Candidate Modified ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. CA-98-13-tcp-denial-of-service 19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service http://www.openbsd.org/errata23.html#tcpfix 5707 Frech Northcutt, Wall Christey A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. XF:teardrop(338) This assignment was based solely on references to the CERT advisory. The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis. Entry Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 19981006-01-I CA-98.12.mountd J-006 121 linux-mountd-bo Entry Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). NAI-29 CA-98.11.tooltalk 19981101-01-A 19981101-01-PX aix-ttdbserver tooltalk 122 Candidate Modified MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. CA-98.10.mime_buffer_overflows outlook-long-name 00175 MS98-008 Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins Frech Christey Shostack Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-) This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 CVE-2000-0415 may be a later rediscovery of this problem for Outlook. Sun bug 4163471, ADDREF BID:125 BUGTRAQ:19980730 Long Filenames & Lotus Products URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2 Entry Arbitrary command execution via IMAP buffer overflow in authenticate command. CA-98.09.imapd 00177 130 imap-authenticate-bo Entry Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CA-98.08.qpopper_vul 19980801-01-I AA-98.01 qpopper-pass-overflow 133 Entry Information from SSL-encrypted sessions via PKCS #1. CA-98.07.PKCS MS98-002 nt-ssl-fix Entry Buffer overflow in NIS+, in Sun's rpc.nisd program. CA-98.06.nisd 00170 June10,1998 nisd-bo-check Entry Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. 19980603-01-PX HPSBUX9808-083 00180 CA-98.05.bind_problems bind-bo 134 Entry Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 bind-dos Entry Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 00180 bind-axfr-dos Entry Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CA-98.04.Win32.WebServers nt-web8.3 Entry Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CA-98.03.ssh-agent NAI-24 ssh-agent Entry Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 CA-98.02.CDE Candidate Proposed Teardrop IP denial of service. CA-97.28.Teardrop_Land teardrop Wall Frech Christey XF: teardrop-mod Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q154174 MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other. BID:124 http://www.securityfocus.com/bid/124 Consider MSKB:Q154174 http://support.microsoft.com/support/kb/articles/q154/1/74.asp Consider BUGTRAQ:19971113 Linux IP fragment overlap bug http://www.securityfocus.com/archive/1/8014 Entry Land IP denial of service. CA-97.28.Teardrop_Land FreeBSD-SA-98:01 HPSBUX9801-076 http://www.cisco.com/warp/public/770/land-pub.shtml cisco-land land 95-verv-tcp land-patch ver-tcpip-sys Entry FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CA-97.27.FTP_bounce ftp-bounce ftp-privileged-port Entry Buffer overflow in statd allows root privileges. CA-97.26.statd AA-97.29 statd 127 Entry Delete or create a file via rpc.statd, due to invalid information. CA-96.09.rpc.statd rpc-stat 00135 Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Levy, Northcutt, Wall, Shostack Christey, Baker XF:lpr-bo DUPE CVE-1999-0032, which includes XF:lpr-bo Entry Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 19971010 Security flaw in Count.cgi (wwwcount) CA-97.24.Count_cgi http-cgi-count 128 Entry Local user gains root privileges via buffer overflow in rdist, via expstr() function. CA-97.23.rdist 00179 rdist-bo3 rdist-sept97 Entry Local user gains root privileges via buffer overflow in rdist, via lookup() function. CA-96.14.rdist_vul rdist-bo rdist-bo2 Entry DNS cache poisoning via BIND, by predictable query IDs. CA-97.22.bind bind NAI-11 Entry root privileges via buffer overflow in df command on SGI IRIX systems. CA-1997-21 AA-97.19.IRIX.df.buffer.overflow.vul SGI:19970505-01-A SGI:19970505-02-PX VU#20851 346 df-bo(440) Entry root privileges via buffer overflow in pset command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.20.IRIX.pset.buffer.overflow.vul pset-bo Entry root privileges via buffer overflow in eject command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.21.IRIX.eject.buffer.overflow.vul eject-bo Entry root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.22.IRIX.login.scheme.buffer.overflow.vul sgi-schemebo Entry root privileges via buffer overflow in ordist command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.23-IRIX.ordist.buffer.overflow.vul ordist-bo Candidate Proposed root privileges via buffer overflow in xlock command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.24.IRIX.xlock.buffer.overflow.vul sgi-xlockbo 19970508-02-PX Ozancin, Levy, Prosser Baker Frech Christey XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme. Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder. As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 Sun also has this problem, at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba Entry JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CA-97.20.javascript HPSBUX9707-065 Entry Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 19960813 Possible bufferoverflow condition in lpr, xterm and xload 19961025 Linux & BSD's lpr exploit [freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit [linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. CA-97.19.bsdlp AA-96.12 H-08 I-042 19980402-01-PX 707 bsd-lprbo2 bsd-lprbo lpr-bo Candidate Modified Command execution in Sun systems via buffer overflow in the at program. CA-97.18.at 00160 sun-atbo Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins Christey Frech This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following: Reference: XF:at-bo Sun bug 1265200, 4063161 ADDREF SGI:19971102-01-PX ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX SCO:SB.97:01 ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a CIAC:F-15 http://ciac.llnl.gov/ciac/bulletins/f-15.shtml HP:HPSBUX9502-023 Add period to the end of the description. Entry Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CA-97.17.sperl perl-suid Entry Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. ftp-ftpd CA-97.16.ftpd AA-97.03 Entry IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CA-97.15.sgi_login AA-97.12 H-106 19970508-02-PX 990 sgi-lockout(557) Entry Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CA-97.14.metamail metamail-header-commands Entry Buffer overflow in xlock program allows local users to execute commands as root. CA-97.13.xlock xlock-bo Entry webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in 19970507 Re: SGI Advisory: webdist.cgi CA-1997-12 AA-97.14 19970501-02-PX 374 235 http-sgi-webdist(333) Entry Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CA-97.11.libXt libXt-bo Entry Buffer overflow in NLS (Natural Language Service). CA-97.10.nls nls-bo Entry Buffer overflow in University of Washington's implementation of IMAP and POP servers. NAI-21 CA-97.09.imap_pop popimap-bo Entry Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CA-97.08.innd inn-controlmsg Entry fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P sgi-fsdump Entry List of arbitrary files on Web host via nph-test-cgi script. CA-97.07.nph-test-cgi_script http-cgi-nph Entry Buffer overflow of rlogin program using TERM environmental variable. CA-97.06.rlogin-term rlogin-termbo Entry MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CA-97.05.sendmail 685 sendmail-mime-bo2 Entry Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CA-97.04.talkd FreeBSD-SA-96:21 AA-97.01 00147 talkd-bo netkit-talkd Entry Csetup under IRIX allows arbitrary file creation or overwriting. sgi-csetup CA-97.03.csetup Entry Buffer overflow in HP-UX newgrp program. CA-97.02.hp_newgrp AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability hp-newgrpbo Entry Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. sgi-licensemanager CA-97.01.flex_lm AA-96.03 Entry IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. FreeBSD-SA-98:08 908 freebsd-ip-frag-dos(1389) Entry TCP RST denial of service in FreeBSD. FreeBSD-SA-98:07 6094 Entry Sun's ftpd daemon can be subjected to a denial of service. 00171 sun-ftpd Entry Buffer overflows in Sun libnsl allow root access. 00172 IX80543 RSI.0005.05-14-98.SUN.LIBNSL sun-libnsl Entry Buffer overflow in Sun's ping program can give root access to local users. 00174 sun-ping Entry Vacation program allows command execution by remote users through a sendmail command. NAI-19 vacation HPSBUX9811-087 Entry Buffer overflow in PHP cgi program, php.cgi allows shell access. NAI-12 712 http-cgi-phpbo Entry IRIX fam service allows an attacker to obtain a list of all files on the server. NAI-16 353 164 irix-fam(325) Entry Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. NAI-26 ascend-config-kill http://www.ascend.com/2695.html Candidate Proposed File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). NAI-20 bsd-lpd Hill, Northcutt, Frech Baker Christey This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? in 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000. We should merge these. Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19: BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability URL:SNI-19:BSD lpd vulnerability Also add: BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI. Entry The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. openbsd-chpass NAI-28 7559 Entry Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. ESB-98.197 http://www.cisco.com/warp/public/770/iossyslog-pub.shtml cisco-syslog-crash Entry Buffer overflow in AIX lquerylv program gives root access to local users. May28,1997 lquerylv-bo Entry Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 hp-dtmail Entry AnyForm CGI remote execution. 