Candidate Modified ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. CA-98-13-tcp-denial-of-service 19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service http://www.openbsd.org/errata23.html#tcpfix 5707 Frech Northcutt, Wall Christey A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. XF:teardrop(338) This assignment was based solely on references to the CERT advisory. The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis. Entry Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems. 19981006-01-I CA-98.12.mountd J-006 121 linux-mountd-bo Entry Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd). NAI-29 CA-98.11.tooltalk 19981101-01-A 19981101-01-PX aix-ttdbserver tooltalk 122 Candidate Modified MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. CA-98.10.mime_buffer_overflows outlook-long-name 00175 MS98-008 Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall Frech Christey Shostack Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-) This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 CVE-2000-0415 may be a later rediscovery of this problem for Outlook. Sun bug 4163471, ADDREF BID:125 BUGTRAQ:19980730 Long Filenames & Lotus Products URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2 Entry Arbitrary command execution via IMAP buffer overflow in authenticate command. CA-98.09.imapd 00177 130 imap-authenticate-bo Entry Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command. CA-98.08.qpopper_vul 19980801-01-I AA-98.01 qpopper-pass-overflow 133 Entry Information from SSL-encrypted sessions via PKCS #1. CA-98.07.PKCS MS98-002 nt-ssl-fix Entry Buffer overflow in NIS+, in Sun's rpc.nisd program. CA-98.06.nisd 00170 June10,1998 nisd-bo-check Entry Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. 19980603-01-PX HPSBUX9808-083 00180 CA-98.05.bind_problems bind-bo 134 Entry Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 bind-dos Entry Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CA-98.05.bind_problems 19980603-01-PX HPSBUX9808-083 00180 bind-axfr-dos Entry Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. CA-98.04.Win32.WebServers nt-web8.3 Entry Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. CA-98.03.ssh-agent NAI-24 ssh-agent Entry Unauthorized privileged access or denial of service via dtappgather program in CDE. HPSBUX9801-075 00185 CA-98.02.CDE Candidate Modified Teardrop IP denial of service. CA-97.28.Teardrop_Land oval:org.mitre.oval:def:5579 teardrop Wall Frech Christey XF: teardrop-mod Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q154174 MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other. BID:124 http://www.securityfocus.com/bid/124 Consider MSKB:Q154174 http://support.microsoft.com/support/kb/articles/q154/1/74.asp Consider BUGTRAQ:19971113 Linux IP fragment overlap bug http://www.securityfocus.com/archive/1/8014 Entry Land IP denial of service. CA-97.28.Teardrop_Land FreeBSD-SA-98:01 HPSBUX9801-076 http://www.cisco.com/warp/public/770/land-pub.shtml cisco-land land 95-verv-tcp land-patch ver-tcpip-sys Entry FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce. CA-97.27.FTP_bounce ftp-bounce ftp-privileged-port Entry Buffer overflow in statd allows root privileges. CA-97.26.statd AA-97.29 statd 127 Entry Delete or create a file via rpc.statd, due to invalid information. CA-96.09.rpc.statd rpc-stat 00135 Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Levy, Northcutt, Shostack, Wall Baker, Christey XF:lpr-bo DUPE CVE-1999-0032, which includes XF:lpr-bo Entry Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program. 19971010 Security flaw in Count.cgi (wwwcount) CA-97.24.Count_cgi http-cgi-count 128 Entry Local user gains root privileges via buffer overflow in rdist, via expstr() function. CA-97.23.rdist 00179 rdist-bo3 rdist-sept97 Entry Local user gains root privileges via buffer overflow in rdist, via lookup() function. CA-96.14.rdist_vul rdist-bo rdist-bo2 Entry DNS cache poisoning via BIND, by predictable query IDs. CA-97.22.bind bind NAI-11 Entry root privileges via buffer overflow in df command on SGI IRIX systems. CA-1997-21 AA-97.19.IRIX.df.buffer.overflow.vul SGI:19970505-01-A SGI:19970505-02-PX VU#20851 346 df-bo(440) Entry root privileges via buffer overflow in pset command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.20.IRIX.pset.buffer.overflow.vul pset-bo Entry root privileges via buffer overflow in eject command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.21.IRIX.eject.buffer.overflow.vul eject-bo Entry root privileges via buffer overflow in login/scheme command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.22.IRIX.login.scheme.buffer.overflow.vul sgi-schemebo Entry root privileges via buffer overflow in ordist command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.23-IRIX.ordist.buffer.overflow.vul ordist-bo Candidate Proposed root privileges via buffer overflow in xlock command on SGI IRIX systems. CA-97.21.sgi_buffer_overflow AA-97.24.IRIX.xlock.buffer.overflow.vul sgi-xlockbo 19970508-02-PX Levy, Ozancin, Prosser Baker Frech Christey XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme. Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder. As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 Sun also has this problem, at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba Entry JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability. CA-97.20.javascript HPSBUX9707-065 Entry Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option. 19960813 Possible bufferoverflow condition in lpr, xterm and xload 19961025 Linux & BSD's lpr exploit [freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit [linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program. CA-97.19.bsdlp AA-96.12 H-08 I-042 19980402-01-PX 707 bsd-lprbo2 bsd-lprbo lpr-bo Candidate Modified Command execution in Sun systems via buffer overflow in the at program. CA-97.18.at 00160 sun-atbo Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall Christey Frech This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following: Reference: XF:at-bo Sun bug 1265200, 4063161 ADDREF SGI:19971102-01-PX ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX SCO:SB.97:01 ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a CIAC:F-15 http://ciac.llnl.gov/ciac/bulletins/f-15.shtml HP:HPSBUX9502-023 Add period to the end of the description. Entry Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. CA-97.17.sperl perl-suid Entry Race condition in signal handling routine in ftpd, allowing read/write arbitrary files. ftp-ftpd CA-97.16.ftpd AA-97.03 Entry IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files. CA-97.15.sgi_login AA-97.12 H-106 19970508-02-PX 990 sgi-lockout(557) Entry Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail. CA-97.14.metamail metamail-header-commands Entry Buffer overflow in xlock program allows local users to execute commands as root. CA-97.13.xlock xlock-bo Entry webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in 19970507 Re: SGI Advisory: webdist.cgi CA-1997-12 AA-97.14 19970501-02-PX 374 235 http-sgi-webdist(333) Entry Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges. CA-97.11.libXt libXt-bo Entry Buffer overflow in NLS (Natural Language Service). CA-97.10.nls nls-bo Entry Buffer overflow in University of Washington's implementation of IMAP and POP servers. NAI-21 CA-97.09.imap_pop popimap-bo Entry Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. CA-97.08.innd inn-controlmsg Entry fsdump command in IRIX allows local users to obtain root access by modifying sensitive files. 19970301-01-P sgi-fsdump Entry List of arbitrary files on Web host via nph-test-cgi script. CA-97.07.nph-test-cgi_script http-cgi-nph Entry Buffer overflow of rlogin program using TERM environmental variable. CA-97.06.rlogin-term rlogin-termbo Entry MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. CA-97.05.sendmail 685 sendmail-mime-bo2 Entry Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges. CA-97.04.talkd FreeBSD-SA-96:21 AA-97.01 00147 talkd-bo netkit-talkd Entry Csetup under IRIX allows arbitrary file creation or overwriting. sgi-csetup CA-97.03.csetup Entry Buffer overflow in HP-UX newgrp program. CA-97.02.hp_newgrp AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability hp-newgrpbo Entry Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX. sgi-licensemanager CA-97.01.flex_lm AA-96.03 Entry IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. FreeBSD-SA-98:08 908 freebsd-ip-frag-dos(1389) Entry TCP RST denial of service in FreeBSD. FreeBSD-SA-98:07 6094 Entry Sun's ftpd daemon can be subjected to a denial of service. 00171 sun-ftpd Entry Buffer overflows in Sun libnsl allow root access. 00172 IX80543 RSI.0005.05-14-98.SUN.LIBNSL sun-libnsl Entry Buffer overflow in Sun's ping program can give root access to local users. 00174 sun-ping Entry Vacation program allows command execution by remote users through a sendmail command. NAI-19 vacation HPSBUX9811-087 Entry Buffer overflow in PHP cgi program, php.cgi allows shell access. NAI-12 712 http-cgi-phpbo Entry IRIX fam service allows an attacker to obtain a list of all files on the server. NAI-16 353 164 irix-fam(325) Entry Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. NAI-26 ascend-config-kill http://www.ascend.com/2695.html Candidate Proposed File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). NAI-20 bsd-lpd Frech, Hill, Northcutt Baker Christey This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? in 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000. We should merge these. Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19: BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability URL:SNI-19:BSD lpd vulnerability Also add: BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI. Entry The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. openbsd-chpass NAI-28 7559 Entry Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. ESB-98.197 http://www.cisco.com/warp/public/770/iossyslog-pub.shtml cisco-syslog-crash Entry Buffer overflow in AIX lquerylv program gives root access to local users. May28,1997 lquerylv-bo Entry Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands. 00181 hp-dtmail Entry AnyForm CGI remote execution. 19950731 SECURITY HOLE: "AnyForm" CGI 719 http-cgi-anyform Entry phf CGI program allows remote command execution through shell metacharacters. 19960923 PHF Attacks - Fun and games for the whole family CA-1996-06 AA-96.01 629 136 http-cgi-phf Entry CGI PHP mylog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts http-cgi-php-mylog 713 3396 Entry Solaris ufsrestore buffer overflow. 00169 sun-ufsrestore 8158 Entry test-cgi program allows an attacker to list files on the server. http-cgi-test Entry Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. http-apache-cookie NAI-2 Entry Buffer overflow in AIX xdat gives root access to local users. ERS-SVA-E01-1997:004.1 ibm-xdat Entry Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access. CA-95:14.Telnetd_Environment_Vulnerability linkerbug Entry Listening TCP ports are sequentially allocated, allowing spoofing attacks. seqport Entry PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password. 19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd ftp-pasvcore 5742 Candidate Modified Buffer overflow in wu-ftp from PASV command causes a core dump. ftp-args Baker, Frech, Ozancin Balinsky Christey Don't know what this is. Is this the LIST Core dump vulnerability? Need to add more references and details. Entry Predictable TCP sequence numbers allow spoofing. tcp-seq-predict(139) Candidate Modified pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. CA-96.08.pcnfsd rpc-pcnfsd Collins, Frech, Landfield, Northcutt, Shostack Baker Christey This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem. The permissions part of this vulnerability appears to overlap with CVE-1999-0353 SGI:20020802-01-I Entry Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports. ftp-pasv-dos ftp-pasvdos Entry Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command. 19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) CA-95:16.wu-ftpd.vul ftp-execdotdot Entry wu-ftp allows files to be overwritten via the rnfr command. ftp-rnfr Entry CWD ~root command in ftpd allows root access. ftp-cwd Improving the Security of Your Site by Breaking Into it Entry getcwd() file descriptor leak in FTP. cwdleak Entry Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. nfs-mknod(78) Entry Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname. 19960821 rwhod buffer overflow rwhod(119) rwhod-vuln(118) Candidate Interim AIX routed allows remote users to modify sensitive files. ERS-SVA-E01-1998:001.1 ibm-routed Northcutt, Shostack Frech, Prosser Baker Christey Reference: XF:ibm-routed This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes. This appears to be subsumed by CVE-1999-0215 Entry Denial of service in AIX telnet can freeze a system and prevent users from accessing the server. ibm-telnetdos ERS-SVA-E01-1998:003.1 7992 Candidate Proposed IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. ERS-SVA-E01-1998:004.1 Northcutt, Shostack Frech, Prosser Baker Christey ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX DUPE CVE-1999-0210? ADDREF CIAC:J-014 It does look very similar to 1999-0210. Perhaps they should be a single entry Candidate Interim Buffer overflow in AIX libDtSvc library can allow local users to gain root access. ERS-SVA-E01-1997:005.1 ibm-libDtSvc Northcutt, Shostack Frech, Prosser Baker Christey Reference: XF:ibm-libDtSvc The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific. Same Codebase as CVE-1999-0121, so the two entries should be merged. Entry Buffer overflow in AIX rcp command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-rcp Entry Buffer overflow in AIX writesrv command allows local users to obtain root access. ERS-SVA-E01-1997:005.1 ibm-writesrv Candidate Proposed Various vulnerabilities in the AIX portmir command allows local users to obtain root access. ERS-SVA-E01-1997:006.1 Baker, Bollinger Frech Ozancin XF:ibm-portmir Entry AIX nslookup command allows local users to obtain root access by not dropping privileges correctly. ERS-SVA-E01-1997:008.1 ibm-nslookup Entry AIX piodmgrsu command allows local users to gain additional group privileges. ERS-SVA-E01-1997:007.1 ibm-piodmgrsu Entry The debug command in Sendmail is enabled, allowing attackers to execute commands as root. CA-88.01 CA-93.14 1 195 smtp-debug Entry Sendmail decode alias can be used to overwrite sensitive files. CA-93.16 CA-95.05 A-13 A-14 00122 smtp-dcod Entry The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character). ERS-SVA-E01-1997:009.1 ibm-ftp Candidate Proposed Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. smtp-helo-bo Baker, Frech Wall Christey (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available? Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO? BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference. Entry Buffer overflow in syslog utility allows local or remote attackers to gain root privileges. CA-95.13.syslog.vul smtp-syslog Entry Remote access in AIX innd 1.5.1, using control messages. ERS-SVA-E01-1997:002.1 inn-controlmsg Entry Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. ERS-SVA-E01-1997:001.1 ERS-SVA-E01-1996:007.1 00137a H-13 NAI-1 ghbn-bo Entry Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line. slmail-fromheader-overflow Entry Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. CA-96.01.UDP_service_denial echo chargen chargen-patch Candidate Modified A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. CA-97.28.Teardrop_Land oval:org.mitre.oval:def:5743 teardrop-mod Frech, Wall Christey Another reference is Microsoft Knowledge Base Q179129. Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate. Add period to the end of the description. Candidate Proposed finger allows recursive searches by using a long string of @ symbols. Baker, Frech, Shostack Christey Northcutt fingerD XF:finger-bomb aka redirection or forwarding requests? (but then might overlap CVE-1999-0106) should change description to indicate the recursive searching can consume enough system resources to cause a DoS. Candidate Proposed Finger redirection allows finger bombs. Northcutt Frech, Shostack Baker Christey fingerd allows redirection This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously. XF:finger-bomb need more refs This should be merged with 1999-0105 Candidate Modified Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. apache-dos 19971230 Apache DoS attack? Baker Frech Northcutt, Shostack, Wall Levy Christey - Although this is probably the phf hack. XF:apache-dos This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service. BUGTRAQ: http://www.securityfocus.com/archive/1/10228 BUGTRAQ: http://www.securityfocus.com/archive/1/10516 Entry The printers program in IRIX has a buffer overflow that gives root access to local users. another day, another buffer overflow... printers-bo Entry Buffer overflow in ffbconfig in Solaris 2.5.1. 00140 AA-97.06 ffbconfig-bo Candidate Interim ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Frech Levy, Northcutt, Shostack, Wall Baker, Christey, Dik XF:fdformat-bo Duplicate of CVE-1999-0315 dup Entry RIP v1 is susceptible to spoofing. rip Entry Buffer overflow in AIX dtterm program for the CDE. 19970520 AIX 4.2 dtterm exploit dtterm-bo(878) Entry Some implementations of rlogin allow root access if given a -froot parameter. 19940729 -froot??? (AIX rlogin bug) CA-94.09.bin.login.vulnerability E-26 458 rlogin-froot Candidate Modified Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. 19990912 elm filter program 19951226 filter (elm package) security hole elm-filter2 Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall Baker, Frech Christey, Northcutt, Ozancin Levy XF:elm-filter2 [Wall changed vote from NOOP to ACCEPT] with Frech modifications ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995. BID:1802 URL:http://www.securityfocus.com/bid/1802 BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability? XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? Its references point to the December 26, 1995 BUgtraq post. Also consider CIAC:G-36 and CERT:VB-95:10 DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402) Entry AIX bugfiler program allows local users to gain root access. 19970909 AIX bugfiler ibm-bugfiler 1800 Entry Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. CA-96.21.tcp_syn.flooding 19961202-01-PX 00136 Entry AIX passwd allows local users to gain root access. ibm-passwd CA-92:07.AIX.passwd.vulnerability Entry AIX infod allows local users to gain root access through an X display. 19981119 RSI.0011.11-09-98.AIX.INFOD aix-infod Candidate Proposed Windows NT 4.0 beta allows users to read and delete shares. Frech Baker, Northcutt Wall Reject based on beta copy. XF:nt-beta(11) Reconsider reject, because this beta was in widespread use. Entry Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root. 00126 CA-94.06.utmp.vulnerability utmp-write Candidate Proposed Buffer overflow in dtaction command gives root access. 00164 ERS-SVA-E01-1997:005.1 Dik, Northcutt Baker, Frech, Prosser Christey Reference: XF:dtaction-bo Reference: XF:sun-dtaction Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin This is the Same Codebase as CVE-1999-0089, so the two entries should be merged. Replace sun-dtaction(732) with dtaction-bo(879) Merge with 1999-0089 Entry Buffer overflow in AIX lchangelv gives root access. Jul21,1999 lchangelv-bo Candidate Modified Race condition in Linux mailx command allows local users to read user files. linux-mailx 19951222 mailx-5.5 (slackware /bin/mail) security hole Baker, Frech, Ozancin Wall Entry Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon. CA-93:11.UMN.UNIX.gopher.vulnerability gopher-vuln Entry Buffer overflow in SGI IRIX mailx program. sgi-mailx-bo 19980605-01-PX Entry SGI IRIX buffer overflow in xterm and Xaw allows root access. VB-98.04.xterm.Xaw J-010 xfree86-xterm-xaw xfree86-xaw Candidate Proposed swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. CA-96.27.hp_sw_install AA-96.04 hpux-swinstall Baker, Prosser Frech Christey (keep current XF: reference, and add) XF:hpux-sqwmodify Perhaps this should be split, per SF-LOC. CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml HP:HPSBUX9707-064 references CERT:CA-96.27 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem: BUGTRAQ:19961005 swinst,bug http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2 Entry Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death. ping-death CA-96.26.ping Entry Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. CA-96.25.sendmail_groups Entry Local users can start Sendmail in daemon mode and gain root privileges. CA-96.24.sendmail.daemon.mode 716 sendmail-daemon-mode Entry Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users. CA-96.20.sendmail_vul smtp-875bo 717 Entry Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access. CA-1996-19 11723 expreserve(401) Entry fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access. CA-96.18.fm_fls fmaker-logfile Entry vold in Solaris 2.x allows local users to gain root access. sol-voldtmp CA-96.17.Solaris_vold_vul AL-96.04 8159 Entry admintool in Solaris allows a local user to write to arbitrary files and gain root access. sun-admintool CA-96.16.Solaris_admintool_vul AL-96.03 Entry Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access. sol-KCMSvuln AL-96.02 CA-96.15.Solaris_KCMS_vul Entry The dip program on many Linux systems allows local users to gain root access via a buffer overflow. linux-dipbo CA-96.13.dip_vul dip-bo Entry The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access. CA-96.12.suidperl_vul sperl-suid Entry Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access. sol-mkcookie RSI.0012.12-03-98.SOLARIS.MKCOOKIE 8205 Candidate Proposed Denial of service in RAS/PPTP on NT systems. Hill Frech, Meunier Baker Christey Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future. XF:nt-ras-bo ONLY IF reference is to MS:MS99-016 According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source. [Christey changed vote from NOOP to REVIEWING] [Christey changed vote from REVIEWING to REJECT] This is too general to know which problem is being discussed. More precise candidates should be created. Consider adding BID:2111 Entry Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet. http-java-applet CA-96.07.java_bytecode_verifier 00134 Entry The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts. CA-96.05.java_applet_security_mgr http-java-appletsecmgr Entry Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys. CA-96.03.kerberos_4_key_server kerberos-bf Candidate Modified Denial of service in Qmail by specifying a large number of recipients with the RCPT command. 19970612 qmail-dos-2.c, another denial of service attack 19970612 Re: Denial of service (qmail-smtpd) http://cr.yp.to/qmail/venema.html http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html 2237 qmail-rcpt Baker, Frech, Hill, Meunier Christey DUPE CVE-1999-0418 and CVE-1999-0250? Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html http://cr.yp.to/qmail/venema.html Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit. http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate. http://www.securityfocus.com/bid/2237 [Baker changed vote from REVIEWING to ACCEPT] qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Entry Sendmail WIZ command enabled, allowing root access. CA-1990-11 CA-1993-14 19950206 sendmail wizard thing... Improving the Security of Your Site by Breaking Into it Entry The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file. 19970715 Bug CGI campas 1975 http-cgi-campas(298) Entry The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands. http-cgi-glimpse AA-97.28 Entry The handler CGI program in IRIX allows arbitrary command execution. 19970501-02-PX 380 http-sgi-handler Entry The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. 19970420 IRIX 6.x /cgi-bin/wrap bug 19970501-02-PX 373 247 http-sgi-wrap(290) Entry The Perl fingerd program allows arbitrary command execution from remote users. perl-fingerd Entry The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. CA-95.07a.REVISED.satan.vul CA-95.06.satan.vul Entry The DG/UX finger daemon allows remote command execution through shell metacharacters. 19970811 dgux in.fingerd vulnerability dgux-fingerd Entry Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke. win-oob 1666 Candidate Proposed IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. Q163485 Q164059 19970220 ! [ADVISORY] Major Security Hole in MS ASP http-iis-aspdot http-iis-aspsource Foat, Frech, Stracener, Wall Baker, Christey, Cole This is the precursor to the problem that is identified in CVE-1999-0253. CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml [Foat changed vote from NOOP to ACCEPT] Entry The ghostscript command with the -dSAFER option allows remote attackers to execute commands. gscript-dsafer CA-95.10.ghostscript Candidate Proposed wu-ftpd FTP daemon allows any user and password combination. ftp-pwless Northcutt, Shostack Baker Frech Christey, Prosser but so far can find no reference to this one Our records indicate that this does not necessarly affect just wu-ftp (ie, also affects IIS FTP server). The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information. Entry Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. http://www.cisco.com/warp/public/770/nifrag.shtml cisco-fragmented-attacks 1097 Entry Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. 20010913 Cisco PIX Firewall Manager File Exposure cisco-pix-file-exposure 685 Entry Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. http://www.cisco.com/warp/public/770/ioslogin-pub.shtml cisco-ios-crash Entry Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. 19971001 Vulnerabilities in Cisco CHAP Authentication I-002A 1099 cisco-chap Entry In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. http://www.cisco.com/warp/public/707/1.html cisco-acl-tacacs 797 Entry The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. 19950601 "Established" Keyword May Allow Packets to Bypass Filter cisco-acl-established Candidate Proposed In older versions of Sendmail, an attacker could use a pipe character to execute root commands. smtp-pipe Frech, Northcutt Prosser Baker, Christey Shostack there was a 'To: |' and a 'From: |' attack, which I think are seperate. older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM ' Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack Entry A race condition in the Solaris ps command allows an attacker to overwrite critical files. sol-pstmprace AA-95.07 CA-95.09.Solaris.ps.vul 8346 Candidate Modified NFS cache poisoning. nfs-cache Baker, Frech, Northcutt Shostack Prosser Christey need more data need more refs Add period to the end of the description. Entry NFS allows users to use a "cd .." command to access other directories besides the exported file system. nfs-cd Entry In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system. nfs-guess CA-91.21.SunOS.NFS.Jumbo.and.fsirand Entry The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions. nfs-portmap Candidate Proposed NFS allows attackers to read and write any file on the system by specifying a false UID. nfs-uid Frech, Northcutt Baker Shostack this is not a vulnerability but a design feature. Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID." Entry Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list. nfs-ultrix Candidate Proposed Denial of service in syslog by sending it a large number of superfluous messages. syslog-flood Frech, Northcutt Baker Christey, Shostack design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.. Duplicate of CVE-1999-0566 Entry FormMail CGI program allows remote execution of commands. http-cgi-formmail-exe Aug02,1995 Entry FormMail CGI program can be used by web servers other than the host server that the program resides on. http-cgi-formmail-use Entry The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19970208 view-source http-cgi-viewsrc Entry The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server. http-nov-convert Entry The Webgais program allows a remote user to execute arbitrary commands. Jul10,1997 http-webgais-query Entry The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs. 19970904 [Alert] Website's uploader.exe (from demo) vulnerable 19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable 19970904 [Alert] Website's uploader.exe (from demo) vulnerable http-website-uploader Entry Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string. 19970106 Re: signal handling 2078 8 http-website-winsample(295) Entry Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share. Q140818 nt-samba-dotdot nt-351 nt-35 Entry in.rshd allows users to login with a NULL username and execute commands. rsh-null Entry The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands. walld Entry Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password. H-110 VB-97.10.samba nt-samba-bo Entry Linux implementations of TFTP would allow access to files outside the restricted directory. linux-tftp Entry When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. dns-updates Entry In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution. 00156 sun-ftpd/logind Candidate Modified In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm 00178 snmp-backdoor-access Baker, Dik Frech Wall Christey Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Add ISS:Hidden Community String in SNMP Implementation What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. ADDREF BID:177 ISS:19981102 Hidden community string in SNMP implementation http://xforce.iss.net/alerts/advise11.php Change description to include "hidden" XF:snmp-backdoor-access is missing. Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Hill, Northcutt Baker, Frech, Prosser Dik Christey The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision XF:rdist-bo (error msg formation) XF:rdist-bo2 (execute code) XF:rdist-bo3 (execute user-created code) XF:rdist-sept97 (root from local) Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary. As currently phrasedm thissa duplicate of CVE-1999-0022 Based on our new philosophy, this should be recast/merged or re-described. Entry The passwd command in Solaris can be subjected to a denial of service. 00182 sun-passwd-dos Entry Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111. NAI-15 00142 rpc-32771 Entry Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access. 00167 sun-rpcbind Entry IIS newdsn.exe CGI script allows remote users to overwrite files. http-cgi-newdsn 275 Entry Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable. SNI-20 bsd-tel-tgetent Candidate Proposed Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. Bishop, Cole, Northcutt, Ozancin, Shostack Baker, Blake Armstrong, Frech, Landfield, Wall Christey, Levy possibly XF:ascend-kill I can't find a reference that lists both routers in the same reference. Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing withour better references. What are the references for this ? I cannot find a means to check it out. [Frech changed vote from REVIEWING to NOOP] Cannot reconcile to our database without further references. I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a refernce to the 3Coms? If not, that should be removed from the description. http://xforce.iss.net/static/614.php Misc Defensive Info http://www.securityfocus.com/archive/1/5682 Misc Offensive Info http://www.securityfocus.com/archive/1/5647 Misc Defensive Info http://www.securityfocus.com/archive/1/5640 Misc Defensive Info [Armstrong changed vote from REVIEWING to NOOP] Entry Denial of service in in.comsat allows attackers to generate messages. comsat Candidate Modified Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. 19990128 rpcbind: deceive, enveigle and obfuscate Balinsky, Shostack Frech Baker, Northcutt, Wall Christey, Levy XF:rpcbind-spoof CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset Entry websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable). 19970704 Vulnerability in websendmail 2077 237 http-webgais-smail Candidate Proposed finger 0@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt fingerd may respond to 'finger 0@host' with account info Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature) Candidate Proposed finger .@host on some systems may print information on some user accounts. Baker Frech, Shostack Northcutt as above Need more reference to establish this 'exposure'. [Frech changed vote from REVIEWING to MODIFY] XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check ) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature) Candidate Modified Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password. Q137853 Baker Frech, Shostack Northcutt, Wall Christey Levy WFTP is not sufficient; is this wu-, ws-, war-, or another? Other have mentioned this before, but it may be WU-FTP. POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a non-anon FTP account and gain root privs. added MSKB reference [Christey changed vote from REVOTE to REJECT] The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsft FTP server. It's best to just kill this candidate where it stands and start fresh. Entry A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user. ftp-home Entry The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands. ftp-exectar Entry In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. CA-95.08 E-03 smtp-sendmail-version5 Entry Sendmail 8.6.9 allows remote attackers to execute root commands, using ident. ident-bo F-13 Candidate Modified Denial of service in Sendmail 8.6.11 and 8.6.12. 19990708 SM 8.6.12 Hill, Northcutt Frech, Prosser Baker Christey, Ozancin XF:sendmail-alias-dos additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread. Change Bugtraq reference date to 19950708. Entry MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. sendmail-mime-bo AA-96.06a Entry Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. majordomo-exe CA-94.11.majordomo.vulnerabilities Entry rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. rpc-update CA-95.17.rpc.ypupdated.vul Entry The SunView (SunTools) selection_svc facility allows remote users to read files. CA-90.05.sunselection.vulnerability 8 selsvc Entry Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters. 19971126 Solaris 2.5.1 automountd exploit (fwd) 19990103 SUN almost has a clue! (automountd) HPSBUX9910-104 CA-99-05 235 Entry Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone. CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability 24 Entry Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server. 00168 I-048 sun-mountd Candidate Modified libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. sun-libnsl 4305859 Blake, Cole, Dik, Hill, Landfield, Ozancin Baker, Frech, Levy Armstrong, Bishop, Meunier, Wall Christey XF:sun-libnsl Sun bug #4305859 http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055. BID 148 Entry Denial of service by sending forged ICMP unreachable packets. icmp-unreachable Entry Routed allows attackers to append data to files. 19981004-01-PX J-012 ripapp Candidate Modified Denial of service of inetd on Linux through SYN and RST packets. 19971130 Linux inetd.. linux-inetd-dos HPSBUX9803-077 hp-inetd Hill Baker, Frech Meunier The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonnable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. XF:hp-inetd XF:linux-inetd-dos Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to mulitple OS and should be likely either modified, or in extreme case, recast Entry Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems. udp-bomb Entry Livingston portmaster machines could be rebooted via a series of commands. portmaster-reboot Entry Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command. 19990503 Buffer overflows in FTP Serv-U 2.5 19990504 Re: Buffer overflows in FTP Serv-U 2.5 19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT 269 ftp-servu(205) Candidate Proposed Attackers can do a denial of service of IRC by crashing the server. Baker, Northcutt Christey, Frech Would reconsider if any references were available. No references available, combined with extremely vague description, equals REJECT. Entry Denial of service of Ascend routers through port 150 (remote administration). ascend-150-kill Candidate Proposed Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. Baker Frech, Levy, Shostack Balinsky, Northcutt, Wall Ziese Christey I follow cisco announcements and problems pretty closely, and haven't seen this. Source? XF:cisco-web-crash XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases? BUGTGRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154 The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verfied by my Company". If it can't be recast because this (long uri) is diffferent then our release (special url construction). [Christey changed vote from REVIEWING to REJECT] Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected. Entry Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 19961109 Syslogd and Solaris 2.4 1249320 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches sol-syslogd-crash 1878 Entry Denial of service in Windows NT messenger service through a long username. nt-messenger Entry Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size. 19980214 Windows NT Logon Denial of Service Q180963 nt-logondos Candidate Proposed Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. Northcutt Frech Baker Christey Too general, and no references. XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net Entry Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service. Q154087 nt-lsass-crash Entry Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. nt-rpc-ver Q162567 Candidate Modified Denial of service in Windows NT IIS server using ..\.. Q115052 Baker, Shostack Frech, Wall Northcutt Christey Levy Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. XF:http-dotdot (not necessarily IIS?) DELREF XF:http-dotdot - it deals with a read/access dot dot problem. This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) [Christey changed vote from REVOTE to REJECT] Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Consider adding BID:2218 Entry Buffer overflow in Cisco 7xx routers through the telnet service. http://www.cisco.com/warp/public/770/pwbuf-pub.shtml 1102 Candidate Modified Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. 19990317 Re: SLMail 2.6 DoS - Imail also Baker, Levy Christey, Landfield, Northcutt Frech Ozancin XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) (There is no way I will have access to these systems) Some sources report that VRFY and EXPN are both affected. Candidate Modified Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. Hill, Northcutt Frech Prosser Baker Christey Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one Entry IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Q148188 Q155056 http-iis-cmd Entry Bash treats any character with a value of 255 as a command separator. bash-cmd CA-96.22.bash_vuls Candidate Modified Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access. CA-95:04 F-11 Hill, Northcutt, Prosser Frech Baker, Christey XF:http-ncsa-longurl CVE-1999-0235 has the same ref's as CVE-1999-0267 Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. Entry ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs. http-scriptalias Entry Remote execution of arbitrary commands through Guestbook CGI program. http-cgi-guestbook VB-97.02 Candidate Proposed php.cgi allows attackers to read any file on the system. http-cgi-phpfileread Baker, Collins, Frech, Northcutt, Prosser Christey additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Consider adding BID:2250 Entry Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. fastrack-get-directory-list 122 Candidate Proposed Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. Northcutt Baker Frech Would reconsider if any references were available. Candidate Modified Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. http-xguess-cookie Hill, Northcutt, Proctor Frech, Prosser Baker Christey Also add to references: XF:sol-mkcookie additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either. CIAC:G-04 URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml SGI:19960601-01-I URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I CERT:VB-95:08 Candidate Modified Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. 19951222 mailx-5.5 (slackware /bin/mail) security hole linux-pop3d Baker Frech Christey, Northcutt, Shostack, Wall Levy Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail) At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here. Candidate Proposed Linux cfingerd could be exploited to gain root access. Shostack Baker, Levy, Northcutt, Wall Christey, Frech This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. [Frech changed vote from REVIEWING to REJECT] If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. Entry Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root. NAI-23 radius-accounting-overflow Entry Some configurations of NIS+ in Linux allowed attackers to log in as the user "+". 19950907 Linux NIS security problem hole and fix linux-plus Candidate Proposed HP Remote Watch allows a remote user to gain root access. hp-remote Frech, Hill, Northcutt, Prosser Baker Christey Comment: Determine if it's RemoteWatch or Remote Watch. HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name) ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superceded by later tools. Believe the biggest concern here is to just not run the tool at all. CIAC:H-16 Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul Also BUGTRAQ:19961013 BoS: SOD remote exploit http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 Include "remwatch" in the description to facilitate search. Entry Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands. 19970721 INN news server vulnerabilities 1443 inn-bo Entry A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials. http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1 Candidate Proposed Windows NT RSHSVC program allows remote users to execute arbitrary commands. Baker Frech, Wall Northcutt, Shostack Christey Levy Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit. XF:rsh-svc MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system. Candidate Modified Denial of service in Qmail through long SMTP commands. 19970612 qmail-dos-2.c, another denial of service attack http://cr.yp.to/qmail/venema.html http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html qmail-leng Hill, Meunier Frech Baker Christey XF:qmail-rcpt DUPE CVE-1999-0418 and CVE-1999-0144? Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached. http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected. [Baker changed vote from REVIEWING to REJECT] XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well. qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Entry Denial of service in talk program allows remote attackers to disrupt a user's display. talkd-flash Entry Buffer overflow in listserv allows arbitrary command execution. smtp-listserv Candidate Modified IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. http-iis-2e 19970319 Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt LeBlanc Ozancin, Prosser, Wall Christey This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a seaprate issue. Agree with the comment. - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT [Christey changed vote from NOOP to REVIEWING] BID:1814 URL:http://www.securityfocus.com/bid/1814 Candidate Proposed A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information. Hidden SNMP community in HP OpenView hpov-hidden-snmp-comm Baker, Frech Wall Christey What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. Candidate Proposed Buffer overflow in ircd allows arbitrary command execution. Baker, Hill, Northcutt Frech Prosser Christey XF:irc-bo This is too general and doesn't have any references. The XF reference doesn't appear toe xist any more. Perhaps this reference would help: BUGTRAQ:19970701 ircd buffer overflow It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post. Entry Buffer overflow in War FTP allows remote execution of commands. war-ftpd 875 Candidate Proposed Nestea variation of teardrop IP fragmentation denial of service. Wall Frech Christey XF:nestea-linux-dos Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. Also see BUGTRAQ:19990909 CISCO and nestea. Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c. See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. BUGTRAQ:19980501 nestea does other things http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html Candidate Proposed Bonk variation of teardrop IP fragmentation denial of service. Frech, Wall Christey Reference Q179129 XF:teardrop-mod Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. BUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 NTBUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 NTBUGTRAQ:19980109 Re: Bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 CIAC:I-031a http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability. Entry cfingerd lists all users on a system via search.**@target. 19970523 cfingerd vulnerability cfinger-user-enumeration Entry The jj CGI program allows command execution via shell metacharacters. 19961224 jj cgi http-cgi-jj Candidate Modified Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. 19980504 Netmanage Holes http://www.insecure.org/sploits/netmanage.chameleon.overflows.html Baker Frech, Landfield Christey, Northcutt, Ozancin XF:chamelion-smtp-dos - Specify what "a crash" means. ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) Consider adding BID:2387 Entry Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. 19980804 remote exploit in faxsurvey cgi-script 19980804 PATCH: faxsurvey 2056 http-cgi-faxsurvey(1532) Entry Solaris SUNWadmap can be exploited to obtain root access. 00173 sun-sunwadmap Entry htmlscript CGI program allows remote read access to files. http-htmlscript-file-access Jan27,1998 Entry ICMP redirect messages may crash or lock up a host. Q154174 ICMP Redirects Against Embedded Controllers icmp-redirect Entry The info2www CGI script allows remote file access or remote command execution. 19980303 Vulnerabilites in some versions of info2www CGI 1995 http-cgi-info2www Entry Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution. http-port CA-95.04.NCSA.http.daemon.for.unix.vulnerability Entry MetaInfo MetaWeb web server allows users to upload, execute, and read scripts. 19980630 Security vulnerabilities in MetaInfo products 19980703 Followup to MetaInfo vulnerabilities 110 3969 metaweb-server-dot-attack Entry Netscape Enterprise servers may list files through the PageServices query. netscape-server-pageservices Entry Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files. 19980317 IRIX performer_tools bug 19980401-01-P I-041 64 134 sgi-pfdispaly(810) Candidate Modified Progressive Networks Real Video server (pnserver) can be crashed remotely. 19980115 pnserver exploit.. 19980817 Re: Real Audio Server Version 5 bug? Baker, Blake, Northcutt Frech Prosser Christey Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896 [Frech changed vote from REVIEWING to MODIFY] ADDREF XF:realvideo-telnet-dos Entry Denial of service in Slmail v2.5 through the POP3 port. slmail-username-bo Entry Denial of service through Solaris 2.5.1 telnet by sending ^D characters. sun-telnet-kill Entry Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made. NAI-5 nt-dns-dos Entry Denial of service in Windows NT DNS servers by flooding port 53 with too many characters. nt-dnscrash nt-dnsver Q169461 Entry mSQL v2.0.1 and below allows remote execution through a buffer overflow. msql-debug-bo sekure.01-99.msql Entry The WorkMan program can be used to overwrite any file to get root access. workman CA-96.23.workman_vul Entry In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. MS98-003 iis-asp-data-check oval:org.mitre.oval:def:913 Entry Excite for Web Servers (EWS) allows remote command execution via shell metacharacters. 19971217 CGI security hole in EWS (Excite for Web Servers) 19980115 Excite announcement VB-98.01.excite excite-cgi-search-vuln Entry Remote command execution in Microsoft Internet Explorer using .lnk and .url files. 19970317 Internet Explorer Bug #4 H-38 http-ie-lnkurl Entry Denial of service in IIS using long URLs. http-iis-longurl Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage. Baker, Dik Frech Ozancin Prosser Christey XF:sun-loadmodule XF:sun-modload (CERT CA-93.18 very old!) Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both. There are three similar Sun bug ids associated with the patches. 1076118 loadmodule has a security vulnerability 1148753 loadmodule has a security vulnerability 1222192 loadmodule has a security vulnerability as well as: 1137491 Ancient stuff. Add period to the end of the description. [Christey changed vote from NOOP to REVIEWING] This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18. [Christey changed vote from REVIEWING to REJECT] This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue. Candidate Modified The Java Web Server would allow remote users to obtain the source code for CGI programs. 19970716 Viewable .jhtml source with JavaWebServer Baker, Blake, Cole, Collins, Dik, Northcutt, Wall Frech Armstrong, Bishop, Christey, Landfield, Prosser Ozancin Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html. Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/7260 Misc Defensive Info http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info BID:1891 URL:http://www.securityfocus.com/bid/1891 Add version number (1.1 beta) and details of attack (appending a . or a \) The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server" There appears to be some confusion. The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jthml source by appending "." of "\" to URL) There are other bugs that give access and that require a configuration change. http://www.sun.com/software/jwebserver/techinfo/security_advisory.html Need to make sure to create CAN's for the other bugs, as documented in: NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 The reported bugs are: 1) file read by appending %20 2) Directly call /servlet/file URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283. [Frech changed vote from REVIEWING to MODIFY] XF:javawebserver-cgi-source(5383) Candidate Proposed Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command. smtp-helo-bo Blake, Northcutt Frech, Levy, Ozancin Baker Christey "Windows NT-based mail servers" (A trademark thing, and for clarification) XF:mdaemon-helo-bo XF:lotus-notes-helo-crash XF:slmail-helo-overflow XF:smtp-helo-bo (mentions several products) XF:smtp-exchangedos - Need one per software. Each one should be its own vulnerability. => Windows NT is correct These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO). Candidate Proposed Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection. Hill Baker, Wall Christey, Frech No references, no information. [Frech changed vote from REVIEWING to REJECT] No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000. Candidate Proposed In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages. Armstrong, Cole, Shostack Blake, Levy, Wall Baker, Bishop, Landfield, Northcutt, Ozancin Frech Christey In some NT web servers, appending a dot at the end of a URL may allows attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser" In the meantime, reword description as 'Windows NT' (trademark issue) Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253. NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 BID 273 Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 [Christey changed vote from NOOP to REVIEWING] [Frech changed vote from REVIEWING to REJECT] BID articles) Candidate Proposed Vulnerability in the Wguest CGI program. Frech, Shostack Blake, Levy, Northcutt, Wall Baker, Christey allows file reading XF:http-cgi-webcom-guestbook CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same. BID:2024 Entry The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets. 19970801 WINS flooding 19970801 WINS flooding 19970815 Re: WINS flooding http://safenetworks.com/Windows/wins.html 155701 nt-winsupd-fix(1233) Entry The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL. Entry The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost. 19980221 WinGate DoS 19980326 WinGate Intermediary Fix/Update wingate-dos Entry The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication. wingate-unpassworded Entry Denial of service through Winpopup using large user names. nt-winpopup Entry AAA authentication on Cisco systems allows attackers to execute commands without authorization. http://www.cisco.com/warp/public/770/aaapair-pub.shtml cisco-ios-aaa-auth Entry All records in a WINS database can be deleted through SNMP for a denial of service. nt-wins-snmp2 Entry Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges. sun-sysdef 00157 Entry Solaris volrmmount program allows attackers to read any file. 00162 sun-volrmmount Entry Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable. NAI-3 AA-96.21 H-17 vixie-cron Candidate Modified ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack. 19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme Cole, Dik, Levy, Northcutt Frech Baker, Christey, Shostack ADDREF BID:1441 URL:http://www.securityfocus.com/bid/1441 If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote. [Frech changed vote from REVIEWING to MODIFY] ADDREF XF:ypbind-ypset-root [Dik changed vote from REVIEWING to ACCEPT] This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2 Both releases are not vulnerable in the default configuration (both disabllow ypset by default which prevents this problem from occurring) Entry Buffer overflow in FreeBSD lpd through long DNS hostnames. NAI-9 6093 Entry nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers. 00155 sun-niscache Entry Buffer overflow in SunOS/Solaris ps command. 00149 AUSCERT-97.17 sun-ps2bo Entry SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server. 00176 sun-ftp-server Entry Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. bnu-uucpd-bo RSI.0002.05-18-98.BNU.UUCPD Entry mmap function in BSD allows local attackers in the kmem group to modify memory through devices. bsd-mmap FreeBSD-SA-98:02 Entry The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. Feb15,1998 "IP Source Routing Problem" http://www.openbsd.org/advisories/sourceroute.txt 11502 bsd-sourceroute(736) Candidate Proposed buffer overflow in HP xlock program. hp-xlock Baker, Frech, Northcutt Prosser Shostack Christey This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038. Candidate Modified Buffer overflow in HP-UX cstm program allows local users to gain root privileges. 19961116 This week: turn me on, dead man hpux-cstm-bo Frech, Northcutt Baker, Prosser, Shostack Christey only ref I can find is an old SOD exploit on www.outpost9.com MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. See the original post: http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org Entry HP-UX gwind program allows users to modify arbitrary files. HPSBUX9410-018 hpux-gwind-overwrite H-03: HP-UX suid Vulnerabilities Entry HP-UX vgdisplay program gives root access to local users. HPSBUX9702-056 hpux-vgdisplay H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Entry SSH 1.2.25 on HP-UX allows access to new user accounts. ssh-1225 Entry fpkg2swpk in HP-UX allows local users to gain root access. hpux-fpkg2swpk HPSBUX9612-042 Entry HP ypbind allows attackers with root privileges to modify NIS data. nis-ypbind CA-93:01.REVISED.HP.NIS.ypbind.vulnerability Entry disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 214 936 sgi-disk-bandwidth(1441) Entry ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames. http://www.securityfocus.com/bid/213/exploit 19980701-01-P 213 6788 sgi-ioconfig(1199) Entry Buffer overflow in Solaris fdformat command gives root access to local users. fdformat-bo 00138 Entry Buffer overflow in Linux splitvt command gives root access to local users. linux-splitvt G-08 Candidate Modified Buffer overflow in Linux su command gives root access to local users. 19990818 slackware-3.5 /bin/su buffer overflow su-bo Frech, Hill, Northcutt Prosser Baker Christey DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution. If this is the same as the unixware, the n it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however... XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ? http://xforce.iss.net/static/734.php BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in: BUGTRAQ:19971220 Linux vsyslog() overflow http://www.securityfocus.com/archive/1/8274 Entry Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable. 19961125 Security Problems in XMCD 19961125 XMCD v2.1 released (was: Security Problems in XMCD) xmcd-envbo Candidate Proposed Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting. xmcd-tiflestr Frech, Hill, Northcutt Baker, Prosser Christey BUGTRAQ:19961126 Security Problems in XMCD 2.1 A followup to this post says that xmcd is not suid here. Entry SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files. 00166 sun-rpc.cmsd Entry Buffer overflow in Solaris kcms_configure command allows local users to gain root access. sun-kcms-configure-bo Entry The open() function in FreeBSD allows local attackers to write to arbitrary files. FreeBSD-SA-97:05 freebsd-open 6092 Entry FreeBSD mmap function allows users to modify append-only or immutable files. FreeBSD-SA-98:04 1998-003 bsd-mmap Entry ppl program in HP-UX allows local users to create root files through symlinks. HPSBUX9702-053 H-31 hp-ppllog Entry vhe_u_mnt program in HP-UX allows local users to create root files through symlinks. hp-vhe HPSBUX9406-013 Entry Vulnerability in HP-UX mediainit program. HPSBUX9710-071 hp-mediainit Entry SGI syserr program allows local users to corrupt files. 19971103-01-PX sgi-syserr Entry SGI permissions program allows local users to gain root privileges. 19971103-01-PX sgi-permtool Entry SGI mediad program allows local users to gain root access. 19980602-01-PX sgi-mediad Candidate Modified Linux bdash game has a buffer overflow that allows local users to gain root access. 19940101 (No Subject) bdash-bo Baker Frech Northcutt, Shostack, Wall Levy XF:bdash-bo Candidate Modified Buffer overflow in Internet Explorer 4.0(1). msie-bo Baker, Northcutt Frech, Shostack Prosser Christey, LeBlanc this is a high cardinality item needs to be more specific. Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate) Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the broswer when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports. The description is too vague. too vague Add period to the end of the description. Entry Buffer overflow in NetMeeting allows denial of service and remote command execution. nt-netmeeting Q184346 Candidate Modified HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack. RSI.0009.09-08-98.HP-UX.OMNIBACK HPSBUX9810-085 omniback-remote Baker, Frech Prosser Christey additional source HP Security Bulletin 85 http://us-support.external.hp.com http://europe-support.external.hp.com Two separate bugs, so SF-LOC says this candidate should be split ADDREF CIAC:J-007 URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml Entry In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access. sol-startup CA-93.19.Solaris.Startup.vulnerability Entry DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032. Candidate Modified Buffer overflow in mstm in HP-UX allows local users to gain root access. 19961116 This week: turn me on, dead man hpux-mstm-bo Frech, Northcutt Baker, Prosser, Shostack Christey same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. Entry AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled. CA-94.10.IBM.AIX.bsh.vulnerability.html ibm-bsh Entry AIX Licensed Program Product performance tools allow local users to gain root access. ibm-perf-tools CA-94.03.AIX.performance.tools Entry Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access. sol-sun-libauth RSI.0007.05-26-98 Entry Buffer overflow in Linux Slackware crond program allows local users to gain root access. 005 linux-crond Entry Buffer overflow in the Linux mail program "deliver" allows local users to gain root access. 006 linux-deliver Entry Linux PAM modules allow local users to gain root access using temporary files. http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam linux-pam-passwd-tmprace Entry A malicious Palace server can force a client to execute arbitrary programs. 19981002 Announcements from The Palace (fwd) palace-malicious-servers-vuln Entry NT users can gain debug-level access on a system process using the Sechole exploit. MS98-009 Q190288 nt-priv-fix Candidate Proposed Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. Blake, Cole Frech, Wall Bishop, Landfield, Northcutt, Ozancin Meunier Armstrong, Baker, LeBlanc, Levy Christey Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack. XF:nt-ssping ADDREF XF:ping-death ADDREF XF:teardrop-mod ADDREF XF:mpeix-echo-request-dos I can't tell whether the Jolt exploit at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net is exploiting any different flaw than teardrop does. [Christey changed vote from NOOP to REVIEWING] Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128) I tend to agree with Baker. [Armstrong changed vote from REVIEWING to REJECT] This code does not use fragment overlap. It is simply a large ICMP echo request. See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is. I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends: - 172 fragments of length 400 with offset starting at 5120 and > 3)), which eventually results in sending fragments inside an already > 3) is greater than 5120, which occurs when n is reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly. - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent. So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored. Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it. Entry CGI PHP mlog script allows an attacker to read any file on the target server. 19971019 Vulnerability in PHP Example Logging Scripts 713 http-cgi-php-mlog 3397 Candidate Modified Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character. 19990126 Javascript ecurity bug in Internet Explorer 19990126 Javascript ecurity bug in Internet Explorer Baker, LeBlanc, Levy, Northcutt Frech, Prosser Christey this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp Duplicate of CVE-1999-0490? If Prosser is correct that this is MS99-012, accept BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 BID:197 URL:http://www.securityfocus.com/bid/197 [Frech changed vote from REVIEWING to MODIFY] XF:ie-window-spoof(2069) Entry IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory. Jan27,1999 Q197003 930 Entry A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands. IIS Remote FTP Exploit/DoS Attack MS99-003 Q188348 Jan27,1999 iis-remote-ftp Entry Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits. Feb8,1999 clearcase-temp-race Entry FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client. 01 http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt pasv-pizza-thief-dos(3389) Candidate Proposed ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-passwd-encrypt Baker, Frech Northcutt, Wall Ozancin Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption. Entry rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. HPSBUX9902-091 J-026 pcnfsd-world-write Candidate Proposed Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message. Jan27,1999 MS99-002 Baker, Ozancin, Wall Frech Christey XF:word97-template-macro CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 BID:196 http://www.securityfocus.com/bid/196 MSKB:Q214652 http://support.microsoft.com/support/kb/articles/q214/6/52.asp Entry Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-reboot Candidate Proposed ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book. Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software controlit-bookfile-access Baker, Frech Northcutt, Wall Ozancin Entry Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets. 19990125 Win98 crash? win98-oshare-dos Entry Digital Unix 4.0 has a buffer overflow in the inc program of the mh package. 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U du-inc J-027 Candidate Proposed ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords. 19990127 UNIX shell modem access vulnerabilities ptylogin-dos Cole, Frech Baker XF:ptylogin-dos Should say "... lock out a modem, ..." rather than "... locking out modems..." Candidate Modified MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely. 19990130 Security Advisory for Internet Information Server 4 with Site Jan29,1999 Blake, Cole, Collins, Landfield, Northcutt, Wall Baker, Frech, LeBlanc Armstrong, Christey, Ozancin, Prosser I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem). - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything. Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type THis is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix... BID:1811 URL:http://www.securityfocus.com/bid/1811 CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title. Add "uploadn.asp" to the description. [Frech changed vote from REVIEWING to MODIFY] XF:siteserver-user-dir-permissions(5384) Candidate Proposed NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging. Jan29,1999 Baker Frech Northcutt, Wall XF:compulink-pw-laserfiche(1679) Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords Entry WS_FTP server remote denial of service through cwd command. AD02021999 wsftp-remote-dos 217 Entry SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise. Feb02,1999 plp-lpc-bo 328 Candidate Modified Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. 19990204 Microsoft Access 97 Stores Database Password as Plaintext Baker, LeBlanc Frech Northcutt, Wall [Frech changed vote from REVIEWING to MODIFY] XF:access-weak-passwords(1774) An older published reference (from our own Adam) would be better: ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0" http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 07028.1462108427&hitnum=1 Entry The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry. Feb04,1999 metamail-header-commands Entry In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value. MS99-004 Q214840 nt-sp4-auth-error Entry NetBSD netstat command allows local users to access kernel memory. 1999-002 7571 Entry Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto. palmetto.ftpd CA-99.03 palmetto-ftpd-bo Entry The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access. 00183 sun-sdtcm-convert-bo Candidate Modified In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files. 00184 165 Baker, Dik, Northcutt, Prosser Frech Christey Reference: XF:sun-man ADDREF CIAC:J-028 Is the Linux man symlink problem the same as the one for Sun? See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 Also see BID:305 sun bug 4154565 Entry Lynx allows a local user to overwrite sensitive files through /tmp symlinks. 19990211 Lynx /tmp problem VB-97.05.lynx lynx-temp-files-race Entry The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted. MS99-005 nt-backoffice-setup Q217004 Entry Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root. Buffer Overflow in "Super" package in Debian Linux linux-super-bo linux-super-logging-bo Entry Debian GNU/Linux cfengine package is susceptible to a symlink attack. 19990215 Feb16,1999 linux-cfengine-symlinks Entry Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands. February 16, 1999 Feb16,1999 nfr-webd-overflow Entry Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs. MS99-006 Feb20,1999 Feb18,1999 nt-knowndlls-list Entry Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services. Feb22,1999 Entry InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands. 19990222 BlackHats Advisory -- InterScan VirusWall 19990225 Patch for InterScan VirusWall for Unix now available viruswall-http-request 6167 Entry Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting. MS99-007 19990223 Microsoft Security Bulletin (MS99-007) 498 1019 win-resourcekit-taskpads Entry SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user. 199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service 19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service SLmail 3.2 Build 3113 (Web Administration Security Fix) 497 slmail-ras-ntfs-bypass(5392) Candidate Proposed super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access. 19990225 SUPER buffer overflow linux-super-logging-bo 342 Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin Bishop Armstrong, Wall Christey Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split. From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373. Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly. (as indicated by Christey) [Cole changed vote from NOOP to ACCEPT] [Christey changed vote from NOOP to REVIEWING] There are 2 bugs, as confirmed by the super author at: BUGTRAQ:19990226 Buffer Overflow in Super (new) http://www.securityfocus.com/archive/1/12713 BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well. Entry The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges. MS99-008 nt-screen-saver Entry ACC Tigris allows public access without a login. 19990103 Tigris vulnerability 183 267 acc-tigris-login Entry The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content. forms-vuln-patch MS99-001 Entry The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands. MS99-009 LDAP Buffer overflow against Microsoft Directory Services ldap-exchange-overflow ldap-mds-dos Entry Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL. MS99-010 pws-file-access 111 Entry A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords. MS99-052 Q168115 829 9x-plaintext-pwd Entry DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root. datalynx-suguard-relative-paths Jan3,1999 3186 Candidate Modified Buffer overflow in the bootp server in the Debian Linux netstd package. 19990104 19990103 [SECURITY] New versions of netstd fixes buffer overflows 324 Baker, Ozancin, Stracener Frech Christey Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry: +netstd (3.07-7slink.1) frozen; urgency=high + + * bootpd: Applied patch from Redhat as well as a fix for the overflow in + report() (fixes #30675). + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow + bugs. + + -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100 This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp XF:debian-netstd-bo Further analysis indicates that this is a duplicate of CVE-1999-0799 [Christey changed vote from REJECT to REVIEWING] The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799. Entry Buffer overflow in Dosemu Slang library in Linux. 19990104 Dosemu/S-Lang Overflow + sploit CSSA-1999-006.1 187 Entry The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user. Jan. 5, 1999 Entry Buffer overflow in Thomas Boutell's cgic library version up to 1.05. Jan10,1999 http-cgic-library-bo Entry Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers. 19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want! 19990121 Sendmail 8.8.x/8.9.x bugware sendmail-parsing-redirection Candidate Proposed DPEC Online Courseware allows an attacker to change another user's password without knowing the original password. 19990115 DPEC Online Courseware Baker Christey Frech If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP. CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com ADDREF BID:565 URL:http://www.securityfocus.com/vdb/bottom.html?vid=565 Entry A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 19990118 Vulnerability in the BackWeb Polite Agent Protocol backweb-polite-agent-protocol Entry A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. 1999-001 Feb17,1999 netbsd-tcp-race Candidate Proposed The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. Jan21,1999 Jan21,1999 Northcutt Frech Baker Wall Reject based on beta copy. XF:quakenbush-pw-appraiser(1652) Candidate Modified In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login. 19990123 SSH 1.x and 2.x Daemon 19990124 SSH Daemon ssh-exp-account-access Baker Frech Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27. XF:ssh-exp-account-access Candidate Modified The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands. 19990124 Mirc 5.5 'DCC Server' hole mirc-dcc-metachar-filename Baker Frech XF:mirc-dcc-metachar-filename Candidate Modified Denial of service in Linux 2.2.0 running the ldd command on a core file. 19990127 2.2.0 SECURITY (fwd) linux-kernel-ldd-dos 344 Baker Frech BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) XF:linux-kernel-ldd-dos Candidate Modified A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files. 19990202 [patch] /proc race fixes for 2.2.1 (fwd) linux-race-condition-proc Baker Frech XF:linux-race-condition-proc Entry wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself. Feb2,1999 wget-permissions 19990220 Entry A bug in Cyrix CPUs on Linux allows local users to perform a denial of service. 19990204 Cyrix bug: freeze in hell, badboy cyrix-hang Entry Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. Feb14,1999 mailmax-bo Entry A buffer overflow in lsof allows local users to obtain root privilege. 002 Feb18,1999 19990220a lsof-bo 3163 Candidate Proposed Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege. Feb19,1999 digital-networker-bo Baker Frech In description, change 'which' to 'that'. Entry By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system. 19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS 19990209 Re: IIS4 allows proxied password attacks over NetBIOS iis-iisadmpwd Entry Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server. 19990225 Cobalt root exploit cobalt-raq-history-exposure 337 Entry Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access. 19990304 Linux /usr/bin/gnuplot overflow gnuplot-home-overflow 319 Entry The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access. Mar5,1999 sol-cancel 293 Candidate Proposed Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access. Feb19,1999 sco-startup-scripts Baker, Frech Christey, Wall Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) does not mention gaining root access... it says a local user could "delete or overwrite arbitrary files on the system." By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. Normalize Bugtraq reference to: BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 Also, SCO:SB-99.17 ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c Entry In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. Feb19,1999 iis-isapi-execute 501 Entry A buffer overflow in the SGI X server allows local users to gain root access through the X server font path. 19990301-01-PX irix-font-path-overflow Entry In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection. Linux Blind TCP Spoofing linux-blind-spoof Entry The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-router-commands cisco-web-config Entry Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port. 19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers 19990311 Cisco 7xx TCP and HTTP Vulnerabilities J-034 cisco-web-crash Entry 64 bit Solaris 7 procfs allows local users to perform a denial of service. Mar9,1999 solaris-psinfo-crash 448 1001 Candidate Proposed Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection. 19990308 SMTP server account probing Cole Frech Baker, Foat, Wall Christey DUPE CVE-1999-0144 and CVE-1999-0250? XF:smtp-rctpto-dos(7499) Candidate Modified When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service. 19990319 Microsoft's SMTP service broken/stupid smtp-4xx-error-dos Baker Frech, LeBlanc Christey XF:smtp-4xx-error-dos - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT. David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..." http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2 Entry umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program. 1999-006 Entry During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password. Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations linux-slackware-install 338 981 Entry In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set. 1999-007 Entry Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges. HPSBUX9903-093 hp-hpterm-files Entry talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes. Mar18,1999 netscape-talkback-overwrite Entry talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes. Mar18,1999 netscape-talkback-kill Candidate Proposed The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing. 19990319 The default permissions on /dev/kmem is insecure. Frech Baker Christey XF:linux-dev-kmem-spoof DUPE CVE-1999-0414 XF:linux-dev-kmem-spoof does not exist. *Now* XF:linux-dev-kmem-spoof(3500) exists... Candidate Proposed Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names. 19990320 Eudora Attachment Buffer Overflow eudora-long-attachments Baker Frech Christey Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected." This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Is this a duplicate/subsumed by CVE-1999-0004? Entry OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. 19990322 OpenSSL/SSLeay Security Alert ssl-session-reuse 3936 Entry The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference. 19990323 19990324 Re: LNotes encryption 19990326 Lotus Notes Encryption Bug 19990326 Re: Lotus Notes security advisory lotus-client-encryption Entry Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Cisco Catalyst Supervisor Remote Reload cisco-catalyst-crash 1103 Candidate Modified Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service. 19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug linux-zerolength-fragment Baker Frech Christey XF:linux-zerolength-fragment Consider adding BID:2247 Entry ftp on HP-UX 11.00 allows local users to gain privileges. HPSBUX9903-094 hp-ftp Entry XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. Mar28,1999 19990321 X11R6 NetBSD Security Problem xfree86-temp-directories Candidate Proposed XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service. 19990331 Bug in xfs 359 Baker Frech Christey XF:xfree86-xfs-symlink-dos Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix XF:xfree86-xfs-symlink-dos doesn't exist. ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable Note: Debian's advisory says that this is not a problem for Debian. Candidate Proposed MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM. HPSBUX9903-096 Baker, Ozancin Frech Christey XF:hp-servicegaurd ADDREF CIAC:J-039 Note the typo in Andre's suggested reference. Normalize to XF:hp-serviceguard(2046) Entry Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges. HPSBUX9903-095 hp-desms-servers Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port. WebRamp Denial of Service Attacks webramp-device-crash Entry Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address. WebRamp Denial of Service Attacks webramp-ipchange Entry Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file. 19990405 Re: [SECURITY] new version of procmail with security fixes 19990422 CSSA-1999:007 procmail-overflow Entry The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages. 19990405 Security Hole in Java 2 (and JDK 1.1.x) http://java.sun.com/pr/1999/03/pr990329-01.html 1939 java-unverified-code Entry Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service. AD02221999 wingate-redirector-dos 509 Entry Solaris ff.core allows local users to modify files. 19990107 really silly ff.core exploit for Solaris 19990108 ff.core exploit on Solaris (2.)7 19990408 Solaris7 and ff.core 327 Candidate Proposed Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password. 19990409 Patrol security bugs bmc-patrol-replay Baker Frech Change "Patrol management software" to "The PATROL management product from BMC Software". Candidate Modified Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files. 19990412 ARP problem in Windows9X/NT windows-arp-dos Baker Frech ADDREF: XF:windows-arp-dos Entry In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. Cisco IOS(R) Software Input Access List Leakage with NAT cisco-natacl-leakage 1104 Entry Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS. 1999-008 netbsd-vfslocking-panic 7051 Entry Local users can gain privileges using the debug utility in the MPE/iX operating system. HPSBMP9904-006 mpeix-debug Entry IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. 19990121 IIS 4 Request Logging Security Advisory iis-http-request-logging Entry The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts. 19990126 IIS 4 Advisory - ExAir sample site DoS 19990126 IIS 4 Advisory - ExAir sample site DoS 19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS 193 2 3 4 iis-exair-dos Candidate Modified In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe). 19990122 Perl.exe and IIS security advisory 194 Ozancin, Wall Baker, Christey Frech, LeBlanc Can't find in database. This looks like another discovery of CVE-2000-0071 - I just tried to repro this based on the BUGTRAQ vuln information, and it does not repro - GET /bogus.pl HTTP/1.0 HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Thu, 05 Oct 2000 21:04:20 GMT Content-Length: 3243 Content-Type: text/html No path is returned whatsoever. This may have been a problem on some version of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. Let's try and figure out what version had the problem, whether it is intrinsic to IIS or the result of adding a 3rd party implementation of perl, and when it got fixed, then we can try again. [Frech changed vote from REVIEWING to REJECT] Add "no-such-file.pl" as an example to the desc, to facilitate search (it's used by CGI scanners and in the original example) Candidate Proposed Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port. Jan19,1999 343 Baker, Ozancin Frech Wall [Frech changed vote from REVIEWING to MODIFY] XF:linux-ports-dos(8364) Candidate Proposed A service or application has a backdoor password that was placed there by the developer. Baker, Wall Frech Much too broad. Also may be HIGHCARD (or will be in the future). I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurance. Candidate Modified An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP). 19990118 Remote Cisco Identification Baker, Balinsky Frech Northcutt, Wall Christey XF:cisco-ident(2289) ADDREF BUGTRAQ:19990118 Remote Cisco Identification In description, probably better to use "Cisco" as product/company name. CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity. There may be a slight abstraction problem here, e.g. look at the candidate for queso/nmap; also see followup Bugtraq post from "Basement Research" on 19990120 which says that there are many other features in Cisco products that allow remote identification. fix typo: "Dicsovery" Candidate Proposed A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso. Frech Christey, Wall Baker, Northcutt Nmap and queso are the tip of the iceberg and not the most advanced ways to accomplish this. To pursue making the world signature free is as much a vulnerability as having signatures, nay more. XF:decod-nmap(2053) XF:decod-queso(2048) Add "fingerprinting" to facilitate search. Some references: MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2 BUGTRAQ:19990222 Preventing remote OS detection http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2 BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2 BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD, http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2 BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs) http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2 BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2 BUGTRAQ:20000609 p0f - passive os fingerprinting tool http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2 I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation. Candidate Modified The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly. ASB-001 coldfusion-expression-evaluator 115 Balinsky, Frech, Ozancin Wall Baker Christey The reference should be ASB99-01 (Expression Evaluator Security Issues) make application plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm). The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times. In any case, this candidate can not be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions. Entry Linux ftpwatch program allows local users to gain root privileges. Jan17,1999 19990117 ftpwatch-vuln 317 Entry L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information. Jan6,1999 l0phtcrack-temp-files 915 Candidate Proposed Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot. linux-milo-halt Frech Baker, Northcutt Wall Reject based on beta copy. Candidate Proposed Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service. 19990218 Linux autofs overflow in 2.0.36+ 312 Baker, Ozancin Frech Wall [Frech changed vote from REVIEWING to MODIFY] XF:linux-autofs-bo(8365) Candidate Proposed Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address. Frech Baker Christey ADDREF XF:pmap-sset CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0195, make sure it gets XF:pmap-sset THis does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one Candidate Proposed suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk. 19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux 339 Baker Frech Christey XF:perl-suidperl-bo XF:perl-suidperl-bo doesn't exist. Entry Remote attackers can perform a denial of service using IRIX fcagent. 19981201-01-PX sgi-fcagent-dos Entry Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames. 19990104 Tripwire mess.. http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2 6609 Candidate Proposed Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter. http-img-overflow Frech, Northcutt Baker LeBlanc, Wall Reject based on client-side DoS Client side DOS Entry The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device. 1999-009 905 Candidate Modified The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter. 19990409 Webcom's CGI Guestbook for Win32 web servers http-cgi-webcom-guestbook Blake, Frech, Landfield, Ozancin Baker, Christey, Northcutt CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which can be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same. The CD:SF-EXEC content decision also applies here. We have 2 programs, wguest.exe and rguest.exe, which appear to have the same problem. CD:SF-EXEC needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry. When finalized, CD:SF-EXEC will decide whether this candidate should be split or not. BID:2024 Entry Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component. MS99-012 ie-scriplet-fileread Apr9,1999 Candidate Proposed Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client. 19990409 IE 5.0 security vulnerabilities - %01 bug again ie-window-spoof Wall Baker, Northcutt Christey, Frech, LeBlanc Reference: Microsoft Security Bulletin MS99-012 DUPE CVE-1999-0488 Defer to Christey's vote. However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488. Duplicate Entry A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted. 19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit 482 netware-remotenlm-passwords Entry The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button. winroute-config Apr9,1999 Entry The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it. netcache-snmp Apr7,1999 Entry The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. 