======================================================
Name: CVE-1999-0098
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0098
Phase: Proposed (19990726)
Category: SF
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Current Votes:
   MODIFY(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> (Accept XF reference.)  Our references do not mention hiding
   activities.  This issue can crash the SMTP server or execute arbitrary
   byte-code.  Is there another reference available?
 Christey> Should this be merged with CVE-1999-0284, which is Sendmail
   with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
 Baker> Apparently this XF reference is not for this issue, but for the
   other issue.  This should be modified to have the Bugtraq references,
   and remove the XF reference.

======================================================
Name: CVE-1999-0099
Status: Entry
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.
======================================================
Name: CVE-1999-0100
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:002.1
Reference: XF:inn-controlmsg

Remote access in AIX innd 1.5.1, using control messages.

======================================================
Name: CVE-1999-0101
Status: Entry
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: NAI:NAI-1
Reference: XF:ghbn-bo

Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.

======================================================
Name: CVE-1999-0102
Status: Entry
Reference: XF:slmail-fromheader-overflow

Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.

======================================================
Name: CVE-1999-0103
Status: Entry
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:echo
Reference: XF:chargen
Reference: XF:chargen-patch

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

======================================================
Name: CVE-1999-0104
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0104
Phase: Modified (20040811)
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Current Votes:
   ACCEPT(2) Wall, Frech
   REVIEWING(1) Christey

Voter Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords included in
   the KB article specifically name bonk (CVE-1999-0258) and boink.
   Since teardrop2 was fixed in a slightly different version (at least in
   a separate patch) than Teardrop, CD:SF-LOC suggests keeping them
   separate.
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0105
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0105
Phase: Proposed (19990726)
Category: SF

finger allows recursive searches by using a long string of @ symbols.

Current Votes:
   MODIFY(3) Shostack, Baker, Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests?  (but then might
   overlap CVE-1999-0106)
 Baker> should change description to indicate the recursive searching can
   consume enough system resources to cause a DoS.

======================================================
Name: CVE-1999-0106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0106
Phase: Proposed (19990726)
Category: SF

Finger redirection allows finger bombs.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Shostack, Frech
   RECAST(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of
   the vulnerability, one that I can finger anonymously, and the other
   that I can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs
 Baker> This should be merged with 1999-0105

======================================================
Name: CVE-1999-0107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107
Phase: Modified (19991223-01)
Category: SF
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Shostack, Northcutt, Wall
   REVIEWING(1) Levy
   REVOTE(1) Christey

Voter Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I believe this is the problem where sending lots of HTTP headers
   to Apache resulted in a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

======================================================
Name: CVE-1999-0108
Status: Entry
Reference: BUGTRAQ:another day, another buffer overflow...
Reference: XF:printers-bo

The printers program in IRIX has a buffer overflow that gives root access to local users.

======================================================
Name: CVE-1999-0109
Status: Entry
Reference: SUN:00140
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140
Reference: AUSCERT:AA-97.06
Reference: XF:ffbconfig-bo

Buffer overflow in ffbconfig in Solaris 2.5.1.

======================================================
Name: CVE-1999-0110
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0110
Phase: Interim (19990810)
Category: SF

** REJECT **  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-1999-0315.
Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315.
Notes: All CVE users should reference CVE-1999-0315 instead of this candidate.  All references and descriptions in this candidate have been removed to prevent accidental usage.

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Northcutt, Wall
   REJECT(3) Dik, Christey, Baker

Voter Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CVE-1999-0315
 Dik> dup

======================================================
Name: CVE-1999-0111
Status: Entry
Reference: XF:rip

RIP v1 is susceptible to spoofing.

======================================================
Name: CVE-1999-0112
Status: Entry
Reference: BUGTRAQ:19970520 AIX 4.2 dtterm exploit
Reference: XF:dtterm-bo(878)
Reference: URL:http://xforce.iss.net/xforce/xfdb/878

Buffer overflow in AIX dtterm program for the CDE.

======================================================
Name: CVE-1999-0113
Status: Entry
Reference: BUGTRAQ:19940729 -froot??? (AIX rlogin bug)
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: CIAC:E-26
Reference: BID:458
Reference: URL:http://www.securityfocus.com/bid/458
Reference: XF:rlogin-froot

Some implementations of rlogin allow root access if given a -froot parameter.