19950731 SECURITY HOLE: "AnyForm" CGI 719 http-cgi-anyform Entry phf CGI program allows remote command execution through shell metacharacters. 19960923 PHF Attacks - Fun and games for the whole family CA-1996-06 AA-96.01 629 136 http-cgi-phf Entry CGI PHP mylog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts http-cgi-php-mylog 713 3396 Entry Solaris ufsrestore buffer overflow. 00169 sun-ufsrestore 8158 Entry test-cgi program allows an attacker to list files on the server. http-cgi-test Entry Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. http-apache-cookie NAI-2 Entry Buffer overflow in AIX xdat gives root access to local users. ERS-SVA-E01-1997:004.1 ibm-xdat Entry Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CA-95:14.Telnetd_Environment_Vulnerability linkerbug Entry Listening TCP ports are sequentially allocated, allowing spoofing attacks. seqport Entry PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd ftp-pasvcore 5742 Candidate Modified Buffer overflow in wu-ftp from PASV command causes a core dump. ftp-args Ozancin, Baker, Frech Balinsky Christey Don't know what this is. Is this the LIST Core dump vulnerability? Need to add more references and details. Entry Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) Candidate Modified pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. CA-96.08.pcnfsd rpc-pcnfsd Collins, Northcutt, Landfield, Frech, Shostack Baker Christey This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem. The permissions part of this vulnerability appears to overlap with CVE-1999-0353 SGI:20020802-01-I Entry Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. ftp-pasv-dos ftp-pasvdos Entry Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. 19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) CA-95:16.wu-ftpd.vul ftp-execdotdot Entry wu-ftp allows files to be overwritten via the rnfr command. ftp-rnfr Entry CWD ~root command in ftpd allows root access. ftp-cwd Improving the Security of Your Site by Breaking Into it Entry getcwd() file descriptor leak in FTP. cwdleak Entry Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Entry Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. 19960821 rwhod buffer overflow rwhod(119) rwhod-vuln(118) Candidate Interim AIX routed allows remote users to modify sensitive files. ERS-SVA-E01-1998:001.1 ibm-routed Northcutt, Shostack Prosser, Frech Baker Christey Reference: XF:ibm-routed This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes. This appears to be subsumed by CVE-1999-0215 Entry Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. ibm-telnetdos ERS-SVA-E01-1998:003.1 7992 Candidate Proposed IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. ERS-SVA-E01-1998:004.1 Northcutt, Shostack Prosser, Frech Baker Christey ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX DUPE CVE-1999-0210? ADDREF CIAC:J-014 It does look very similar to 1999-0210. Perhaps they should be a single entry Candidate Interim Buffer overflow in AIX libDtSvc library can allow local users to gain root access. ERS-SVA-E01-1997:005.1 ibm-libDtSvc Northcutt, Shostack Prosser, Frech Baker Christey Reference: XF:ibm-libDtSvc The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific. Same Codebase as CVE-1999-0121, so the two entries should be merged. Entry Buffer overflow in AIX rcp command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-rcp Entry Buffer overflow in AIX writesrv command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-writesrv Candidate Proposed Various vulnerabilities in the AIX portmir command allows local users to obtain root access. ERS-SVA-E01-1997:006.1 Baker, Bollinger Frech Ozancin XF:ibm-portmir Entry AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. ERS-SVA-E01-1997:008.1 ibm-nslookup Entry AIX piodmgrsu command allows local users to gain additional group privileges. ERS-SVA-E01-1997:007.1 ibm-piodmgrsu Entry The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CA-88.01 CA-93.14 1 195 smtp-debug Entry Sendmail decode alias can be used to overwrite sensitive files. CA-93.16 CA-95.05 A-13 A-14 00122 smtp-dcod Entry The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). ERS-SVA-E01-1997:009.1 ibm-ftp Candidate Proposed Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. smtp-helo-bo Baker, Frech Wall Christey (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available? Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO? BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference. Entry Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CA-95.13.syslog.vul smtp-syslog Entry Remote access in AIX innd 1.5.1, using control messages. ERS-SVA-E01-1997:002.1 inn-controlmsg Entry Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. ERS-SVA-E01-1997:001.1 ERS-SVA-E01-1996:007.1 00137a H-13 NAI-1 ghbn-bo Entry Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. slmail-fromheader-overflow Entry Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CA-96.01.UDP_service_denial echo chargen chargen-patch Candidate Modified A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. CA-97.28.Teardrop_Land teardrop-mod Wall, Frech Christey Another reference is Microsoft Knowledge Base Q179129. Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate. Add period to the end of the description. Candidate Proposed finger allows recursive searches by using a long string of @ symbols. Shostack, Baker, Frech Christey Northcutt fingerD XF:finger-bomb aka redirection or forwarding requests? (but then might overlap CVE-1999-0106) should change description to indicate the recursive searching can consume enough system resources to cause a DoS. Candidate Proposed Finger redirection allows finger bombs. Northcutt Shostack, Frech Baker Christey fingerd allows redirection This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously. XF:finger-bomb need more refs This should be merged with 1999-0105 Candidate Modified Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. apache-dos 19971230 Apache DoS attack? Baker Frech Shostack, Northcutt, Wall Levy Christey - Although this is probably the phf hack. XF:apache-dos This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service. BUGTRAQ: http://www.securityfocus.com/archive/1/10228 BUGTRAQ: http://www.securityfocus.com/archive/1/10516 Entry The printers program in IRIX has a buffer overflow that gives root access to local users. another day, another buffer overflow... printers-bo Entry Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 AA-97.06 ffbconfig-bo Candidate Interim ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Shostack, Levy, Northcutt, Wall Dik, Christey, Baker XF:fdformat-bo Duplicate of CVE-1999-0315 dup Entry RIP v1 is susceptible to spoofing. rip Entry Buffer overflow in AIX dtterm program for the CDE. 19970520 AIX 4.2 dtterm exploit dtterm-bo(878) Entry Some implementations of rlogin allow root access if given a -froot parameter. 19940729 -froot??? (AIX rlogin bug) CA-94.09.bin.login.vulnerability E-26 458 rlogin-froot Candidate Modified Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. 19990912 elm filter program 19951226 filter (elm package) security hole elm-filter2 Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong Baker, Frech Ozancin, Christey, Northcutt Levy XF:elm-filter2 [Wall changed vote from NOOP to ACCEPT] with Frech modifications ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995. BID:1802 URL:http://www.securityfocus.com/bid/1802 BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability? XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? Its references point to the December 26, 1995 BUgtraq post. Also consider CIAC:G-36 and CERT:VB-95:10 DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402) Entry AIX bugfiler program allows local users to gain root access. 19970909 AIX bugfiler ibm-bugfiler 1800 Entry Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CA-96.21.tcp_syn.flooding 19961202-01-PX 00136 Entry AIX passwd allows local users to gain root access. ibm-passwd CA-92:07.AIX.passwd.vulnerability Entry AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD aix-infod Candidate Proposed Windows NT 4.0 beta allows users to read and delete shares. Frech Northcutt, Baker Wall Reject based on beta copy. XF:nt-beta(11) Reconsider reject, because this beta was in widespread use. Entry Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 CA-94.06.utmp.vulnerability utmp-write Candidate Proposed Buffer overflow in dtaction command gives root access. 00164 ERS-SVA-E01-1997:005.1 Dik, Northcutt Prosser, Baker, Frech Christey Reference: XF:dtaction-bo Reference: XF:sun-dtaction Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin This is the Same Codebase as CVE-1999-0089, so the two entries should be merged. Replace sun-dtaction(732) with dtaction-bo(879) Merge with 1999-0089 Entry Buffer overflow in AIX lchangelv gives root access. Jul21,1999 lchangelv-bo Candidate Modified Race condition in Linux mailx command allows local users to read user files. linux-mailx 19951222 mailx-5.5 (slackware /bin/mail) security hole Ozancin, Baker, Frech Wall Entry Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CA-93:11.UMN.UNIX.gopher.vulnerability gopher-vuln Entry Buffer overflow in SGI IRIX mailx program. sgi-mailx-bo 19980605-01-PX Entry SGI IRIX buffer overflow in xterm and Xaw allows root access. VB-98.04.xterm.Xaw J-010 xfree86-xterm-xaw xfree86-xaw Candidate Proposed swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. CA-96.27.hp_sw_install AA-96.04 hpux-swinstall Prosser, Baker Frech Christey (keep current XF: reference, and add) XF:hpux-sqwmodify Perhaps this should be split, per SF-LOC. CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml HP:HPSBUX9707-064 references CERT:CA-96.27 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem: BUGTRAQ:19961005 swinst,bug http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2 Entry Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. ping-death CA-96.26.ping Entry Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CA-96.25.sendmail_groups Entry Local users can start Sendmail in daemon mode and gain root privileges. CA-96.24.sendmail.daemon.mode 716 sendmail-daemon-mode Entry Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CA-96.20.sendmail_vul smtp-875bo 717 Entry Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 11723 expreserve(401) Entry fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CA-96.18.fm_fls fmaker-logfile Entry vold in Solaris 2.x allows local users to gain root access. sol-voldtmp CA-96.17.Solaris_vold_vul AL-96.04 8159 Entry admintool in Solaris allows a local user to write to arbitrary files and gain root access. sun-admintool CA-96.16.Solaris_admintool_vul AL-96.03 Entry Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. sol-KCMSvuln AL-96.02 CA-96.15.Solaris_KCMS_vul Entry The dip program on many Linux systems allows local users to gain root access via a buffer overflow. linux-dipbo CA-96.13.dip_vul dip-bo Entry The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CA-96.12.suidperl_vul sperl-suid Entry Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. sol-mkcookie RSI.0012.12-03-98.SOLARIS.MKCOOKIE 8205 Candidate Proposed Denial of service in RAS/PPTP on NT systems. Hill Frech, Meunier Baker Christey Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future. XF:nt-ras-bo ONLY IF reference is to MS:MS99-016 According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source. [Christey changed vote from NOOP to REVIEWING] [Christey changed vote from REVIEWING to REJECT] This is too general to know which problem is being discussed. More precise candidates should be created. Consider adding BID:2111 Entry Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. http-java-applet CA-96.07.java_bytecode_verifier 00134 Entry The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CA-96.05.java_applet_security_mgr http-java-appletsecmgr Entry Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CA-96.03.kerberos_4_key_server kerberos-bf Candidate Modified Denial of service in Qmail by specifying a large number of recipients with the RCPT command. 19970612 qmail-dos-2.c, another denial of service attack 19970612 Re: Denial of service (qmail-smtpd) http://cr.yp.to/qmail/venema.html http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html 2237 qmail-rcpt Frech, Meunier, Hill, Baker Christey DUPE CVE-1999-0418 and CVE-1999-0250? Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html http://cr.yp.to/qmail/venema.html Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit. http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate. http://www.securityfocus.com/bid/2237 [Baker changed vote from REVIEWING to ACCEPT] qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Entry Sendmail WIZ command enabled, allowing root access. CA-1990-11 CA-1993-14 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it Entry The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. 19970715 Bug CGI campas 1975 http-cgi-campas(298) Entry The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. http-cgi-glimpse AA-97.28 Entry The handler CGI program in IRIX allows arbitrary command execution. 19970501-02-PX 380 http-sgi-handler Entry The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. 19970420 IRIX 6.x /cgi-bin/wrap bug 19970501-02-PX 373 247 http-sgi-wrap(290) Entry The Perl fingerd program allows arbitrary command execution from remote users. perl-fingerd Entry The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CA-95.07a.REVISED.satan.vul CA-95.06.satan.vul Entry The DG/UX finger daemon allows remote command execution through shell metacharacters. 