19990407 rsync 2.3.1 release - security fix CSSA-1999:010.0 19990823 145 rsync-permissions Entry The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory. icq-webserver-read Apr5,1999 Entry A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail. procmail-race Apr5,1999 Candidate Proposed A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user. 19990331 Potential vulnerability in SCO TermVision Windows 95 client sco-termvision-password Baker, Frech, Ozancin LeBlanc, Northcutt, Wall Candidate Modified The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly. Cold Fusion App Server coldfusion-expression-evaluator 115 Baker, Christey, Frech, Ozancin Wall Duplicate of 0455 CVE-1999-0477 and CVE-1999-0455 were discovered at different times. Also, the attack was different. So "Same Attack" and "Same Time of Discovery" dictate that these should remain separate. Entry Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. HPSBUX9904-097 sendmail-headers-dos Entry Denial of service Netscape Enterprise Server with VirtualVault on HP-UX VVOS systems. HPSBUX9903-092 netscape-server-dos Candidate Modified Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack. 19980315 Midnight Commander /tmp race Baker Frech Christey XF:midnight-commander-symlink-dos XF:midnight-commander-symlink-dos(3505) Entry Denial of service in "poll" in OpenBSD. Mar22,1999 7556 Entry OpenBSD kernel crash through TSS handling, as caused by the crashme program. Mar21,1999 7557 Entry OpenBSD crash using nlink value in FFS and EXT2FS filesystems. Feb25,1999 6129 Entry Buffer overflow in OpenBSD ping. Feb23,1999 6130 Entry Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. Feb19,1999 openbsd-ipintr-race 7558 Candidate Modified Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash. 19990420 AOL Instant Messenger URL Crash Baker Frech Christey XF:aol-im. XF:aol-im appears to be related to the problem discussed in BUGTRAQ:19980224 AOL Instant Messanger Bug This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash Entry The DHTML Edit ActiveX control in Internet Explorer allows remote attackers to read arbitrary files. MS99-011 ie-dhtml-control Candidate Modified Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability. MS99-012 Baker, Landfield Frech, Wall Christey, Ozancin XF:ie-mshtml-crossframe (source: MSKB:Q168485) CVE-1999-0469 appears to be a duplicate; prefer this one over that one, since this one has an MS advisory. Confirm with Microsoft that these are really duplicates. Also review CVE-1999-0487, which appears to be a similar bug. Candidate Modified MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013. MS99-015 Levy Wall Baker, Ozancin Prosser Christey Frech Wasn't Untrusted scripted paste MS98-015? I can find no mention of a clipboard in either. I cannot proceed on this one without further clarification. (source: MS:MS99-012) agree with Andre here. The Untrusted Scripted paste vulnerability was originally addressed in MS98-015 and it is in the file upload intrinsic control in which an attacker can paste the name of a file on the target's drive in the control and a form submission would then send that file from the attacked machine to the remote web site. This one has nothing to do with the clipboard. What the advisory mentioned here, MS99-012, does is replace the MSHTML parsing engine which is supposed to fix the original Untrusted Scripted Paste issue and a variant, as well as the two Cross-Frame variants and a privacy issue in IMG SRC. The vulnerability that allowed reading of a user's clipboard is the Forms 2.0 Active X control vulnerability discussed in MS99-01 The advisory should have been listed as MS99-012. CVE-1999-0468 describes the untrusted scripted paste problem in MS99-012. Pending response to guidance request. 12/6/01. Candidate Modified MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag. MS99-012 Landfield, Wall Frech Baker, Ozancin Christey XF:ie-scriplet-fileread Duplicate of CVE-1999-0347? Entry The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. 19990420 Bash Bug CSSA-1999-008.0 119 Candidate Proposed The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. Apr23,1999 Armstrong, Collins, Northcutt Baker, Blake, Frech, Shostack Christey, Cole, Landfield, Wall Ozancin isn't that what finger is supposed to do? Maybe we need a new category of "unsafe system utilities and protocols" Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries. CHANGEREF BUGTRAQ [canonicalize] BUGTRAQ:19990423 Ffingerd privacy issues http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2 Here's the nature of the problem. (1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered" (2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end. Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general. Also, the vendor posted a followup and said that a patch was available. See: http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2 Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/13422 Misc Defensive Info [Frech changed vote from REVIEWING to MODIFY] XF:ffinger-user-info(5393) Entry rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd. CA-99-05 00186 J-045 19990103 SUN almost has a clue! (automountd) 450 Entry Denial of service in WinGate proxy through a buffer overflow in POP3. wingate-pop3-user-bo Candidate Proposed A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares. Baker, Blake, Cole, Collins, Northcutt, Ozancin Frech Armstrong, Bishop, Landfield, Wall Christey, Levy XF:nb-dotdotknown(837) References would be appreciated. We've got no reference for this issue; confidence rating is consequently low. Some refernces: http://www.securityfocus.com/archive/1/3894 http://www.securityfocus.com/archive/1/3533 http://www.securityfocus.com/archive/1/3535 Entry A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin. Q146965 nt-getadmin nt-getadmin-present Candidate Modified Anonymous FTP is enabled. Shostack Frech Baker, Christey Northcutt ftp-anon(52) at http://xforce.iss.net/static/52.php ftp-anon2(543) at http://xforce.iss.net/static/543.php Add period to the end of the description. DOn't know about this, but it may be the only easy way to allow access to data for some folks. Candidate Modified TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files. CA-91.18.Active.Internet.tftp.Attacks Blake, Hill, Northcutt Frech Baker Christey XF:linux-tftp XF:linux-tftp refers to CVE-1999-0183 Candidate Proposed NETBIOS share information may be published through SNMP registry keys in NT. Baker, Northcutt, Ozancin, Shostack, Wall Frech LeBlanc Change wording to 'Windows NT.' XF:snmp-netbios Share info can be obtained via SNMP queries, but I question whether this is a vulnerability. The system can be configured not to do this, and one may argue that SNMP itself is an insecure configuration. Furthermore, the share information isn't published via registry keys - the description could refer to more than one actual issue. SNMP is meant to allow people to obtain information about systems. I'm willing to discuss this with the rest of the board. Candidate Proposed A Unix account has a guessable password. Baker, Northcutt, Shostack Frech, Meunier Christey Guessable falls into the class of CVE-1999-0502, since I can guess a default, null, etc. password. Suggest changing to something like "has an existing non-default password that can be guessed." I'm also including default passwords in this entry. In that vein, we show the following references: XF:user-password XF:passwd-username XF:default-unix-sync XF:default-unix-4dgifts XF:default-unix-bin XF:default-unix-daemon XF:default-unix-lp XF:default-unix-me XF:default-unix-nuucp XF:default-unix-root XF:default-unix-toor XF:default-unix-tour XF:default-unix-tty XF:default-unix-uucp This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. [Meunier changed vote from ACCEPT to RECAST] This relates only to account password technology, so this candidate is independent of the operating system, application, web site or other application of this technology. The appropriate (natural) level of abstraction is therefore without specifying that it is for UNIX. Change the description to "An account has a guessable password other than default, null, blank." This should satisfy Andre's objection. This Candidate should be merged with any candidate relating to account password technology where "Unix" in the original description can be replaced by something else. Candidate Proposed A Unix account has a default, null, blank, or missing password. Baker, Meunier, Northcutt, Shostack Frech Christey XF:passwd-blank XF:no-pass XF:dict XF:sgi-accounts XF:linux-caldera-lisa This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Candidate Proposed A Windows NT local user or administrator account has a guessable password. Baker, Meunier, Northcutt, Shostack Frech Christey Note: I am assuming that this entry includes Windows 2000 accounts and machine/service accounts listed in User Manager. XF:nt-guess-admin XF:nt-guess-user XF:nt-guess-guest XF:nt-guessed-operpwd XF:nt-guessed-powerwd XF:nt-guessed-disabled XF:nt-guessed-backup XF:nt-guessed-acctoper-pwd XF:nt-adminuserpw XF:nt-guestuserpw XF:nt-accountuserpw XF:nt-operator-userpw XF:nt-service-user-pwd XF:nt-server-oper-user-pwd XF:nt-power-user-pwd XF:nt-backup-operator-userpwd XF:nt-disabled-account-userpwd This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Candidate Proposed A Windows NT local user or administrator account has a default, null, blank, or missing password. Baker, Meunier, Northcutt, Shostack Frech Christey XF:nt-guestblankpw XF:nt-adminblankpw XF:nt-adminnopw XF:nt-usernopw XF:nt-guestnopw XF:nt-accountblankpw XF:nt-nopw XF:nt-operator-blankpwd XF:nt-server-oper-blank-pwd XF:nt-power-user-blankpwd XF:nt-backup-operator-blankpwd XF:nt-disabled-account-blankpwd This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Candidate Proposed A Windows NT domain user or administrator account has a guessable password. Baker, Meunier, Northcutt, Shostack Frech XF:nt-guessed-domain-userpwd XF:nt-guessed-domain-guestpwd XF:nt-guessed-domain-adminpwd XF:nt-domain-userpwd XF:nt-domain-admin-userpwd XF:nt-domain-guest-userpwd XF:win2k-certpub-usrpwd XF:win2k-dhcpadm-usrpwd XF:win2k-dnsadm-usrpwd XF:win2k-entadm-usrpwd XF:win2k-schema-usrpwd XF:win2k-guessed-certpub XF:win2k-guessed-dhcpadm XF:win2k-guessed-dnsadm XF:win2k-guessed-entadm XF:win2k-guessed-schema Candidate Proposed A Windows NT domain user or administrator account has a default, null, blank, or missing password. Baker, Meunier, Northcutt, Shostack Frech XF:nt-domain-admin-blankpwd XF:nt-domain-admin-nopwd XF:nt-domain-guest-blankpwd XF:nt-domain-guest-nopwd XF:nt-domain-user-blankpwd XF:nt-domain-user-nopwd XF:win2k-certpub-blnkpwd XF:win2k-dhcpadm-blnkpwd XF:win2k-dnsadm-blnkpwd XF:win2k-entadm-blnkpwd XF:win2k-schema-blnkpwd Candidate Proposed An account on a router, firewall, or other network device has a guessable password. Baker, Meunier, Northcutt, Shostack Frech XF:firewall-tisopen XF:firewall-raptoropen XF:firewall-msopen XF:firewall-checkpointopen XF:firewall-ciscoopen Candidate Proposed An account on a router, firewall, or other network device has a default, null, blank, or missing password. Baker, Meunier, Northcutt, Shostack Frech Christey Note: Because the distinction between network hardware and software is not distinct, the term 'network device' was liberally interpreted. Feel free to reject any of the below terms. XF:default-netranger XF:cayman-gatorbox XF:breezecom-default-passwords XF:default-portmaster XF:wingate-unpassworded XF:netopia-unpassworded XF:default-bay-switches XF:motorola-cable-default-pass XF:default-flowpoint XF:qms-2060-no-root-password XF:avirt-ras-password XF:webtrends-rtp-serv-install-password XF:cisco-bruteforce XF:cisco-bruteadmin XF:sambar-server-defaults XF:management-pfcuser XF:http-cgi-wwwboard-default DELREF XF:avirt-ras-password - does not fit CVE-1999-0508. Candidate Modified Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands. CA-96.11 Northcutt, Wall Frech Baker Christey What is the right level of abstraction to use here? Should we combine all possible interpreters into a single entry, or have a different entry for each one? I've often seen Perl separated from other interpreters - is it included by default in some Windows web server configurations? Add tcsh, zsh, bash, rksh, ksh, ash, to support search. XF:http-cgi-vuln(146) Candidate Proposed A router or firewall allows source routed packets from arbitrary hosts. Baker, Northcutt Frech XF:source-routing Candidate Proposed IP forwarding is enabled on a machine which is not a router or firewall. Baker, Northcutt Frech XF:ip-forwarding Candidate Modified A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers. Baker, Northcutt, Shostack Frech Christey XF:smtp-sendmail-relay(210) XF:ntmail-relay(2257) XF:exchange-relay(3107) (also assigned to CVE-1999-0682) XF:smtp-relay-uucp(3470) XF:sco-sendmail-spam(4342) XF:sco-openserver-mmdf-spam(4343) XF:lotus-domino-smtp-mail-relay(6591) XF:win2k-smtp-mail-relay(6803) XF:cobalt-poprelayd-mail-relay(6806) Candidate implicitly may refer to relaying settings enabled by default, or the bypass/circumvention of relaying. Both interpretations were used in assigning this candidate. The intention of this candidate is to cover configurations in which the admin has explicitly enabled relaying. Other cases in which the application *intends* to prvent relaying, but there is some specific input that bypasses/tricks it, count as vulnerabilities (or exposures?) and as such would be assigned different numbers. http://www.sendmail.org/~ca/email/spam.html seems like a good general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt I changed the description to make it more clear that the issue is that of explicit configuration, as opposed to being the result of a vulnerability. Entry ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service. CA-98.01.smurf FreeBSD-SA-98:06 smurf Entry UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target. fraggle Candidate Proposed An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv. Baker, Northcutt Frech Shostack Overly broad XF:rsh-equiv(111) Since this is unrestricted trust, I agree this is a problem Candidate Proposed An SNMP community name is guessable. Baker, Meunier, Northcutt, Shostack Frech Christey XF:snmp-get-guess XF:snmp-set-guess XF:sol-hidden-commstr XF:hpov-hidden-snmp-comm This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Candidate Proposed An SNMP community name is the default (e.g. public), null, or missing. Baker, Meunier, Northcutt, Shostack Frech Christey XF:nt-snmp XF:snmp-comm XF:snmp-set-any XF:snmp-get-public XF:snmp-set-public XF:snmp-get-any This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using. Consider adding BID:2112 Candidate Proposed A NETBIOS/SMB share password is guessable. Baker, LeBlanc, Meunier, Northcutt, Shostack Frech Change description term to NetBIOS. XF:nt-netbios-perm XF:sharepass XF:win95-smb-password XF:nt-netbios-dict Candidate Proposed A NETBIOS/SMB share password is the default, null, or missing. Baker, LeBlanc, Meunier, Northcutt, Shostack Frech Change description term to NetBIOS. XF:decod-smb-password-empty XF:nt-netbios-everyoneaccess XF:nt-netbios-guestaccess XF:nt-netbios-allaccess XF:nt-netbios-open XF:nt-netbios-write XF:nt-netbios-shareguest XF:nt-writable-netbios XF:nt-netbios-everyoneaccess-printer XF:nt-netbios-share-print-guest Candidate Proposed A system-critical NETBIOS/SMB share has inappropriate access control. Wall Frech Baker Northcutt LeBlanc Christey I think we need to enumerate the shares and or the access control One question is, what is "inappropriate"? It's probably very dependent on the policy of the enterprise on which this is found. And should writable shares be different from readable shares? (Or file systems, mail spools, etc.) Yes, the impact may be different, but we could have a large number of entries for each possible type of access. A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question. Unacceptably vague - agree with Christey's comments. associated to: XF:nt-netbios-everyoneaccess(1) XF:nt-netbios-guestaccess(2) XF:nt-netbios-allaccess(3) XF:nt-netbios-open(15) XF:nt-netbios-write(19) XF:nt-netbios-shareguest(20) XF:nt-writable-netbios(26) XF:nb-rootshare(393) XF:decod-smb-password-empty(2358) Candidate Proposed An NIS domain name is easily guessable. Baker, Meunier, Northcutt, Shostack Frech Christey XF:nis-dom Consider http://www.cert.org/advisories/CA-1992-13.html as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch Candidate Proposed The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate. CA-96.10 Baker, Wall Christey Northcutt Why not say world readable, this is what you do further down in the file (world exportable in CVE-1999-0554) ADDREF AUSCERT:AA-96.02 Candidate Proposed ICMP echo (ping) is allowed from arbitrary hosts. Meunier Baker Frech, Northcutt (Though I sympathize with this one :) [Frech changed vote from REVIEWING to REJECT] Ping is a utility that can be run on demand; ICMP echo is a message type. As currently worded, this candidate seems as if an arbitrary host is vulnerable because it is capable of running an arbitrary program or function (in this case, ping/ICMP echo). There are many programs/functions that 'shouldn't' be on a computer, from a security admin's perspective. Even if this were a vulnerability, it would be impacted by CD-HIGHCARD. Every ICMP message type presents a vulnerability or an exposure, if access is not controlled. By that I mean not only those in RFC 792, but also those in RFC 1256, 950, and more. I think that the description should be changed to "ICMP messages are acted upon without any access control". ICMP is an error and debugging protocol. We complain about vendors leaving testing backdoors in their programs. ICMP is the equivalent for TCP/IP. ICMP should be in the dog house, unless you are trying to troubleshoot something. MTU discovery is just a performance tweak -- it's not necessary. I don't know of any ICMP message type that is necessary if the network is functional. Limited logging of ICMP messages could be useful, but acting upon them and allowing the modification of routing tables, the behavior of the TCP/IP stack, etc... without any form of authentication is just crazy. Candidate Modified ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts. http://descriptions.securescout.com/tc/11010 http://descriptions.securescout.com/tc/11011 http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434 95 icmp-netmask(306) icmp-timestamp(322) Baker, Frech, Meunier Northcutt XF:icmp-timestamp XF:icmp-netmask If this is not merged with 1999-0523 as I commented for that CVE, then the description should be changed to "ICMP messages of types 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request and reply) are acted upon without any access control". It's a more precise and correct language. I believe that this is a valid CVE entry (it's a common source of vulnerabilities or exposures) even though I see that the inferred action was "reject". Knowing the time of a host also allows attacks against random number generators that are seeded with the current time. I want to push to have it accepted. I agree with the description changes suggested by Pascal Candidate Proposed IP traceroute is allowed from arbitrary hosts. Frech Baker Northcutt XF:traceroute Entry An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server. xcheck-keystroke VU#704969 Candidate Proposed The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten. Baker, Northcutt, Wall Frech That that starts to get specific :) ftp-writable-directory(6253) ftp-write(53) "writeable" in the description should be "writable." Candidate Proposed A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of. Baker, Meunier, Northcutt Frech possibly XF:nisd-dns-fwd-check [Frech changed vote from REVIEWING to MODIFY] XF:firewall-external-packet-forwarding(8372) Candidate Proposed A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc. Frech Baker, Meunier Northcutt I have seen ISPs "assign" private addresses within their domain A border router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc, outside of their area of validity. [Frech changed vote from REVIEWING to ACCEPT] I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network. Candidate Proposed A system is operating in "promiscuous" mode which allows it to perform packet sniffing. Baker, Northcutt Frech Shostack XF:etherstatd(264) XF:sniffer-attack(778) XF:decod-packet-capture-remote(1072) XF:netmon-running(1448) XF:netxray3-probe(1450) XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974) Does pose a problem in non-switched environments Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO." Frech Christey Shostack Northcutt I think expn != vrfy, help, esmtp. XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and CVE-2000-1046) XF:smtp-expn(128) XF:smtp-vrfy(130) XF:smtp-helo-bo(886) XF:smtp-vrfy-bo(887) XF:smtp-expn-bo(888) XF:slmail-vrfyexpn-overflow(1721) XF:smtp-ehlo(323) Perhaps add RCPT? If so, add XF:smtp-rcpt(1928) XF:smtp-vrfy(130) ? Candidate Proposed A DNS server allows zone transfers. Frech Baker Northcutt (With split DNS implementations this is quite appropriate) XF:dns-zonexfer Candidate Proposed A DNS server allows inverse queries. Frech Baker Northcutt (rule of thumb) XF:dns-iquery Candidate Proposed A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input. Baker, Christey, Ozancin, Shostack, Wall Frech, Northcutt If we are going to write a laundry list put access to the scheduler in it. The list of privileges is very useful for lookup. XF:nt-create-token XF:nt-replace-token XF:nt-lock-memory XF:nt-increase-quota XF:nt-unsol-input XF:nt-act-system XF:nt-create-object XF:nt-sec-audit XF:nt-add-workstation XF:nt-manage-log XF:nt-take-owner XF:nt-load-driver XF:nt-profile-system XF:nt-system-time XF:nt-single-process XF:nt-increase-priority XF:nt-create-pagefile XF:nt-backup XF:nt-restore XF:nt-debug XF:nt-system-env XF:nt-remote-shutdown Candidate Proposed A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness. Shostack, Wall Baker, Frech Northcutt, Ozancin inappropriate implies there is appropriate. As a guy who has been monitoring networks for years I have deep reservations about justiying the existance of any fixed cleartext password. For appropriate to exist, some "we" would have to establish some criteria for appropriate passwords. Perhaps this could be re-worded a bit. The CVE CVE-1999-00582 specifies "...settings for lockouts". To remain consistent with the other, maybe it should specify "...settings for passwords" I think most people would agree that passwords should be at least 8 characters; contain letters (upper and lowercase), numbers and at least one non-alphanumeric; should only be good a limited time 30-90 days; and should not contain character combinations from user's prior 2 or 3 passwords. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for passwords, e.g. passwords of sufficient length, periodic required password changes, or new password uniqueness What is appropriate? XF:nt-autologonpwd XF:nt-pwlen XF:nt-maxage XF:nt-minage XF:nt-pw-history XF:nt-user-pwnoexpire XF:nt-unknown-pwdfilter XF:nt-pwd-never-expire XF:nt-pwd-nochange XF:nt-pwdcache-enable XF:nt-guest-change-passwords Candidate Proposed A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc. Wall Baker Frech LeBlanc Good candidate for dot notation. XF:nav-java-enabled XF:nav-javascript-enabled XF:ie-active-content XF:ie-active-download XF:ie-active-scripting XF:ie-activex-execution XF:ie-java-enabled XF:netscape-javascript XF:netscape-java XF:zone-active-scripting XF:zone-activex-execution XF:zone-desktop-install XF:zone-low-channel XF:zone-file-download XF:zone-file-launch XF:zone-java-scripting XF:zone-low-java XF:zone-safe-scripting XF:zone-unsafe-scripting Not a vulnerability. These are just checks for configuration settings that a user might have changed. I understand need to increase number of checks in a scanning product, but don't feel like these belong in CVE. Scanner vendors could argue that these entries are needed to keep a common language. Not sure about whether we should bother to include this type issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability. Candidate Proposed A trust relationship exists between two Unix hosts. Frech Baker Northcutt, Shostack Too non specific XF:trusted-host(341) XF:trust-remote-same(717) XF:trust-remote-root(718) XF:trust-remote-nonroot(719) XF:trust-remote-any(720) XF:trust-other-host(723) XF:trust-all-nonroot(726) XF:trust-any-remote(727) XF:trust-local-acct(728) XF:trust-local-any(729) XF:trust-local-nonroot(730) XF:trust-all-hosts(731) XF:nt-trusted-domain(1284) XF:rsagent-trusted-domainadded(1588) XF:trust-remote-user(2955) XF:user-trust-hosts(3074) XF:user-trust-other-host(3077) XF:user-trust-remote-account(3079) Candidate Proposed A password for accessing a WWW URL is guessable. Baker, Meunier, Northcutt, Shostack Frech XF:http-password Candidate Proposed The Windows NT guest account is enabled. Baker, Northcutt, Ozancin, Shostack, Wall Frech XF:nt-guest-account Candidate Proposed An SSH server allows authentication through the .rhosts file. Baker, Shostack Frech Northcutt XF:sshd-rhosts(315) Candidate Proposed A superfluous NFS server is running, but it is not importing or exporting any file systems. Shostack Baker Northcutt Candidate Proposed Windows NT automatically logs in an administrator upon rebooting. Hill Blake, Frech, Ozancin Wall Baker Don't know what this is. Don't think it is a vulnerability and would initially reject. This is different than just renaming the administrator account. Would appreciate more information on this one, as in a reference. Reference: XF:nt-autologin Needs more detail I tried to find the XF:nt-autologin reference, and got no matching records from their search engine. No refs, no details, should reject [Frech changed vote from REVIEWING to MODIFY] XF:nt-autologon(5) Candidate Proposed A router's routing tables can be obtained from arbitrary hosts. Baker Frech Northcutt Don't you mean obtained by arbitrary hosts XF:routed XF:decod-rip-entry XF:rip Concur with this as a security issue Entry HP OpenMail can be misconfigured to allow users to run arbitrary commands using malicious print requests. HPSBUX9804-078 hp-openmail Candidate Proposed NFS exports system-critical data to the world, e.g. / or a password file. Northcutt, Wall Baker Christey A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question. Candidate Proposed A Unix account with a name other than "root" has UID 0, i.e. root privileges. Baker Northcutt, Shostack This is very bogus Candidate Proposed Two or more Unix accounts have the same UID. Baker, Christey Northcutt, Shostack XF:duplicate-uid(876) Add terms "duplicate" and "user ID" to facilitate search. ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist Candidate Proposed A system-critical Unix file or directory has inappropriate permissions. Baker, Wall Northcutt, Shostack Writable other than by root/bin/wheelgroup? Candidate Proposed A system-critical Windows NT file or directory has inappropriate permissions. Baker, Wall Northcutt I think we should specify these Candidate Proposed IIS has the #exec function enabled for Server Side Include (SSI) files. Baker, Northcutt Shostack LeBlanc Does not meet definition of a vulnerability. This function is just enabled. You can turn it off if you want. if you trust the people putting up your web pages, this isn't a problem. If you don't, this is just one of many things you need to change. Candidate Modified The registry in Windows NT can be accessed remotely by users who are not administrators. oval:org.mitre.oval:def:1023 Baker, Ozancin, Shostack, Wall Frech Northcutt This isn't all or nothing, users may be allowed to access part of the registry. XF:nt-winreg-all XF:nt-winreg-net Candidate Proposed An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled. Baker, Shostack Northcutt Candidate Proposed A Sendmail alias allows input to be piped to a program. Northcutt Baker Shostack Christey Is this a default alias? Is my .procmailrc an instance of this? It is not entirely clear whether the simple fact that an alias pipes into a program should be considered a vulnerability. It all depends on the behavior of that particular program. This is one of a number of configuration-related issues from the "draft" CVE that came from vulnerability scanners. In general, when we get to general configuration and "policy," it becomes more difficult to use the current CVE model to represent them. So at the very least, this candidate (and similar ones) should be given close consideration and discussion before being added to the official CVE list. Because this candidate is related to general configuration issues, and we have not completely determined how to handle such issues in CVE, this candidate cannot be promoted to an official CVE entry until such issues are resolved. Entry An attacker can write to syslog files from any location, causing a denial of service by filling up the logs, and hiding activities. ibm-syslogd syslog-flood Candidate Proposed rpc.admind in Solaris is not running in a secure mode. Northcutt Baker, Christey Dik, Shostack are there secure modes? Several: 1) there is no "rpc.admind" daemon. there used to be a "admind" RPC daemon (100087/10) and there's now an "sadmind" daemon (100232/10) The switch over was somewhere around Solaris 2.4. 2) Neither defaults to "secure mode" 3) secure mode is "using secure RPC" which does proper over the wire authentication by specifying the "-S 2" option in inetd.conf (security level 2) XF:rpc-admind(626) http://xforce.iss.net/static/626.php MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html Candidate Modified A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file. Wall Baker, Christey Northcutt I do this intentionally somethings in high content directories XF:http-noindex(90) ? Candidate Proposed Windows NT is not using a password filter utility, e.g. PASSFILT.DLL. Northcutt Frech Baker, Christey Wall Here we are crossing into the best practices arena again. However since passfilt does establish a measurable standard and since we aren't the ones defining the stanard, simply saying it should be employed I will vote for this. XF:nt-passfilt-not-inst(1308) XF:nt-passfilt-not-found(1309) Consider MSKB:Q161990 and MSKB:Q151082 Candidate Modified A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts. Feb5,1999 Baker Frech Christey, Northcutt [Frech changed vote from REVIEWING to MODIFY] XF:ascend-config-kill(889) XF:cisco-ios-crash(1238) XF:webramp-remote-access(1670) XF:ascom-timeplex-debug(1824) XF:netopia-unpassworded(1850) XF:cisco-web-crash(1886) XF:cisco-router-commands(1951) XF:motorola-cable-default-pass(2002) XF:default-flowpoint(2091) XF:netgear-router-idle-dos(4003) XF:cisco-cbos-telnet(4251) XF:routermate-snmp-community(4290) XF:cayman-router-dos(4479) XF:wavelink-authentication(5185) XF:ciscosecure-ldap-bypass-authentication(5274) XF:foundry-firmware-telnet-dos(5514) XF:netopia-view-system-log(5536) XF:cisco-webadmin-remote-dos(5595) XF:cisco-cbos-web-access(5626) XF:netopia-telnet-dos(6001) XF:cisco-sn-gain-access(6827) XF:cayman-dsl-insecure-permissions(6841) XF:linksys-etherfast-reveal-passwords(6949) XF:zyxel-router-default-password(6968) XF:cisco-cbos-web-config(7027) XF:prestige-wan-bypass-filter(7146) I changed the description to make it more explicit that this candidate is about router configuration, as opposed to vulnerabilities that accidentally make a configuration service accessible to anyone. Candidate Modified .reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks. Baker, Ozancin, Shostack, Wall Frech Christey, Northcutt I don't quite get what this means, sorry XF:nt-regfile(178) MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html Candidate Proposed A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking. Christey, Ozancin, Shostack, Wall Frech Baker, Northcutt It isn't a great truth that you should enable all or the above, if you do you potentially introduce a vulnerbility of filling up the file system with stuff you will never look at. It is far less interesting what a user does successfully that what they attempt and fail at. The list of event types is very useful for lookup. XF:nt-system-audit XF:nt-logon-audit XF:nt-object-audit XF:nt-privil-audit XF:nt-process-audit XF:nt-policy-audit XF:nt-account-audit [Baker changed vote from REVIEWING to RECAST] Candidate Proposed A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories. Baker, Shostack, Wall Frech, Ozancin Northcutt 1.) Too general are we ready to state what the security-critical files and directories are 2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability Some files and directories are clearly understood to be critical. Others are unclear. We need to clarify that critical is. XF:nt-object-audit Candidate Proposed A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories. Shostack, Wall Baker, Frech, Ozancin Northcutt It is far less interesting what a user does successfully that what they attempt and fail at. Perhaps only failure should be logged. XF:nt-object-audit [Baker changed vote from REVIEWING to MODIFY] Failure on non-critical files is what should be monitored. Candidate Proposed A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys. Baker, Ozancin, Shostack, Wall Frech Northcutt with reservation Again what is defined as critical [Frech changed vote from REVIEWING to MODIFY] XF:nt-object-audit(228) Candidate Proposed A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys. Baker, Shostack, Wall Frech, Ozancin Northcutt Again only failure may be of interest. It would be impractical to wad through the incredibly large amount of logging that this would generate. It could overwhelm log entries that you might find interesting. [Frech changed vote from REVIEWING to MODIFY] XF:nt-object-audit(228) Candidate Proposed The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions. Wall Baker Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. This is way vague... Candidate Proposed The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions. Wall Baker Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. way too vague Candidate Proposed A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc. Ozancin, Shostack, Wall Baker, Frech Northcutt The definition is? Maybe a rewording of this one too. I think most people would agree on some "minimum" policies like 3-5 bad attempts lockout for an hour or until the administrator unlocks the account. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for lockouts, e.g. lockout duration, lockout after bad logon attempts, etc. with reservations What is appropriate? XF:nt-thres-lockout XF:nt-lock-duration XF:nt-lock-window XF:nt-perm-lockout XF:lockout-disabled Candidate Proposed There is a one-way or two-way trust relationship between Windows NT domains. Baker, Christey Northcutt, Shostack XF:nt-trusted-domain(1284) Candidate Proposed A Windows NT file system is not NTFS. Northcutt, Wall Frech Baker, Christey NTFS partition provides the security. This could be re-worded to "A Windows NT file system is FAT" since it is either NTFS or FAT and FAT is less secure. XF:nt-filesys(195) MSKB:Q214579 MSKB:Q214579 http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP Candidate Proposed A Windows NT administrator account has the default name of Administrator. Ozancin Frech Baker, Northcutt, Shostack Wall Some sources say this is not a vulnerability, but a warning. It just slows down the search for the admin account (SID = 500) which can always be found. I change this on all NT systems I am responsible for, but is root a vulnerability? There are ways to identify the administrator account anyway, so this is only a minor delay to someone that is knowledgeable. This, in and of itself, doesn't really strike me as a vulnerability, anymore than the root account on a Unix box. (there is no way to hide the account name today) XF:nt-adminexists Candidate Proposed A network service is running on a nonstandard port. Baker Shostack Northcutt Might be acceptable if clearer; is that a standard service on a non-standard port, or any service on an unassigned port? It might actually be an enhancement rather than a problem to run a service on a non-standard port Candidate Proposed A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data. Wall Baker Northcutt While I would accept this for Unix, I am not sure this applies to NT, VMS, palm pilots, or commodore 64 Candidate Proposed A filter in a router or firewall allows unusual fragmented packets. Baker, Frech Northcutt I want to vote to accept this one, but unusual is a shade broad. XF:nt-rras XF:cisco-fragmented-attacks XF:ip-frag Perhaps we should use the word abnormally fragmented or some other descriptor. Candidate Proposed A system-critical Windows NT registry key has inappropriate permissions. Wall Baker Christey, Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem. Candidate Proposed A system does not present an appropriate legal message or warning to a user who is accessing it. Baker, Northcutt Christey Shostack ADDREF CIAC:J-043 URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml Also add "banner" to the description to facilitate search. Should be in place where ever it is possible Candidate Proposed An event log in Windows NT has inappropriate access permissions. Baker, Wall Northcutt splain Lucy, splain Candidate Proposed The Logon box of a Windows NT system displays the name of the last user who logged in. Frech Baker, Christey Northcutt, Wall Information gathering, not vulnerability Ah a C2 weenie must have snuck this in, this can be a good thing not just vulnerability XF:nt-display-last-username(1353) Use it if you will. :-) If not, let us know so I can remove the CAN reference from our database. MSKB:Q114463 http://support.microsoft.com/support/kb/articles/q114/4/63.asp Candidate Modified The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in. http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true http://technet.microsoft.com/en-us/library/cc722469.aspx 59333 nt-shutdown-without-logon(1291) Wall Frech Baker Northcutt Still a denial of service. May well be appropriate XF:nt-shutdown-without-logon(1291) Candidate Proposed A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive. Wall Frech Baker, Christey Northcutt Perhaps it can be re-worded to "removable media drives such as a floppy disk drive or CDROM drive can be accessed (shared) in a Windows NT system." - what good is my NT w/o its floppy XF:nt-allocate-cdroms(1294) XF:nt-allocate-floppy(1318) MSKB:Q172520 URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp Candidate Proposed A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded. Q182086 Baker, Wall Frech Northcutt XF:nt-clearpage(216) XF:reg-pagefile-clearing(2551) Candidate Proposed A Windows NT log file has an inappropriate maximum size or retention period. Frech Baker Northcutt, Wall define appropriate XF:reg-app-log-small(2521) XF:reg-sec-log-maxsize(2577) XF:reg-sys-log-small(2586) Candidate Proposed A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire. Northcutt Frech Baker Wall XF:nt-forced-logoff(1343) Candidate Proposed A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection. Armstrong, Baker, Northcutt Frech Christey Waiting for CIEL. This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Candidate Proposed A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers. Baker, Northcutt Frech Christey Waiting for CIEL. This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Candidate Proposed A network intrusion detection system (IDS) does not verify the checksum on a packet. Baker, Northcutt Frech Christey Waiting for CIEL. This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Candidate Proposed A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets. Baker, Northcutt Frech Christey Waiting for Godot, er, CIEL. This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Candidate Proposed A network intrusion detection system (IDS) does not properly reassemble fragmented packets. Baker, Northcutt Frech Christey Waiting for CIEL. This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Candidate Proposed In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc. Frech Baker Northcutt, Wall XF:nt-system-operator XF:nt-admin-group XF:nt-replicator XF:nt-print-operator XF:nt-power-user XF:nt-guest-in-group XF:nt-backup-operator XF:nt-domain-admin XF:nt-domain-guest XF:win2k-acct-oper-grp XF:win2k-admin-grp XF:win2k-backup-oper-grp XF:win2k-certpublishers-grp XF:win2k-dhcp-admin-grp XF:win2k-dnsadm-grp XF:win2k-domainadm-grp XF:win2k-entadm-grp XF:win2k-printoper-grp XF:win2k-replicator-grp XF:win2k-schemaadm-grp XF:win2k-serveroper-grp You asked for it... :-) Use or reject at your discretion. If rejected, please let us know so we can remove CAN references from database. Candidate Proposed An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data Baker Frech Northcutt, Wall XF:webstore-misconfig(3861) Candidate Proposed An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information. 19990420 Shopping Carts exposing CC data Baker Frech Christey, Northcutt, Wall XF:orderform-misconfig(3860) BID:2021 Mention affected files: order_log_v12.dat and order_log.dat fix version number (1.2) Candidate Proposed An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data Baker Frech Christey, Northcutt, Wall XF:ezmall2000-misconfig(3859) Add mall_log_files/order.log to desc Candidate Modified quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges. 19990420 Shopping Carts exposing CC data Baker Frech Christey, Northcutt, Wall XF:quikstore-misconfig(3858) http://www.quikstore.com/help/pages/Security/security.htm says: "It is IMPORTANT that during the setup of the QuikStore program, you check to make sure that the cgi-bin or executable program directory of your web site not be viewable from the outside world. You don't want the users to have access to your programs or log files that could be stored there! ... If you can view or download these files from the browser, someone else can too" So is this a configuration problem? See the configuration file at http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm The [DIRECTORY_PATHS] section identifies pathnames and describes how pathnames are constructed. It clearly uses relative pathnames, so all data is underneath the base directory!! If we call this a configuration problem, then maybe this (and all other "CGI-data-in-web-tree" configuration problems) should be combined. Consider adding BID:1983 Entry An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information. 19990420 Shopping Carts exposing CC data http://www.pdgsoft.com/Security/security.html. pdgsoftcart-misconfig(3857) Candidate Proposed An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information. 19990420 Shopping Carts exposing CC data Baker Frech Christey, Northcutt, Wall XF:softcart-misconfig(3856) Consider adding BID:2055 Candidate Proposed An incorrect configuration of the Webcart CGI program could disclose private information. 19990420 Shopping Carts exposing CC data Baker Frech Northcutt, Wall Cite reference as: BUGTRAQ:19990424 Re: Shopping Carts exposing CC data URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist% 3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk [Frech changed vote from REVIEWING to MODIFY] XF:webcart-data-exposure(8374) Candidate Proposed A system-critical Windows NT registry key has an inappropriate value. Wall Baker Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. too vague Entry A version of finger is running that exposes valid user information to any entity on the network. finger-out finger-running Candidate Proposed The rpc.sprayd service is running. Baker, Ozancin Frech Wall Northcutt XF:sprayd Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FTP service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SNMP service is running." Baker, Prosser, Wall Christey Northcutt Although newer versions on snmp are not as vulnerable as prior versions, this can still be a significant risk of exploitation, as seen in recent attacks on snmp services via automated worms XF:snmp(132) ? This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP lock it down as tight as you can, if you don't need it, don't run it. Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The TFTP service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SMTP service is running." Baker, Wall Northcutt Candidate Modified The rexec service is running. rexec Baker, Northcutt, Ozancin, Wall Frech XF:decod-rexec XF:rexec Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The Telnet service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NIS is running." Baker, Wall Christey Northcutt XF:ypserv(261) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to NETBIOS is running." oval:org.mitre.oval:def:1024 Baker, Wall Frech LeBlanc, Northcutt There is insufficient description to even know what this is. Lots of component services related to NetBIOS run, and usually do not constitute a problem. associated to: XF:nt-alerter(29) XF:nt-messenger(69) XF:reg-ras-gateway-enabled(2567) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A component service related to DNS service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X Windows service is running." Baker, Wall Christey Northcutt Add "X11" to facilitate search. Candidate Interim The rstat/rstatd service is running. rstat-out rstatd Baker, Northcutt, Ozancin Frech Meunier, Wall XF:rstat-out XF:rstatd Candidate Proposed The rpc.rquotad service is running. Baker, Northcutt, Ozancin Frech Wall XF:rquotad Entry A version of rusers is running that exposes valid user information to any entity on the network. rusersd ruser Entry The rexd service is running, which uses weak authentication that can allow an attacker to execute commands. rexd Entry The rwho/rwhod service is running, which exposes machine status and user information. rwhod Candidate Proposed The ident/identd service is running. Baker, Ozancin Frech Christey, Wall Northcutt possibly XF:identd? XF:ident-users(318) ? [Frech changed vote from REVIEWING to MODIFY] XF:identd-vuln(61) XF:ident-users(318) Candidate Proposed The NT Alerter and Messenger services are running. Baker, Wall Christey Northcutt http://support.microsoft.com/support/kb/articles/q189/2/71.asp Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NFS service is running." Baker, Wall Christey Northcutt XF:nfs-nfsd(76) ? Add rpc.mountd/mountd to facilitate search. Candidate Proposed The RPC portmapper service is running. Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The HTTP/WWW service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The SSH service is running." Baker, Wall Northcutt Candidate Modified The echo service is running. 20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services 18514 Baker, Northcutt, Wall Christey The method to my madness is echo is the common denom in the dos attack How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed. Candidate Proposed The discard service is running. Baker Wall Northcutt Candidate Proposed The systat service is running. Baker, Wall Northcutt Candidate Proposed The daytime service is running. Baker Wall Northcutt Candidate Proposed The chargen service is running. Baker, Wall Northcutt Christey How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed. Candidate Proposed The Gopher service is running. Baker, Wall Northcutt Candidate Proposed The UUCP service is running. Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A POP service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IMAP service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The NNTP news service is running." Baker, Wall Christey Northcutt XF:nntp-post(88) ? Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The IRC service is running." Baker, Wall Christey Northcutt XF:irc-server(767) ? Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The LDAP service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The bootparam (bootparamd) service is running." Baker, Ozancin Frech Wall Northcutt XF:bootp Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The X25 service is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "The FSP service is running." Baker Wall Northcutt Candidate Modified The netstat service is running, which provides sensitive information to remote attackers. netstat(72) Baker, Wall Northcutt Candidate Proposed The rsh/rlogin service is running. Baker, Wall Frech Christey Northcutt aka "shell" on UNIX systems (at least Solaris) in the /etc/inetd.conf file. associated to: XF:nt-rlogin(92) XF:rsh-svc(114) XF:rshd(2995) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A database service is running, e.g. a SQL server, Oracle, or mySQL." Baker Frech Wall Northcutt XF:nt-sql-server(1289) XF:msql-detect(2211) XF:oracle-detect(2388) XF:sybase-detect-namedpipes(1461) Candidate Proposed A component service related to NIS+ is running. Baker, Wall Northcutt Candidate Proposed The OS/2 or POSIX subsystem in NT is enabled. Wall Frech Baker, Christey Northcutt These subsystems could still allow a process to persist across logins. XF:nt-posix(217) XF:nt-posix-sub-c2(2397) XF:nt-posix-sub-onceonly(2478) XF:nt-os2-sub(218) XF:nt-os2-sub-c2(2396) XF:nt-os2-sub-onceonly(2477) XF:nt-os2-registry(2550) s2-file-os2(1865) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. Notes: the former description is: "A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities." Baker, Frech, Northcutt, Ozancin, Wall [Frech changed vote from REVIEWING to ACCEPT] Candidate Modified The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names. http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638 linux-ugidd(348) Baker Wall Northcutt Candidate Proposed WinGate is being used. Baker Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "DCOM is running." Baker, Wall Northcutt Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities, so it is more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present." Baker, Northcutt, Wall Don't consider this a service or a problem. concur with wall on this Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is not about any specific product, protocol, or design, so it is out of scope of CVE. It might be more appropriate to cover under the Common Configuration Enumeration (CCE). Notes: the former description is: "A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc." Baker, Hill, Northcutt, Wall Christey Add "back door" to description. Candidate Modified A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6. CA-1994-07 CA-1994-14 CA-1999-01 CA-1999-02 CA-2002-28 20020801 trojan horse in recent openssh (version 3.4 portable 1) 20020801 OpenSSH Security Advisory: Trojaned Distribution Files 20021009 Re: CERT Advisory CA-2002-28 Trojan Horse Sendmail 5921 sendmail-backdoor(10313) Baker, Hill, Northcutt, Wall Christey Should add the specific CERT advisory references for well-known Trojaned software. CERT:CA-1999-01 CERT:CA-1999-02 includes util-linux wuarchive - CERT:CA-94.07 IRC client - CERT:CA-1994-14 BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1) Modify description to use dot notation. CERT:CA-2002-24 URL:http://www.cert.org/advisories/CA-2002-24.html XF:openssh-backdoor(9763) URL:http://www.iss.net/security_center/static/9763.php BID:5374 URL:http://www.securityfocus.com/bid/5374 [Christey changed vote from NOOP to REVIEWING] Add libpcap and tcpdump: BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2 CERT:CA-2002-30 URL:http://www.cert.org/advisories/CA-2002-30.html This CAN has been active for over 4 years. At this moment, my thinking is that we should SPLIT this CAN into each separate trojaned product, then create some criteria that restrict creation of new CANs to "widespread" or "important" products only. Candidate Proposed A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete. Baker, Hill, Northcutt, Wall Candidate Proposed A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified. Baker, Hill, Wall Northcutt This needs to be worded carefully. 1. Rootkits evade checksum detection. 2. The modification could be positive (a patch) Candidate Proposed An application-critical Windows NT registry key has inappropriate permissions. Wall Baker Christey, Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem. Candidate Proposed An application-critical Windows NT registry key has an inappropriate value. Wall Baker Northcutt I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. very vague Candidate Proposed The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. Blake, Cole Stracener Baker, Christey Frech Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp: CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries. Will reconsider if reference provides enough information to render a distinction. This particular vulnerability was exploited by an attacker during the ID'Net IDS test network exercise at the SANS Network Security '99 conference. The attacker adapted a publicly available program that was able to spoof another machine on the same physical network. See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 for the Bugtraq reference that Tom Stracener suggested. This generated a long thread on Bugtraq in 1997. I'll second Tom's request to add the reference, it's a very posting good and the vulnerability is clearly derivative of the work. (I do recall talking to the guy and drafting a description.) Entry The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. 19990821 IE 5.0 allows executing programs MS99-032 J-064 598 ms-scriptlet-eyedog-unsafe Q240308 Candidate Interim The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy. MS99-032 J-064 ms-scriptlet-eyedog-unsafe Q240308 Baker, Cole, Ozancin, Prosser, Wall Frech, Stracener Christey XF:ms-scriptlet-eyedog-unsafe Add Ref: MSKB Q240308 Should CVE-1999-0669 and 668 be merged? If not, then this is a reason for not merging CVE-1999-0988 and CVE-1999-0828. Candidate Proposed Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands. MS99-032 J-064 Ozancin, Prosser, Wall Frech, Stracener Baker, Cole XF:ie-eyedog-bo Based on the references and information listed this is the same as CVE-1999-0669 Add Ref: MSKB Q240308 Duplicate Entry Buffer overflow in ToxSoft NextFTP client through CWD command. 572 toxsoft-nextftp-cwd-bo Entry Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. fujitsu-topic-bo 573 Candidate Proposed Buffer overflow in ALMail32 POP3 client via From: or To: headers. 574 Baker, Blake, Cole, Collins, Levy, Wall Frech, Stracener Armstrong, Landfield, Oliver Ozancin AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037 XF:almail-bo [Cole changed vote from NOOP to ACCEPT] Entry The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. 1999-011 Aug 9,1999 FreeBSD-SA-99:02 19990809 profil(2) bug, a simple test program 570 J-067 netbsd-profil Entry Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host. 19990809 FW1 UDP Port 0 DoS 576 checkpoint-port 1038 Entry sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack. 19990808 sdtcm_convert sun-sdtcm-convert 575 Candidate Modified The WebRamp web administration utility has a default password. 19990802 [LoWNOISE] Password hunting with webramp 577 Baker, Blake, Stracener Cole, Frech Armstrong, Christey I would add that is is not forced to be changed. XF:webramp-default-password This problem may have been detected in January 1999: BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2 Entry A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. apache-debian-usrdoc 19990405 An issue with Apache on Debian 318 Entry Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows remote attackers to execute commands via m_invite invite option. 19990813 w00w00's efnet ircd advisory (exploit included) http://www.efnet.org/archive/servers/hybrid/ChangeLog 581 hybrid-ircd-minvite-bo Entry Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service. MS99-028 Q238600 J-057 571 nt-terminal-dos Entry Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.926 on Windows 95, and possibly other versions, allows remote attackers to cause a denial of service via a long URL. 19990807 Crash FrontPage Remotely... frontpage-pws-dos 568 Entry Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled. MS99-027 Q237927 567 J-056 exchange-relay Entry Denial of service in Gauntlet Firewall via a malformed ICMP packet. gauntlet-dos 19990729 Remotely Lock Up Gauntlet 5.0 556 1029 Candidate Proposed Denial of service in Sendmail 8.8.6 in HPUX. HPSBUX9904-097 Blake, Cole Frech, Prosser, Stracener Baker Christey Add Ref: CIAC: J-040 Might change description to indicate DoS caused by multiple connections Andre's right. This is a duplicate of CVE-1999-0684. Without further information and/or references, this issue looks like an ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. (was REJECT) XF:hp-sendmail-connect-dos Entry Buffer overflow in Netscape Communicator via EMBED tags in the pluginspage option. 19991209 Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow 618 Entry Denial of service in Netscape Enterprise Server (NES) in HP Virtual Vault (VVOS) via a long URL. 19990514 TGAD DoS 19990610 Re: VVOS/Netscape Bug HPSBUX9906-098 J-046 hp-tgad-dos Entry The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands. 19990913 Vulnerability in ttsession 00192 HPSBUX9909-103 SSRT0617U_TTSESSION K-001 CA-99-11 637 cde-ttsession-rpc-auth Entry Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. HPSBUX9907-101 545 hp-sd-bo Entry The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. 19990913 Vulnerability in dtspcd 00192 HPSBUX9909-103 CA-99-11 oval:org.mitre.oval:def:1880 cde-dtspcd-file-auth 636 Entry HP CDE program includes the current directory in root's PATH variable. HPSBUX9907-100 J-053 hp-cde-directory Entry Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. 19990913 Vulnerability in dtaction 00192 HPSBUX9909-103 SSRTO615U_DTACTION CA-99-11 635 oval:org.mitre.oval:def:3078 cde-dtaction-username-bo Entry The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges. CA-99-09 J-052 19990701-01-P sgi-arrayd Entry Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. CA-99-11 00192 HPSBUX9909-103 641 oval:org.mitre.oval:def:4374 cde-dtsession-env-bo Entry Denial of service in AIX ptrace system call allows local users to crash the system. J-055 ERS-SVA-E01-1999:002.1 aix-ptrace-halt Entry The Sybase PowerDynamo personal web server allows attackers to read arbitrary files through a .. (dot dot) attack. 19990904 [Sybase] software vendors do not think about old bugs http-powerdynamo-dotdotslash 620 1064 Entry Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). 19990709 Exploit of rpc.cmsd SB-99.12 00188 4230754 HPSBUX9908-102 SSRT0614U_RPC_CMSD CA-99-08 J-051 sun-cmsd-bo Entry SCO Doctor allows local users to gain root privileges through a Tools option. 19990908 SCO 5.0.5 /bin/doctor nightmare 621 sco-doctor-execute Candidate Proposed Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux. Armstrong, Baker, Blake, Cole, Collins, Ozancin Frech Landfield, Levy, Stracener, Wall Christey Is the candidate referring to the denial of service problem mentioned in the changelogs for versions previous to 1.4.3-1 or does it pertain to some problem with or 1.4.8-1? Depending on the version, this could be any number of DoSes related to ippl. From http://www.larve.net/ippl/: 9 April 1999: version 1.4.3 released, correctly fixing a potential denial of service attack. 7 April 1999: version 1.4.2 released, fixing a potential denial of service attack. XF:linux-ippl-dos Changelog: http://pltplp.net/ippl/docs/HISTORY See comments for version 1.4.2 and 1.4.3 Another source: http://freshmeat.net/news/1999/04/08/923586598.html [Stracener changed vote from REVIEWING to NOOP] [Christey changed vote from NOOP to REJECT] As mentioned by others, this could apply to several different versions. Since the description is too vague, this CAN should be REJECTED and recast into other candidates. Entry The Bluestone Sapphire web server allows session hijacking via easily guessable session IDs. 19990908 [Security] Spoofed Id in Bluestone Sapphire/Web 623 Entry Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file. Q237185 MS99-026 nt-malformed-dialer Entry After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password. MS99-036 Q173039 626 nt-install-unattend-file Entry Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. 19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs MS99-037 Q241361 ie5-import-export-favorites 627 Entry OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. 19990805 4.4 BSD issue -- chflags Jul30,1999 FreeBSD-SA-99:01 J-066 openbsd-chflags-fchflags-permitted Entry Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others. RHSA-1999:032-01 CSSA-1999:024.0 SA-99:06 19991018 614 CA-99-12 amd-bo Entry Buffer overflow in INN inews program. inn-inews-bo RHSA1999033_01 CSSA-1999-026 19990831 Security hole in INN 19990907 616 Entry Linux xmonisdn package allows local users to gain root privileges by modifying the IFS or PATH environmental variables. 19990807 19990817 Security hole in i4l (xmonisdn) 583 Entry The default FTP configuration in HP Visualize Conference allows conference users to send a file to other participants without authorization. HPSBUX9906-099 J-050 493 hp-visualize-conference-ftp Entry Buffer overflow in cfingerd allows local users to gain root privileges via a long GECOS field. 19990921 BP9909-00: cfingerd local buffer overflow 651 Entry The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. 19990725 Redhat 6.0 cachemgr.cgi lameness http://www.redhat.com/support/errata/archives/rh52-errata-general.html#squid DSA-576 FEDORA-2005-373 FLSA-2006:152809 RHSA-1999:025 RHSA-2005:489 2059 http-cgi-cachemgr(2385) Entry The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allows local users to execute Tcl commands as root. 19990430 *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed 19990506 Oracle Security Followup, patch and FAQ: setuid on oratclsh oracle-oratclsh Candidate Proposed A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable. CSSA-1999:009 linux-coas Baker, Cole, Frech, Stracener Blake Armstrong Christey This obscurely-written advisory seems to state that COAS will make the file world-readable, not that it allows the user to make it so. I hardly think that allowing the user to turn off security is a vulnerability. It's difficult to write the description based on what's in the advisory. If COAS inadvertently changes permissions without user confirmation, then it should be ACCEPTed with appropriate modification to the description. ADDREF BID:137 [Armstrong changed vote from REVIEWING to NOOP] Entry The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges. 19990404 Digital Unix 4.0E /var permission J-044 cde-dtlogin SSRT0600U Entry Vulnerability in Compaq Tru64 UNIX edauth command. SSRT0588U du-edauth Entry Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry. 19990519 Buffer Overruns in RAS allows execution of arbitary code as system MS99-016 Q230677 nt-ras-bo Entry Buffer overflow in Windows NT 4.0 help file utility via a malformed help file. nt-helpfile-bo Q231605 MS99-015 Entry A remote attacker can disable the virus warning mechanism in Microsoft Excel 97. MS99-014 Q231304 excel-virus-warning Entry IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key. 19990823 IBM Gina security warning 608 ibm-gina-group-add Entry The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code. 19990802 Gnumeric potential security hole. RHSA-1999:023-01 gnu-guile-plugin-export 563 Entry The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users. 19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x 597 linux-pt-chown Entry Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request. Phantom Technical Advisory Q231457 MS99-020 J-049 msrpc-lsa-lookupnames-dos Entry The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages. CA-99-10 558 cobalt-raq2-default-config Entry The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input. 19990411 Death by MessageBox MS99-021 Q233323 J-049 478 nt-csrss-dos Entry Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. Aug12,1999 openbsd-uio_offset-bo 6128 Entry When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page". Q233335 MS99-022 477 iis-double-byte-code-page(2302) Entry An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header. MS99-023 Q234557 499 nt-malformed-image-header Entry A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. 19990608 Packets that should have been handled by IPsec may be transmitted as cleartext openbsd-ipsec-cleartext 6127 Entry A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them. MS99-024 Q236359 nt-ioctl-dos Entry Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to conduct a denial of service through the ldap_search request. 19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6 J-061 601 lotus-ldap-bo 1057 Entry The zsoelim program in the Debian man-db package allows local users to overwrite files via a symlink attack. 19990612 Entry The KDE klock program allows local users to unlock a session using malformed input. 19990623 Security flaw in klock CSSA-1999:017 19990629 Security hole in Klock 489 Entry The logging facilitity of the Debian smtp-refuser package allows local users to delete arbitrary files using symbolic links. 19990823b smtp-refuser-tmp Entry Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. 19990626 VMWare Advisory - buffer overflows 19990626 VMware Security Alert 19990705 Re: VMWare Advisory.. - exploit 490 vmware-bo Entry A default configuration of CiscoSecure Access Control Server (ACS) allows remote users to modify the server database without authentication. CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability ciscosecure-read-write Entry KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. KDE K-Mail File Creation Vulnerability CSSA-1999:016 RHSA-1999:015-01 300 Candidate Modified The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. May7,1999 MS99-013 Q232449 Q231368 oval:org.mitre.oval:def:932 Ozancin, Prosser, Stracener, Wall Cole, Frech Baker Christey XF:iis-samples-showcode There are several sample files that allow this. I would quote showcode.asp but make it more generic. (Modify) Have a question on this and on the following three candidates as well. All of these are part of the file viewers utilities that allow unauthorized files reading, but MSKB Q231368 also mentioned the diagnostics program,Winmsdp.exe, as another vulnerable viewer in this same set of viewers. If we are going to split out the seperate viewer tools then shouldn't there should be a seperate CAN for Winmsdp.exe also. Mike's question basically touches on the CD:SF-EXEC content decision - what do you do when you have the same bug in multiple executables? CD:SF-EXEC needs to be reviewed and approved by the Editorial Board before we can decide what to do with this candidate. Mark Burnett says that Microsoft's mention of winmsdp.exe in MSKB:Q231368 may be an error, and that winmsdp.exe is a Microsoft Diagnostics Report Generator which may not even be installed as part of IIS. Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html ADDREF BID:167 URL:http://www.securityfocus.com/vdb/bottom.html?vid=167 MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp directory traversal vulnerability and refers to the L0pht advisory. Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Candidate Proposed The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 Q231656 Ozancin, Prosser, Stracener, Wall Frech Baker, Christey Cole XF:iis-samples-viewcode I would combine this with the previous. (modify) See comments in 0736 above See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Candidate Proposed The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 Q232449 Q231368 Ozancin, Prosser, Stracener, Wall Frech Baker, Christey Cole XF:iis-samples-code Same as above (modify) See comments in 0736 above See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Candidate Proposed The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. MS99-013 Q232449 Q231368 Ozancin, Prosser, Stracener, Wall Frech Baker, Christey Cole XF:iis-samples-codebrws Same as above. (modify) See comments in 0736 above codebrw2.asp and Codebrw1.asp also need to be included somewhere. Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Entry Remote attackers can cause a denial of service on Linux in.telnetd telnet daemon through a malformed TERM environmental variable. 594 linux-telnetd-term CSSA-1999:022 RHSA1999029_01 Candidate Proposed QMS CrownNet Unix Utilities for 2060 allows root to log on without a password. 19990818 QMS 2060 printer security hole 593 qms-2060-no-root-password Baker, Frech, Levy, Stracener Christey, Oliver change description - anyone can log on *as* root (Note: this XF also cataloged under CVE-1999-0508.) Entry The Debian mailman package uses weak authentication, which allows attackers to gain privileges. 19990623 480 Entry Trn allows local users to overwrite other users' files via symlinks. 19990819 Insecure use of file in /tmp by trn 19990823c 19990824 Security hole in trn trn-symlinks(3144) Entry Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request. Buffer Overflow in Netscape Enterprise and FastTrack Web Servers 603 Entry Buffer overflow in Source Code Browser Program Database Name Server Daemon (pdnsd) for the IBM AIX C Set ++ compiler. ERS-SVA-E01-1999:003.1 J-059 590 aix-pdnsd-bo Entry A default configuration of in.identd in SuSE Linux waits 120 seconds between requests, allowing a remote attacker to conduct a denial of service. 19990814 DOS against SuSE's identd 19990824 Security hole in netcfg 587 suse-identd-dos Entry Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fstat call is made when the system has a high CPU load. 19990816 Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1 589 bsdi-smp-dos Candidate Proposed Buffer overflows in Red Hat net-tools package. RHSA-1999:017-01 Armstrong, Baker, Cole, Stracener Frech Blake RHSA-1999:017-01 describes "potential security problem fixed" in the absence of knowing whether or not the problems actually existed, I don't think we have an entry here. XF:redhat-net-tool-bo Entry Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument. 19990815 telnet.exe heap overflow - remotely exploitable MS99-033 win-ie5-telnet-heap-overflow 586 Candidate Proposed Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account. 19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag 630 Levy Frech, Stracener Baker Many sites are vulnerable to this problem. I recommend removing the explicit references to Hotmail and making the description more generic. Suggest: Javascript can be injected using the STYLE tag in an HTML formatted e-mail, allowing remote attackers to execute commands on user accounts. XF:hotmail-html-style-embed Entry Buffer overflow in Accept command in Netscape Enterprise Server 3.6 with the SSL Handshake Patch. 19990913 Accept overflow on Netscape Enterprise Server 3.6 SP2 631 netscape-accept-bo(3256) Entry Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake. 19990706 Netscape Enterprise Server SSL Handshake Bug Entry The w3-msql CGI script provided with Mini SQL allows remote attackers to view restricted directories. 19990817 Stupid bug in W3-msql mini-sql-w3-msql-cgi 591 Entry The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable. 19990511 INN 2.0 and higher. Root compromise potential CSSA-1999-011.0 19990518 Security hole in INN http://www.redhat.com/corp/support/errata/inn99_05_22.html 255 inn-innconf-env Entry Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option. nt-ras-pwcache Q230681 MS99-017 Entry ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the Start/Stop utility. ASB99-07 coldfusion-admin-dos(2207) Candidate Proposed The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates. ASB99-08 coldfusion-encryption Baker, Cole, Frech Christey XF:coldfusion-encryption BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles URL:http://www.securityfocus.com/archive/1/19471 ADDREF BID:275 URL:http://www.securityfocus.com/bid/275 Entry Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL. ASB99-06 netscape-space-view Entry Buffer overflow in FuseMAIL POP service via long USER and PASS commands. 19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug http://www.crosswinds.net/~fuseware/faq.html#8 634 fuseware-popmail-bo Entry Undocumented ColdFusion Markup Language (CFML) tags and functions in the ColdFusion Administrator allow users to gain additional privileges. ASB99-10 550 coldfusion-server-cfml-tags Entry Buffer overflow in FreeBSD fts library routines allows local user to modify arbitrary files via the periodic program. FreeBSD-SA-99:05 freebsd-fts-lib-bo 644 1074 Entry When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information. netscape-title 19990524 Netscape Communicator JavaScript in <TITLE> security vulnerability Entry NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. 1999-010 netbsd-arp 6540 Entry NetBSD allows ARP packets to overwrite static ARP entries. 1999-010 netbsd-arp 6539 Entry SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor. 19990619 IRIX midikeys root exploit. 19990501-01-A 262 irix-midikeys Entry The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment. MS99-031 Q240346 600 msvm-verifier-java Candidate Proposed Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable. 00189 Baker, Blake, Cole, Dik Frech, Stracener Christey, Prosser Add Ref: CIAC: J-069 XF:sun-libc-lcmessages BID 268 is an additional reference for this one as it has info on the Sun vulnerability. However, BID 268 also includes AIX in this vulnerability and refs APARS issued to fix a vulnerability in various 'nixs with the Natural Language Service environmental variables NSLPATH and PATH_LOCALE depending on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it is possible the AIX APARs fix an earlier, similar vulnerability to the Sun BO in LC_MESSAGES. This should probably be considered under a different CAN. Any ideas? Given that the buffer overflows in CVE-1999-0041 are NLSPATH and PATH_LOCALE, I'd say that's good evidence that this is not the same problem. But a buffer overflow in libc in LC_MESSAGES... We must ask if these are basically the same codebase. ADDREF CIAC:J-069 While the description indicates multiple programs, CD:SF-EXEC does not apply because the vulnerability was in libc, and rcp and ufsrestore were both statically linked against libc. Thus CD:SF-LOC applies, and a single candidate is maintained because the problem occurred in a library. Sun bug 4240566 I'm consulting with Casper Dik and Troy Bollinger to see if this should be combined with the AIX buffer overflows for LC_MESSAGES; current indications are that they should be split. For further consultation, consider this post, though it's associated with CVE-1999-0041: BUGTRAQ:19970213 Linux NLSPATH buffer overflow http://www.securityfocus.com/archive/1/6296 Also add "NLSPATH" and "PATH_LOCALE" to the description to facilitate search. Entry Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable. 602 RHSA-1999:030-02 19990829 Security hole in cron Entry Vixie Cron on Linux systems allows local users to set parameters of sendmail commands via the MAILTO environmental variable. RHSA-1999:030-02 CSSA-1999:023.0 19990829 Security hole in cron 19990830 cron 611 Entry Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. 19990729 Simple DOS attack on FW-1 549 ACK DOS ATTACK 1027 Entry The web components of Compaq Management Agents and the Compaq Survey Utility allow a remote attacker to read arbitrary files via a .. (dot dot) attack. 19990526 Infosec.19990526.compaq-im.a SSRT0612U management-agent-file-read Entry Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301. 19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post) SSRT0612U management-agent-dos Entry Buffer overflow in Solaris lpset program allows local users to gain root access. 19990511 Solaris2.6 and 2.7 lpset overflow sol-lpset-bo Entry Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via long directory names. 19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf RHSA1999037_01 19990916 Security hole in mars nwe 617 Entry Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list. 19990610 Cisco IOS Software established Access List Keyword Error cisco-gigaswitch Candidate Proposed Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack. 19990506 ".."-hole in Alibaba 2.0 http-alibaba-dotdot Frech, Levy, Ozancin, Stracener Baker Armstrong, Blake, Cole, Landfield, LeBlanc, Wall Christey This candidate is unconfirmed by the vendor. Posted by Arne Vidstrom. I'd like to change my vote on this from ACCEPT to NOOP. I did some digging and the vendor seems to have discontinued the product, so no information is available beyond Arne's post. Unless Andre has a copy in his archive and can test it, I think we have to leave it out. I agree with Blake. We have not seen the product and it has been discontinued. [Christey changed vote from NOOP to REVIEWING] If this is (or was) tested by some tool, we should ACCEPT it. http://www.securityfocus.com/bid/270 BID:270 URL:http://www.securityfocus.com/bid/270 Entry IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. MS99-039 Q241407 Q242559 iis-ftp-no-access-files 658 Entry Buffer overflow in Xi Graphics Accelerated-X server allows local users to gain root access via a long display or query parameter. 19990626 KSR[T] #011: Accelerated-X 011 488 accelx-display-bo Entry Denial of service in HP-UX SharedX recserv program. HPSBUX9810-086 hp-sharedx Entry KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-process-kill Entry KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-klock-bindir-trojans Entry KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-kppp-directory-create Entry FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. FreeBSD-SA-98:05 I-057 freebsd-nfs-link-dos 6090 Candidate Proposed Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP. 19980827 NERP DoS attack possible in Oracle 19990104 Re: Fw:"NERP" DoS attack possible in Oracle 19981228 Oracle8 TNSLSNR DoS Baker Frech Cole XF:oracle-tnslsnr-dos(1551) Entry The INN inndstart program allows local users to gain root privileges via the "pathrun" parameter in the inn.conf file. 19990511 INN 2.0 and higher. Root compromise potential 19990518 Security hole in INN inn-pathrun 254 Entry The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack. 19990922 LD_PROFILE local root exploit for solaris 2.6 659 Entry The SSH authentication agent follows symlinks via a UNIX domain socket. 19990917 A few bugs... 19990924 [Fwd: Truth about ssh 1.2.27 vulnerability] ssh-socket-auth-symlink-dos 660 Entry Arkiea nlservd allows remote attackers to conduct a denial of service. 19990924 Multiple vendor Knox Arkiea local root/remote DoS 662 arkiea-backup-nlserverd-remote-dos Entry Buffer overflow in AIX ftpd in the libc library. 19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000 ERS-SVA-E01-1999:004.1 J-072 aix-ftpd-bo 679 Entry A remote attacker can read information from a Netscape user's cache via JavaScript. http://home.netscape.com/security/notes/jscachebrowsing.html netscape-javascript Entry Hybrid Network cable modems do not include an authentication mechanism for administration, allowing remote attackers to compromise the system through the HSMP protocol. 19991006 KSR[T] Advisories #012: Hybrid Network's Cable Modems 012 695 hybrid-anon-cable-modem-reconfig Candidate Modified ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration. http://www2.merton.ox.ac.uk/~security/rootshell/0022.html Baker Frech, Stracener Christey Levy Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate Security Advisory XF:routermate-snmp-community BUGTRAQ:19980914 [rootshell] Security Bulletin #23 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2 Entry Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. MS99-043 ie-java-redirect Entry Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file. MS99-044 excel-sylk Q241900 Q241901 Q241902 Candidate Proposed The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches. NAI-27 Baker, Stracener Frech Ozancin XF:sun-nisplus Entry FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing attacks. SA-98.03 freebsd-ttcp-spoof 6089 Entry NIS finger allows an attacker to conduct a denial of service via a large number of finger requests, resulting in a large number of NIS queries. 19980629 Distributed DoS attack against NIS/NIS+ based networks. I-070 sun-nis-nisplus Candidate Proposed Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type. 19981204 bootpd remote vulnerability Baker, Ozancin, Stracener Frech Christey Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2 SCO appears to have acknowledged this as well: ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a The poster also claims that OpenBSD fixed this as well. XF:bootp-remote-bo Further analysis indicates that this is a duplicate of CVE-1999-0799 [Christey changed vote from REJECT to NOOP] What was I thinking? Brian Caswell pointed out that this is *not* the same bug as CVE-1999-0799. As reported in the 1998 Bugtraq post, the bug is in bootpd.c, and is related to providing an htype value that is used as an index into an array, and exceeds the intended boundaries of that array. Entry Buffer overflow in bootpd 2.4.3 and earlier via a long boot file location. 19970725 Exploitable buffer overflow in bootpd (most unices) bootpd-bo Entry The GetFile.cfm file in Allaire Forums allows remote attackers to read files through a parameter to GetFile.cfm. ASB99-05 19990211 ACFUG List: Alert: Allaire Forums GetFile bug allaire-forums-file-read(1748) 944 Entry BMC Patrol allows remote attackers to gain access to an agent by spoofing frames. 19990409 Patrol security bugs bmc-patrol-frames(2075) Entry Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon. 19990503 MSIE 5 FAVICON BUG MS99-018 Q231450 ie-favicon Entry The fwluser script in AIX eNetwork Firewall allows local users to write to arbitrary files via a symlink attack. 19990525 IBM eNetwork Firewall for AIX ibm-enfirewall-tmpfiles 962 Entry Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths. 19990601 Linux kernel 2.2.x vulnerability/exploit 19990607 CSSA-1999:013 19990602 Denial of Service on the 2.2 kernel 19990603 Kernel Update 302 Candidate Proposed Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests. 19990512 DoS with Netware 4.x's TTS novell-tts-dos Baker, Frech Christey, Cole BID:276 URL:http://www.securityfocus.com/vdb/bottom.html?vid=276 XF:novell-tts-dos Entry Buffer overflow in Solaris dtprintinfo program. 19990510 Solaris2.6,2.7 dtprintinfo exploits cde-dtprintinfo 6552 Entry The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users. netscape-dirsvc-password Candidate Proposed Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options. 19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd) I-053 ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz Armstrong, Cole, Foat, Stracener Frech Wall XF:dhcp-remote-dos(7248) Entry Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed". 19990709 Communicator 4.[56]x, JavaScript used to bypass cookie settings Entry Denial of service in Samba NETBIOS name service daemon (nmbd). 19990721 Samba 2.0.5 security fixes CSSA-1999:018.0 19990731 19990804 RHSA-1999:022-02 19990816 Security hole in Samba Entry Buffer overflow in Samba smbd program via a malformed message command. 19990721 Samba 2.0.5 security fixes RHSA-1999:022-02 CSSA-1999:018.0 19990816 Security hole in Samba 19990731 Samba samba-message-bo 536 Entry Race condition in Samba smbmnt allows local users to mount file systems in arbitrary locations. 19990721 Samba 2.0.5 security fixes 19990731 19990804 CSSA-1999:018.0 RHSA-1999:022-02 19990816 Security hole in Samba Entry Cfingerd with ALLOW_EXECUTION enabled does not properly drop privileges when it executes a program on behalf of the user, allowing local users to gain root privileges. 19990810 Severe bug in cfingerd before 1.4.0 19980724 CFINGERD root security hole 19990814 cfingerd-privileges Entry Red Hat pump DHCP client allows remote attackers to gain root access in some configurations. RHSA-1999:027 Entry Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Q196270 nt-snmpagent-leak(1974) oval:org.mitre.oval:def:952 Candidate Modified The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024. 19980510 Security Vulnerability in Motorola CableRouters motorola-cable-default-pass Baker, Cole, Stracener Frech Christey, LeBlanc This candidate is unconfirmed by the vendor. XF:motorola-cable-default-pass Entry Lynx WWW client allows a remote attacker to specify command-line parameters which Lynx uses when calling external programs to handle certain protocols, e.g. telnet. 19990915 Security hole in lynx Candidate Proposed Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable. 19991130 another hole of Solaris7 kcms_configure 831 Armstrong, Stracener Cole, Dik, Frech, Prosser Baker Christey This can cause code to be executed. XF:sol-kcms-conf-netpath-bo the bug has nothing to do with kcms_configure; it's a bug in libnsl.so. All set-uid executables that trigger this code path are vulnerable. Sun bug 4295834; fixed in Solaris 8. Okay, I am confused. Based on Casper's comments and checking on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc). Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced in 7 (looks like in 5.4 as well) and was fixed in 8? Need to dig up my offline email on this. May be a duplicate of CVE-1999-0321, whose sole reference (XF:sun-kcms-configure-bo) no longer exists. Also examine BID:452 and BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) which are the same as XF:sol-kcms-conf-p-bo(3652), which could be the new name for XF:sun-kcms-configure-bo. Entry NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. 19991130 NTmail and VRFY 19991130 NTmail and VRFY nt-mail-vrfy Entry FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. 19991130 Several FreeBSD-3.3 vulnerabilities 838 freebsd-seyon-dir-add 5996 Candidate Proposed FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument. 19991130 Several FreeBSD-3.3 vulnerabilities 838 Armstrong, Stracener Frech Baker, Christey Cole Prosser I would combine this with the previous. To me the general vulnerabilities are similar it is just the end result that changes. XF:freebsd-seyon-setgid ADDREF? CALDERA:CSSA-1999-037.0 Candidate Proposed Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command. 19991130 serious Qpopper 3.0 vulnerability 19991130 qpop3.0b20 and below - notes and exploit 830 Armstrong, Baker, Cole, Stracener Frech Christey Prosser XF:qpopper-auth-bo ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0 ADDREF XF:qpopper-auth-bo Entry Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. 19991130 Several FreeBSD-3.3 vulnerabilities 839 freebsd-xmindpath 1150 Entry A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. 833 19991130 SUBST problem 19991130 Subst.exe carelessness (fwd) Candidate Modified The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail. 19991203 UnixWare read/modify users' mail 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 849 Armstrong, Baker, Cole, Stracener Frech Christey Prosser XF:sco-mail-permissions ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a Entry Buffer overflow in FreeBSD angband allows local users to gain privileges. 19991130 Several FreeBSD-3.3 vulnerabilities 840 angband-bo 1151 Candidate Proposed By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing. 19991130 Default IE 5.0 security settings allow frame spoofing Armstrong, Baker, LeBlanc, Stracener Cole, Frech Prosser The BID is 855. If I have the right vulnerability, this allows an attacker to access URL's of there choosing which could lead to a compromise of private information. XF:http-frame-spoof Question: Similar vulnerability to MS98-020 / CVE-1999-0869? MSRC tells me this is patched in MS00-009 Candidate Modified UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission. 19991203 UnixWare and the dacread permission 19991204 UnixWare pkg* command exploits 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status 853 Armstrong, Baker, Stracener Cole, Frech Christey, Prosser This is BID 850. See comments on CVE-1999-0988. Perhaps these two should be merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it. XF:sco-pkg-dacread-fileread Candidate Proposed HP Secure Web Console uses weak encryption. 19991201 HP Secure Web Console Armstrong, Stracener Frech Baker, Cole Prosser I could not find details on this using the above references. XF:hp-secure-console Candidate Proposed Buffer overflow in SCO UnixWare Xsco command via a long argument. 19991126 [w00giving '99 #6]: UnixWare 7's Xsco Armstrong, Baker, Stracener Cole, Frech, Prosser Christey This is BID 824 and the BUGTRAQ reference is 19991125. XF:sco-unixware-xsco Confirmed by vendor, albeit vaguely: http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2 agree with Steve on vendor confirmation, however not sure the fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and tcpip.so, nothing about xsco. SSE050b (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow in xsco on OpenServer (the vendor message Steve refers to) but not the UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more familar with SCO shed some light on this? Are they the same codebase so fix would be same? From the SCO site it seems the UnixWare and OpenSever products are similar but have differences. [Christey changed vote from NOOP to REVIEWING] BID:824 http://www.securityfocus.com/bid/824 Entry Denial of service in Linux syslogd via a large number of connections. CSSA-1999-035.0 RHSA1999055-01 19991118 syslogd-1.3.33 (a1) 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] 809 slackware-syslogd-dos Entry Buffer overflow in NFS server on Linux allows attackers to execute commands via a long pathname. 19991109 undocumented bugs - nfsd 19991111 buffer overflow in nfs server 19991110 Security hole in nfs-server < 2.2beta47 within nkita CSSA-1999-033.0 RHSA-1999:053-01 19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] linux-nfs-maxpath-bo 782 Entry Buffer overflow in BIND 8.2 via NXT records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 788 bind-nxt-bo Entry Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. 