======================================================
Name: CVE-1999-0114
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0114
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.
Current Votes:
   ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong
   MODIFY(2) Baker, Frech
   NOOP(3) Ozancin, Christey, Northcutt
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm
   Official Advisory
 Christey> The correct URL is
   http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right problem,
   especially since the CERT advisory is dated December 18, 1995 and the
   original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security Focus think
   that the 1999 post describes a different vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site.  How about
   XF:elm-filter(402)?  Its references point to the December 26, 1995
   Bugtraq post.
   Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711)
   ADDREF:XF:elm-filter(402)

======================================================
Name: CVE-1999-0115
Status: Entry
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800

AIX bugfiler program allows local users to gain root access.

======================================================
Name: CVE-1999-0116
Status: Entry
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
Reference: SUN:00136
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136

Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
======================================================
Name: CVE-1999-0117
Status: Entry
Reference: XF:ibm-passwd
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

AIX passwd allows local users to gain root access.

======================================================
Name: CVE-1999-0118
Status: Entry
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

======================================================
Name: CVE-1999-0119
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0119
Phase: Proposed (19990728)
Category: SF

Windows NT 4.0 beta allows users to read and delete shares.

Current Votes:
   MODIFY(1) Frech
   NOOP(2) Northcutt, Baker
   REJECT(1) Wall

Voter Comments:
 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11)
   Reconsider reject, because this beta was in widespread use.

======================================================
Name: CVE-1999-0120
Status: Entry
Reference: SUN:00126
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

======================================================
Name: CVE-1999-0121
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0121
Phase: Proposed (19990617)
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.
Current Votes:
   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Prosser, Baker, Frech
   REVIEWING(1) Christey

Voter Comments:
 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
   library in AIX 4.x, but reference for this Sun vulnerability should
   only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
   Bulletin
 Christey> This is the Same Codebase as CVE-1999-0089, so the two entries
   should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

======================================================
Name: CVE-1999-0122
Status: Entry
Reference: BUGTRAQ:Jul21,1999
Reference: XF:lchangelv-bo

Buffer overflow in AIX lchangelv gives root access.

======================================================
Name: CVE-1999-0123
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0123
Phase: Modified (20000105-01)
Category: SF
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Race condition in Linux mailx command allows local users to read user files.

Current Votes:
   ACCEPT(3) Ozancin, Baker, Frech
   NOOP(1) Wall

======================================================
Name: CVE-1999-0124
Status: Entry
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

======================================================
Name: CVE-1999-0125
Status: Entry
Reference: XF:sgi-mailx-bo
Reference: SGI:19980605-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX

Buffer overflow in SGI IRIX mailx program.
======================================================
Name: CVE-1999-0126
Status: Entry
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: URL:http://www.ciac.org/ciac/bulletins/j-010.shtml
Reference: XF:xfree86-xterm-xaw
Reference: XF:xfree86-xaw

SGI IRIX buffer overflow in xterm and Xaw allows root access.

======================================================
Name: CVE-1999-0127
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0127
Phase: Proposed (19990623)
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Current Votes:
   ACCEPT(2) Prosser, Baker
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064 references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   The original AUSCERT advisory says that the programs "create files in
   an insecure manner" and "Exploit details involving this vulnerability
   have been made publicly available." which leads one to assume that the
   following original Bugtraq post provides the details for a standard
   symlink problem:
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

======================================================
Name: CVE-1999-0128
Status: Entry
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

======================================================
Name: CVE-1999-0129
Status: Entry
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.
======================================================
Name: CVE-1999-0130
Status: Entry
Reference: CERT:CA-96.24.sendmail.daemon.mode
Reference: BID:716
Reference: URL:http://www.securityfocus.com/bid/716
Reference: XF:sendmail-daemon-mode

Local users can start Sendmail in daemon mode and gain root privileges.

======================================================
Name: CVE-1999-0131
Status: Entry
Reference: CERT:CA-96.20.sendmail_vul
Reference: XF:smtp-875bo
Reference: BID:717
Reference: URL:http://www.securityfocus.com/bid/717

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

======================================================
Name: CVE-1999-0132
Status: Entry
Reference: CERT:CA-1996-19
Reference: URL:http://www.cert.org/advisories/CA-1996-19.html
Reference: OSVDB:11723
Reference: URL:http://www.osvdb.org/11723
Reference: XF:expreserve(401)
Reference: URL:http://xforce.iss.net/xforce/xfdb/401

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

======================================================
Name: CVE-1999-0133
Status: Entry
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

======================================================
Name: CVE-1999-0134
Status: Entry
Reference: XF:sol-voldtmp
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04
Reference: OSVDB:8159
Reference: URL:http://www.osvdb.org/8159

vold in Solaris 2.x allows local users to gain root access.