19970811 dgux in.fingerd vulnerability dgux-fingerd Entry Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. win-oob 1666 Candidate Proposed IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. Q163485 Q164059 19970220 ! [ADVISORY] Major Security Hole in MS ASP http-iis-aspdot http-iis-aspsource Frech, Stracener, Wall, Foat Christey, Baker, Cole This is the precursor to the problem that is identified in CVE-1999-0253. CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml [Foat changed vote from NOOP to ACCEPT] Entry The ghostscript command with the -dSAFER option allows remote attackers to execute commands. gscript-dsafer CA-95.10.ghostscript Candidate Proposed wu-ftpd FTP daemon allows any user and password combination. ftp-pwless Shostack, Northcutt Baker Frech Christey, Prosser but so far can find no reference to this one Our records indicate that this does not necessarly affect just wu-ftp (ie, also affects IIS FTP server). The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information. Entry Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. http://www.cisco.com/warp/public/770/nifrag.shtml cisco-fragmented-attacks 1097 Entry Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure cisco-pix-file-exposure 685 Entry Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. http://www.cisco.com/warp/public/770/ioslogin-pub.shtml cisco-ios-crash Entry Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 19971001 Vulnerabilities in Cisco CHAP Authentication I-002A 1099 cisco-chap Entry In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. http://www.cisco.com/warp/public/707/1.html cisco-acl-tacacs 797 Entry The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. 19950601 "Established" Keyword May Allow Packets to Bypass Filter cisco-acl-established Candidate Proposed In older versions of Sendmail, an attacker could use a pipe character to execute root commands. smtp-pipe Frech, Northcutt Prosser Christey, Baker Shostack there was a 'To: |' and a 'From: |' attack, which I think are seperate. older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM ' Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack Entry A race condition in the Solaris ps command allows an attacker to overwrite critical files. sol-pstmprace AA-95.07 CA-95.09.Solaris.ps.vul 8346 Candidate Modified NFS cache poisoning. nfs-cache Frech, Northcutt, Baker Shostack Prosser Christey need more data need more refs Add period to the end of the description. Entry NFS allows users to use a "cd .." command to access other directories besides the exported file system. nfs-cd Entry In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. nfs-guess CA-91.21.SunOS.NFS.Jumbo.and.fsirand Entry The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. nfs-portmap Candidate Proposed NFS allows attackers to read and write any file on the system by specifying a false UID. nfs-uid Frech, Northcutt Baker Shostack this is not a vulnerability but a design feature. Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID." Entry Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. nfs-ultrix Candidate Proposed Denial of service in syslog by sending it a large number of superfluous messages. syslog-flood Frech, Northcutt Baker Shostack, Christey design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.. Duplicate of CVE-1999-0566 Entry FormMail CGI program allows remote execution of commands. http-cgi-formmail-exe Aug02,1995 Entry FormMail CGI program can be used by web servers other than the host server that the program resides on. http-cgi-formmail-use Entry The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19970208 view-source http-cgi-viewsrc Entry The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. http-nov-convert Entry The Webgais program allows a remote user to execute arbitrary commands. Jul10,1997 http-webgais-query Entry The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. 19970904 [Alert] Website's uploader.exe (from demo) vulnerable 19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable 19970904 [Alert] Website's uploader.exe (from demo) vulnerable http-website-uploader Entry Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. 19970106 Re: signal handling 2078 8 http-website-winsample(295) Entry Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 nt-samba-dotdot nt-351 nt-35 Entry in.rshd allows users to login with a NULL username and execute commands. rsh-null Entry The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. walld Entry Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 VB-97.10.samba nt-samba-bo Entry Linux implementations of TFTP would allow access to files outside the restricted directory. linux-tftp Entry When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. dns-updates Entry In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 sun-ftpd/logind Candidate Modified In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm 00178 snmp-backdoor-access Dik, Baker Frech Wall Christey Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Add ISS:Hidden Community String in SNMP Implementation What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. ADDREF BID:177 ISS:19981102 Hidden community string in SNMP implementation http://xforce.iss.net/alerts/advise11.php Change description to include "hidden" XF:snmp-backdoor-access is missing. Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Hill, Northcutt Frech, Prosser, Baker Dik Christey The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision XF:rdist-bo (error msg formation) XF:rdist-bo2 (execute code) XF:rdist-bo3 (execute user-created code) XF:rdist-sept97 (root from local) Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary. As currently phrasedm thissa duplicate of CVE-1999-0022 Based on our new philosophy, this should be recast/merged or re-described. Entry The passwd command in Solaris can be subjected to a denial of service. 00182 sun-passwd-dos Entry Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. NAI-15 00142 rpc-32771 Entry Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 sun-rpcbind Entry IIS newdsn.exe CGI script allows remote users to overwrite files. http-cgi-newdsn 275 Entry Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. SNI-20 bsd-tel-tgetent Candidate Proposed Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. Shostack, Bishop, Ozancin, Northcutt, Cole Blake, Baker Frech, Wall, Landfield, Armstrong Levy, Christey possibly XF:ascend-kill I can't find a reference that lists both routers in the same reference. Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing withour better references. What are the references for this ? I cannot find a means to check it out. [Frech changed vote from REVIEWING to NOOP] Cannot reconcile to our database without further references. I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a refernce to the 3Coms? If not, that should be removed from the description. http://xforce.iss.net/static/614.php Misc Defensive Info http://www.securityfocus.com/archive/1/5682 Misc Offensive Info http://www.securityfocus.com/archive/1/5647 Misc Defensive Info http://www.securityfocus.com/archive/1/5640 Misc Defensive Info [Armstrong changed vote from REVIEWING to NOOP] Entry Denial of service in in.comsat allows attackers to generate messages. comsat Candidate Modified Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. 19990128 rpcbind: deceive, enveigle and obfuscate Shostack, Balinsky Frech Northcutt, Wall, Baker Levy, Christey XF:rpcbind-spoof CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset Entry websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 19970704 Vulnerability in websendmail 2077 237 http-webgais-smail Candidate Proposed finger 0@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt fingerd may respond to 'finger 0@host' with account info Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature) Candidate Proposed finger .@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt as above Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check ) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature) Candidate Modified Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. Q137853 Baker Frech, Shostack Northcutt, Wall Christey Levy WFTP is not sufficient; is this wu-, ws-, war-, or another? Other have mentioned this before, but it may be WU-FTP. POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a non-anon FTP account and gain root privs. added MSKB reference [Christey changed vote from REVOTE to REJECT] The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsft FTP server. It's best to just kill this candidate where it stands and start fresh. Entry A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ftp-home Entry The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ftp-exectar Entry In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CA-95.08 E-03 smtp-sendmail-version5 Entry Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. ident-bo F-13 Candidate Modified Denial of service in Sendmail 8.6.11 and 8.6.12. 19990708 SM 8.6.12 Hill, Northcutt Frech, Prosser Baker Ozancin, Christey XF:sendmail-alias-dos additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread. Change Bugtraq reference date to 19950708. Entry MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. sendmail-mime-bo AA-96.06a Entry Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. majordomo-exe CA-94.11.majordomo.vulnerabilities Entry rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. rpc-update CA-95.17.rpc.ypupdated.vul Entry The SunView (SunTools) selection_svc facility allows remote users to read files. CA-90.05.sunselection.vulnerability 8 selsvc Entry Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. 19971126 Solaris 2.5.1 automountd exploit (fwd) 19990103 SUN almost has a clue! (automountd) HPSBUX9910-104 CA-99-05 235 Entry Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability 24 Entry Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 00168 I-048 sun-mountd Candidate Modified libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. sun-libnsl 4305859 Dik, Ozancin, Hill, Blake, Landfield, Cole Frech, Levy, Baker Bishop, Meunier, Wall, Armstrong Christey XF:sun-libnsl Sun bug #4305859 http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055. BID 148 Entry Denial of service by sending forged ICMP unreachable packets. icmp-unreachable Entry Routed allows attackers to append data to files. 