19991201 Security Advisory: Buffer overflow in RSAREF2 19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2) CA-99-15 843 rsaref-bo Entry Denial of service in BIND named via malformed SIG records. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 CA-99-14 bind-sigrecord-dos 788 Entry UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. 19991202 UnixWare 7 uidadmin exploit + discussion SB-99.22a 842 unixware-uid-admin Entry Denial of service in BIND by improperly closing TCP sessions via so_linger. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 bind-solinger-dos 788 Entry Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. 19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability 859 servu-ftp-site-bo Entry Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled. 19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation MS99-051 Q246972 ie-task-scheduler-privs 828 Candidate Modified Buffer overflow in CDE dtmail and dtmailpr programs allows local users to gain privileges via a long -f option. 19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow http://www.securiteam.com/exploits/3J5QQPPQ0O.html 832 http://www.securiteam.com/exploits/3J5QQPPQ0O.html solaris-dtmail-overflow(3579) solaris-dtmailpr-overflow(3580) Armstrong, Baker, Dik, Stracener Frech Cole Prosser I went to 1129 and it looks like a reference for a different vulnerability. In the description, should dtmailptr be dtmailpr? XF:solaris-dtmailpr-overflow XF:solaris-dtmail-overflow sun bug: 4166321 Candidate Modified Buffer overflow in CDE mailtool allows local users to gain root privileges via a long MIME Content-Type. 19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow http://www.securiteam.com/exploits/3J5QQPPQ0O.html 832 http://www.securiteam.com/exploits/3J5QQPPQ0O.html cde-mailtool-bo(3732) Armstrong, Baker, Cole, Dik, Stracener Frech Prosser XF:cde-mailtool-bo bug 4163471 (Root access is only possible when mail is send to root and he uses dtmail to read it) Entry Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability 827 symantec-mail-dir-traversal 1144 Candidate Proposed Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. 19991104 Cisco NAT DoS (VD#1) 19991128 Re: Cisco NAT DoS (VD#1) Balinsky, Cole, Stracener Frech Armstrong, Baker Christey, Prosser, Ziese XF:cisco-nat-dos Mike Prosser's REVIEWING vote expires July 17, 2000 After reviewing http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml I can not confirm this exists unless it's restructred to describe a problem against IOS per se; not NAT per se. I am reviewing this and it may take some time. [Christey changed vote from NOOP to REVIEWING] Not sure if Kevin's suggested reference really describes this one. However, a followup email by Jim Duncan of Cisco does acknowledge the problem as discussed in the Bugtraq post: http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2 The original post is: http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2 It could be that the researcher believed that the problem was NAT, but in fact it wasn't. I need to follow up with Ziese/Balinsky on this one. Candidate Proposed Denial of service in MDaemon WorldClient and WebConfig services via a long URL. 19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability 19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability 823 820 Baker, Stracener Cole, Frech Armstrong Christey Prosser 823 and 820 are two different vulnerabilities and should be separated out. They are both buffer overflows but accomplish it in a different fashion and the end exploit is different. (RECAST?) XF:mdaemon-worldclient-dos XF:mdaemon-webconfig-dos Recast request: This is really two services exhibiting the same problem. as suggested by others. Also see confirmation at: http://mdaemon.deerfield.com/helpdesk/hotfix.cfm Candidate Proposed Buffer overflow in SCO su program allows local users to gain root access via a long username. 19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su 99.19 19991128 SCO su patches Armstrong, Cole, Prosser, Stracener Frech Baker Christey DUPE CVE-1999-0317? XF:sco-su-username-bo ADDREF BID:826 CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z Candidate Proposed Denial of service in MDaemon 2.7 via a large number of connection attempts. 19991129 MDaemon 2.7 J DoS 19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability Armstrong, Baker, Cole, Prosser, Stracener Frech Christey XF:mdaemon-dos CVE-1999-0844 is confirmed by MDaemon at http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there is no apparent confirmation for this problem, even though it was posted the same day. Looks like from a follow-on message on Bugtraq from Nobuo <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS that Nobuo initially reported. Can't find the original message, so may have been limited distro. Looks like an upgrade to the latest release might be the final solution here. Entry Buffer overflow in free internet chess server (FICS) program, xboard. 19991129 FICS buffer overflow fics-board-bo Entry Denial of service in BIND named via consuming more than "fdmax" file descriptors. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-fdmax-dos Entry Denial of service in BIND named via maxdname. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-maxdname-bo Candidate Proposed The default permissions for Endymion MailMan allow local users to read email or modify files. 845 19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18 Cole, Stracener Frech Armstrong, Baker Prosser XF:endymion-mailman-perms Entry Denial of service in BIND named via naptr. 19991111 Security hole in bind8 < 8.2.2p2 and bind4 < 4.9.7-REL 19991116 Denial of service vulnerabilities in bind CSSA-1999-034.1 RHSA-1999:054-01 00194 CA-99-14 788 bind-naptr-dos Candidate Proposed IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin. 844 19991202 WebSphere protections from installation Armstrong, Cole, Stracener Frech Baker Prosser XF:websphere-protect Entry Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure. 847 19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure netscape-fasttrack-auth-bo Entry Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file. 19991130 Ultimate Bulletin Board v5.3x? Bug 20000225 FW: Important UBB News For Licensed Users http://www.ultimatebb.com/home/versions.shtml http-ultimate-bbs Candidate Proposed Buffer overflow in FreeBSD gdc program. 834 19991130 FreeBSD 3.3 gated-3.1.5 local exploit Armstrong, Prosser, Stracener Cole, Frech Baker, Christey The BID is 834 and the reference is 19991201 not 1130. XF:freebsd-gdc-bo ADDREF BID:780 ? Entry login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist. 19991202 Slackware 7.0 - login bug slackware-remote-login Candidate Proposed FreeBSD gdc program allows local users to modify files via a symlink attack. 19991130 FreeBSD 3.3 gated-3.1.5 local exploit 835 Armstrong, Prosser, Stracener Cole, Frech Baker This is via debug output. XF:freebsd-gdc Entry Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server. MS99-054 Q247333 846 ie-wpad-proxy-settings Entry Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly. 19991130 Solaris 2.x chkperm/arp vulnerabilities 4296166 837 sol-arp-parse 6994 Candidate Proposed Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack. 19991130 Solaris 2.x chkperm/arp vulnerabilities 837 Armstrong, Stracener Dik, Frech Baker, Christey Cole Prosser This is the same as the pervious. XF:sol-chkperm-vmsys include reference to Sun bug 4296167 Remove BID:837, which is for arp, not chkperm Entry Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext. MS99-053 Q244613 iis-ssl-isapi-filter Candidate Proposed Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file. 19991202 PostgreSQL RPM's permission problems Armstrong, Cole, Stracener Frech Baker Prosser XF:postgresql-insecure-perms Candidate Proposed Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI. 19970617 Seyon vulnerability - IRIX 19991108 FreeBSD 3.3's seyon vulnerability 19991130 Several FreeBSD-3.3 vulnerabilities Armstrong, Cole, Prosser, Stracener Frech Baker Christey XF:freebsd-seyon-bo ADDREF? CALDERA:CSSA-1999-037.0 May be multiple bugs here, or a single library problem. CD:SF-LOC needs to be resolved before determining if this candidate should be SPLIT. Also see CVE-1999-0821. Entry UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file. 19991202 UnixWare coredumps follow symlinks 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status sco-coredump-symlink 851 Entry Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port. 19991203 CommuniGatePro 3.1 for NT DoS 19991203 CommuniGatePro 3.1 for NT Buffer Overflow 860 communigate-pro-bo Entry Buffer overflow in UnixWare xauto program allows local users to gain root privilege. 19991203 UnixWare gain root with non-su/gid binaries 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status SB-99.24a sco-xauto-bo 848 Entry Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers. MS99-029 Q238349 J-058 http-iis-malformed-header 579 Entry ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN. CA-97.08 inn-ucbmail-shell-meta Entry Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing. MS98-020 167614 http-frame-spoof Entry Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste. MS98-015 169245 ie-usp-cuartango Entry Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability. MS98-013 7837 ie-crossframe-file-read(3668) Candidate Proposed Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file. 759 611 RHSA-1999:030-02 Cole, Frech Baker Blake, Christey, Stracener 611 is the mail to listed above but 759 is for the mail from and should be listed as a separate vulenrability. This does not appear materially different from CVE-1999-0768 This is an apparent duplicate of CVE-1999-0768. REDHAT:RHSA-1999:030-02 describes two issues, one of which is CVE-1999-0768, and the other is CVE-1999-0769. This is a duplicate of candidate CVE-1999-0768. XF:cron-sendmail-bo-root BID:759 is improperly assigned to this candidate and doesn't even describe it. It may have been inadvertently copied from CVE-1999-0873. Entry Buffer overflow in Skyfull mail server via MAIL FROM command. 759 skyfull-mail-from-bo Entry Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. MS99-019 Q234905 AD06081999 CA-99-07 J-048 iis-htr-overflow oval:org.mitre.oval:def:915 Entry DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes. 19990811 Q216141 578 irdp-gateway-spoof Entry Buffer overflow in Internet Explorer 4.0 via EMBED tag. Q185959 Q176697 Entry Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME. Q243638 MS99-042 ie-iframe-exec Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR. SSRT0622 RHSA1999031_01 AA-1999.01 CA-99-13 599 wu-ftpd-dir-name Entry Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file. CA-99-13 wuftp-message-file-root Entry Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly. CA-99-13 wuftp-site-newer-dos Entry Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991025 Falcon Web Server Falcon Web Server 743 falcon-path-parsing 1127 Candidate Proposed Falcon web server allows remote attackers to determine the absolute path of the web root via long file names. 19991025 Falcon Web Server Falcon Web Server Baker, Blake, Stracener Frech Armstrong, Cole XF:falcon-server-long-filename Entry Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine. 19991024 RFP9905: Zeus webserver remote root compromise 742 1126 zeus-remote-root(3380) Entry The Zeus web server administrative interface uses weak encryption for its passwords. 19991024 RFP9905: Zeus webserver remote root compromise 742 8186 zeus-weak-password(3833) Candidate Modified Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL. 19991103 More Alibaba Web Server problems... 770 alibaba-url-file-manipulation Baker, Stracener Frech Armstrong, Blake, Christey, Cole, LeBlanc This candidate is unconfirmed by the vendor. Same as CVE-1999-0776. XF:alibaba-url-file-manipulation CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with the problems described in: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0 URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html If so, then ADDREF BID:1485 as well. Include the names of the affected CGI's, including tst.bat, get32.exe, alibaba.pl, etc. Entry The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager. Q242294 MS99-041 645 nt-rasman-pathname Entry FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack. 19991104 FTGate Version 2.1 Web interface Server Directory Traversal Vulnerability AD05261999 1137 Entry dbsnmp in Oracle Intelligent Agent allows local users to gain privileges by setting the ORACLE_HOME environmental variable, which dbsnmp uses to find the nmiconf.tcl script. 19990817 Security Bug in Oracle oracle-dbsnmp 585 Entry Cisco 675 routers running CBOS allow remote attackers to establish telnet sessions if an exec or superuser password has not been set. 19990810 Cisco 675 password nonsense cisco-cbos-telnet 39 Entry iHTML Merchant allows remote attackers to obtain sensitive information or execute commands via a code parsing error. 19990928 Team Asylum: iHTML Merchant Vulnerabilities http://www.ihtmlmerchant.com/support_patches_feedback.htm 694 ihtml-merchant-file-access Entry The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. MS99-040 Q242542 VU#37828 K-002 674 11274 ie-download-behavior Entry Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font. 19991018 Netscape 4.x buffer overflow Entry userOsa in SCO OpenServer allows local users to corrupt files via a symlink attack. 19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow sco-openserver-userosa-script Entry Red Hat Linux screen program does not use Unix98 ptys, allowing local users to write to other terminals. RHSA1999042-01 Entry Firewall-1 does not properly restrict access to LDAP attributes. 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication 725 checkpoint-ldap-auth 1117 Entry Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password. 19991109 RealNetworks RealServer G2 buffer overflow. http://service.real.com/help/faq/servg260.html realserver-g2-pw-bo 767 Entry iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19980908 bug in iChat 3.0 (maybe others) ichat-file-read-vuln Entry Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request. MS99-047 Q243649 nt-printer-spooler-bo 768 Entry The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider. MS99-047 Q243649 769 nt-printer-spooler-bo Entry Buffer overflow in rpc.yppasswdd allows a local user to gain privileges via MD5 hash generation. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows a local user to modify the GECOS and login shells of other users. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry ypserv allows local administrators to modify password tables. RHSA1999046-01 19991023 Security hole in ypserv < 1.3.9 19991027 nis Entry genfilt in the AIX Packet Filtering Module does not properly filter traffic to destination ports greater than 32767. 19991025 IBM AIX Packet Filter module 19991027 Re: IBM AIX Packet Filter module (followup) aix-genfilt-filtering Entry Buffer overflow in BFTelnet allows remote attackers to cause a denial of service via a long username. 19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT bftelnet-username-dos 771 Entry Denial of service in Axent Raptor firewall via malformed zero-length IP options. 19991020 Remote DoS in Axent's Raptor 6.0 736 raptor-ipoptions-dos 1121 Entry Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable. 19990923 SuSE 6.2 sccw overflow exploit 19990926 Security hole in sccw (Part II) 656 linux-sccw-bo Entry sccw allows local users to read arbitrary files. 19990916 SuSE 6.2 /usr/bin/sccw read any file 19990921 Security Hole in sccw-1.1 and earlier Entry Denial of service in Solaris TCP streams driver via a malicious connection that causes the server to panic as a result of recursive calls to mutex_enter. 19990921 solaris DoS 655 sun-tcp-mutex-enter-dos Entry Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability. Windows IP Source Routing Vulnerability MS99-038 Q238453 646 nt-ip-source-route Candidate Proposed Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user. MS99-035 625 Baker, Ozancin, Prosser, Wall Frech, Stracener Cole XF:siteserver-cis-cookie-cache Whether cookies are a vulnerbality is a debate for another time, the question here is whether the expiration feature is a vulnerability and I do not think it is because the underlying concerns for this are present even without this feature. The expiration feature does not add any new vulenrabilities that are not already present with cookies. Add Ref: MSKB Q238647 Candidate Modified Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 19990827 ProFTPD 19990907 ProFTP-1.2.0pre4 buffer overflow -- once more 19990210 FreeBSD-SA-99:03 612 Baker, Blake, Cole, Prosser, Stracener Frech Christey XF:proftpd-long-dir-bo(3399) Not absolutely sure if this isn't the same as Palmetto (CVE-1999-0368), which describes a similar type of overflow. NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368: ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc ADDREF CIAC:J-068 Include version numbers; too many wu-ftp/etc. problems were published in summer/fall 1999 Entry FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files. 19990921 FreeBSD-specific denial of service 653 freebsd-vfscache-dos 1079 Candidate Proposed dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters. 19990804 NSW Dragon Fire gets drowned 564 Blake, Stracener Frech Armstrong, Baker, Cole, LeBlanc Christey Some voters should use ABSTAIN. XF:dragon-fire-ids-metachar(3834) [Armstrong changed vote from REVIEWING to NOOP] Entry Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. 19990104 19990103 [SECURITY] New versions of netstd fixes buffer overflows 324 Entry URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991028 URL Live! 1.0 WebServer 746 1129 Entry WebTrends software stores account names and passwords in a file which does not have restricted access permissions. 19990629 Bad Permissions on Passwords Stored by WebTrends Software Entry The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files. MS99-018 Q231452 legacy-activex-local-drive Entry Denial of service in various Windows systems via malformed, fragmented IGMP packets. 19990703 IGMP fragmentation bug in Windows 98/2000 Q238329 MS99-034 igmp-dos 514 Candidate Modified A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections. 19980510 Security Vulnerability in Motorola CableRouters motorola-cable-crash(2004) Baker, Cole Frech Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall Levy This candidate is unconfirmed by the vendor. XF:motorola-cable-crash This has enough votes, but not the "confidence" yet (until we resolve the question of the amount of verification needed for CVE). Entry Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command. 19990526 Remote vulnerability in pop2d 19990607a 283 pop2-fold-bo Entry BMC Patrol allows any remote attacker to flood its UDP port, causing a denial of service. 19990409 Patrol security bugs bmc-patrol-udp-dos(4291) 1879 Entry An example application in ColdFusion Server 4.0 allows remote attackers to view source code via the sourcewindow.cfm file. ASB99-02 coldfusion-sourcewindow Candidate Proposed Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls. ASB99-02 Baker, Cole Frech Christey XF:coldfusion-source-display(1741) XF:coldfusion-syntax-checker(1742) XF:coldfusion-file-existence(1743) XF:coldfusion-sourcewindow(1744) List all affected runnable code snippets to facilitate search, which may include: viewexample.cfm (though could that be part of CVE-1999-0922?) Entry The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to conduct a denial of service. ASB99-02 coldfusion-syntax-checker(1742) 3236 Candidate Modified UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers. 19980903 Web servers / possible DOS Attack / mime header flooding Baker, Stracener Frech Christey Levy XF:unitymail-web-dos(1630) BID:1760 URL:http://www.securityfocus.com/bid/1760 Affected version is 2.0 Change date of Bugtraq post - it was 1998. Candidate Proposed Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. 19990903 Web servers / possible DOS Attack / mime header flooding Cole Frech Christey, Foat, Wall BID:1760 URL:http://www.securityfocus.com/bid/1760 XF:unitymail-web-dos(1630) Entry NTMail allows remote attackers to read arbitrary files via a .. (dot dot) attack. AD05261999 279 ntmail-fileread Entry Buffer overflow in SmartDesk WebSuite allows remote attackers to cause a denial of service via a long URL. 19990525 Buffer overflow in SmartDesk WebSuite v2.1 websuite-dos 278 Candidate Interim Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests. 19990616 Novell NetWare webservers DoS Armstrong, Blake, Cole, Stracener Frech Baker XF:novell-webserver-dos(2287) Entry wwwboard allows a remote attacker to delete message board articles via a malformed argument. 19980903 wwwboard.pl vulnerability http://www.worldwidemart.com/scripts/faq/wwwboard/q5.shtml http-cgi-wwwboard(2344) 1795 Entry Buffer overflow in Mediahouse Statistics Server allows remote attackers to execute commands. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 734 mediahouse-stats-login-bo Entry Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file. 19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01 735 mediahouse-stats-adminpw-cleartext Entry TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. 19991001 RFP9904: TeamTrack webserver vulnerability 689 1096 Entry classifieds.cgi allows remote attackers to read arbitrary files via shell metacharacters. 19991215 Classifieds (classifieds.cgi) 2020 http-cgi-classifieds-read(3102) Entry classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form. 19991215 Classifieds (classifieds.cgi) Entry BNBSurvey survey.cgi program allows remote attackers to execute commands via shell metacharacters. 19981203 BNBSurvey (survey.cgi) Entry BNBForm allows remote attackers to read arbitrary files via the automessage hidden form variable. 19981203 BNBForm (bnbform.cgi) Entry MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Sesion Initiation Protocol (SIP) messages. VN-99-03 sdr-execute Entry Denial of service in Debian IRC Epic/epic4 client via a long string. 19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability 19990826 605 Entry Buffer overflow in mutt mail client allows remote attackers to execute commands via malformed MIME messages. CSSA-1999-031 19990927 Security hole in mutt Candidate Proposed Mutt mail client allows a remote attacker to execute commands via shell metacharacters. 19980728 mutt x.x Stracener Baker, Christey Frech Levy References are vague, but seem to be identical to CVE-1999-0940 (XF:mutt-text-enriched-mime-bo). According to the references, the malformed messages consist of metacharacters. In addition, -0941's reference and -0940's SuSE reference both refer to fixes in 1.0pre3 release. Will reconsider vote if other clearer references are forthcoming. Modify to mention that the metachar's are in the Content-Type header. http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2 Entry UnixWare dos7utils allows a local user to gain root privileges by using the STATICMERGE environmental variable to find a script which it executes. 19991005 SCO UnixWare 7.1 local root exploit sco-unixware-dos7utils-root-privs Entry Buffer overflow in OpenLink 3.2 allows remote attackers to gain privileges via a long GET request to the web configurator. 19991015 OpenLink 3.2 Advisory 720 Candidate Proposed IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections. 19991024 password leak in IBM WebSphere / HTTP Server / ikeyman Baker, Stracener Frech Bollinger, Christey Levy XF:websphere-database-pwd-accessible ADDREF BID:1763 URL:http://www.securityfocus.com/bid/1763 Entry Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange 5.5 and 5.0 allows remote attackers to conduct a denial of service via AUTH or AUTHINFO commands. 19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5 I-080 Q169174 exchange-dos(1223) Entry Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag. 19991102 Some holes for Win/UNIX softwares yamaha-midiplug-embed 760 Entry AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters. 19991102 Some holes for Win/UNIX softwares 762 Candidate Proposed Buffer overflow in uum program for Canna input system allows local users to gain root privileges. 757 19991102 Some holes for Win/UNIX softwares Levy, Stracener Frech Baker, Christey CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC says to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them. XF:canna-uum-bo Candidate Proposed Buffer overflow in canuum program for Canna input system allows local users to gain root privileges. 757 19991102 Some holes for Win/UNIX softwares Levy, Stracener Frech Baker, Christey CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC says to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them. Also review BID:758 and BID:757 - may need to change the BID here. XF:canna-uum-bo CHANGEREF BID:757 BID:758 The following page says that canuum is a "Japanese input tty frontend for Canna using uum," which suggests that it is, at the least, a different package, so perhaps this should stay SPLIT. http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html Entry Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories. 19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability 747 wftpd-mkd-bo Entry Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote attackers to execute commands. 19991022 Imagemap CGI overflow exploit 739 http-cgi-imagemap-bo 3380 Candidate Proposed Buffer overflow in Solaris lpstat via class argument allows local users to gain root access. 19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat Baker, Ozancin, Stracener Dik, Frech Christey XF:solaris-lpstat-bo It is unclear from Casper Dik's followup whether this is exploitable or not. Sunbug 4129917 (other reports in the same thread suggest that the then current patchd id fix the problem) Confirm with Casper Dik that the overflow is in the -c option, and if so, include it in the description to differentiate it from the lpstat -n buffer overflow. Entry WWWBoard stores encrypted passwords in a password file that is under the web root and thus accessible by remote attackers. 19980903 wwwboard.pl vulnerability 19990916 More fun with WWWBoard Entry WWWBoard has a default username and default password. 19990916 More fun with WWWBoard 649 Entry Race condition in wu-ftpd and BSDI ftpd allows remote attackers gain root access via the SITE EXEC command. CA-94.08 E-17 ftp-exec Entry The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service. CA-93.02a next-netinfo Entry MajorCool mj_key_cache program allows local users to modify files via a symlink attack. 19970618 Security hole in MajorCool 1.0.3 majorcool-file-overwrite-vuln Entry sudo 1.5.x allows local users to execute arbitrary commands via a .. (dot dot) attack. 19980112 Re: hole in sudo for MP-RAS. sudo-dot-dot-attack Entry IRIX startmidi program allows local users to modify arbitrary files via a symlink attack. 19970209 IRIX: Bug in startmidi AA-97-05 19980301-01-PX 469 8447 irix-startmidi-file-creation((1634) Entry IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option. AA-96.11 19980301-01-PX irix-cdplayer-directory-create Entry HPUX sysdiag allows local users to gain root privileges via a symlink attack during log file creation. 19960921 Vunerability in HP sysdiag ? H-03 hp-sysdiag-symlink Entry Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option. AA-96.13 HPSBUX9701-045 hp-password-cmd-bo 6415 Entry FreeBSD mount_union command allows local users to gain root privileges via a symlink attack. 19960517 BoS: SECURITY BUG in FreeBSD VB-96.06 freebsd-mount-union-root 6088 Entry Buffer overflow in FreeBSD setlocale in the libc module allows attackers to execute arbitrary code via a long PATH_LOCALE environment variable. FreeBSD-SA-97:01 freebsd-setlocale-bo 6086 Entry Race condition in xterm allows local users to modify arbitrary files via the logging option. CA-93.17 xterm Entry Buffer overflow in Solaris getopt in libc allows local users to gain root privileges via a long argv[0]. 19970127 Solaris libc - getopt(3) Entry Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol. 19971101 Microsoft Internet Explorer 4.0 Suite Entry Buffer overflow in BNC IRC proxy allows remote attackers to gain privileges. 19981226 bnc exploit bnc-proxy-bo(1546) 1927 Entry The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork. 19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service 19980929 ISS Security Advisory: Snork MS98-014 Q193233 snork-dos Candidate Modified The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created. 19990605 Remote Exploit (Bug) in OmniHTTPd Web Server omnihttpd-dos(2271) 1808 Baker, Blake, Stracener Frech Christey Levy XF:omnihttpd-dos Some sort of confirmation might be findable at: http://www.omnicron.ab.ca/httpd/docs/release.html See http://www.omnicron.ab.ca/index.html The August 16, 2000 news item says "This release fixes some security problems." It's for version 2.07, but the discloser didn't say what version was available. Other security fixes are in the release notes at http://www.omnicron.ab.ca/httpd/docs/release.html Notes for Professional Version 1.01 say "Patched up two security weaknesses." Notes for version 2.07 say "Fixes dot-appending vulnerability." Professional Alpha 7 says "Revamped CGI launching and security," Professional Alpha 4 says "Fixed SSI path mapping and security problems," Alpha 5 says "Security fixup." In other words, you can't tell whether they've fixed this bug or not. BID:1808 URL:http://www.securityfocus.com/bid/1808 Entry Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file. 19970722 Security hole in exim 1.62: local root exploit exim-include-overflow Entry Buffer overflow in Xshipwars xsw program. 19991209 xsw 1.24 remote buffer overflow 863 Entry Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode. 19991206 [w00giving #8] Solaris 2.7's snoop 19991209 Clarification needed on the snoop vuln(s) (fwd) 858 Entry Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. 19991209 Buffer Overflow in Solaris Snoop 00190 19991209 Clarification needed on the snoop vuln(s) (fwd) 864 Entry The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. 19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT 868 Entry Sendmail allows local users to reinitialize the aliases database via the newaliases command, then cause a denial of service by interrupting Sendmail. 19991204 19991207 [Debian] New version of sendmail released sendmail-bi-alias 857 Entry Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. 19991209 sadmind 19991210 Solaris sadmind Buffer Overflow Vulnerability 19991210 Re: Solaris sadmind Buffer Overflow Vulnerability CA-99-16 00191 866 2354 sol-sadmind-amslverify-bo 2558 Entry htdig allows remote attackers to execute commands via filenames with shell metacharacters. 19991209 867 Entry The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed. 19991209 Fundamental flaw in UnixWare 7 security 19991215 Recent postings about SCO UnixWare 7 869 Entry Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. MS99-055 Q246045 Entry Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." MS99-050 Q246094 Entry The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. 19991206 Solaris WBEM 1.0: plaintext password stored in world readable file Candidate Proposed Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. 19991109 Whois.cgi - ADVISORY. Blake, Cole, Stracener Frech Baker Christey More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. XF:whois-internic-shell-meta ADDREF BID:2000 The XF appears to be gone. Perhaps it's this one: XF:http-cgi-whois-meta(3798) Candidate Proposed Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. 19991109 Whois.cgi - ADVISORY. Blake, Stracener Frech Baker, Cole Christey How is this different than the previous? More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. XF:matts-whois-meta ADDREF BID:2000 XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ? Candidate Proposed CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. 19991109 Whois.cgi - ADVISORY. Blake, Stracener Frech Baker, Cole Christey I would combine all of these. More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. XF:cc-whois-meta ADDREF BID:2000 Change cc-whois-meta(3800) to http-cgi-ccwhois(3747) Replace XF reference with XF:cc-whois-meta(3800) ? Entry The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. 19991209 Big problem on 2.0.x? 870 Entry Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. 19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name Q237923 Candidate Modified UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack. 19991204 UnixWare pkg* command exploits 19991215 Recent postings about SCO UnixWare 7 19991223 FYI, SCO Security patches available. 19991220 SCO OpenServer Security Status Baker, Blake, Cole Frech Stracener Christey The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam can be used to mount etc/shadow printing attacks as a result of the "dacread" permission (cf. /etc/security/tcb/privs). The procedural differences between the individual exploits for each of these utilities are therefore inconsequential. CVE-1999-0988 should be merged with CVE-1999-0828. From the standpoint of maintaining consistency of the level of abstraction used in CVE, the co-existence of CANS 1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the very small differences (in principle) between the exploits subsumed by 0828 and 0988 and the shared dacread permissions of the pkg* suite, I suggest a merge. Below is a summary of the data upon which my decision was based. utility exploit -------- ---------------------------------- symlink + dacread permission prob truss (debugging utility) in conjunction with pkginfio -d etc/shadow. In this case, it captures the interaction between pkginfo the shadow file. Once again: dacread. buffer overflow + dacread permission prob buffer overflow + dacread permission prob -f etc/shadow (works because of dacread). This is a tough one. While there are few procedural differences, one could view "assignment of an improper permission" as a "class" of problems along the lines of buffer overflows and the like. Just like some programs were fine until they got turned into CGI scripts, this could be an emerging pattern which should be given consideration. Consider the Eyedog and scriptlet.typelib ActiveX utilities being marked as safe for scripting (CVE-1999-0668 and 0669). ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it. XF:unixware-pkgtrans-symlink Entry Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. 19991205 new IE5 remote exploit 19991205 new IE5 remote exploit 861 Candidate Interim Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system. 19991205 gdm thing Blake, Cole, Stracener Frech Baker XF:verbose-auth-identify-user(3804) Entry Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability 862 Entry HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP). HPSBUX9912-107 Candidate Proposed Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed. 19991213 Changing ACL's in Exchange Server Stracener, Wall Frech Baker, Cole LeBlanc XF:exchange-acl-changes(3916) Not a vulnerability Entry Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords. 19991216 Windows NT's SYSKEY feature MS99-056 Q248183 873 Entry Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request." 19991216 Windows NT LSA Remote Denial of Service MS99-057 Q248185 875 Entry Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request. AD19991215 19991216 Infoseek Ultraseek Remote Buffer Overflow 19991216 Infoseek Ultraseek Remote Buffer Overflow infoseek-ultraseek-bo 6490 Entry wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress. 19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) DSA-377 wuftp-ftp-conversion Entry Cisco Cache Engine allows an attacker to replace content in the cache. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-replace Entry Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet. MS99-059 Q248749 817 Entry The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities cisco-cache-engine-performance Entry Cisco Cache Engine allows a remote attacker to gain access via a null username and password. 19991216 Cisco Cache Engine Authentication Vulnerabilities 19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities Candidate Modified Netscape Navigator uses weak encryption for storing a user's Netscape mail password. http://www.rstcorp.com/news/bad-crypto.html 19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords") 19991220 Netscape password scrambling Baker, Cole, Stracener, Wall Frech Christey XF:netscape-mail-encryption(3921) CHANGEREF make the RCA URL a "MISC" reference Candidate Proposed War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections. 19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability 19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Baker, Cole, Stracener Frech Wall XF:warftp-connection-flood Entry Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command. 19991217 NAV2000 Email Protection DoS 19991220 Norton Email Protection Remote Overflow (Addendum) http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/6206f660a1f2516a882568660082c930?OpenDocument&Highlight=0,poproxy 6267 Entry Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter. 19991219 Groupewise Web Interface groupwise-web-read-files 879 3413 Candidate Proposed Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter. 19991219 Groupewise Web Interface Baker, Cole, Prosser, Stracener Frech Christey, Wall XF:groupwise-web-path Pretty well confirmed by testing with responses to BugTraq list. additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879 A later discovery almost 2 years later is at: BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell GroupWise Web Access Path Disclosure Vulnerability http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2 CD:SF-LOC might suggest merging these together. Entry Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file. 19991213 VDO Live Player 3.02 Buffer Overflow vdolive-bo-execute 872 Entry xsoldier program allows local users to gain root access via a long argument. 19991215 FreeBSD 3.3 xsoldier root exploit http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2 871 unix-xsoldier-overflow Candidate Proposed The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system. 19991213 Privacy hole in Go Express Search Baker Frech Balinsky, Cole, Stracener, Wall XF:disney-search-info(3955) The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this. Entry An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. 19991214 sshd1 allows unencrypted sessions regardless of server policy ssh-policy-bypass Entry The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands. MS98-004 MS99-025 J-054 19990809 Vulnerabilities in Microsoft Remote Data Service 529 nt-iis-rds 272 Candidate Proposed SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string. 19990504 AS/400 173 Cole Frech Foat, Wall (Task 1770) [Frech changed vote from REVIEWING to MODIFY] XF:lotus-domino-smtp-dos(8790) Candidate Proposed named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file. 673 19990923 named-xfer hole on AIX (fwd) Frech Cole, Foat, Wall XF:aix-named-xfer-root-access(3308) Entry Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument. 19990913 Solaris 2.7 /usr/bin/mail 19990927 Working Solaris x86 /usr/bin/mail exploit 4276509 sun-usrbinmail-local-bo(3297) 672 Candidate Proposed Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command. 19980408 AppleShare IP Mail Server 61 Frech Cole, Foat, Wall XF:smtp-helo-bo(886) Candidate Modified Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell. 19990827 HTML code to crash IE5 and Outlook Express 5 606 Cole, Wall Frech Christey, Foat XF:ms-html-table-form-dos(3246) XF:ms-html-table-form-dos(3246) Add period to the end of the description. Candidate Proposed Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message. 19990728 Seattle Labs EMURL Vulnerability 544 Frech Cole, Foat, Wall (Task 2281) [Frech changed vote from REVIEWING to MODIFY] XF:emurl-attachment-execution(8794) Candidate Proposed IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets. 19990727 Linux 2.2.10 ipchains Advisory 543 Cole Frech Foat, Wall XF:linux-ipchains-bypass-filter(6516) XF:linux-ipchains-bypass-filter(6516) Entry SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a directory tree with insecure permissions, which allows local users to replace a privileged executable (processd) with a Trojan horse, facilitating a root or Administrator compromise. 19990623 Cabletron Spectrum security vulnerability 19990624 Re: Cabletron Spectrum security vulnerability 495 Candidate Proposed The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE. 19980918 NMRC Advisory - Default NDS Rights 484 novell-nds(1364) Cole, Frech Foat, Wall Entry NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade. CA-1992-15 00117 47 nfs-uid(82) Candidate Proposed serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program. 19941002 sgi-serialports(2111) 464 Cole, Frech Christey, Foat Note: CVE-1999-1310 is a duplicate of this candidate. CVE-1999-1310 will be REJECTed; this is the proper CAN to use. CIAC:F-01 URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml SGI:19941001-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html Candidate Proposed useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired. 19990610 Sun Useradd program expiration date bug 426 Dik Frech Cole, Foat, Wall sun bug: 4222400 XF:solaris-useradd-expired-accounts(8375) CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01, (7_x86) 110870-01 Candidate Proposed ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet. 19990616 tcpdump 3.4 bug? 19990617 Re: tcpdump 3.4 bug? 19990620 Re: tcpdump 3.4 bug? (final) 313 Cole Frech Foat, Wall XF:tcpdump-ipprint-dos(8373) Candidate Proposed CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string. 19981012 Annoying Solaris/CDE/NIS+ bug 4115685 294 Cole, Dik, Foat, Stracener Frech XF:solaris-cde-nisplus-lock(7473) sun bug: 4115685 Candidate Proposed aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file. 19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole) 292 Cole Frech Foat XF:sun-aspppd-tmp-symlink(7173) Entry Solaris 2.6 HW3/98 installs admintool with world-writable permissions, which allows local users to gain privileges by replacing it with a Trojan horse program. 19980507 admintool mode 0777 in Solaris 2.6 HW3/98 4178998 solaris-admintool-world-writable(7296) 290 Entry Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631. 19990528 DoS against PC Anywhere 288 pcanywhere-dos(2256) Candidate Proposed SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs. 19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking 277 ssh2-bruteforce(2193) Cole, Frech Foat, Wall Candidate Proposed counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation. 19990519 Denial of Service in Counter.exe version 2.70 19990519 Denial of Service in Counter.exe version 2.70 267 Frech Cole, Foat, Wall XF:http-cgi-counter-long(2196) XF:http-cgi-counter-long(2196) Candidate Proposed counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument. 19990519 Denial of Service in Counter.exe version 2.70 19990519 Denial of Service in Counter.exe version 2.70 267 Frech Cole, Foat, Wall XF:http-cgi-counter-long(2196) XF:http-cgi-counter-long(2196) Entry Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges. CA-1991-11 B-36 26 ultrix-telnet(584) Candidate Proposed Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang. 19990511 Outlook Express Win98 bug 19990512 Outlook Express Win98 bug, addition. 252 Cole, Wall Frech Foat (Task 2241) [Frech changed vote from REVIEWING to MODIFY] XF:outlook-pop3-dot-dos(8926) Entry Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges. CA-1991-08 B-28 23 sysv-login(583) Entry IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability. MS98-019 Q192296 iis-get-dos(1823) Candidate Proposed COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk. 19980626 vulnerability in satan, cops & tiger Foat Frech Cole, Wall XF:cops-temp-file-symlink(7325) Entry rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rex.