======================================================
Name: CVE-1999-0135
Status: Entry
Reference: XF:sun-admintool
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

admintool in Solaris allows a local user to write to arbitrary files and gain root access.
======================================================
Name: CVE-1999-0136
Status: Entry
Reference: XF:sol-KCMSvuln
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

======================================================
Name: CVE-1999-0137
Status: Entry
Reference: XF:linux-dipbo
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

======================================================
Name: CVE-1999-0138
Status: Entry
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid

The suidperl and sperl programs do not give up root privileges when changing UIDs back to the original users, allowing root access.

======================================================
Name: CVE-1999-0139
Status: Entry
Reference: XF:sol-mkcookie
Reference: RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Reference: OSVDB:8205
Reference: URL:http://www.osvdb.org/8205

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

======================================================
Name: CVE-1999-0140
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0140
Phase: Proposed (19990630)
Category: SF

Denial of service in RAS/PPTP on NT systems.

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from
   other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that
   might be discovered in the future.
 Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem
   referred to by Andre.  However, I have yet to dig up a source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed.
   More precise candidates should be created.
 Christey> Consider adding BID:2111

======================================================
Name: CVE-1999-0141
Status: Entry
Reference: XF:http-java-applet
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134

Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.

======================================================
Name: CVE-1999-0142
Status: Entry
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

======================================================
Name: CVE-1999-0143
Status: Entry
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.
======================================================
Name: CVE-1999-0144
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0144
Phase: Modified (20010301-02)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Current Votes:
   ACCEPT(4) Frech, Meunier, Hill, Baker
   REVIEWING(1) Christey

Voter Comments:
 Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource limits that
   can restrict the size of a qmail process; other limits can be
   specified by the administrator.  See http://cr.yp.to/qmail/venema.html
   Significant discussion of this issue took place on the qmail list.
   The fundamental question appears to be whether application software
   should set its own limits, or rely on limits set by the parent
   operating system (in this case, UNIX).  Also, some people said that
   the only problem was that the suggested configuration was not well
   documented, but this was refuted by others.
See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html Baker> http://cr.yp.to/qmail/venema.html Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit. Baker> http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate. Baker> http://www.securityfocus.com/bid/2237 CHANGE> [Baker changed vote from REVIEWING to ACCEPT] Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. 
NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." ====================================================== Name: CVE-1999-0145 Status: Entry Reference: CERT:CA-1990-11 Reference: URL:http://www.cert.org/advisories/CA-1990-11.html Reference: CERT:CA-1993-14 Reference: URL:http://www.cert.org/advisories/CA-1993-14.html Reference: BUGTRAQ:19950206 sendmail wizard thing... Reference: URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html Sendmail WIZ command enabled, allowing root access. 
======================================================
Name: CVE-1999-0146
Status: Entry
Reference: BUGTRAQ:19970715 Bug CGI campas
Reference: BID:1975
Reference: URL:http://www.securityfocus.com/bid/1975
Reference: XF:http-cgi-campas(298)
Reference: URL:http://xforce.iss.net/xforce/xfdb/298

The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.

======================================================
Name: CVE-1999-0147
Status: Entry
Reference: XF:http-cgi-glimpse
Reference: AUSCERT:AA-97.28

The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.

======================================================
Name: CVE-1999-0148
Status: Entry
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:380
Reference: URL:http://www.securityfocus.com/bid/380
Reference: XF:http-sgi-handler

The handler CGI program in IRIX allows arbitrary command execution.

======================================================
Name: CVE-1999-0149
Status: Entry
Reference: BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:373
Reference: URL:http://www.securityfocus.com/bid/373
Reference: OSVDB:247
Reference: URL:http://www.osvdb.org/247
Reference: XF:http-sgi-wrap(290)
Reference: URL:http://xforce.iss.net/xforce/xfdb/290

The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0150
Status: Entry
Reference: XF:perl-fingerd

The Perl fingerd program allows arbitrary command execution from remote users.
======================================================
Name: CVE-1999-0151
Status: Entry
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

======================================================
Name: CVE-1999-0152
Status: Entry
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd

The DG/UX finger daemon allows remote command execution through shell metacharacters.