19981004-01-PX J-012 ripapp Candidate Modified Denial of service of inetd on Linux through SYN and RST packets. 19971130 Linux inetd.. linux-inetd-dos HPSBUX9803-077 hp-inetd Hill Frech, Baker Meunier The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonnable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. XF:hp-inetd XF:linux-inetd-dos Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to mulitple OS and should be likely either modified, or in extreme case, recast Entry Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. udp-bomb Entry Livingston portmaster machines could be rebooted via a series of commands. portmaster-reboot Entry Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. 19990503 Buffer overflows in FTP Serv-U 2.5 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT 269 ftp-servu(205) Candidate Proposed Attackers can do a denial of service of IRC by crashing the server. Northcutt, Baker Frech, Christey Would reconsider if any references were available. No references available, combined with extremely vague description, equals REJECT. Entry Denial of service of Ascend routers through port 150 (remote administration). ascend-150-kill Candidate Proposed Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. Baker Frech, Shostack, Levy Balinsky, Northcutt, Wall Ziese Christey I follow cisco announcements and problems pretty closely, and haven't seen this. Source? XF:cisco-web-crash XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases? BUGTGRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154 The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verfied by my Company". If it can't be recast because this (long uri) is diffferent then our release (special url construction). [Christey changed vote from REVIEWING to REJECT] Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected. Entry Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 19961109 Syslogd and Solaris 2.4 1249320 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches sol-syslogd-crash 1878 Entry Denial of service in Windows NT messenger service through a long username. nt-messenger Entry Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 nt-logondos Candidate Proposed Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. Northcutt Frech Baker Christey Too general, and no references. XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net Entry Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 nt-lsass-crash Entry Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. nt-rpc-ver Q162567 Candidate Modified Denial of service in Windows NT IIS server using ..\.. Q115052 Shostack, Baker Frech, Wall Northcutt Christey Levy Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. XF:http-dotdot (not necessarily IIS?) DELREF XF:http-dotdot - it deals with a read/access dot dot problem. This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) [Christey changed vote from REVOTE to REJECT] Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Consider adding BID:2218 Entry Buffer overflow in Cisco 7xx routers through the telnet service. http://www.cisco.com/warp/public/770/pwbuf-pub.shtml 1102 Candidate Modified Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. 19990317 Re: SLMail 2.6 DoS - Imail also Levy, Baker Christey, Northcutt, Landfield Frech Ozancin XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) (There is no way I will have access to these systems) Some sources report that VRFY and EXPN are both affected. Candidate Modified Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. Hill, Northcutt Frech Prosser Baker Christey Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one Entry IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q148188 Q155056 http-iis-cmd Entry Bash treats any character with a value of 255 as a command separator. bash-cmd CA-96.22.bash_vuls Candidate Modified Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. CA-95:04 F-11 Hill, Prosser, Northcutt Frech Christey, Baker XF:http-ncsa-longurl CVE-1999-0235 has the same ref's as CVE-1999-0267 Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. Entry ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. http-scriptalias Entry Remote execution of arbitrary commands through Guestbook CGI program. http-cgi-guestbook VB-97.02 Candidate Proposed php.cgi allows attackers to read any file on the system. http-cgi-phpfileread Frech, Collins, Prosser, Northcutt, Baker Christey additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Consider adding BID:2250 Entry Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. fastrack-get-directory-list 122 Candidate Proposed Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. Northcutt Baker