$$ file. 19980626 vulnerability in satan, cops & tiger 19980627 Re: vulnerability in satan, cops & tiger satan-rexsatan-symlink(7167) 3147 Candidate Proposed Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable. 19980626 vulnerability in satan, cops & tiger Foat Frech Cole, Wall XF:tiger-workdir-symlink(7326) Candidate Proposed Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise. 19980502-01-P3030 Cole, Foat, Stracener Frech Candidate Proposed Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable. 19980408 SGI O2 ipx security issue 19980501-01-P I-055 Cole, Foat, Stracener Christey Frech This candidate and CVE-1999-1501 are duplicates. However, CVE-1999-1501 will be REJECTed in favor of this candidate. Add the following references: BID:70 URL:http://www.securityfocus.com/bid/70 BID:71 URL:http://www.securityfocus.com/bid/71 XF:irix-ipxchk-ipxlink-ifs-commands(7365) URL:http://xforce.iss.net/static/7365.php Candidate Proposed Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file. 19980827 SCO mscreen vul. 19980926 Root exploit for SCO OpenServer. SB-98.05a VB-98.10 Cole, Foat, Stracener Frech Wall Christey XF:sco-openserver-mscreen-bo(1379) Possible dupe with CVE-1999-1185. Candidate Proposed Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings. 19980813 CRM Temporary File Vulnerability Cole, Foat, Stracener Frech Wall Armstrong, Balinsky, Christey XF:cisco-crm-file-vuln(1575) I think that this is the same as Can-1999-1126 This is the same as CVE-1999-1126. Merge them. DUPE CVE-1999-1126, as noted by others. This candidate will be rejected. CVE-1999-1126 will be promoted. Candidate Proposed Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error). MS98-007 Cole, Foat, Wall Frech XF:exchange-dos(1223) Entry Vulnerability in Advanced File System Utility (advfs) in Digital UNIX 4.0 through 4.0d allows local users to gain privileges. SSRT0495U I-050 dgux-advfs-softlinks(7431) Entry pnserver in RealServer 5.0 and earlier allows remote attackers to cause a denial of service by sending a short, malformed request. 19980115 pnserver exploit.. 19980115 [rootshell] Security Bulletin #7 19980817 Re: Real Audio Server Version 5 bug? http://service.real.com/help/faq/serv501.html realserver-pnserver-remote-dos(7297) 6979 Candidate Proposed Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181. 19990302 Multiple IMail Vulnerabilites 504 imail-imonitor-overflow(1897) Cole, Frech Foat, Wall Entry When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular order, Gauntlet allows remote attackers to bypass firewall access restrictions, and does not log the activities. 19991018 Gauntlet 5.0 BSDI warning 19991019 Re: Gauntlet 5.0 BSDI warning gauntlet-bsdi-bypass(3397) Entry Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory. 19980905 BASH buffer overflow, LiNUX x86 exploit 19970821 Buffer overflow in /bin/bash 19980909 problem with very long pathnames linux-bash-bo(3414) 8345 Candidate Proposed ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password. 19990222 Severe Security Hole in ARCserve NT agents (fwd) Frech Cole, Foat, Wall XF:arcserve-agent-passwords(1822) Candidate Proposed Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template. 19991112 FormHandler.cgi 19991116 Re: FormHandler.cgi 798 799 formhandler-cgi-absolute-path(3550) Frech Cole, Foat, Wall Christey Abstraction and definition issue: CD:SF-LOC suggests combining issues of the same type. Some people refer to "directory traversal" and just mean .. problems; but there are other issues (specifying an absolute pathname, using C: drive letters, doing encodings) that, to my way of thinking, are "different." Perhaps this should be split. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. Candidate Proposed Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter. 19991116 Re: FormHandler.cgi Frech Cole, Foat, Wall Christey XF:formhandler-cgi-reply-message(7782) I view one of these as a configuration issue: FormHandler.cgi *could* be configured to limit hard-coded pathnames to a single directory which, while being an information leak, would still be "reasonably secure." But by default, it's just not configured that way. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. Candidate Proposed Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users. 19990824 Front Page form_results Wall Frech Cole, Foat XF:frontpage-formresults-world-readable(8362) Candidate Proposed guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->". 19990913 Guestbook perl script (long) 19990916 Re: Guestbook perl script (error fix) 19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2) 776 Frech Cole, Foat, Wall XF:guestbook-cgi-command-execution(7783) Candidate Proposed The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command. 19980925 Globetrotter FlexLM 'lmdown' bogosity Cole Foat, Wall Entry Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability." MS98-018 179 excel-call(1737) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cole, Foat, Stracener Frech Wall Christey XF:vms-monitor-gain-privileges(7136) DUPE CVE-1999-1395 This CAN is being rejected in favor of CVE-1999-1395 because CVE-1999-1395 has more references. Entry VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command. CA-1990-07 B-04 12 vms-analyze-processdump-privileges(7137) Candidate Proposed Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands. 19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability 19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability vermillion-ftp-cwd-overflow(3543) 818 Cole, Frech Foat, Wall Entry Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands. CA-1992-04 36 att-rexecd(3159) Candidate Proposed Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname. 19990217 Tetrix 1.13.16 is Vulnerable 340 Frech Cole, Foat, Wall XF:tetrinet-dns-hostname-bo(7500) Candidate Proposed HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging. 19971004 HP Laserjet 4M Plus DirectJet Problem laserjet-unpassworded(1876) Cole, Frech Foat CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl 02914.html Candidate Proposed HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100. 19971004 HP Laserjet 4M Plus DirectJet Problem laserjet-unpassworded(1876) Cole Frech Foat DELREF:XF:laserjet-unpassworded(1876) ADDREF:XF:hp-printer-flood(1818) Candidate Proposed CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter. 19990601 whois_raw.cgi problem 304 http-cgi-cdomain(2251) Frech Cole, Foat, Wall Candidate Proposed Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]). 19990822 19990824 Re: WindowMaker bugs (was sub:none ) 596 Frech Cole, Foat, Wall XF:windowmaker-bo(3249) XF:windowmaker-bo(3249) Candidate Proposed Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode. 19991104 Palm Hotsync vulnerable to DoS attack Cole Frech Foat, Wall XF:palm-hotsync-bo(7785) Candidate Proposed Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request. 19991222 Quake "smurf" - Quake War Utils Frech Christey, Cole, Foat, Wall This is apparently a problem with the connection protocol. See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2 XF:quake-udp-connection-dos(7862) Candidate Proposed SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities. 19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi sgi-machineinfo Frech Cole, Foat I'd be a lot more confident in this vote if there was a more concrete reference strongly associating webdist.cgi and machineinfo. Candidate Proposed Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request. 19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Frech Cole, Foat XF:oracle-webserver-dos(1812) Candidate Proposed Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter. 19971108 Security bug in iCat Suite version 3.0 2126 icat-carbo-server-vuln(1620) Cole, Frech Foat iCat's site at http://www.icat.com/ is shut down, and no further support seems to be available. Candidate Proposed Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter. 19980725 Annex DoS Frech Cole, Foat, Wall XF:annex-ping-crash(2090) Candidate Proposed Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file. 19981130 Security bugs in Excite for Web Servers 1.1 excite-world-write(1417) Frech Cole, Foat, Wall Candidate Proposed Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi. 19981130 Security bugs in Excite for Web Servers 1.1 Cole, Foat, Wall Candidate Proposed Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack. 19981130 Security bugs in Excite for Web Servers 1.1 Cole, Foat, Wall Entry Webmin before 0.5 does not restrict the number of invalid passwords that are entered for a valid username, which could allow remote attackers to gain privileges via brute force password cracking. 19980501 Warning! Webmin Security Advisory http://www.webmin.com/webmin/changes.html 98 Candidate Proposed inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd. 19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem") Frech Cole, Foat, Wall XF:aix-ttdbserver(813) CONFIRM:APAR IX70400 Candidate Proposed Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session. 19991026 Mac OS 9 Idle Lock Bug 745 Cole, Foat Frech Wall XF:macos-idle-screenlock-bypass(7794) Candidate Proposed Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock. 19991101 Re: Mac OS 9 Idle Lock Bug 756 Cole, Foat Frech Wall XF:macos-debug-screenlock-access(3426) Candidate Proposed WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges. 19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability 547 Frech Cole, Foat, Wall XF:wsftp-weak-password-encryption(8349) Candidate Proposed Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program. 19990506 AIX Security Fixes Update 19990825 AIX security summary IX80470 439 Cole, Foat, Stracener Frech XF:aix-ptrace-setgid(7487) Entry rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. 19990510 SunOS 5.7 rmmount, no nosuid. 19991011 250 4205437 solaris-rmmount-gain-root(8350) Candidate Proposed Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files. http://www.w3.org/Security/Faq/wwwsf8.html#Q87 http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35 http-nov-files(2054) Cole, Frech Foat Candidate Proposed Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack. 19991008 Jana webserver exploit 699 Cole Frech Foat, Wall XF:jana-server-directory-traversal(6513) Candidate Proposed Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack. 20000502 Security Bug in Jana HTTP Server 699 Cole Frech Christey, Foat, Wall XF:jana-server-directory-traversal(6513) MODIFY description - the attack is of the form "/./../" (single dot followed by double-dot) Candidate Proposed The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash. 19980622 Yet another "get yourself admin rights exploit": Q103861 MS00-008 K-029 1044 Cole, Foat, Wall Frech XF:nt-registry-permissions(4111) Entry SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." 19980612 CORE-SDI-04: SSH insertion attack 19980703 UPDATE: SSH insertion attack 20010627 Multiple SSH Vulnerabilities VU#13877 ssh-insert(1126) Candidate Proposed Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls. 19990715 NMRC Advisory: Netware 5 Client Hijacking 528 Cole Frech Foat, Wall XF:netware-ipx-session-spoof(2350) Entry Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server. MS98-016 Q168617 http://www.microsoft.com/Windows/Ie/security/dotless.asp 7828 ie-dotless(2209) Candidate Proposed Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges. HPSBUX9701-050 H-21 hp-chsh(2012) Cole, Foat, Frech, Stracener Candidate Proposed Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument. 19961209 the HP Bug of the Week! HPSBUX9701-049 H-21 H-16 AA-96.18 hp-chfn(2008) Cole, Foat, Frech, Stracener Entry The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files. CA-1991-15 ftp-ncsa(1844) Candidate Proposed UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack. 19960903 [BUG] Vulnerability in TIN 19960903 Re: BoS: [BUG] Vulnerability in TIN 19970329 symlink bug in tin/rtin tin-tmpfile(431) Frech Cole, Foat Candidate Proposed tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file. 19991117 default permissions for tin Frech Cole, Foat, Wall XF:tin-insecure-permissions(7796) Confirmed in changelog for 1.4.1 http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES Entry Buffer overflow in the Window.External function in the JScript Scripting Engine in Internet Explorer 4.01 SP1 and earlier allows remote attackers to execute arbitrary commands via a malicious web page. MS98-011 Q191200 java-script-patch(1276) Entry Buffer overflow in Internet Explorer 4.01 and earlier allows remote attackers to execute arbitrary commands via a long URL with the "mk:" protocol, aka the "MK Overrun security issue." Q176697 19980114 L0pht Advisory MSIE4.0(1) iemk-bug(917) Candidate Proposed sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort. 19971006 KSR[T] Advisory #3: updatedb / crontabs 19980303 updatedb stuff 19980303 updatedb: sort patch 19980302 overwrite any file with updatedb Frech Christey, Cole, Foat XF:sort-tmp-file-symlink(7182) This issue clearly has a long history. CALDERA:CSSA-2002-SCO.21 URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html CALDERA:CSSA-2002-SCO.2 URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html (There are 2 Caldera advisories because one is for Open UNIX and UnixWare, and the other is for OpenServer) XF:openserver-sort-symlink(9218) URL:http://www.iss.net/security_center/static/9218.php Candidate Proposed Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable. 19980516 kde exploit 19980517 simple kde exploit fix kde-klock-home-bo(1644) Frech Cole, Foat, Wall Candidate Proposed Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty. 19990504 Microsoft Netmeeting Hole netmeeting-clipboard(2187) Frech Cole, Foat, Wall Entry Vulnerability in BSD Telnet client with encryption and Kerberos 4 authentication allows remote attackers to decrypt the session via sniffing. CA-1995-03 F-12 bsd-telnet(516) 4881 Entry Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user. 19961122 L0pht Kerberos Advisory kerberos-user-grab(65) Entry Cisco PIX Private Link 4.1.6 and earlier does not properly process certain commands in the configuration file, which reduces the effective key length of the DES key to 48 bits instead of 56 bits, which makes it easier for an attacker to find the proper key via a brute force attack. 19980616 PIX Private Link Key Processing and Cryptography Issues I-056 cisco-pix-parse-error(1579) Candidate Proposed Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges. 19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw) Frech Cole, Foat, Wall XF:lydia-ini-passwords(7501) ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version History for Lydia, V3.3 - 11/24/00) Entry lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times. http://www.phreak.org/archives/security/8lgm/8lgm.lpr 19940307 8lgm Advisory Releases E-25a Entry dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arbitrary files by specifying the file with the -file parameter. VB-96.05 G-18 http://www.tao.ca/fire/bos/0209.html osf-dxconsole-gain-privileges(7138) Entry Windows 95 uses weak encryption for the password list (.pwl) file used when password caching is enabled, which allows local users to gain privileges by decrypting the passwords. 19951205 Cracked: WINDOWS.PWL 19980121 How to recover private keys for various Microsoft products 19980120 How to recover private keys for various Microsoft products Q140557 win95-nbsmbpwl(71) Entry Windows 95, when Remote Administration and File Sharing for NetWare Networks is enabled, creates a share (C$) when an administrator logs in remotely, which allows remote attackers to read arbitrary files by mapping the network drive. http://www.zdnet.com/eweek/reviews/1016/tr42bug.html http://www.net-security.sk/bugs/NT/netware1.html win95-netware-hidden-share(7231) Candidate Proposed Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument. 19980429 Security hole in kppp kde-kppp-account-bo(1643) 92 Cole, Frech Foat, Wall Candidate Proposed Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable. 19981118 Multiple KDE security vulnerabilities (root compromise) kde-kppp-path-bo(1650) Frech Cole, Foat, Wall Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1107. Reason: This candidate is a duplicate of CVE-1999-1107. Notes: All CVE users should reference CVE-1999-1107 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cole Foat, Wall Christey, Frech Has exactly the same attributes as CVE-1999-1107. DUPE CVE-1999-1107. Entry Sendmail before 8.10.0 allows remote attackers to cause a denial of service by sending a series of ETRN commands then disconnecting from the server, while Sendmail continues to process the commands after the connection has been terminated. 19991222 Re: procmail / Sendmail - five bugs 20000113 Re: procmail / Sendmail - five bugs 904 sendmail-etrn-dos(7760) Candidate Proposed Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client. 19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories 793 Wall Frech Cole, Foat XF:ie-mediaplayer-activex(7800) Entry Vulnerability in StackGuard before 1.21 allows remote attackers to bypass the Random and Terminator Canary security mechanisms by using a non-linear attack which directly modifies a pointer to a return address instead of using a buffer overflow to reach the return address entry itself. 19911109 ImmuniX OS Security Alert: StackGuard 1.21 Released 786 immunix-stackguard-bo(3524) Candidate Proposed Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header. 19991109 Irfan view 3.07 buffer overflow http://stud4.tuwien.ac.at/~e9227474/main2.html irfan-view32-bo(3549) 781 Frech Cole, Foat, Wall Candidate Proposed Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106. 19980414 MacOS based buffer overflows... 75 Frech Cole, Foat, Wall XF:eudora-ims-user-dos(7300) Entry Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and earlier, and possibly other operating systems, allows local users to gain root privileges. H-15A AA-96.17 19980405-01-I ksh-suid_exec(2100) 467 Entry Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh). CA-1990-04 A-30 7 apollo-suidexec-unauthorized-access(6721) Entry Vulnerability in runpriv in Indigo Magic System Administration subsystem of SGI IRIX 6.3 and 6.4 allows local users to gain root privileges. 19970503-01-PX 462 1009 sgi-runpriv(2108) Entry lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files by specifying the file in the -h command line parameter. 19961124 19961125 lquerypv fix 19961125 AIX lquerypv H-13 455 ibm-lquerypv(1752) Entry ndd in Solaris 2.6 allows local users to cause a denial of service by modifying certain TCP/IP parameters. 00165 433 sun-ndd(817) Entry FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands. CA-1992-09 41 aix-anon-ftp(3154) Entry netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental variable for finding and executing the disable program, which allows local users to gain privileges. 19970104 Irix: netprint story 19961203-01-PX 19961203-02-PX 395 993 sgi-netprint(2107) Entry The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges. CA-1992-06 38 ibm-uucp(554) 891 Entry Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. CA-1989-02 CIAC-08 1019265 3 sun-restore-gain-privileges(6695) Candidate Proposed The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall. CA-1991-07 00107 21 22 sun-sourcetapes(582) Cole, Dik, Foat, Frech, Stracener Wall sun bug: 1059621 Candidate Proposed HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host. http://packetstorm.securify.com/mag/phrack/phrack54/P54-08 Cole, Wall Foat Candidate Proposed Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file. 19970919 Instresting practises of Oracle [Oracle Webserver] Frech Cole, Foat XF:oracle-webserver-gain-root(7174) Candidate Proposed Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_". 19980813 CRM Temporary File Vulnerability I-086 cisco-crm-file-vuln(1575) Armstrong, Cole, Foat, Frech, Stracener Wall Balinsky Duplicate of CVE-1999-1042 Entry Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. MS98-017 Q195733 nt-spoolss(523) Candidate Proposed Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user. http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html http://members.tripod.com/~unibyte/iebug3.htm Cole Frech Christey, Foat XF:http-ie-exec(462) DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html Candidate Proposed Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. 19990901 VLAN Security http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm cisco-catalyst-vlan-frames(3294) 615 Foat, Frech Cole, Wall [Foat changed vote from NOOP to ACCEPT] Candidate Proposed Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file. 19990730 Netscape Enterprise Server yeilds source of JHTML 19990730 Netscape Enterprise Server yeilds source of JHTML 559 Cole Frech Foat, Wall XF:netscape-enterprise-view-jhtml(8352) Entry Buffer overflow in OSF Distributed Computing Environment (DCE) security demon (secd) in IRIX 6.4 and earlier allows attackers to cause a denial of service via a long principal, group, or organization. VB-97.12 I-060 19980601-01-PX sgi-osf-dce-dos(1123) Entry Windows NT 4.0 allows remote attackers to cause a denial of service (crash) via extra source routing data such as (1) a Routing Information Field (RIF) field with a hop count greater than 7, or (2) a list containing duplicate Token Ring IDs. 19981005 NMRC Advisory - Lame NT Token Ring DoS 19981002 NMRC Advisory - Lame NT Token Ring DoS Q179157 token-ring-dos(1399) Candidate Modified HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users. HPSBUX9709-069 hp-vue-dt(499) Cole, Foat, Frech, Stracener Christey CHANGEREF: chaneg XF reference to XF:hp-vue-dt(499) Candidate Modified Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066. HPSBUX9404-008 E-23 hp-vue(2284) Cole, Foat, Stracener Frech XF:hp-vue(2284) Packetstorm URL is dead. Try another archive. Candidate Proposed Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438. HPSBUX9504-027 hp-vue(2284) Cole, Foat, Frech, Stracener Entry Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. HPSBUX9807-081 HPSBMP9807-005 19980729 HP-UX Predictive & Netscape SSL Vulnerabilities I-081 mpeix-predictive(1413) Entry The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone. E-01 00122 sun-audio(549) 6436 Entry SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable. CA-1993-13 sco-homedir(546) Entry Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file. 19980121 HP-UX CUE, CUD and LAND vulnerabilities 19970901 HP UX Bug :) HPSBUX9801-074 I-027B hp-cue(2007) Entry Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field. 19971214 buffer overflows in cracklib?! VB-97.16 cracklib-bo(1539) Candidate Proposed Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters. 19970515 MicroSolved finds hole in Ascom Timeplex Router Security ascom-timeplex-debug(1824) Frech Cole, Foat Entry SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user. CA-1992-11 00116 sun-env(3152) Entry Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlier allows local users to gain privileges via setuid and setgid programs. H-065 19970504-01-PX sgi-rld(2109) Entry Certain files in MPower in HP-UX 10.x are installed with insecure permissions, which allows local users to gain privileges. HPSBUX9701-051 hp-mpower(2056) Entry Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9701-044 H-21 hp-glanceplus(2059) Entry Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x and earlier allows local users to access arbitrary files and gain privileges. HPSBUX9405-011 hp-glanceplus-gpm(2060) Entry Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows remote attackers to execute arbitrary commands via a long string to the Agent port (1827), which is handled by smaxagent.exe. 19981204 [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 19981207 Re: [SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 pcm-dos-execute(1430) 3164 Entry FTP service in IIS 4.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via many passive (PASV) connections at the same time. MS98-006 Q189262 iis-passive-ftp(1215) Candidate Proposed Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port. 19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1 csm-proxy-dos(1422) Cole, Frech Foat, Wall Candidate Proposed Livingston Portmaster routers running ComOS use the same initial sequence number (ISN) for TCP connections, which allows remote attackers to conduct spoofing and hijack TCP sessions. 19980630 Livingston Portmaster - ISN generation is loosy! portmaster-fixed-isn(1882) Frech Cole, Foat, Wall Candidate Proposed Compaq/Microcom 6000 Access Integrator does not cause a session timeout after prompting for a username or password, which allows remote attackers to cause a denial of service by connecting to the integrator without providing a username or password. 19980603 Compaq/Microcom 6000 DoS + more microcom-dos(2089) Cole, Frech Foat, Wall Candidate Proposed Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack. 19980603 Compaq/Microcom 6000 DoS + more Frech Cole, Foat, Wall XF:microcom-brute-force(7301) Candidate Proposed HAMcards Postcard CGI script 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. 19981109 Several new CGI vulnerabilities cgi-perl-mail-programs(1400) Cole, Frech Foat, Wall Candidate Proposed LakeWeb Filemail CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. 19981109 Several new CGI vulnerabilities http://lakeweb.com/scripts/ cgi-perl-mail-programs(1400) Cole, Frech Christey, Foat, Wall I confirmed this problem via visual inspection of the source code in http://www.lakeweb.com/scripts/filemail.zip Line 82 has an insufficient check for shell metacharacters that doesn't exclude semicolons. Line 129 is the call where the metacharacters are injected. Need to add "filemail.pl" to the description. Candidate Proposed LakeWeb Mail List CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the recipient email address. 19981109 Several new CGI vulnerabilities http://lakeweb.com/scripts/ cgi-perl-mail-programs(1400) Cole, Frech Foat, Wall Entry BisonWare FTP Server 4.1 and earlier allows remote attackers to cause a denial of service via a malformed PORT command that contains a non-numeric character and a large number of carriage returns. 19990517 Vulnerabilities in BisonWare FTP Server 3.5 bisonware-port-crash(2254) Entry Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface. Q192774 tcpipsys-icmp-dos(3894) Candidate Proposed Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd. AA-97.09 00139 Cole, Dik, Foat, Stracener Frech Christey XF:solaris-pam-bo(7432) sun bug: 4018347 These issues should be SPLIT per CD:SF-EXEC because the PAM problem appears in different Solaris versions than unix_scheme. Entry SSH 2.0.11 and earlier allows local users to request remote forwarding from privileged ports without being root. 19981229 ssh2 security problem (and patch) (fwd) ssh-privileged-port-forward(1471) Entry Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and possibly remote users to gain root privileges. HPSBUX9702-055 H-33 hp-ftpd-kftpd(7437) Entry Vulnerability in ppl in HP-UX 10.x and earlier allows local users to gain root privileges by forcing ppl to core dump. 19961103 Re: Untitled 19961104 ppl bugs HPSBUX9704-057 H-32 AA-97.07 hp-ppl(7438) Entry Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system. CA-1993-08 sco-passwd-deny(542) Entry Vulnerability in HP Series 800 S/X/V Class servers allows remote attackers to gain access to the S/X/V Class console via the Service Support Processor (SSP) Teststation. HPSBUX9911-105 hp-ssp(7439) Candidate Proposed Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang. 19990625 Outlook denial of service Wall Frech Cole, Foat XF:outlook-xuidl-dos(8356) Candidate Proposed GNU fingerd 1.37 does not properly drop privileges before accessing user information, which could allow local users to (1) gain root privileges via a malicious program in the .fingerrc file, or (2) read arbitrary files via symbolic links from .plan, .forward, or .project files. 19990721 old gnu finger bugs 19950317 GNU finger 1.37 executes ~/.fingerrc with gid root 535 Frech Cole, Foat XF:gnu-finger-privilege-dropping(7175) Candidate Proposed Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory. 19990711 Linux 2.0.37 segment limit bug 523 Frech Cole, Foat, Wall (Task 2253) [Frech changed vote from REVIEWING to MODIFY] XF:linux-segment-limit-privileges(11202) Entry Cross-site scripting vulnerability in Third Voice Web annotation utility allows remote users to read sensitive data and generate fake web pages for other Third Voice users by injecting malicious Javascript into an annotation. http://www.wired.com/news/technology/0,1282,20677,00.html http://www.wired.com/news/technology/0,1282,20636,00.html thirdvoice-cross-site-scripting(7252) Candidate Proposed install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file. 19990220 ISS install.iss security hole Frech Cole, Foat, Wall XF:iss-temp-files(1793) ADDREF:http://www.securityfocus.com/archive/1/12679 Candidate Proposed nobo 1.2 allows remote attackers to cause a denial of service (crash) via a series of large UDP packets. 19990204 NOBO denial of service Foat Frech Cole, Wall XF:nobo-udp-packet-dos(7502) ADDREF:http://www.securityfocus.com/archive/1/12378 ADDREF:http://web.cip.com.br/nobo/mudancas_en.html Candidate Proposed IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. 19990204 WS FTP Server Remote DoS Attack 218 Frech Cole, Foat, Wall XF:imail-registry(1725) Candidate Proposed IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920. 19990204 WS FTP Server Remote DoS Attack 218 Frech Cole, Foat, Wall XF:wsftp-registry(1726) Candidate Proposed By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared. 19990114 security hole in Maximizer Frech Cole, Foat, Wall Christey The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like. There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities. The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition. However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one. [Frech changed vote from REVIEWING to MODIFY] XF:maximizer-enterprise-calendar-modification(7590) Candidate Proposed Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack. 19981218 wordperfect 8 for linux security Cole, Foat, Wall Candidate Proposed ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk. http://www.counterpane.com/crypto-gram-9812.html#doghouse Cole Foat, Wall Entry Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048. 19980513 Cisco Web Cache Control Protocol Router Vulnerability I-054 cisco-wccp-vuln(1577) Candidate Proposed Buffer overflow in cidentd ident daemon allows local users to gain root privileges via a long line in the .authlie script. 19980110 Cidentd 19980911 Re: security problems with jidentd http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c Frech Cole, Foat, Wall XF:cidentd-authlie-bo(7327) Entry Directory traversal vulnerability in nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the pathname for an upload operation. http://www.w3.org/Security/Faq/wwwsf4.html http://www-genome.wi.mit.edu/WWW/tools/CGI_scripts/server_publish/nph-publish http-cgi-nphpublish(2055) Candidate Proposed Sambar Server 4.1 beta allows remote attackers to obtain sensitive information about the server via an HTTP request for the dumpenv.pl script. sambar-dump-env(3223) 19980610 Sambar Server Beta BUG.. Frech Cole, Foat, Wall Candidate Proposed Vulnerability in man.sh CGI script, included in May 1998 issue of SysAdmin Magazine, allows remote attackers to execute arbitrary commands. 19980515 May SysAdmin man.sh security hole Frech Cole, Foat, Wall XF:mansh-execute-commands(7328) Candidate Proposed O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in an argument to (1) args.cmd or (2) args.bat. http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html 19990216 Website Pro v2.0 (NT) Configuration Issues Wall Frech Christey, Cole, Foat DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html XF:website-pro-args-commands(7529) Entry Vulnerability in On-Line Customer Registration software for IRIX 6.2 through 6.4 allows local users to gain root privileges. 19980901-01-PX J-003 irix-register(7441) Candidate Proposed Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error. 19970717 KSR[T] Advisory #2: ld.so 19970722 ld.so vulnerability 19980204 An old ld-linux.so hole Cole, Foat Candidate Modified System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attackers to execute commands by providing a trojan horse (1) runtask or (2) runexec descriptor file, which is used to execute a System Manager Task when the user's Mailcap entry supports the x-sgi-task or x-sgi-exec type. 19980403-02-PX 19980403-01-PX 8556 sgi-mailcap(809) Cole, Foat, Stracener Frech XF:sgi-mailcap(809) Candidate Proposed Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable. 19970513 19970514 Re: ELM overflow Frech Cole, Foat XF:elm-term-bo(7183) Candidate Proposed Buffer overflow in SCO mscreen allows local users to gain root privileges via a long terminal entry (TERM) in the .mscreenrc file. 19980827 SCO mscreen vul. 19980926 Root exploit for SCO OpenServer. VB-98.10 98.05 sco-openserver-mscreen-bo(1379) Cole, Foat, Frech, Stracener Wall Christey Possible dupe on CVE-1999-1041. Possible dupe with CVE-1999-1041. Candidate Proposed rxvt, when compiled with the PRINT_PIPE option in various Linux operating systems including Linux Slackware 3.0 and RedHat 2.1, allows local users to gain root privileges by specifying a malicious program using the -print-pipe command line parameter. 19960102 rxvt security hole Frech Cole, Foat XF:rxvtpipe(425) Candidate Proposed Pine before version 3.94 allows local users to gain privileges via a symlink attack on a lockfile that is created when a user receives new mail. 19960826 [BUG] Vulnerability in PINE pine-tmpfile(416) Frech Cole, Foat CONFIRM:http://www.washington.edu/pine/changes.html Entry mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database. 19981227 mysql: mysqld creates world readable logs.. mysql-readable-log-files(1568) Entry Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 and Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument after the ? character in a URL that references an .asp, .cgi, .html, or .pl file. 19991124 Netscape Communicator 4.7 - Navigator Overflows 19991127 Netscape Communicator 4.7 - Navigator Overflows 822 netscape-long-argument-bo(7884) Candidate Proposed Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allows remote attackers to execute arbitrary commands via a long "From" header in an e-mail message. http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html 801 Frech Cole, Foat, Wall XF:emailclub-pop3-from-bo(7873) Entry Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 19970519 Re: Finally, most of an exploit for Solaris 2.5.1's ps. AA-97.18 00144 207 solaris-chkey-bo(7442) Entry Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument. 00143 206 solaris-eeprom-bo(7444) Entry The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root. CA-1991-06 next-me(581) 20 Entry chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges. CA-1991-05 17 dec-chroot(577) Candidate Proposed NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus definition file during an update via FTP, but it reports that the update was successful, which could cause a system administrator to believe that the definitions have been updated correctly. 19990505 NAI AntiVirus Update Problem 19990505 NAI AntiVirus Update Problem 169 Frech Cole, Foat, Wall XF:virusscan-ftp-update(8387) Candidate Proposed Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000. 19990427 NT/Exceed D.O.S. 158 Frech Cole, Foat, Wall XF:exceed-xserver-dos(7530) Entry TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges. CA-1990-12 14 sunos-tioccons-console-redirection(7140) Entry BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. CA-1990-06 B-01 11 nextstep-builddisk-root-access(7141) Entry Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability. 19980807 YA Apache DoS attack 19980808 Debian Apache Security Update 19980810 Apache DoS Attack 19980811 Apache 'sioux' DOS fix for TurboLinux http://www.redhat.com/support/errata/rh51-errata-general.html#apache Candidate Proposed Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command. 19980720 DOS in Vintra systems Mailserver software. vintra-mail-dos(1617) Cole, Frech Foat, Wall Entry Windows 95 and Windows 98 systems, when configured with multiple TCP/IP stacks bound to the same MAC address, allow remote attackers to cause a denial of service (traffic amplification) via a certain ICMP echo (ping) packet, which causes all stacks to send a ping response, aka TCP Chorusing. 19990206 New Windows 9x Bug: TCP Chorusing 225 win-multiple-ip-dos(7542) Candidate Proposed StarTech (1) POP3 proxy server and (2) telnet server allows remote attackers to cause a denial of service via a long USER command. 19980703 Windows95 Proxy DoS Vulnerabilites startech-pop3-overflow(2088) Frech Cole, Foat, Wall Entry Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote attackers to cause a denial of service via a spoofed endpoint identifier. 19990210 Security problems in ISDN equipment authentication 19990212 PPP/ISDN multilink security issue - summary ascend-ppp-isdn-dos(7498) Entry Check Point Firewall-1 does not properly handle certain restricted keywords (e.g., Mail, auth, time) in user-defined objects, which could produce a rule with a default "ANY" address and result in access to more systems than intended by the administrator. 19980511 Firewall-1 Reserved Keywords Vulnerability http://www.checkpoint.com/techsupport/config/keywords.html fw1-user-defined-keywords-access(7293) 4416 Entry nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allows local users to cause a denial of service by modifying critical networking configuration information. 19960607 HP-UX B.10.01 vulnerability HPSBUX9607-035 G-34 hp-nettune(414) Candidate Proposed SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and possibly other platforms and operating systems, installs two ActiveX controls that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via a malicious web page that references (1) the Launch control, or (2) the RegObj control. 19990729 New ActiveX security problems in Windows 98 PCs http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm 555 Armstrong, Cole, Foat, Stracener Frech Christey, Wall XF:systemwizard-modify-registry(7080) CERT-VN:VU#22919 URL:http://www.kb.cert.org/vuls/id/22919 CERT-VN:VU#34453 URL:http://www.kb.cert.org/vuls/id/34453 Candidate Proposed Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request. http://www.efri.hr/~crv/security/bugs/NT/netxtray.html netxray-bo(907) Frech Cole, Foat, Wall Entry Buffer overflow in ping in AIX 4.2 and earlier allows local users to gain root privileges via a long command line argument. 19970721 AIX ping, lchangelv, xlock fixes 19970721 AIX ping (Exploit) ping-bo(803) Entry Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Open Server 3.0 allows local users to gain root privileges. 19971204 scoterm exploit VB-97.14 sco-scoterm(690) Candidate Proposed xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access. 19971112 Digital Unix Security Problem dec-xterm(613) Frech Cole, Foat Candidate Proposed Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges. CA-1991-02 sun-intelnetd(574) Cole, Dik, Foat, Frech, Stracener Wall CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/1 06&type=0&nav=sec.sba sun bug: 1054669 1049886 1042370 1033809 Candidate Proposed Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges. CA-1991-02 sun-intelnetd(574) Cole, Dik, Foat, Frech, Stracener Wall sun bug: 1054669 1049886 1042370 1033809 Candidate Proposed Vulnerability in telnet service in HP-UX 10.30 allows attackers to cause a denial of service. HPSBUX9710-070 hp-telnetdos(571) Cole, Foat, Frech, Stracener Entry The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. 19970915 Vulnerability in I/O Signal Handling http://www.openbsd.com/advisories/signals.txt 11062 openbsd-iosig(556) Entry LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes user name and password information to disk, which could allow local users to gain privileges. D-21 CA-1993-12 novell-login(545) Candidate Proposed Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command. CA-1993-07 D-15 cisco-sourceroute(541) Cole, Foat, Frech, Stracener Wall Entry The PATH in Windows NT includes the current working directory (.), which could allow local users to gain privileges by placing Trojan horse programs with the same name as commonly used system programs into certain directories. 19970725 Re: NT security - why bother? 19970723 NT security - why bother? nt-path(526) Candidate Proposed Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files. CA-1993-04 amiga-finger(522) Cole, Foat, Frech, Stracener Wall Candidate Proposed Vulnerability in sgihelp in the SGI help system and print manager in IRIX 5.2 and earlier allows local users to gain root privileges, possibly through the clogin command. CA-1994-13 AA-94.04a E-33 sgi-prn-mgr(511) 468 Cole, Foat, Frech, Stracener Wall Candidate Proposed Majordomo 1.94.3 and earlier allows remote attackers to execute arbitrary commands when the advertise or noadvertise directive is used in a configuration file, via shell metacharacters in the Reply-To header. 19970824 Vulnerability in Majordomo majordomo-advertise(502) Frech Cole, Foat Candidate Proposed dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file. 19961117 Digital Unix v3.x (v4.x?) security vulnerability dgux-chpwd(399) Frech Cole, Foat Entry Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cause a denial of service (crash) by returning 0.0.0.0 as the IP address for a DNS host name lookup. Q188571 dns-netbtsys-dos(3893) Entry IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters. Q187503 url-asp-av(3892) Candidate Proposed IMAP 4.1 BETA, and possibly other versions, does not properly handle the SIGABRT (abort) signal, which allows local users to crash the server (imapd) via certain sequences of commands, which causes a core dump that may contain sensitive password information. 19971008 L0pht Advisory: IMAP4rev1 imapd server imapd-core(349) Frech Cole, Foat Candidate Proposed rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not. 19970824 Serious security flaw in rpc.mountd on several operating systems. mountd-file-exists(347) Frech Cole, Foat Entry Netscape Communicator 4.7 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long certificate key. http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html netscape-huge-key-dos(3436) Candidate Proposed Ethereal allows local users to overwrite arbitrary files via a symlink attack on the packet capture file. http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html ethereal-dev-capturec-root(3334) Cole, Frech Foat, Wall Candidate Proposed Various modems that do not implement a guard time, or are configured with a guard time of 0, can allow remote attackers to execute arbitrary modem commands such as ATH, ATH0, etc., via a "+++" sequence that appears in ICMP packets, the subject of an e-mail message, IRC commands, and others. 19980927 1+2=3, +++ATH0=Old school DoS http://www.macintouch.com/modemsecurity.html global-village-modem-dos(3320) Frech Cole, Foat, Wall Candidate Proposed Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file. 19980225 Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files linux-quake2(733) Frech Cole, Foat, Wall Candidate Proposed Quake 2 server allows remote attackers to cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself. 19971224 Quake II Remote Denial of Service quake2-dos(698) Frech Cole, Foat Candidate Proposed ssh 2.0.12, and possibly other versions, allows valid user names to attempt to enter the correct password multiple times, but only prompts an invalid user name for a password once, which allows remote attackers to determine user account names on the server. 19990609 ssh advirsory ssh-leak(2276) Frech Cole, Foat, Wall Candidate Modified Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 allows local users to execute arbitrary commands via a modified PATH environment variable that points to a malicious cp program. 19970516 Irix and WWW 8559 sgi-day5datacopier(3316) Frech Cole, Foat Entry IIS 4.0 does not properly restrict access for the initial session request from a user's IP address if the address does not resolve to a DNS domain, aka the "Domain Resolution" vulnerability. MS99-039 241562 657 iis-unresolved-domain-access(3306) Candidate Proposed LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a denial of service via a NULL policy handle in a call to (1) SamrOpenDomain, (2) SamrEnumDomainUsers, and (3) SamrQueryDomainInfo. 