======================================================
Name: CVE-1999-0153
Status: Entry
Reference: XF:win-oob
Reference: OSVDB:1666
Reference: URL:http://www.osvdb.org/1666

Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

======================================================
Name: CVE-1999-0154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0154
Phase: Proposed (20010912)
Category: SF
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Current Votes:
   ACCEPT(4) Frech, Stracener, Wall, Foat
   NOOP(3) Christey, Baker, Cole

Voter Comments:
 Christey> This is the precursor to the problem that is identified in CVE-1999-0253.
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Name: CVE-1999-0155
Status: Entry
Reference: XF:gscript-dsafer
Reference: CERT:CA-95.10.ghostscript

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.
======================================================
Name: CVE-1999-0156
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0156
Phase: Proposed (19990714)
Category: SF
Reference: XF:ftp-pwless

wu-ftpd FTP daemon allows any user and password combination.

Current Votes:
   ACCEPT(2) Shostack, Northcutt
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser

Voter Comments:
 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarily affect just wu-ftp (ie, also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information.

======================================================
Name: CVE-1999-0157
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml
Reference: XF:cisco-fragmented-attacks
Reference: OSVDB:1097
Reference: URL:http://www.osvdb.org/1097

Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

======================================================
Name: CVE-1999-0158
Status: Entry
Reference: CISCO:20010913 Cisco PIX Firewall Manager File Exposure
Reference: URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml
Reference: XF:cisco-pix-file-exposure
Reference: OSVDB:685
Reference: URL:http://www.osvdb.org/685

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

======================================================
Name: CVE-1999-0159
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
Reference: XF:cisco-ios-crash

Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.
======================================================
Name: CVE-1999-0160
Status: Entry
Reference: CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication
Reference: CIAC:I-002A
Reference: OSVDB:1099
Reference: URL:http://www.osvdb.org/1099
Reference: XF:cisco-chap

Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

======================================================
Name: CVE-1999-0161
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/707/1.html
Reference: XF:cisco-acl-tacacs
Reference: OSVDB:797
Reference: URL:http://www.osvdb.org/797

In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

======================================================
Name: CVE-1999-0162
Status: Entry
Reference: CISCO:19950601 "Established" Keyword May Allow Packets to Bypass Filter
Reference: XF:cisco-acl-established

The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

======================================================
Name: CVE-1999-0163
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0163
Phase: Proposed (19990714)
Category: SF
Reference: XF:smtp-pipe

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Christey, Baker
   RECAST(1) Shostack

Voter Comments:
 Shostack> there was a 'To: |' and a 'From: |' attack, which I think are separate.
 Prosser> older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack

======================================================
Name: CVE-1999-0164
Status: Entry
Reference: XF:sol-pstmprace
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
Reference: OSVDB:8346
Reference: URL:http://www.osvdb.org/8346

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

======================================================
Name: CVE-1999-0165
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0165
Phase: Modified (20040811)
Category: SF
Reference: XF:nfs-cache

NFS cache poisoning.

Current Votes:
   ACCEPT(3) Frech, Northcutt, Baker
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

Voter Comments:
 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

======================================================
Name: CVE-1999-0166
Status: Entry
Reference: XF:nfs-cd

NFS allows users to use a "cd .." command to access other directories besides the exported file system.

======================================================
Name: CVE-1999-0167
Status: Entry
Reference: XF:nfs-guess
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

======================================================
Name: CVE-1999-0168
Status: Entry
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.
======================================================
Name: CVE-1999-0169
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0169
Phase: Proposed (19990714)
Category: SF
Reference: XF:nfs-uid

NFS allows attackers to read and write any file on the system by specifying a false UID.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Baker
   REJECT(1) Shostack

Voter Comments:
 Shostack> this is not a vulnerability but a design feature.
 Baker> Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

======================================================
Name: CVE-1999-0170
Status: Entry
Reference: XF:nfs-ultrix

Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

======================================================
Name: CVE-1999-0171
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0171
Phase: Proposed (19990714)
Category: SF
Reference: XF:syslog-flood

Denial of service in syslog by sending it a large number of superfluous messages.

Current Votes:
   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Shostack, Christey

Voter Comments:
 Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.
 Christey> Duplicate of CVE-1999-0566

======================================================
Name: CVE-1999-0172
Status: Entry
Reference: XF:http-cgi-formmail-exe
Reference: BUGTRAQ:Aug02,1995

FormMail CGI program allows remote execution of commands.

======================================================
Name: CVE-1999-0173
Status: Entry
Reference: XF:http-cgi-formmail-use

FormMail CGI program can be used by web servers other than the host server that the program resides on.
======================================================
Name: CVE-1999-0174
Status: Entry
Reference: BUGTRAQ:19970208 view-source
Reference: XF:http-cgi-viewsrc

The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

======================================================
Name: CVE-1999-0175
Status: Entry
Reference: XF:http-nov-convert

The convert.bas program in the Novell web server allows remote attackers to read any file on the system that is internally accessible by the web server.

======================================================
Name: CVE-1999-0176
Status: Entry
Reference: BUGTRAQ:Jul10,1997
Reference: XF:http-webgais-query

The Webgais program allows a remote user to execute arbitrary commands.

======================================================
Name: CVE-1999-0177
Status: Entry
Reference: NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
Reference: BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: XF:http-website-uploader

The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.

======================================================
Name: CVE-1999-0178
Status: Entry
Reference: BUGTRAQ:19970106 Re: signal handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html
Reference: BID:2078
Reference: URL:http://www.securityfocus.com/bid/2078
Reference: OSVDB:8
Reference: URL:http://www.osvdb.org/8
Reference: XF:http-website-winsample(295)
Reference: URL:http://xforce.iss.net/xforce/xfdb/295

Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.
======================================================
Name: CVE-1999-0179
Status: Entry
Reference: MSKB:Q140818
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818
Reference: XF:nt-samba-dotdot
Reference: XF:nt-351
Reference: XF:nt-35

Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

======================================================
Name: CVE-1999-0180
Status: Entry
Reference: XF:rsh-null

in.rshd allows users to login with a NULL username and execute commands.

======================================================
Name: CVE-1999-0181
Status: Entry
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

======================================================
Name: CVE-1999-0182
Status: Entry
Reference: CIAC:H-110
Reference: URL:http://www.ciac.org/ciac/bulletins/h-110.shtml
Reference: CERT:VB-97.10.samba
Reference: XF:nt-samba-bo

Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.

======================================================
Name: CVE-1999-0183
Status: Entry
Reference: XF:linux-tftp

Linux implementations of TFTP would allow access to files outside the restricted directory.

======================================================
Name: CVE-1999-0184
Status: Entry
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

======================================================
Name: CVE-1999-0185
Status: Entry
Reference: SUN:00156
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156
Reference: XF:sun-ftpd/logind

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.
======================================================
Name: CVE-1999-0186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0186
Phase: Modified (20071119)
Category: SF
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Current Votes:
   ACCEPT(2) Dik, Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Voter Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html
   and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

======================================================
Name: CVE-1999-0187
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0187
Phase: Modified (20050204)
Category: SF

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Current Votes:
   ACCEPT(2) Hill, Northcutt
   RECAST(3) Frech, Prosser, Baker
   REJECT(1) Dik
   REVIEWING(1) Christey

Voter Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( ) (ref CERT 96.14) as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrased, this is a duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.

======================================================
Name: CVE-1999-0188
Status: Entry
Reference: SUN:00182
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182
Reference: XF:sun-passwd-dos

The passwd command in Solaris can be subjected to a denial of service.

======================================================
Name: CVE-1999-0189
Status: Entry
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142
Reference: XF:rpc-32771

Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

======================================================
Name: CVE-1999-0190
Status: Entry
Reference: SUN:00167
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167
Reference: XF:sun-rpcbind

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.
======================================================
Name: CVE-1999-0191
Status: Entry
Reference: XF:http-cgi-newdsn
Reference: OSVDB:275
Reference: URL:http://www.osvdb.org/275

IIS newdsn.exe CGI script allows remote users to overwrite files.

======================================================
Name: CVE-1999-0192
Status: Entry
Reference: SNI:SNI-20
Reference: XF:bsd-tel-tgetent

Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environmental variable.