19991026 Re: LSA vulnerability on NT40 SP5 msrpc-samr-open-dos(3293) Cole, Frech, Wall Foat Candidate Proposed Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link. 19990331 Minor Bug in IE5.0 19990825 IE5 FTP password exposure & index.dat null ACL problem nt-ie5-user-ftp-password(3289) Cole, Foat, Frech, Wall [Foat changed vote from NOOP to ACCEPT] Candidate Proposed Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in the msgboxes.dbf file, which could allow local users to gain privileges by extracting the passwords from msgboxes.dbf. 19991001 Vulnerabilities in the Internet Anywhere Mail Server 731 iams-passwords-plaintext(3285) Cole, Frech Foat, Wall Candidate Proposed Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods. 19990606 Buffer overflows in smbval library smbvalid-bo(2272) Frech Cole, Foat, Wall Candidate Proposed Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 and earlier allows local users to gain privileges. HPSBUX9409-017 hp-core-diag-fileset(2262) Cole, Foat, Frech, Stracener Candidate Proposed HP-UX 9.x does not properly enable the Xauthority mechanism in certain conditions, which could allow local users to access the X display even when they have not explicitly been authorized to do so. HPSBUX9407-015 hp-xauthority(2261) Cole, Foat, Frech, Stracener Candidate Proposed Buffer overflow in cddbd CD database server allows remote attackers to execute arbitrary commands via a long log message. 19961126 Major Security Vulnerabilities in Remote CD Databases cddbd-bo(2203) Frech Cole, Foat Candidate Proposed Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web page that uses the FileSystemObject ActiveX object. http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html ie-filesystemobject(2173) Cole, Frech, Wall Christey, Foat DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html Change MISC to http://www.securitybugware.org/NT/1018.html Candidate Proposed Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users to gain privileges. HPSBUX9402-003 hp-subnet-config(2162) Cole, Foat, Frech, Stracener Entry SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local users to modify permissions for arbitrary files and gain privileges. F-16 19950301-01-P373 sgi-permissions(2113) Candidate Proposed IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary files via a symlink attack on the saved output file. 19990415 FSA-99.04-IPFILTER-v3.2.10 ipfilter-temp-file(2087) Cole, Frech Foat, Wall Candidate Proposed vacm ucd-snmp SNMP server, version 3.52, does not properly disable access to the public community string, which could allow remote attackers to obtain sensitive information. ucd-snmpd-community(2086) Frech Cole, Foat, Wall http://www.securityfocus.com/archive/1/13130 Entry Direct Mailer feature in Microsoft Site Server 3.0 saves user domain names and passwords in plaintext in the TMLBQueue network share, which has insecure default permissions, allowing remote attackers to read the passwords and gain privileges. Q229972 siteserver-directmail-passwords(2068) Candidate Proposed Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allows attackers to gain root privileges. HPSBUX9402-006 hp-dce9000(2061) Cole, Foat, Frech, Stracener Candidate Proposed Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through 9.0 allows local users to gain privileges. HPSBUX9411-019 hp-supportwatch(2058) Cole, Foat, Frech, Stracener Entry movemail in HP-UX 10.20 has insecure permissions, which allows local users to gain privileges. HPSBUX9701-047 hp-movemail(2057) 8099 Candidate Proposed Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files. 19970819 Lasso CGI security hole (fwd) http-cgi-lasso(2044) Frech Cole, Foat Candidate Proposed Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 allows local users to cause a denial of service. HPSBUX9612-043 hp-audio-panic(2010) Cole, Foat, Frech, Stracener Candidate Proposed Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 allows local users to access arbitrary files and gain root privileges. VB-96.15 96:002 sco-system-call(1966) Cole, Foat, Frech, Stracener Wall Candidate Proposed Vulnerability in a kernel error handling routine in SCO OpenServer 5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users to gain root privileges. VB-96.10 96:001 sco-kernel(1965) Cole, Foat, Frech, Stracener Wall Candidate Proposed Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of service by spoofing ICMP redirect messages from a router, which causes Windows to change its routing tables. 19990308 Winfreeze EXPLOIT Win9x/NT win-redirects-freeze(1947) Cole, Frech, Wall Meunier Christey, Foat Need to get feedback from MS on this. (prompted from Pascal Meunier) should this be treated as a general design issue with ICMP? Or is it a specific implementation flaw that only affects Reliant? The description is too narrow and incorrect. Spoofed ICMP redirect messages can be used to setup man-in-the-middle attacks instead of a DoS. There's no reason that this behavior would be limited to Windows, as it is specified by the standard. As I said elsewhere, ICMP messages should not be acted upon without access controls. Candidate Proposed Hyperseek allows remote attackers to modify the hyperseek configuration by directly calling the admin.cgi program with an edit_file action parameter. http://www.rootshell.com/archive-j457nxiqi3gq59dv/199902/hyperseek.txt.html hyperseek-modify(1914) Cole, Frech Foat, Wall Candidate Proposed Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition stores the database master password in plaintext in the spoolmain.log file when a new database is created, which allows local users to obtain the password from that file. 19990304 Oracle Plaintext Password 19990304 Oracle Plaintext Password oracle-passwords(1902) Cole, Frech Foat, Wall Candidate Proposed Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark). 19971126 Xyplex terminal server bug xyplex-controlz-login(1825) xyplex-question-login(1826) Frech Cole, Foat Entry rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information. 00102 sun-pwdauthd(1782) Entry Microsoft Office 98, Macintosh Edition, does not properly initialize the disk space used by Office 98 files and effectively inserts data from previously deleted files into the Office file, which could allow attackers to obtain sensitive information. Q189529 office-extraneous-data(1780) Candidate Proposed mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query. 19990215 KSR[T] Advisory #10: mSQL ServerStats msql-serverstats(1777) Frech Cole, Foat, Wall Candidate Proposed Buffer overflow in Rainbow Six Multiplayer allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long nickname (nick) command. 19990211 Rainbow Six Buffer Overflow..... rainbowsix-nick-bo(1772) Frech Cole, Foat, Wall Entry Java in Netscape 4.5 does not properly restrict applets from connecting to other hosts besides the one from which the applet was loaded, which violates the Java security model and could allow remote attackers to conduct unauthorized activities. 19990202 Unsecured server in applets under Netscape java-socket-open(1727) Entry Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified, which is processed by uuencode in Metamail scripts such as sun-audio-file. 19971024 Vulnerability in metamail metamail-file-creation(1677) Candidate Proposed WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been expliticly disabled. 19990121 WebRamp M3 remote network access bug 19990203 WebRamp M3 Perceived Bug webramp-remote-access(1670) Frech Cole, Foat, Wall Candidate Proposed SMTP server in SLmail 3.1 and earlier allows remote attackers to cause a denial of service via malformed commands whose arguments begin with a "(" (parenthesis) character, such as (1) SEND, (2) VRFY, (3) EXPN, (4) MAIL FROM, (5) RCPT TO. 19980922 Re: WARNING! SMTP Denial of Service in SLmail ver 3.1 19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1 19980922 WARNING! SMTP Denial of Service in SLmail ver 3.1 slmail-parens-overload(1664) Cole, Foat, Frech Wall Candidate Proposed rsh daemon (rshd) generates different error messages when a valid username is provided versus an invalid name, which allows remote attackers to determine valid users on the system. 19970613 rshd gives away usernames rsh-username-leaks(1660) Frech Cole, Foat Candidate Proposed KDE file manager (kfm) uses a TCP server for certain file operations, which allows remote attackers to modify arbitrary files by sending a copy command to the server. 19970505 Hole in the KDE desktop kde-flawed-ipc(1646) Frech Cole, Foat Candidate Proposed Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices. http://lists.kde.org/?l=kde-devel&m=91560433413263&w=2 kde-konsole-hijack(1645) Frech Cole, Foat, Wall Candidate Proposed Screen savers in KDE beta 3 allows local users to overwrite arbitrary files via a symlink attack on the .kss.pid file. 19980206 serious security hole in KDE Beta 3 kde-kss-file-clobber(1641) Frech Cole, Foat, Wall Candidate Proposed KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps. http://lists.kde.org/?l=kde-devel&m=90221974029738&w=2 kde-kmail-passphrase-leak(1639) Frech Cole, Foat, Wall Candidate Proposed Macromedia Dreamweaver uses weak encryption to store FTP passwords, which could allow local users to easily decrypt the passwords of other users. 19980611 Unsecure passwords in Macromedia Dreamweaver dreamweaver-weak-passwords(1636) Cole, Frech Foat, Wall Candidate Proposed Buffer overflows in CDROM Confidence Test program (cdrom) allow local users to gain root privileges. 19980301-01-PX irix-cdrom-confidence(1635) Cole, Foat, Frech, Stracener Candidate Proposed Squid Internet Object Cache 1.1.20 allows users to bypass access control lists (ACLs) by encoding the URL with hexadecimal escape sequences. 19980220 Simple way to bypass squid ACLs squid-regexp-acl(1627) Cole, Frech Foat, Wall Candidate Proposed iPass RoamServer 3.1 creates temporary files with world-writable permissions. 19971229 iPass RoamServer 3.1 ipass-temporary-files(1625) Frech Cole, Foat Candidate Proposed Lotus cc:Mail release 8 stores the postoffice password in plaintext in a hidden file which has insecure permissions, which allows local users to gain privileges. 19970908 Password unsecurity in cc:Mail release 8 lotus-ccmail-passwords(1619) Frech Cole, Foat Entry fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device. 19981207 fte-console: does not drop its root priviliges fte-console-privileges(1609) Candidate Proposed BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password. 19981224 BackWeb - Password issue (used by NAI for Corporate customer notification). backweb-cleartext-passwords(1565) Frech Cole, Foat, Wall Candidate Proposed nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl. 19981225 Re: Nlog v1.0 Released - Nmap 2.x log management / analyzing tool 19981226 Nlog 1.1b released - security holes fixed http-cgi-nlog-netbios(1550) http-cgi-nlog-metachars(1549) Cole, Foat, Frech Wall Entry An interaction between the AS/400 shared folders feature and Microsoft SNA Server 3.0 and earlier allows users to view each other's folders when the users share the same Local APPC LU. Q138001 snaserver-shared-folders(1548) Candidate Proposed Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file. 19981203 Remote Tools w/Exceed v.6.0.1.0 fer 95 exceed-cleartext-passwords(1547) Frech Cole, Foat, Wall Candidate Proposed Development version of Breeze Network Server allows remote attackers to cause the system to reboot by accessing the configbreeze CGI program. 19981226 Breeze Network Server remote reboot and other bogosity. breeze-remote-reboot(1544) Cole, Frech Foat, Wall There have been no followups to indicate that this issue has been resolved in the production version, and as a benefit to the doubt, this issue transcends EX-BETA until proven otherwise. Candidate Proposed RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges. 19981210 RealSystem passwords realsystem-readable-conf-file(1542) Cole, Frech Foat, Wall Candidate Proposed Opera 3.2.1 allows remote attackers to cause a denial of service (application crash) via a URL that contains an extra / in the http:// tag. 19980814 URL exploit to crash Opera Browser opera-slash-crash(1541) Cole, Frech Foat, Wall Will go along with a REJECT if MITRE decides on EX-CLIENT-DOS. Entry NukeNabber allows remote attackers to cause a denial of service by connecting to the NukeNabber port (1080) without sending any data, which causes the CPU usage to rise to 100% from the report.exe program that is executed upon the connection. 19981105 various *lame* DoS attacks 19981107 Re: various *lame* DoS attacks http://www.dynamsol.com/puppet/text/new.txt nukenabber-timeout-dos(1540) Candidate Proposed Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed. 19981227 [patch] fix for urandom read(2) not interruptible linux-random-read-dos(1472) Cole, Frech Foat, Wall Candidate Modified addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbitrary files and possibly gain root access via a symlink attack on a temporary file. 19970509 Re: Irix: misc ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX 330 8560 irix-addnetpr(1433) Frech Christey, Cole, Foat CHANGE DESC: "via a symlink attack on the printers temporary file." Add 5.3 as another affected version. MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX SGI:19961203-02-PX may solve this problem, but the advisory is so vague that it is uncertain whether this was fixed or not. addnetpr is not specifically named in the advisory, which names netprint, which is not specified in the original Bugtraq post. In addition, the date on the advisory is one day earlier than that of the Bugtraq post, though that could be a difference in time zones. It seems plausible that the problem had already been patched (the researcher did say "There *was* [a] race condition") so maybe SGI released this advisory after the problem was publicized. ADDREF BID:330 URL:http://www.securityfocus.com/bid/330 Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will be rejected in favor of CVE-1999-1286. Candidate Proposed Vulnerability in Analog 3.0 and earlier allows remote attackers to read arbitrary files via the forms interface. http://www.statslab.cam.ac.uk/~sret1/analog/security.html analog-remote-file(1410) Armstrong, Cole, Frech, Stracener Foat, Wall [Foat changed vote from ACCEPT to NOOP] Entry Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, which is installed with incorrect permissions including the setgid bit, which allows local users to read and write files and possibly gain privileges via bugs in the program. 19981119 Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux SA-1998.35 samba-wsmbconf(1406) Candidate Proposed ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration. 19981111 WARNING: Another ICQ IP address vulnerability icq-ip-info(1398) Cole, Frech, Wall Foat Override EX-BETA in this case, since ICQ is always in beta and is widely run in production environments. Entry Buffer overflow in nftp FTP client version 1.40 allows remote malicious FTP servers to cause a denial of service, and possibly execute arbitrary commands, via a long response string. 19981117 nftp vulnerability (fwd) http://www.ayukov.com/nftp/history.html nftp-bo(1397) Candidate Proposed TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target. 19981005 New Windows Vulnerability nt-brkill(1383) Cole, Frech, Wall Christey, Foat Need to get feedback from MS on this. Candidate Proposed Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 and earlier allows remote attackers to execute arbitrary commands via a long URL. 19980901 Remote Buffer Overflow in the Kolban Webcam32 Program webcam32-buffer-overflow(1366) Frech Cole, Foat, Wall Candidate Proposed mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core. 19980106 Apache security advisory http://www.apache.org/info/security_bulletin_1.2.5.html Armstrong, Cole, Stracener Frech Foat, Wall XF:apache-mod-proxy-dos(7249) CONFIRM reference no longer seems to exist. BugTraq message seems to be a confirmation/advisory, however. [Foat changed vote from ACCEPT to NOOP] Entry Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore permissions, which are inherited by programs such as File Manager that are started from the Shortcut Bar, which could allow local users to read folders for which they do not have permission. Q146604 nt-filemgr(562) Candidate Modified Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 does not properly initialize the grouplist for users who belong to a large number of groups, which could allow those users to gain access to resources that are protected by DFS. VB-96.16 dfs-login-groups(7154) Cole, Foat, Stracener Frech Wall XF:dfs-login-groups(7154) Candidate Proposed Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable. 19970429 vulnerabilities in kerberos Frech Cole, Foat XF:kerberos-config-file-bo(7184) Entry cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier allows attackers with physical access to the system to display unechoed characters (such as those from password prompts) via the L2/AGAIN key. 1077164 sun-cmdtool-echo(7482) Entry Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources. FreeBSD-SA-97:03 freebsd-sysinstall-ftp-password(7537) 6087 Candidate Proposed rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file. 19970203 Linux rcp bug Frech Cole, Foat XF:rcp-nobody-file-overwrite(7187) Candidate Proposed Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users to read arbitrary files and modify system accounting configuration. B-31 Armstrong, Cole, Foat, Stracener Frech Wall XF: unicos-accton-read-files(7210) Entry A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs. G-31 FreeBSD-SA-96:17 rzsz-command-execution(7540) Candidate Modified Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local users to gain root access. VB-94:01 F-05 94:001 8797 sco-pt_chmod(7586) Cole, Foat, Stracener Frech XF:sco-pt_chmod(7586) Candidate Proposed Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users to gain root access. F-05 94:001 Cole, Foat, Stracener Frech XF:sco-prwarn(7587) Candidate Proposed Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access. F-05 94:001 Cole, Foat, Stracener Frech XF:sco-login(7588) Candidate Proposed Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access. F-05 94:001 Cole, Foat, Stracener Frech XF:sco-at(7589) Candidate Proposed Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters. CA-1992-20 Cole, Foat, Stracener Frech Wall Christey XF:cisco-acl-established(1248) Possibly duplicate with CVE-1999-0162? Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was released in 1995, whereas this bug was released in 1992. Candidate Proposed Vulnerability in urestore in Novell UnixWare 1.1 allows local users to gain root privileges. 19941209 Novell security advisory on sadc, urestore and the suid_exec feature F-06 Armstrong, Cole, Foat, Stracener Frech Wall XF;novell-unixware-urestore-root(7211) Candidate Modified Certain programs in HP-UX 10.20 do not properly handle large user IDs (UID) or group IDs (GID) over 60000, which could allow local users to gain privileges. HPSBUX9611-041 H-09 H-91 hp-large-uid-gid(7594) Cole, Foat, Stracener Frech XF:hp-large-uid-gid(7594) Entry Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option. 19940314 sendmail -d problem (OLD yet still here) 19940315 so... 19940315 anyone know details? 19940315 Security problem in sendmail versions 8.x.x 19940327 sendmail exploit script - resend CA-1994-12 sendmail-debug-gain-root(7155) Candidate Modified ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1022. Reason: This candidate is a duplicate of CVE-1999-1022. Notes: All CVE users should reference CVE-1999-1022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cole, Foat, Stracener Christey, Frech DUPE CVE-1999-1022 As noted by Andre Frech, this is a duplicate of CVE-1999-1022. The references from this candidate will be added to CVE-1999-1022. Candidate Proposed Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows local users to bypass authentication and gain privileges. HPSBUX9701-046 H-21 Cole, Foat, Stracener Frech XF:hp-dt-bypass-auth(7668) ACKNOWLEDGED-BY-VENDOR Candidate Modified Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges. CA-1993-05 openvms-local-privilege-elevation(7142) Cole, Foat, Stracener Frech Wall XF:openvms-local-privilege-elevation(7142) Candidate Modified Manual page reader (man) in FreeBSD 2.2 and earlier allows local users to gain privileges via a sequence of commands. G-24 FreeBSD-SA-96:11 bsd-man-command-sequence(7348) Cole, Foat, Stracener Frech XF:bsd-man-command-sequence(7348) Candidate Modified Vulnerability in union file system in FreeBSD 2.2 and earlier, and possibly other operating systems, allows local users to cause a denial of service (system reload) via a series of certain mount_union commands. G-24 FreeBSD-SA-96:10 unionfs-mount-ordering(7429) Cole, Foat, Stracener Frech XF:unionfs-mount-ordering(7429) Candidate Proposed Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP and VAX/VMS systems allow local users to gain privileges or cause a denial of service. F-04 Armstrong, Cole, Foat, Stracener Frech Wall XF:openvms-decnetosi-gain-privileges(7212) Entry Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess. Q247975 passfilt-fullname(7391) Entry Windows NT 4.0 SP4 and earlier allows local users to gain privileges by modifying the symbolic link table in the \?? object folder using a different case letter (upper or lower) to point to a different device. 19990312 [ ALERT ] Case Sensitivity and Symbolic Links 19990314 AW: [ ALERT ] Case Sensitivity and Symbolic Links Q222159 nt-symlink-case(7398) Entry /usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs. 1121935 sun-su-path(7480) Candidate Modified Vulnerability in object server program in SGI IRIX 5.2 through 6.1 allows remote attackers to gain root privileges in certain configurations. 19960101-01-PX irix-object-server(7430) Cole, Foat, Stracener Frech XF:irix-object-server(7430) Entry Vulnerability in Novell NetWare 3.x and earlier allows local users to gain privileges via packet spoofing. D-01 netware-packet-spoofing-privileges(7213) Entry Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing. 19981105 security patch for ssh-1.2.26 kerberos code 4883 Candidate Proposed The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext. 19981112 exchverify.log 19981117 Re: exchverify.log - update #1 19981125 Re: exchverify.log - update #2 19981216 Arcserve Exchange Client security issue being fixed 19990305 Cheyenne InocuLAN for Exchange plain text password still there 19990426 ArcServe Exchange Client Security Issue still unresolved Cole, Foat, Wall Candidate Proposed Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earlier, and Norton AntiVirus for MS Exchange (NAVMSE) 1.5 and earlier, store the administrator password in cleartext in (1) the navieg.ini file for NAVIEG, and (2) the ModifyPassword registry key in NAVMSE. 19990409 NAV for MS Exchange & Internet Email Gateways Prosser Frech Cole, Foat, Wall XF:nav-admin-password(7543) This has been since corrected in later releases. Entry VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing. D-06 openvms-sysgen-enabled(7225) Entry SAS System 5.18 on VAX/VMS is installed with insecure permissions for its directories and startup file, which allows local users to gain privileges. C-19 vaxvms-sas-gain-privileges(7261) Entry wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR (abort file transfer) command is executed during a file transfer, which causes a signal to be handled incorrectly and allows local and possibly remote attackers to read arbitrary files. 19970104 serious security bug in wu-ftpd v2.4 19970105 BoS: serious security bug in wu-ftpd v2.4 -- PATCH wuftpd-abor-gain-privileges(7169) Entry Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows local users to gain root privileges via a long LANG environmental variable. 19980601 Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd) http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-lang-bo(7239) 6065 Entry linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users to overwrite arbitrary files and gain root access via a symlink attack. 19980826 [djb@redhat.com: Unidentified subject!] 19980823 Security concerns in linuxconf shipped w/RedHat 5.1 http://www.redhat.com/support/errata/rh51-errata-general.html#linuxconf linuxconf-symlink-gain-privileges(7232) 6068 Entry Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows local users to gain privileges. http://www.redhat.com/support/errata/rh50-errata-general.html#SysVinit sysvinit-root-bo(7250) Entry The snprintf function in the db library 1.85.4 ignores the size parameter, which could allow attackers to exploit buffer overflows that would be prevented by a properly implemented snprintf. 19970709 [linux-security] so-called snprintf() in db-1.85.4 (fwd) http://lists.openresources.com/Debian/debian-bugs-closed/msg00581.html http://www.redhat.com/support/errata/rh42-errata-general.html#db linux-libdb-snprintf-bo(7244) Entry netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be controlled by users on reboot when an option is set, which allows local users to cause a denial of service by shutting down the interface. http://www.redhat.com/support/errata/rh42-errata-general.html#netcfg netcfg-ethernet-dos(7245) Entry gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file. 19980128 GZEXE - the big problem http://www.redhat.com/support/errata/rh50-errata-general.html#gzip DSA-308 7845 3812 gzip-gzexe-tmp-symlink(7241) Entry automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the names of files that are to be downloaded. 19980319 ncftp 2.4.2 MkDirs bug http://www.redhat.com/support/errata/rh50-errata-general.html#ncftp ncftp-autodownload-command-execution(7240) 6111 Candidate Proposed Multiple buffer overflows in filter command in Elm 2.4 allows attackers to execute arbitrary commands via (1) long From: headers, (2) long Reply-To: headers, or (3) via a long -f (filterfile) command line argument. 19980129 KSR[T] Advisory #7: filter http://www.redhat.com/support/errata/rh50-errata-general.html#elm Cole, Foat, Stracener Frech Armstrong, Wall XF:elm-filter-getfilterrules-bo(7214) XF:elm-filter2(711) Entry snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4.0 is configured to allow remote attackers to read and write sensitive information. http://www.redhat.com/support/errata/rh40-errata-general.html#cmu-snmp cmusnmp-read-write(7251) Entry 3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows remote attackers to cause a denial of service (reboot) via a flood of IAC packets to the telnet port. 19990812 3com hiperarch flaw [hiperbomb.c] 19990816 Re: 3com hiperarch flaw [hiperbomb.c] 6057 Entry FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges. 19990801 midnight commander vulnerability(?) (fwd) midnight-commander-data-disclosure(9873) 5921 Candidate Proposed Delegate proxy 5.9.3 and earlier creates files and directories in the DGROOT with world-writable permissions. 19990721 Delegate creates directories writable for anyone Frech Cole, Foat, Wall XF:delegate-dgroot-permissions(8438) Entry Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command. 19990722 Re: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a nd 2 .2.10) 19990722 Linux +ipchains+ ping -R http://www.kernel.org/pub/linux/kernel/v2.2/patch-2.2.11.gz ipchains-ping-route-dos(7257) 6105 Candidate Proposed Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gain privileges via a long -m command line argument. 19991104 hylafax-4.0.2 local exploit 765 Frech Cole, Foat, Wall XF:hylafax-faxalter-gain-privs(3453) Proper spelling of the product is HylaFAX (see http://www.hylafax.org/) Entry Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices. 19991022 Local user can send forged packets linux-tiocsetd-forge-packets(7858) Candidate Proposed ICQ ActiveList Server allows remote attackers to cause a denial of service (crash) via malformed packets to the server's UDP port. 19991017 ICQ ActiveList Server Exploit... Frech Cole, Foat, Wall XF:icq-activelist-udp-dos(7877) Candidate Proposed HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters. 19991013 Xerox DocuColor 4 LP D.O.S Frech Cole, Foat, Wall XF:xerox-docucolor4lp-dos(8041) Candidate Proposed Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in plaintext in the auto_ftp.conf configuration file. 19991005 Auto_FTP v0.02 Advisory Frech Cole, Foat, Wall XF:autoftp-plaintext-password(8045) Candidate Proposed Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared directory with insecure permissions, which allows local users to (1) send arbitrary files to the remote server by placing them in the directory, and (2) view files that are being transferred. 19991005 Auto_FTP v0.02 Advisory Frech Cole, Foat, Wall XF:autoftp-shared-directory(8047) Candidate Proposed PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file. 19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Frech Cole, Foat, Wall XF:pam-rlogin-bypass(8315) Candidate Proposed Xsession in Red Hat Linux 6.1 and earlier can allow local users with restricted accounts to bypass execution of the .xsession file by starting kde, gnome or anotherlevel from kdm. 19991007 Problems with redhat 6 Xsession and pam.d/rlogin. Frech Cole, Foat, Wall XF:xsession-bypass(8316) Candidate Proposed Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable PAM-based access to the shutdown command, which could allow local users to cause a denial of service. 19990630 linuxconf doesn't seem to deal correctly with /etc/pam.d/reboot Cole Frech Foat, Wall XF:linuxconf-pam-shutdown-dos(8437) Candidate Proposed NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111. 19991006 Omni-NFS/X Enterprise (nfsd.exe) DOS Frech Cole, Foat, Wall XF:xlink-nfsd-dos(8317) Candidate Proposed ARCAD Systemhaus 0.078-5 installs critical programs and files with world-writeable permissions, which could allow local users to gain privileges by replacing a program with a Trojan horse. 19990929 Multiple Vendor ARCAD permission problems Frech Cole, Foat, Wall XF:arcad-insecure-permissions(8318) Entry Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the "Listen to !nick <soundname> requests" option enabled allows remote attackers to read arbitrary files via a .. (dot dot) in a DCC GET request. 19990924 Kvirc bug kvirc-dot-directory-traversal(7761) Candidate Proposed mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges. 19990928 Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Frech Cole, Foat, Wall XF:mknod-symlink(8319) Candidate Proposed Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrator password in the AdmPasswd registry key, and (2) user passwords in the Userbase.dbf data file, which could allow local users to gain privielges. 19990907 MsgCore mailserver stores passwords in clear text Frech Cole, Foat, Wall XF:msgcore-plaintext-passwords(8271) BUGTRAQ Reference is actually NTBUGTRAQ. Candidate Proposed E-mail client in Softarc FirstClass Internet Server 5.506 and earlier stores usernames and passwords in cleartext in the files (1) home.fc for version 5.506, (2) network.fc for version 3.5, or (3) FCCLIENT.LOG when logging is enabled. 19990830 SoftArc's FirstClass E-mail Client 19990909 SoftArc's FirstClass E-mail Client Cole Frech Christey, Foat, Wall (Task 1766) [Frech changed vote from REVIEWING to MODIFY] XF:firstclass-plaintext-account(9874) The following reference is for the FCCLIENT.LOG piece: ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html Candidate Proposed BMC Patrol component, when installed with Compaq Insight Management Agent 4.23 and earlier, or Management Agents for Servers 4.40 and earlier, creates a PFCUser account with a default password and potentially dangerous privileges. 19990817 Compaq PFCUser account 19990905 Case ID SSRT0620 - PFCUser account communication 19990915 (I) UPDATE - PFCUser Account, 19991105 UPDATE: SSRT0620 Compaq Foundation Agents v4.40B PFCUser issues http://www.compaq.com/products/servers/management/advisory.html management-pfcuser(3231) Armstrong, Cole, Foat, Frech, Stracener Wall Entry Compaq Integration Maintenance Utility as used in Compaq Insight Manager agent before SmartStart 4.50 modifies the legal notice caption (LegalNoticeCaption) and text (LegalNoticeText) in Windows NT, which could produce a legal notice that is in violation of the security policy. 19990902 Compaq CIM UG Overwrites Legal Notice 19990902 Compaq CIM UG Overwrites Legal Notice 19990917 Re: Compaq CIM UG Overwrites Legal Notice compaq-smartstart-legal-notice(7763) Candidate Proposed Netscape Communicator 4.04 through 4.7 (and possibly other versions) in various UNIX operating systems converts the 0x8b character to a "<" sign, and the 0x9b character to a ">" sign, which could allow remote attackers to attack other clients via cross-site scripting (CSS) in CGI programs that do not filter these characters. 19991005 Time to update those CGIs again Frech Cole, Foat, Wall XF:netscape-cgi-filtering-css(8274) Entry When an administrator in Windows NT or Windows 2000 changes a user policy, the policy is not properly updated if the local ntconfig.pol is not writable by the user, which could allow local users to bypass restrictions that would otherwise be enforced by the policy, possibly by changing the policy file to be read-only. Q157673 nt-user-policy-update(7400) Entry When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies. Q163875 nt-group-policy-longname(7401) Entry Windows NT 4.0 allows local users to cause a denial of service via a user mode application that closes a handle that was opened in kernel mode, which causes a crash when the kernel attempts to close the handle. Q160650 nt-kernel-handle-dos(7402) Candidate Proposed Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed packets, which causes the server to slow down and fill the event logs with error messages. 19980509 coke.c Wall Frech Cole, Foat XF:winnt-wins-packet-flood-dos(7329) Entry Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. Q160601 nt-win32k-dos(7403) Entry Windows NT 3.51 and 4.0 allow local users to cause a denial of service (crash) by running a program that creates a large number of locks on a file, which exhausts the NonPagedPool. Q163143 nt-nonpagedpool-dos(7405) Candidate Modified Windows NT 4.0 allows local users to cause a denial of service (crash) via an illegal kernel mode address to the functions (1) GetThreadContext or (2) SetThreadContext. Q142653 nt-threadcontext-dos(7421) Cole, Foat, Wall Frech XF:nt-threadcontext-dos(7421) Entry Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default. 19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location 19990630 Update: NT runs explorer.exe, etc... nt-login-default-folder(2336) 0515 Candidate Proposed Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail. 19990515 Pegasus Mail weak encryption Frech Cole, Foat, Wall XF:pegasus-weak-password-encryption(8430) Candidate Proposed Internet Explorer 5.0 does not properly reset the username/password cache for Web sites that do not use standard cache controls, which could allow users on the same system to access restricted web sites that were visited by other users. http://www.pcworld.com/news/article/0,aid,10842,00.asp Cole, Foat, Wall Frech (Task 2283) Candidate Proposed AV Option for MS Exchange Server option for InoculateIT 4.53, and possibly other versions, only scans the Inbox folder tree of a Microsoft Exchange server, which could allow viruses to escape detection if a user's rules cause the message to be moved to a different mailbox. 19990512 InoculateIT 4.53 Real-Time Exchange Scanner Flawed 20001116 InoculateIT AV Option for MS Exchange Server Frech Cole, Foat, Wall XF:inoculate-message-redirect-bypass(5602) Candidate Proposed Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaintext in the world-readable rmserver.cfg file, which allows local users to gain privileges. 19990414 Real Media Server stores passwords in plain text Frech Cole, Foat, Wall XF:realserver-insecure-password(7544) Candidate Proposed The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) the screen saver, which could leave the system open to users with physical access if a failure occurs during an unattended installation, and (2) the Task Scheduler Service, which might prevent the scheduled execution of security-critical programs. 19990323 MSIE 5 installer disables screen saver Frech Cole, Foat, Wall XF:ie-ie5setup-disable-password(7545) Candidate Modified Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument. 19990308 Solaris "/usr/bin/write" bug http://www.securiteam.com/exploits/5ZP0O1P35O.html solaris-write-bo(7546) Cole, Dik Frech Christey, Foat, Wall XF:solaris-write-bo(7546) This appears to be a rediscovery of the problem for Solaris 2.8: BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2 sun bug: 4218941 Candidate Proposed Triactive Remote Manager with Basic authentication enabled stores the username and password in cleartext in registry keys, which could allow local users to gain privileges. 19990219 Plaintext Password in Tractive's Remote Manager Software Frech Cole, Foat, Wall XF:triactive-remote-basic-auth(7548) Candidate Proposed FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. via nmap. 19990105 Re: Network Scan Vulnerability [SUMMARY] Frech Cole, Foat, Wall XF:powerhub-nmap-dos(7556) Candidate Proposed perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request. 19990427 Re: Shopping Carts exposing CC data Frech Cole, Foat, Wall XF:perlshop-cgi-obtain-information(7557) Candidate Proposed FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter. 19990211 Using FSO in ASP to view just about anything 230 Cole Frech Christey, Foat, Wall XF:iis-fso-read-files(7558) Explicitly mention IIS Candidate Proposed Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands. 19990114 MS IIS 4.0 Security Advisory 19990114 MS IIS 4.0 Security Advisory Wall Frech Cole, Foat XF:frontpage-ext-fpcount-crash(5494) Candidate Proposed Matt Wright's download.cgi 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. http://pulhas.org/phrack/55/P55-07.html Frech Cole, Foat, Wall XF:download-cgi-directory-traversal(8279) Candidate Proposed dbmlparser.exe CGI guestbook program does not perform a chroot operation properly, which allows remote attackers to read arbitrary files. 19990917 improper chroot in dbmlparser.exe Cole, Foat, Wall Frech (Task 2284) Entry DNS allows remote attackers to use DNS name servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker. 19990730 Possible Denial Of Service using DNS 19990810 Possible Denial Of Service using DNS AL-1999.004 J-063 dns-udp-query-dos(7238) Entry Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX ActiveX control as safe for scripting, which allows remote attackers to execute arbitrary commands via the run option through malicious web pages that are accessed by browsers such as Internet Explorer 3.0. http://www.net-security.sk/bugs/NT/nu20.html http://mlarchive.ima.com/win95/1997/May/0342.html http://news.zdnet.co.uk/story/0,,s2065518,00.html nu-tuneocx-activex-control(7188) Candidate Proposed Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote attackers to execute arbitrary commands. 19981008 buffer overflow in dbadmin Cole, Foat, Wall Entry NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by changing the ownership of a file to root, which allows local users to gain root privileges by creating a setuid program and setting it to "Read Only," which NetWare-NFS changes to a setuid root program. 19980108 NetWare NFS 19980812 Re: Netware NFS (fwd) http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551 netware-nfs-file-ownership(7246) Candidate Proposed (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable. 19960913 tee see shell problems 19960919 Vulnerability in expansion of PS1 in bash & tcsh Cole, Foat Entry Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program. 19961030 (Another) vulnerability in new SGIs AA-96.08 19961101-01-I 470 irix-systour(7456) Entry Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local users to gain privileges via a long HOME environment variable. 19961219 Exploit for ppp bug (FreeBSD 2.1.0). FreeBSD-SA-96:20 ppp-bo(7465) 6085 Entry Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file. 19980308 another /tmp race: `perl -e' opens temp file not safely http://www.redhat.com/support/errata/rh50-errata-general.html#perl perl-e-tmp-symlink(7243) Candidate Proposed Windows NT 4.0 SP2 allows remote attackers to cause a denial of service (crash), possibly via malformed inputs or packets, such as those generated by a Linux smbmount command that was compiled on the Linux 2.0.29 kernel but executed on Linux 2.0.25. 19970402 Fatal bug in NT 4.0 server 19970403 Fatal bug in NT 4.0 server (more comments) 19970407 DUMP of NT system crash Cole Foat Candidate Proposed passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument. 19940513 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 19940514 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX 19941218 Sun Patch Id #102060-01 Dik Cole, Foat sun bug: 1171499 Candidate Proposed US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 and 3.7.24 does not properly enforce access filters when the "set host prompt" setting is made for a port, which allows attackers to bypass restrictions by providing the hostname twice at the "host: " prompt. 19980511 3Com/USR Total Control Chassis dialup port access filters 99 Frech Cole, Foat, Wall XF:3com-netserver-filter-bypass(7330) Candidate Proposed suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain root privileges by specifying a malicious program on the command line. 19980428 [Debian 2.0] /usr/bin/suidexec gives root access 94 Frech Cole, Foat, Wall XF:suidmanager-suidexec-root-privileges(7304) Candidate Modified Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions. CA-1990-06 B-01 10 nextstep-npd-root-access(7143) Cole, Foat, Stracener Frech Wall XF:nextstep-npd-root-access(7143) Candidate Modified Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges. CA-1990-06 B-01 9 nextstep-restore09-root-access(7144) Cole, Foat, Stracener Frech Wall XF:nextstep-restore09-root-access(7144) Candidate Proposed Control Panel "Password Security" option for Apple Powerbooks allows attackers with physical access to the machine to bypass the security by booting it with an emergency startup disk and using a disk editor to modify the on/off toggle or password in the aaaaaaaAPWD file, which is normally inaccessible. http://freaky.staticusers.net/macsec/data/powerbooksecurity-data.html 532 Cole, Foat, Wall Frech (Task 2285) Candidate Proposed BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device. 19990702 BSD-fileflags 510 Cole Foat, Wall Frech (Task 2286) Candidate Modified Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges. CA-1992-18 CA-92.16 51 59332 vms-monitor-gain-privileges(7136) Cole, Foat, Stracener Frech Christey, Wall XF:vms-monitor-gain-privileges(7136) Duplicate of CVE-1999-1056? If not, indicate why in Analysis comments. Note that CVE-1999-1056 CVE-1999-1056 is in fact a duplicate. This candidate will be kept, and CVE-1999-1056 will be REJECTed, because this candidate has more references. Candidate Modified Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash). CA-1992-15 49 sun-integer-multiplication-access(7150) Cole, Dik, Foat, Stracener Frech Wall XF:sun-integer-multiplication-access(7150) sun bug: 1069072 1071053 Entry Index Server 2.0 on IIS 4.0 stores physical path information in the ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose permissions allows local and remote users to obtain the physical paths of directories that are being indexed. 19990323 Index Server 2.0 and the Registry 19990323 Index Server 2.0 and the Registry 476 iis-indexserver-reveal-path(7559) Candidate Proposed Vulnerability in xfsdump in SGI IRIX may allow local users to obtain root privileges via the bck.log log file, possibly via a symlink attack. 19970507 Irix: misc http://www.insecure.org/sploits/irix.xfsdump.html 472 Cole Frech Foat XF:irix-xfsdump-symlink(7193) Candidate Proposed spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users to gain root privileges by setting the HOSTNAME environmental variable to contain the commands to be executed. 19970820 SpaceWare 7.3 v1.0 471 Cole Frech Foat XF:spaceware-hostname-command-execution(7194) Candidate Proposed The Economist screen saver 1999 with the "Password Protected" option enabled allows users with physical access to the machine to bypass the screen saver and read files by running Internet Explorer while the screen is still locked. 19990603 Huge Exploit in NT 4.0 SP5 Screensaver with Password Protection Enabled 19990603 Re: Huge Exploit in NT 4.0 SP5 Screensaver with Password Protecti on Enabled. 19990604 Official response from The Economist re: 1999 Screen Saver 466 Wall Cole, Foat Frech (Task 2287) CONFIRM NTBUGTRAQ:19990604 Official response from The Economist re: 1999 Screen Saver Candidate Modified Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook). 19961201-01-PX 463 8563 irix-searchbook-permissions(7575) Cole, Foat, Stracener Frech XF:irix-searchbook-permissions(7575) Entry The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket. 19970517 UNIX domain socket (Solarisx86 2.5) 19971003 Solaris 2.6 and sockets 456 sun-domain-socket-permissions(7172) Candidate Proposed IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, directories, and IPC message queues with insecure permissions (world-readable and world-writable), which could allow local users to disrupt operations and possibly gain privileges by modifying or deleting files. 19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt 382 Cole, Foat, Wall Candidate Proposed IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly. 19981002 Several potential security problems in IBM/Tivoli OPC Tracker Age nt 382 Cole, Foat, Wall Candidate Proposed snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory with world-readable permissions and does not remove or clear the directory when snap -a is executed, which could allow local users to access the shadowed password file by creating /tmp/ibmsupt/general/passwd before root runs snap -a. 19990217 snap utility for AIX. 19990220 Re: snap utility for AIX. 375 Frech Cole, Foat, Wall XF:aix-snap-insecure-tmp(7560) Candidate Proposed dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel. 19980729 Crash a redhat 5.1 linux box 19980730 FD's 0..2 and suid/sgid procs (Was: Crash a redhat 5.1 linux box) 372 Cole Foat, Wall Entry ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows local users to append text to arbitrary files via a symlink attack on the dhcplog file. 19980309 *sigh* another RH5 /tmp problem 368 initscripts-ifdhcpdone-dhcplog-symlink(7294) http://www.redhat.com/support/errata/rh50-errata-general.html#initscripts Candidate Proposed Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users to cause a denial of service (crash) by using a socket to connect to a port on the localhost, calling shutdown to clear the socket, then using the same socket to connect to a different port on localhost. 19970305 Bug in connect() for aix 4.1.4 ? 352 Frech Christey, Cole, Foat XF: aix-hpux-connect-dos(7195) BUGTRAQ:19970307 Re: Bug in connect() ? URL:http://www.securityfocus.com/archive/1/Pine.HPP.3.92.970307195408.12139B-100000@wpax13.physik.uni-wuerzburg.de BUGTRAQ:19970311 Re: Bug in connect() for aix 4.1.4 ? URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6419 Entry The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail. 19980703 more about 'at' 19980805 irix-6.2 "at -f" vulnerability NetBSD-SA1998-004 331 at-f-read-files(7577) Candidate Proposed addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary files and possibly gain root privileges via a symlink attack on the printers temporary file. 19970509 Re: Irix: misc ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX 330 Cole, Foat Christey, Frech DUPE CVE-1999-1286 Need to add these references to CVE-1999-1286 Entry The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 adds the anonymous FTP user without notifying the administrator, which could automatically enable anonymous FTP on some servers such as wu-ftp. 19981126 new version of fsp fixes security flaw 19981128 Debian: Security flaw in FSP 19981130 Debian: Security flaw in FSP 19990217 Debian GNU/Linux 2.0r5 released (fwd) 316 fsp-anon-ftp-access(7574) Candidate Proposed A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes. 19990603 MacOS X system panic with CGI 306 Cole, Foat, Wall Frech (Task 2288) Candidate Proposed Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg. 19960803 Exploiting Zolaris 2.4 ?? :) 296 Dik, Frech Cole, Foat XF:solaris-coredump-symlink(7196) sun bug: 1208241 Also applies to set-uid executables that have made real and effective uid identical Entry IBM Netfinity Remote Control allows local users to gain administrator privileges by starting programs from the process manager, which runs with system level privileges. 19990525 Security Leak with IBM Netfinity Remote Control Software 19990609 IBM's response to "Security Leak with IBM Netfinity Remote Control Software 284 Candidate Proposed Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges. CA-91.13 27 Cole, Foat, Stracener Frech Christey, Wall XF:bsd-binmail(515) CA-1991-13 was superseded by CA-1995-02. Is there overlap between CVE-1999-1415 and CVE-1999-1438? Both CERT advisories are vague. Candidate Proposed AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length. 19980823 Solaris ab2 web server is junk 253 Cole, Foat, Wall Candidate Proposed Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via encoded % characters in an HTTP request, which is improperly logged. 19980823 Solaris ab2 web server is junk 253 Dik Cole, Foat, Wall sun bug: 4218283 Candidate Proposed ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generates allows remote attackers to determine the existence of files on the server by comparing server responses when a file exists ("404 Forbidden") versus when a file does not exist ("404 not found"). 19990501 Update: security hole in the ICQ-Webserver 246 Frech Cole, Foat, Wall XF;icq-webserver-gain-information(8229) CONFIRM:http://online.securityfocus.com/archive/1/13655 Entry Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and 2.4 allows local users to gain root privileges. 00148 219 sun-nisplus-bo(7535) Candidate Proposed NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration. 19980720 N-Base Vulnerability Advisory 19980722 N-Base Vulnerability Advisory Followup 212 Cole Foat, Wall Candidate Proposed NBase switches NH208 and NH215 run a TFTP server which allows remote attackers to send software updates to modify the switch or cause a denial of service (crash) by guessing the target filenames, which have default names. 19980720 N-Base Vulnerability Advisory 19980722 N-Base Vulnerability Advisory Followup 212 Cole, Foat Wall Candidate Proposed The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environmental variable, which could allow local users to create Trojan horse programs that are inadvertently executed by other users. 19990102 PATH variable in zip-slackware 2.0.35 211 Frech Cole, Foat, Wall XF:linux-path-execute-commands(7561) Entry ping in Solaris 2.3 through 2.6 allows local users to cause a denial of service (crash) via a ping request to a multicast address through the loopback interface, e.g. via ping -i. 19970626 Solaris Ping bug (DoS) 19970627 SUMMARY: Solaris Ping bug (DoS) 19970627 Solaris Ping bug(inetsvc) 19971005 Solaris Ping Bug and other [bc] oddities 00146 209 ping-multicast-loopback-dos(7492) Candidate Proposed Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries. 00145 208 Cole, Dik, Foat, Stracener Frech XF:solaris-adminsuite-nisplus-password(7467) sun bug:1237225 Candidate Proposed Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write permissions on source files for NIS maps, which could allow local users to gain privileges by modifying /etc/passwd. 00145 208 Cole, Dik, Foat, Stracener Frech XF:solaris-adminsuite-password-map-permissions(7468) 1236787 Candidate Proposed Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links when updating an NIS database, which allows local users to overwrite arbitrary files. 00145 208 Cole, Dik, Foat, Stracener Frech XF:solaris-adminsuite-symlink(7469) sun bug: 1262888 Candidate Proposed Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files insecurely, which allows local users to gain root privileges. 00145 208 Cole, Dik, Foat, Stracener Frech XF:solaris-adminsuite-lock-file(7470) sun bug: 1262888 Candidate Proposed Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local users to gain privileges via the save option in the Database Manager, which is running with setgid bin privileges. 00145 208 Cole, Dik, Foat, Stracener Frech XF:solaris-adminsuite-database-manager(7471) sun bug: 4005611 Candidate Proposed DIT TransferPro installs devices with world-readable and world-writable permissions, which could allow local users to damage disks through the ff device driver. 19980105 Security flaw in either DIT TransferPro or Solaris 204 Frech Cole, Foat, Wall XF:transferpro-devices-insecure-permissions(7305) Candidate Proposed PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access. 19990102 security problem with Royal daVinci 185 Frech Cole, Foat, Wall XF:davinci-pim-access-information(7562) Candidate Proposed ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe. 19990107 WinNT, ZAK and Office 97 19990109 WinNT, ZAK and Office 97 181 Frech Cole, Foat, Wall XF:zak-bypass-restrictions(7563) Entry Power management (Powermanagement) on Solaris 2.4 through 2.6 does not start the xlock process until after the sys-suspend has completed, which allows an attacker with physical access to input characters to the last active application from the keyboard for a short period after the system is restoring, which could lead to increased privileges. 19980716 Security risk with powermanagemnet on Solaris 2.6 160 4024179 Entry HP JetAdmin D.01.09 on Solaris allows local users to change the permissions of arbitrary files via a symlink attack on the /tmp/jetadmin.log file. 19980715 JetAdmin software 19980722 Re: JetAdmin software 157 Candidate Proposed login in Slackware Linux 3.2 through 3.5 does not properly check for an error when the /etc/group file is missing, which prevents it from dropping privileges, causing it to assign root privileges to any local user who logs on to the server. 19980713 Slackware Shadow Insecurity 155 Cole, Foat, Wall Candidate Proposed Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables. 19980710 socks5 1.0r5 buffer overflow.. 154 Cole Foat, Wall Candidate Proposed Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attackers to execute arbitrary commands via shell metacharacters in the "user" parameter. 19980708 WWW Authorization Gateway 152 Cole, Foat, Wall Entry ePerl 2.2.12 allows remote attackers to read arbitrary files and possibly execute certain commands by specifying a full pathname of the target file as an argument to bar.phtml. 19980707 ePerl: bad handling of ISINDEX queries 19980710 ePerl Security Update Available 151 Candidate Proposed Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments. CA-1991-01 00105 15 Cole, Dik, Foat, Stracener Frech Christey, Wall XF:bsd-binmail(515) sun bug: 1047340 Is there overlap between CVE-1999-1415 and CVE-1999-1438? Both CERT advisories are vague. Candidate Proposed gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files. 19980102 Symlink bug with GCC 2.7.2 19980108 GCC Exploit 19980115 GCC 2.7.? /tmp files 146 Cole Frech Foat, Wall XF:gnu-gcc-tmp-symlink(7338) Candidate Proposed Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client. 19990101 Win32 ICQ 98a flaw 132 Cole Frech Foat, Wall XF:icq-long-filename(7564) Candidate Proposed Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it. 19980630 Serious Linux 2.0.34 security problem 111 Frech Cole, Foat, Wall XF:linux-sigio-dos(7339) Candidate Proposed Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments. http://www.cs.helsinki.fi/linux/linux-kernel/Year-1998/1998-25/0816.html http://uwsg.iu.edu/hypermail/linux/kernel/9805.3/0855.html 105 Frech Cole, Foat, Wall XF:linux-k6-dos(7340) Candidate Proposed Micah Software Full Armor Network Configurator and Zero Administration allow local users with physical access to bypass the desktop protection by (1) using <CTRL><ALT><DEL> and kill the process using the task manager, (2) booting the system from a separate disk, or (3) interrupting certain processes that execute while the system is booting. 19980602 Full Armor.... Fool Proof etc... bugs 19980609 Full Armor 103 Frech Cole, Foat, Wall XF:full-armor-protection-bypass(7341) Candidate Proposed genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent of 1, which results in transactions that are sent in cleartext. http://catless.ncl.ac.uk/Risks/20.41.html#subj4 Cole, Foat, Wall Frech (Task 2290) Candidate Proposed Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadowing enabled, and possibly other operating systems, allows remote attackers to cause a core dump via a short sequence of USER and PASS commands that do not provide valid usernames or passwords. 19980202 imapd/ipop3d coredump in slackware 3.4 Frech Cole, Foat, Wall XF:linux-imapd-ipop3d-dos(7345) Candidate Proposed Internet Explorer 3 records a history of all URL's that are visited by a user in DAT files located in the Temporary Internet Files and History folders, which are not cleared when the user selects the "Clear History" option, and are not visible when the user browses the folders because of tailored displays. 19970805 Re: Strange behavior regarding directory 19970806 Re: Strange behavior regarding directory Frech Cole, Foat XF:http-ie-record(524) In description, URL's should be URLs. Candidate Modified Internet Explorer 4.0 allows remote attackers to cause a denial of service (crash) via HTML code that contains a long CLASSID parameter in an OBJECT tag. 19980728 Object tag crashes Internet Explorer 4.0 19980730 Re: Object tag crashes Internet Explorer 4.0 Cole, Wall Christey, Foat BUGTRAQ:19980730 Re: Object tag crashes Internet Explorer 4.0 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526188&w=2 Candidate Proposed Eudora and Eudora Light before 3.05 allows remote attackers to cause a crash and corrupt the user's mailbox via an e-mail message with certain dates, such as (1) dates before 1970, which cause a Divide By Zero error, or (2) dates that are 100 years after the current date, which causes a segmentation fault. 19980729 Eudora exploit (was Microsoft Security Bulletin (MS98-008)) Cole, Foat, Wall Candidate Proposed SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device. 19970519 /dev/tcx0 crashes SunOS 4.1.4 on Sparc 20's http://www.insecure.org/sploits/sunos.dev.tcx0.write.wierd.shit.to.device.bug.html Frech Cole, Foat XF:sun-tcx-dos(7197) Candidate Proposed Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote attackers to gain privileges. SB-99.03b SB-99.06b SSE020 SSE023 Cole, Foat, Stracener Frech XF:sco-rshd(7466) Correct URLS are listed below: Reference: SCO:SSE020 Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse020/sse020.ltr Reference: SCO:SSE023 Reference: URL:ftp://stage.caldera.com/pub/security/sse/sse023/sse023.ltr Candidate Proposed The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remote attackers to read arbitrary files. Q231368 MS99-013 iis-samples-winmsdp(3271) Cole, Foat, Frech, Wall Entry GINA in Windows NT 4.0 allows attackers with physical access to display a portion of the clipboard of the user who has locked the workstation by pasting (CTRL-V) the contents into the username prompt. 19990129 ole objects in a "secured" environment? 19990205 Alert: MS releases GINA-fix for SP3, SP4, and TS 19990129 ole objects in a "secured" environment? Q214802 198 nt-gina-clipboard(1975) Candidate Proposed Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object. 19990222 New IE4 vulnerability : the clipboard again. 215 Wall Frech Cole, Foat XF:webbrowser-activex-view-clipboard(7565) REMOVE:http://www.securityfocus.com/bid/215 This reference deals with the Forms vulnerability only. Candidate Proposed Macromedia "The Matrix" screen saver on Windows 95 with the "Password protected" option enabled allows attackers with physical access to the machine to bypass the password prompt by pressing the ESC (Escape) key. 19991004 Weakness In "The Matrix" Screensaver For Windows Frech Christey, Cole, Foat, Wall Looks like there might have been a re-discovery, though the exploit is slightly different, and there is insufficient detail to be certain that this isn't for a different Matrix screen saver: BUGTRAQ:20010801 matrix screensvr(16 Bit CineMac Screen Saver Engine) - [input validation error?] URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99669949717618&w=2 BID:3130 URL:http://www.securityfocus.com/bid/3130 XF:matrix-win95-password-bypass(8280) Entry RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host. Q158320 nt-rshsvc-ale-bypass(7422) Entry thttpd HTTP server 2.03 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. 19980819 thttpd 2.04 released (fwd) http://www.acme.com/software/thttpd/thttpd.html#releasenotes thttpd-file-read(1809) Candidate Proposed Buffer overflow in thttpd HTTP server before 2.04-31 allows remote attackers to execute arbitrary commands via a long date string, which is not properly handled by the tdate_parse function. 19991116 thttpd Cole, Foat, Stracener Frech Candidate Proposed Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument. 19990125 Digital Unix 4.0 exploitable buffer overflows SSRT0583U du-at(3138) Cole, Foat, Frech Stracener Candidate Proposed BMC PATROL Agent before 3.2.07 allows local users to gain root privileges via a symlink attack on a temporary file. 19981102 BMC PATROL File Creation Vulnerability bmc-patrol-file-create(1388) 534 Cole, Frech Christey, Foat, Wall The vendor has acknowledged this vulnerability via e-mail. It has been fixed. NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized. Candidate Proposed BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbitrary world-writeable files as root by specifying the target file as the second argument to the snmpmagt program. 19990713 Root Perms Gained with Patrol SNMP Agent 3.2 (all others?) 19990801 Re: Root Perms Gained with Patrol SNMP Agent 3.2 (all others?) 525 Frech Christey, Cole, Foat, Wall XF:patrol-snmp-file-creation(2347) The vendor has acknowledged this vulnerability via e-mail. It has been fixed. NOTE: despite the fact that this candidate has been acknowledged and fixed by the vendor, it is affected by the CVE content decision CD:SF-LOC. It cannot be accepted until the CD:SF-LOC guidelines have been finalized. Candidate Proposed inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH environmental variable to find and execute the ttsession program, which allows local users to obtain root access by modifying the PATH to point to a Trojan horse ttsession program. 19970507 Irix: misc 20001101-01-I 381 Cole, Foat, Stracener Frech Possible conflict with CVE-2000-0799. Candidate Proposed Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attacker to read portions of arbitrary files. 19990426 FW: Security Notice: Big Brother 1.09b/c http://bb4.com/README.CHANGES 142 http-cgi-bigbrother-bbhist(3755) Armstrong, Cole, Foat, Frech, Stracener Wall Candidate Proposed Windows NT 4.0 before SP3 allows remote attackers to bypass firewall restrictions or cause a denial of service (crash) by sending improperly fragmented IP packets without the first fragment, which the TCP/IP stack incorrectly reassembles into a valid session. 19970710 A New Fragmentation Attack nt-frag(528) Cole, Frech Foat This issue is also listed under CVE-1999-0226. Candidate Proposed Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564. 19981105 Cisco IOS DFS Access List Leakage J-016 cisco-acl-leakage(1401) Armstrong, Balinsky, Cole, Foat, Frech, Stracener Wall Candidate Modified Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862. 19981105 Cisco IOS DFS Access List Leakage J-016 cisco-acl-leakage(1401) Armstrong, Balinsky, Cole, Foat, Frech, Stracener Wall Candidate Proposed Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword. CA-1992-20 53 Cole, Foat, Stracener Frech Christey, Wall XF:cisco-acl-established(1248) Possible dupe with CVE-1999-0162. This is not a dupe with CVE-1999-0162. The Cisco advisory referenced in CVE-1999-0162 says that affected Cisco versions are 10.0 through 10.3. This CAN deals with versions 8.2 through 9.1. In addition, the date of release of CVE-1999-0162 is June 1995; this CAN was released December 1992. Both items include clear Cisco acknowledgement with details, so we should conclude that they are separate problems, despite the vagueness of the reports. Candidate Proposed Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user. CA-1989-07 5 sun-rcp(3165) Cole, Dik, Foat, Frech, Stracener Wall sun bug: 1028958 Entry rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable. http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html CA-91.20 31 rdist-popen-gain-privileges(7160) 8106 Candidate Proposed Buffer overflow in w3-auth CGI program in miniSQL package allows remote attackers to execute arbitrary commands via an HTTP request with (1) a long URL, or (2) a long User-Agent MIME header. 19990930 mini-sql Buffer Overflow Frech Cole, Foat, Wall XF:msql-w3auth-bo(8301) Candidate Proposed Eastman Work Management 3.21 stores passwords in cleartext in the COMMON and LOCATOR registry keys, which could allow local users to gain privileges. 19990624 Eastman Software Work Management 3.21 eastman-cleartext-passwords(2303) 485 Frech Cole, Foat, Wall Candidate Modified Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field. CA-1989-01 4 bsd-passwd-bo(7152) Cole, Foat, Stracener Frech Wall XF:bsd-passwd-bo(7152) Entry Internet Explorer 4.0 allows remote attackers to read arbitrary text and HTML files on the user's machine via a small IFRAME that uses Dynamic HTML (DHTML) to send the data to the attacker, aka the Freiburg text-viewing issue. 19971017 Security Hole in Explorer 4.0 http://www.insecure.org/sploits/Internet_explorer_4.0.hack.html http://www.microsoft.com/Windows/ie/security/freiburg.asp Q176794 Q176697 http-ie-spy(587) 7819 Entry When a Web site redirects the browser to another site, Internet Explorer 3.02 and 4.0 automatically resends authentication information to the second site, aka the "Page Redirect Issue." Q176697 ie-page-redirect(7426) 7818 Candidate Proposed PowerPoint 95 and 97 allows remote attackers to cause an application to be run automatically without prompting the user, possibly through the slide show, when the document is opened in browsers such as Internet Explorer. http://www.microsoft.com/windows/ie/security/powerpoint.asp nt-ppt-patch(179) Armstrong, Cole, Foat, Frech, Stracener, Wall Looks like CONFIRM URL is too old for Microsoft to keep (currently cached at http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/ security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en ). Same information is available at BugTraq at http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724 Candidate Proposed ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the passwords and gain privileges by reading wtmp, e.g. via the last command. 19991119 ProFTPd - mod_sqlpw.c 812 Frech Cole, Foat, Wall XF:proftpd-modsqlpw-insecure-passwords(8332) Entry A bug in Intel Pentium processor (MMX and Overdrive) allows local users to cause a denial of service (hang) in Intel-based operating systems such as Windows NT and Windows 95, via an invalid instruction, aka the "Invalid Operand with Locked CMPXCHG8B Instruction" problem. Q163852 pentium-crash(704) Candidate Proposed Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack. 19990923 Linux GNOME exploit 663 gnome-espeaker-local-bo(3349) Frech Cole, Foat, Wall Entry The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character. 19990706 Bug in SUN's Hotspot VM 19990716 FW: (Review ID: 85125) Hotspot crashes bringing down webserver 522 sun-hotspot-vm(2348) Candidate Modified The textcounter.pl by Matt Wright allows remote attackers to execute arbitrary commands via shell metacharacters. 19980624 textcounter.pl SECURITY HOLE 2265 http-cgi-textcounter(2052) Frech Cole, Foat, Wall Candidate Proposed (1) acledit and (2) aclput in AIX 4.3 allow local users to create or modify files via a symlink attack. 429 Frech Cole, Foat, Wall XF:aix-acledit-aclput-symlink(7346) CONFIRM:APAR IX79139 Entry Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. 19991025 [squid] exploit for external authentication problem 19991103 [squid]exploit for external authentication problem http://www.squid-cache.org/Versions/v2/2.2/bugs/ 741 squid-proxy-auth-access(3433) Candidate Proposed SVGAlib zgv 3.0-7 and earlier allows local users to gain root access via a privilege leak of the iopl(3) privileges to child processes. 19990219 Security hole: "zgv" Frech Cole, Foat, Wall XF:zgv-privilege-leak(1798) Candidate Proposed Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local users to execute arbitrary code via a long HOME environment variable. 19970619 svgalib/zgv Frech Cole, Foat XF;linux-svgalib-dos(3412) Candidate Proposed Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.ocx) allows a remote attacker to execute arbitrary commands via the methods (1) vAddNewsServer or (2) bIsNewsServerConfigured. 19990924 Several ActiveX Buffer Overruns msn-setup-bbs-activex-bo(3310) 668 Cole, Frech Foat, Wall Candidate Modified nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP port, which allows remote attackers to view files and cause a possible denial of service by mounting the nsd virtual file system. 19990531 IRIX 6.5 nsd virtual filesystem vulnerability 8564 sgi-nsd-view(2246) sgi-nsd-create(2247) 412 Frech Cole, Foat, Wall Entry sadc in IBM AIX 4.1 through 4.3, when called from programs such as timex that are setgid adm, allows local users to overwrite arbitrary files via a symlink attack. http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info IX75554 IX76853 IX76330 408 aix-sadc-timex(7675) Candidate Modified Vulnerability in digest in AIX 4.3 allows printq users to gain root privileges by creating and/or modifing any file on the system. IX74599 405 aix-digest(7477) Cole, Foat, Stracener Frech XF:aix-digest(7477) Entry sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote attackers to read files without authentication. I-079A 371 ibm-sdr-read-files(7217) Candidate Proposed Buffer overflow in TestChip function in XFree86 SuperProbe in Slackware Linux 3.1 allows local users to gain root privileges via a long -nopr argument. 19970304 Linux SuperProbe exploit 364 Frech Cole, Foat XF:xfree86-superprobe-testchip-bo(7198) Entry xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access via a long HOME environmental variable. 19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1? 19980529 Re: Tiresome security hole in "xosview" (xosexp.c) 362 linux-xosview-bo(8787) Candidate Proposed abuse.console in Red Hat 2.1 uses relative pathnames to find and execute the undrv program, which allows local users to execute arbitrary commands via a path that points to a Trojan horse program. 19960202 abuse Red Hat 2.1 security hole 354 Cole Foat Candidate Proposed Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows local attacker to create arbitrary root owned files, leading to root privileges. 19980502-01-P3030 sgi-diskalign(2104) sgi-diskperf(2103) 348 Cole, Foat, Frech, Stracener Candidate Modified Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk(). CA-1991-23 34 apollo-crp-root-access(7158) Cole, Foat, Stracener Frech Wall XF:apollo-crp-root-access(7158) Entry colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local attackers to read arbitrary files via the -text argument. 19940809 Re: IRIX 5.2 Security Advisory 19950307 sigh. another Irix 5.2 hole. 19950209-00-P sgi-colorview(2112) 336 Candidate Proposed xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary files via a symlink attack on the pic000.pnm file. 19990218 xtvscreen and suse 6 xtvscreen-overwrite(1792) 325 Frech Cole, Foat, Wall Candidate Proposed Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to determine the existence of arbitrary files by attempting to execute the target filename as a program, which generates a different error message when the file does not exist. 19990608 unneeded information in sudo 321 sudo-file-exists(2277) Frech Cole, Foat, Wall Candidate Modified Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts. 19991221 [w00giving '99 #11] IMail's password encryption scheme 880 Frech Cole, Foat, Wall XF:imail-passwords(1901) May be the same as CVE-2000-0019 on a different level of abstraction. Candidate Proposed Slackware Linux 3.4 pkgtool allows local attacker to read and write to arbitrary files via a symlink attack on the reply file. 19980406 insecure tmp file creation 82 Frech Cole, Foat, Wall XF:linux-pkgtool-reply-symlink(7347) Candidate Proposed named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used. 19980410 BIND 4.9.7 named follows symlinks, clobbers anything 80 Frech Cole, Wall Foat The files get written to /var/named which the user does not have write access. XF:bind-sigint-sigiot-symlink(7366) Candidate Proposed Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to cause a denial of service (crash) via (1) LIST, (2) TOP, or (3) UIDL commands using letters as arguments. 19991001 Vulnerabilities in the Internet Anywhere Mail Server 733 Frech Cole, Foat, Wall XF:iams-pop3-command-dos(3283) Candidate Proposed (1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear the IFS environmental variable before executing system calls, which allows local users to execute arbitrary commands. 19980408 SGI O2 ipx security issue 70 71 Frech Cole, Foat, Wall Christey XF:irix-ipxchk-ipxlink-ifs-commands(7365) DUPE CVE-1999-1040 Candidate Proposed Buffer overflows in Quake 1.9 client allows remote malicious servers to execute arbitrary commands via long (1) precache paths, (2) server name, (3) server address, or (4) argument to the map console command. 19980408 QuakeI client: serious holes. 68 69 Frech Cole, Foat, Wall XF:quake-precache-bo(7358) XF:quake-server-address-bo(7359) XF:quake-map-argument-bo(7360) Candidate Proposed Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to cause a denial of service in nfrd (crash) via a TCP packet with a null header and data field. 63 Cole Frech Foat, Wall XF:nfr-tcp-packet-dos(7357) Candidate Proposed Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command. 19980408 Re: AppleShare IP Mail Server 62 Frech Cole, Foat, Wall XF:smtp-helo-bo(886) Candidate Proposed Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary commands via a long initial connect packet. 19980407 QW vulnerability 60 Frech Cole, Foat, Wall XF:quakeworld-connect-bo(7356) Candidate Proposed Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin. CA-1990-01 6 Cole, Dik, Stracener Frech Foat, Wall XF:sunos-sendmail-bin-access(7161) sun bug 1028173 [Foat changed vote from ACCEPT to NOOP] Entry Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash. CA-1993-03 59 sun-dir(521) Candidate Proposed Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html. 19991116 [Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password] 806 Frech Cole, Foat, Wall Christey XF:tektronix-phaserlink-webserver-backdoor(6482) Possible dupe with CVE-2001-0484 and BID-2659. CVE-2001-0484 may be a duplicate. Candidate Proposed Directory traversal vulnerability in Etype Eserv 2.50 web server allows a remote attacker to read any file in the file system via a .. (dot dot) in a URL. 19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability 19991104 Eserv 2.50 Web interface Server Directory Traversal Vulnerability 773 eserv-fileread Frech Cole, Foat, Wall Normalize XF:eserv-fileread(3449) Normalize URL:http://xforce.iss.net/static/3449.php Candidate Proposed Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands. 19990517 Vulnerabilities in BisonWare FTP Server 3.5 bisonware-command-bo(3234) Cole, Foat, Frech Wall Candidate Proposed Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service. 19991110 Multiples Remotes DoS Attacks in Artisoft XtraMail v1.11 Vulnerability 791 xtramail-pass-dos(3488) Frech Cole, Foat, Wall Entry The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attackers to execute arbitrary commands as root via an infected mail message with shell metacharacters in the reply-to field. 19990716 AMaViS virus scanner for Linux - root exploit http://www.amavis.org/ChangeLog.txt 527 amavis-command-execute(2349) Candidate Proposed Management information base (MIB) for a 3Com SuperStack II hub running software version 2.10 contains an object identifier (.1.3.6.1.4.1.43.10.4.2) that is accessible by a read-only community string, but lists the entire table of community strings, which could allow attackers to conduct unauthorized activities. 19990830 One more 3Com SNMP vulnerability Cole, Foat, Wall Frech (ACCEPT; Task 2355) Candidate Proposed Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long USER command. 19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability 19990729 ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability 749 expressfs-command-bo(3401) Frech Cole, Foat, Wall BugTraq reference date seems to be 19991029; see http://online.securityfocus.com/archive/1/33123 Candidate Proposed A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds. 613 tfs-gateway-dos(3290) Frech Cole, Foat, Wall Candidate Proposed A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows an attacker to crash the mail server and possibly execute arbitrary code by offering more than 128 bytes in a MAIL FROM string. 19990902 [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow Frech Cole, Foat, Wall XF:tfs-gateway-dos(3290) Candidate Proposed runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar. 19991101 Amanda multiple vendor local root compromises 750 Frech Cole, Foat, Wall XF:amanda-runtar(3402) Candidate Proposed Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults. 19990715 Shared memory DoS's 526 bsd-shared-memory-dos(2351) Cole, Frech Foat, Wall Candidate Proposed Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of service (resource exhaustion) via a long (1) user name or (2) password. 19991117 Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability 805 g6ftp-username-dos(3513) Frech Cole, Foat, Wall Entry A configuration problem in the Ad Server Sample directory (AdSamples) in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC file, which exposes sensitive SQL database information. 19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs 256 siteserver-site-csc(2270) Candidate Proposed Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to a buffer overflow attack in the MAIL FROM command that may allow a remote attacker to execute arbitrary code on the server. 19990912 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug 19990729 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer 633 cmail-command-bo(2240) Frech Christey, Cole, Foat, Wall Remove "attack" from description and slightly rewrite. ADDREF BUGTRAQ:19991029 Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer URL:URL:http://www.securityfocus.com/archive/1/32573 ADDREF BUGTRAQ:19990616 C-Mail SMTP Server Remote Buffer Overflow Exploit URL:http://online.securityfocus.com/archive/1/15524 Note: this last post exploits an overflow through VRFY instead of MAIL FROM. However, CD:SF-LOC suggests merging two issues of the same type that are in the same versions. ADDREF BUGTRAQ:19990526 Multiple Web Interface Security Holes URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92774425211457&w=2 Candidate Proposed Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier, possibly related to recursive parsing and referer tags in RXML. 19991007 Roxen security alert Frech Cole, Foat, Wall XF:roxen-rxml-recursive-parsing(3372) Candidate Proposed Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP GET request. 19991004 19991006 Re: Sample DOS against the Sambar HTTP-Server sambar-logging-bo(1672) Frech Cole, Foat, Wall Candidate Proposed FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote attacker to exploit a password recovery feature from the network and conduct brute force password guessing, instead of limiting the feature to the serial console port. 19990807 Re: FlowPoint DSL router vulnerability Cole, Foat, Wall Candidate Proposed Macromedia Shockwave before 6.0 allows a malicious webmaster to read a user's mail box and possibly access internal web servers via the GetNextText command on a Shockwave movie. 19970314 Shockwave Security Alert shockwave-internal-access(1585) shockwave-file-read-vuln(1586) http-ns-shockwave(460) Frech Cole, Foat Candidate Proposed Auto-update feature of Macromedia Shockwave 7 transmits a user's password and hard disk information back to Macromedia. 19990311 [Fwd: Shockwave 7 Security Hole] shockwave-updater(1931) Frech Cole, Foat Candidate Proposed Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3.0 Beta and Forte Community Edition 1.0 Beta does not properly restrict access to IP addresses as specified in its configuration, which allows arbitrary remote attackers to access the server. 19991123 NetBeans/ Forte' Java IDE HTTP vulnerability 816 Cole Frech Foat, Wall XF:sun-java-ide-http-access(8333) Candidate Proposed ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automatically log a user out of the NDS tree when the user logs off the system, which allows other users of the same system access to the unprotected NDS session. 19991114 MacOS 9 and the MacOS Netware Client 794 Cole Frech Foat, Wall XF:macos-netware-nds-access(8339) Candidate Proposed A buffer overflow exists in the HELO command in Trend Micro Interscan VirusWall SMTP gateway 3.23/3.3 for NT, which may allow an attacker to execute arbitrary code. 19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow 19991107 Interscan VirusWall NT 3.23/3.3 buffer overflow. 19991108 Re: Interscan VirusWall NT 3.23/3.3 buffer overflow. 19991108 Patch for VirusWall 3.23. 19991108 Patch for VirusWall 3.23. 20000417 New DOS on Interscan NT/3.32 787 viruswall-helo-bo(3465) Cole, Foat Wall Frech Entry cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system. 19991108 Security flaw in Cobalt RaQ2 cgiwrap 19991109 [Cobalt] Security Advisory - cgiwrap 777 cobalt-cgiwrap-incorrect-permissions(7764) 35 Entry Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag. 19991102 Some holes for Win/UNIX softwares 763 ibm-homepageprint-bo(7767) Candidate Modified Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands. 19991029 message:Netscape Messaging Server RCPT TO vul. 748 Frech Cole, Foat, Wall XF:netscape-messaging-rcptto-dos(8340) Description ends with a comma and not a period, possibly indicating that the sentence is not complete, Candidate Proposed Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause a denial of service (hang) via a long password argument to the login.htm file in its HTTP service. 19990926 DoS Exploit in Eicon Diehl LAN ISDN Modem 665 diva-lan-isdn-dos(3317) Frech Cole, Foat, Wall Candidate Proposed Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable. 19990923 Multiple vendor Knox Arkiea local root/remote DoS 661 Frech Cole, Foat, Wall XF:arkiea-backup-home-bo(3322) Entry Buffer overflow in AspUpload.dll in Persits Software AspUpload before 1.4.0.2 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long argument in the HTTP request. 19990720 Buffer overflow in AspUpload 1.4 19990818 AspUpload Buffer Overflow Fixed 592 http-aspupload-bo(3291) Candidate Modified .sbstart startup script in AcuShop Salesbuilder is world writable, which allows local users to gain privileges by appending commands to the file. 19990730 World writable root owned script in SalesBuilder (RedHat 6.0) 560 13557 Cole, Foat, Wall Frech (ACCEPT; Task 2356) Entry IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL. 19990707 SSL and IIS. 521 ssl-iis-dos(2352) Candidate Proposed When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password. 19990114 MS IIS 4.0 Security Advisory 19990114 MS IIS 4.0 Security Advisory 189 Wall Frech Cole, Foat XF:iis-ismdll-info(7566) Candidate Proposed Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions 4.2d and 4.3 and QVT/Net 4.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long (1) user name or (2) password. 19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability 19991110 Remote DoS Attack in QVT/Term 'Plus' 4.2d FTP Server Vulnerability 796 qvtterm-login-dos(3491) Frech Cole, Foat, Wall Candidate Proposed shell-lock in Cactus Software Shell Lock uses weak encryption (trivial encoding) which allows attackers to easily decrypt and obtain the source code. 19991004 19991005 Cactus Software's shell-lock cactus-shell-lock-retrieve-shell-code(3356) Frech Cole, Foat, Wall Candidate Proposed shell-lock in Cactus Software Shell Lock allows local users to read or modify decoded shell files before they are executed, via a symlink attack on a temporary file. 19991004 19991005 Cactus Software's shell-lock cactus-shell-lock-root-privs(3358) Frech Cole, Foat, Wall Entry RPMMail before 1.4 allows remote attackers to execute commands via an e-mail message with shell metacharacters in the "MAIL FROM" command. 19991004 RH6.0 local/remote command execution 19991006 Fwd: [Re: RH6.0 local/remote command execution] linux-rh-rpmmail(3353) Candidate Proposed MacOS uses weak encryption for passwords that are stored in the Users & Groups Data File. 19990710 MacOS system encryption algorithm 19990914 MacOS system encryption algorithm 3 519 Cole, Foat, Wall Frech (ACCEPT; Task 2357) Candidate Proposed Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command. 19990124 Advisory: IIS FTP Exploit/DoS Attack Wall Cole, Foat Frech Dupe CVE-1999-0349 Candidate Proposed Joe's Own Editor (joe) 2.8 sets the world-readable permission on its crash-save file, DEADJOE, which could allow local users to read files that were being edited by other users. 19990714 19990717 joe 2.8 makes world-readable DEADJOE Cole, Foat, Wall Frech (ACCEPT; Task 2358) Candidate Proposed netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable. 19990129 TROJAN: netstation.navio-comm.rte 1.1.0.1 navionc-config-script(1724) Frech Cole, Foat, Wall Candidate Proposed Oracle Web Listener 2.1 allows remote attackers to bypass access restrictions by replacing a character in the URL with its HTTP-encoded (hex) equivalent. 19991125 Oracle Web Listener 19991125 Oracle Web Listener 841 Frech Cole, Foat, Wall XF:oracle-weblistener-bypass-restrictions(8355) Candidate Proposed Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 200 ARP requests per second allowing a denial of service attack to succeed with a flood of ARP requests exceeding that limit. 19991124 Cabletron SmartSwitch Router 8000 Firmware v2.x 821 Frech Cole, Foat, Wall XF:smartswitch-arp-flood-dos(7770) BID URL should be 821, not 841. Candidate Proposed Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands. 19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak 804 Frech Cole, Foat, Wall XF:lynx-lynxurl-spoof(8342) Entry bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter. 19991108 BigIP - bigconf.cgi holes 19991109 Re: BigIP - bigconf.cgi holes 19991109 778 bigip-bigconf-view-files(7771) Candidate Proposed Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to cause a denial of service (crash) and possibly execute arbitrary commands via a long URL. 19990302 Multiple IMail Vulnerabilites 505 imail-websvc-overflow(1898) Cole, Frech Foat, Wall Candidate Proposed dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earlier does not properly check privileges, which allows local users to overwrite arbitrary files and gain privileges. 19940720 xnews and XDM 358 Cole, Foat Candidate Proposed Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote attackers to execute arbitrary commands via a long subject line. 19990301 [0z0n3] XCmail remotely exploitable vulnerability 311 xcmail-reply-overflow(1859) Frech Cole, Foat, Wall Candidate Modified /usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users. CA-1990-08 13 sgi-irix-reset(3164) Cole, Stracener Frech Foat, Wall XF:sgi-irix-reset(3164) [Foat changed vote from ACCEPT to NOOP] Candidate Proposed Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll. 19980611 Cheyenne Inoculan vulnerability on NT 106 inoculan-bad-permissions(1536) Frech Cole, Foat, Wall http://support.cai.com/Download/patches/inocnt.html Entry Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value. 19980629 MS SQL Server 6.5 stores password in unprotected registry keys 109 mssql-sqlexecutivecmdexec-password(7354) Candidate Proposed Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. 19990301 Multiple IMail Vulnerabilites imail-imap-overflow(1895) Cole, Frech Foat, Wall