======================================================
Name: CVE-1999-0193
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0193
Phase: Proposed (19990714)
Category: SF

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Current Votes:
   ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole
   MODIFY(2) Blake, Baker
   NOOP(4) Frech, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey

Voter Comments:
 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
 Landfield> What are the references for this ? I cannot find a means to check it out.
CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a reference to the 3Coms? If not, that should be removed from the description.
 Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

======================================================
Name: CVE-1999-0194
Status: Entry
Reference: XF:comsat

Denial of service in in.comsat allows attackers to generate messages.

======================================================
Name: CVE-1999-0195
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0195
Phase: Modified (19991130-01)
Category: SF
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Current Votes:
   ACCEPT(2) Shostack, Balinsky
   MODIFY(1) Frech
   NOOP(3) Northcutt, Wall, Baker
   REVIEWING(2) Levy, Christey

Voter Comments:
 Frech> XF:rpcbind-spoof
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset

======================================================
Name: CVE-1999-0196
Status: Entry
Reference: BUGTRAQ:19970704 Vulnerability in websendmail
Reference: BID:2077
Reference: URL:http://www.securityfocus.com/bid/2077
Reference: OSVDB:237
Reference: URL:http://www.osvdb.org/237
Reference: XF:http-webgais-smail

websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).

======================================================
Name: CVE-1999-0197
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0197
Phase: Proposed (19990726)
Category: SF

finger 0@host on some systems may print information on some user accounts.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature)

======================================================
Name: CVE-1999-0198
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0198
Phase: Proposed (19990726)
Category: SF

finger .@host on some systems may print information on some user accounts.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

Voter Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature)

======================================================
Name: CVE-1999-0200
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0200
Phase: Modified (19991130-01)
Category: SF
Reference: MSKB:Q137853

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.
Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Northcutt, Wall
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Others have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a non-anon FTP account and gain root privs.
 Christey> added MSKB reference
CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsoft FTP server. It's best to just kill this candidate where it stands and start fresh.

======================================================
Name: CVE-1999-0201
Status: Entry
Reference: XF:ftp-home

A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.

======================================================
Name: CVE-1999-0202
Status: Entry
Reference: XF:ftp-exectar

The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.

======================================================
Name: CVE-1999-0203
Status: Entry
Reference: CERT:CA-95.08
Reference: CIAC:E-03
Reference: XF:smtp-sendmail-version5

In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.

======================================================
Name: CVE-1999-0204
Status: Entry
Reference: XF:ident-bo
Reference: CIAC:F-13

Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.
======================================================
Name: CVE-1999-0205
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0205
Phase: Modified (19990925-01)
Category: SF
Reference: BUGTRAQ:19990708 SM 8.6.12

Denial of service in Sendmail 8.6.11 and 8.6.12.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Ozancin, Christey

Voter Comments:
 Frech> XF:sendmail-alias-dos
 Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread.
 Christey> Change Bugtraq reference date to 19950708.

======================================================
Name: CVE-1999-0206
Status: Entry
Reference: XF:sendmail-mime-bo
Reference: AUSCERT:AA-96.06a

MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.

======================================================
Name: CVE-1999-0207
Status: Entry
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

======================================================
Name: CVE-1999-0208
Status: Entry
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

======================================================
Name: CVE-1999-0209
Status: Entry
Reference: CERT:CA-90.05.sunselection.vulnerability
Reference: BID:8
Reference: URL:http://www.securityfocus.com/bid/8
Reference: XF:selsvc

The SunView (SunTools) selection_svc facility allows remote users to read files.
======================================================
Name: CVE-1999-0210
Status: Entry
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: BID:235
Reference: URL:http://www.securityfocus.com/bid/235

Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

======================================================
Name: CVE-1999-0211
Status: Entry
Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability
Reference: BID:24
Reference: URL:http://www.securityfocus.com/bid/24

Extra long export lists over 256 characters in some mount daemons allow NFS directories to be mounted by anyone.

======================================================
Name: CVE-1999-0212
Status: Entry
Reference: SUN:00168
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168
Reference: CIAC:I-048
Reference: URL:http://www.ciac.org/ciac/bulletins/i-048.shtml
Reference: XF:sun-mountd

Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

======================================================
Name: CVE-1999-0213
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0213
Phase: Modified (20001009-01)
Category: SF
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.
Current Votes:
   ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole
   MODIFY(3) Frech, Levy, Baker
   NOOP(4) Bishop, Meunier, Wall, Armstrong
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
   http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055.
 Levy> BID 148
======================================================
Name: CVE-1999-0214
Status: Entry
Reference: XF:icmp-unreachable

Denial of service by sending forged ICMP unreachable packets.
======================================================
Name: CVE-1999-0215
Status: Entry
Reference: SGI:19981004-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX
Reference: CIAC:J-012
Reference: URL:http://www.ciac.org/ciac/bulletins/j-012.shtml
Reference: XF:ripapp

Routed allows attackers to append data to files.
======================================================
Name: CVE-1999-0216
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0216
Phase: Modified (19991203-01)
Category: SF
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Denial of service of inetd on Linux through SYN and RST packets.
Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Frech, Baker
   RECAST(1) Meunier

Voter Comments:
 Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should likely either be modified, or in extreme case, recast
======================================================
Name: CVE-1999-0217
Status: Entry
Reference: XF:udp-bomb

Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.
======================================================
Name: CVE-1999-0218
Status: Entry
Reference: XF:portmaster-reboot

Livingston portmaster machines could be rebooted via a series of commands.
======================================================
Name: CVE-1999-0219
Status: Entry
Reference: NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92574916930144&w=2
Reference: NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92582581330282&w=2
Reference: BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT
Reference: BID:269
Reference: URL:http://www.securityfocus.com/bid/269
Reference: XF:ftp-servu(205)
Reference: URL:http://xforce.iss.net/xforce/xfdb/205

Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.
======================================================
Name: CVE-1999-0220
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0220
Phase: Proposed (19990728)
Category: SF

Attackers can do a denial of service of IRC by crashing the server.

Current Votes:
   NOOP(2) Northcutt, Baker
   REJECT(2) Frech, Christey

Voter Comments:
 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague description, equals REJECT.
======================================================
Name: CVE-1999-0221
Status: Entry
Reference: XF:ascend-150-kill

Denial of service of Ascend routers through port 150 (remote administration).
======================================================
Name: CVE-1999-0222
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0222
Phase: Proposed (19990714)
Category: SF

Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(3) Frech, Shostack, Levy
   NOOP(3) Balinsky, Northcutt, Wall
   RECAST(1) Ziese
   REJECT(1) Christey

Voter Comments:
 Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases?
 Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verified by my Company". If it can't be recast because this (long uri) is different than our release (special url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected.
======================================================
Name: CVE-1999-0223
Status: Entry
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878
Reference: URL:http://www.securityfocus.com/bid/1878

Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.
======================================================
Name: CVE-1999-0224
Status: Entry
Reference: XF:nt-messenger

Denial of service in Windows NT messenger service through a long username.
======================================================
Name: CVE-1999-0225
Status: Entry
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos

Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.
======================================================
Name: CVE-1999-0226
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0226
Phase: Proposed (19990728)
Category: SF

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

Voter Comments:
 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net
======================================================
Name: CVE-1999-0227
Status: Entry
Reference: MSKB:Q154087
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087
Reference: XF:nt-lsass-crash

Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.
======================================================
Name: CVE-1999-0228
Status: Entry
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.
======================================================
Name: CVE-1999-0229
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229
Phase: Modified (19991228-02)
Category: SF
Reference: MSKB:Q115052

Denial of service in Windows NT IIS server using ..\..

Current Votes:
   ACCEPT(2) Shostack, Baker
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0)
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218
======================================================
Name: CVE-1999-0230
Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml
Reference: OSVDB:1102
Reference: URL:http://www.osvdb.org/1102

Buffer overflow in Cisco 7xx routers through the telnet service.
======================================================
Name: CVE-1999-0231
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0231
Phase: Modified (19991207-01)
Category: SF
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.
Current Votes:
   ACCEPT(2) Levy, Baker
   NOOP(3) Christey, Northcutt, Landfield
   RECAST(1) Frech
   REVIEWING(1) Ozancin

Voter Comments:
 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.
======================================================
Name: CVE-1999-0232
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0232
Phase: Modified (19991220-01)
Category: SF

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one
======================================================
Name: CVE-1999-0233
Status: Entry
Reference: MSKB:Q148188
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188
Reference: MSKB:Q155056
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056
Reference: XF:http-iis-cmd

IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.
======================================================
Name: CVE-1999-0234
Status: Entry
Reference: XF:bash-cmd
Reference: CERT:CA-96.22.bash_vuls

Bash treats any character with a value of 255 as a command separator.
======================================================
Name: CVE-1999-0235
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0235
Phase: Modified (19991220-01)
Category: SF
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Current Votes:
   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech
   REJECT(2) Christey, Baker

Voter Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem.
======================================================
Name: CVE-1999-0236
Status: Entry
Reference: XF:http-scriptalias

ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.
======================================================
Name: CVE-1999-0237
Status: Entry
Reference: XF:http-cgi-guestbook
Reference: CERT:VB-97.02

Remote execution of arbitrary commands through Guestbook CGI program.
======================================================
Name: CVE-1999-0238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0238
Phase: Proposed (19990623)
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.

Current Votes:
   ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker
   NOOP(1) Christey

Voter Comments:
 Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250
======================================================
Name: CVE-1999-0239
Status: Entry
Reference: XF:fastrack-get-directory-list
Reference: OSVDB:122
Reference: URL:http://www.osvdb.org/122

Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
======================================================
Name: CVE-1999-0240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0240
Phase: Proposed (19990728)
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Baker
   REJECT(1) Frech

Voter Comments:
 Frech> Would reconsider if any references were available.
======================================================
Name: CVE-1999-0241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0241
Phase: Modified (19990925-01)
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allow remote attackers to execute commands, e.g. through xterm.

Current Votes:
   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> Also add to references: XF:sol-mkcookie
 Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08
======================================================
Name: CVE-1999-0242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0242
Phase: Modified (20000106-01)
Category: SF
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Shostack, Christey, Northcutt, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here.
======================================================
Name: CVE-1999-0243
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0243
Phase: Proposed (19990714)
Category: SF

Linux cfingerd could be exploited to gain root access.

Current Votes:
   ACCEPT(1) Shostack
   NOOP(4) Levy, Northcutt, Wall, Baker
   REJECT(2) Frech, Christey

Voter Comments:
 Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/.
   Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability.
======================================================
Name: CVE-1999-0244
Status: Entry
Reference: NAI:NAI-23
Reference: XF:radius-accounting-overflow

Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.
======================================================
Name: CVE-1999-0245
Status: Entry
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus

Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".
======================================================
Name: CVE-1999-0246
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0246
Phase: Proposed (19990630)
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

Current Votes:
   ACCEPT(4) Frech, Hill, Prosser, Northcutt
   NOOP(1) Baker
   RECAST(1) Christey

Voter Comments:
 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name)
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superseded by later tools. Believe the biggest concern here is to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.
======================================================
Name: CVE-1999-0247
Status: Entry
Reference: NAI:19970721 INN news server vulnerabilities
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp
Reference: BID:1443
Reference: URL:http://www.securityfocus.com/bid/1443
Reference: XF:inn-bo

Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.
======================================================
Name: CVE-1999-0248
Status: Entry
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
Reference: CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1

A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.
======================================================
Name: CVE-1999-0249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0249
Phase: Proposed (19990714)
Category: SF

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Shostack, Northcutt
   RECAST(1) Christey
   REVIEWING(1) Levy

Voter Comments:
 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system.
======================================================
Name: CVE-1999-0250
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0250
Phase: Modified (20010301-01)
Category: SF
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

Current Votes:
   ACCEPT(2) Meunier, Hill
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

Voter Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list.
   The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   Also see Bugtraq threads on a different vulnerability that is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
   Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well.
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands.
   It appears that super@ufo.org followed up to the wrong message. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands.
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be prevented with configuration methods."
======================================================
Name: CVE-1999-0251
Status: Entry
Reference: XF:talkd-flash

Denial of service in talk program allows remote attackers to disrupt a user's display.
======================================================
Name: CVE-1999-0252
Status: Entry
Reference: XF:smtp-listserv

Buffer overflow in listserv allows arbitrary command execution.
======================================================
Name: CVE-1999-0253
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0253
Phase: Modified (20000106-01)
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Current Votes:
   ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Prosser, Wall
   REVIEWING(1) Christey

Voter Comments:
 Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
   Since the hotfix introduced the problem, this should be treated as a separate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814
======================================================
Name: CVE-1999-0254
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0254
Phase: Proposed (19990726)
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A