VARIoT IoT vulnerabilities database

Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands. Multiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host. A remote buffer-overflow vulnerability affects multiple vendors' Telnet client. This issue is due to the application's failure to properly validate the length of user-supplied strings before copying them into static process buffers. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Sun SEAM Telnet Client Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA15030 VERIFY ADVISORY: http://secunia.com/advisories/15030/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Sun SEAM 1.x http://secunia.com/product/1006/ DESCRIPTION: Sun has acknowledged some vulnerabilities in SEAM, which can be exploited by malicious people to compromise a vulnerable system. For more information: SA14745 SOLUTION: The vendor suggests removing the execute permissions from "/usr/krb5/bin/telnet". ORIGINAL ADVISORY: Sun Microsystems: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1 OTHER REFERENCES: SA14745: http://secunia.com/advisories/14745/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Heimdal, a free implementation of Kerberos 5, also contains such a client. BACKGROUND The TELNET protocol allows virtual network terminals to be connected to over the internet. The initial description of the protocol was given in RFC854 in May 1983. Since then there have been many extra features added including encryption. II. The vulnerability specifically exists in the handling of the LINEMODE suboptions, in that there is no size check made on the output, which is stored in a fixed length buffer. III. It may be possible to automatically launch the telnet command from a webpage, for example: <html><body> <iframe src='telnet://malicious.server/'> </body> On opening this page the telnet client may be launched and attempt to connect to the host 'malicious.server'. IV. DETECTION iDEFENSE has confirmed the existence of the vulnerability in the telnet client included in the Kerberos V5 Release 1.3.6 package and the client included in the SUNWtnetc package of Solaris 5.9. V. WORKAROUND iDEFENSE is currently unaware of any effective workarounds for this vulnerability. VI. VENDOR RESPONSE The following vendors have provided official responses related to this vulnerability. Other vendors may be affected but have not provided an official response. Vulnerable: - ALT Linux All supported ALT Linux distributions include telnet client derived from OpenBSD 3.0. Updated packages with fixes for these issues will be released on March 28, 2005. http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html - Apple Computer, Inc. Component: Telnet Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8 This is fixed in Security Update 2005-003, which is available at http://docs.info.apple.com/article.html?artnum=61798 - FreeBSD FreeBSD-SA-05:01.telnet security advisory: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc - MIT (Kerberos) This vulnerability is covered in the following upcoming advisory: MITKRB5-SA-2005-001: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt patch against krb5-1.4: http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt - Openwall Project The bugs are fixed starting with telnet package version 3.0-owl2. http://www.openwall.com/Owl/CHANGES-current.shtml - Red Hat, Inc. Red Hat Enterprise Linux ships with telnet and krb5 packages vulnerable to this issue. New telnet and krb5 packages are now available along with our advisory at the URLs below and by using the Red Hat Network 'up2date' tool. Red Hat Enterprise Linux - telnet http://rhn.redhat.com/errata/RHSA-2005-330.html Red Hat Enterprise Linux - krb5 http://rhn.redhat.com/errata/RHSA-2005-327.html - Sun Microsystems Inc. Sun confirms that the telnet(1) vulnerabilities do affect all currently supported versions of Solaris: Solaris 7, 8, 9 and 10 Sun has released a Sun Alert which describes a workaround until patches are available at: http://sunsolve.sun.com Sun Alert #57755 The Sun Alert will be updated with the patch information once it becomes available. Sun patches are available from: http://sunsolve.sun.com/securitypatch Not Vulnerable: - CyberSafe Limited The CyberSafe TrustBroker products, version 3.0 or later, are not vulnerable. - Hewlett-Packard Development Company, L.P. HP-UX and HP Tru64 UNIX are not vulnerable. - InterSoft International, Inc. InterSoft International, Inc. products NetTerm, SecureNetTerm and SNetTerm are not affected by the slc_add_reply() buffer overflow conditions. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-0469 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/18/2005 Initial vendor notification 03/28/2005 Coordinated public disclosure IX. CREDIT Ga\xebl Delalleau credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright \xa9 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. http://creativecommons.org/licenses/by-sa/2.0 . This is a multi-part message in MIME format. Background ========== netkit-telnetd provides standard Linux telnet client and server. Workaround ========== There is no known workaround at this time. Resolution ========== All netkit-telnetd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/netkit-telnetd-0.17-r6" References ========== [ 1 ] CAN-2005-0469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 [ 2 ] iDEFENSE Advisory 03-28-05 http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-36.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : telnet client multiple issues Advisory number: SCOSA-2005.21 Issue date: 2005 April 08 Cross reference: sr893210 fz531446 erg712801 CAN-2005-0469 CAN-2005-0468 ______________________________________________________________________________ 1. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.4 /usr/bin/telnet UnixWare 7.1.3 /usr/bin/telnet UnixWare 7.1.1 /usr/bin/telnet 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.4 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 4.2 Verification MD5 (erg712801.714.pkg.Z) = bf53673ea12a1c25e3606a5b879adbc4 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.714.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.714.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.714.pkg 5. UnixWare 7.1.3 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 5.2 Verification MD5 (erg712801.713.pkg.Z) = e876b261afbecb41c18c26d6ec11e71d md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.713.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.713.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.713.pkg 6. UnixWare 7.1.1 6.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21 6.2 Verification MD5 (erg712801.711.pkg.Z) = f3099416a793c1f731bc7e377fe0e4a2 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 6.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download erg712801.711.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712801.711.pkg.Z # pkgadd -d /var/spool/pkg/erg712801.711.pkg 7. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr893210 fz531446 erg712801. 8. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 9. Acknowledgments SCO would like to thank Gal Delalleau and iDEFENSE ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (SCO/SYSV) iD8DBQFCVtn4aqoBO7ipriERAkZbAJ9qiuR3M89tJWzyJ3K7Q5NbBRTvMgCfdeFY JmJIo8zz/ppyCI4EQ5UY9jA= =8sOq -----END PGP SIGNATURE----- . This can lead to the execution of arbitrary code when connected to a malicious server. For the stable distribution (woody) these problems have been fixed in version 1.2.4-5woody8. For the unstable distribution (sid) these problems have been fixed in version 1.3.6-1. We recommend that you upgrade your krb5 package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.dsc Size/MD5 checksum: 750 51c3ea6dcf74a9d82bef016509870c3d http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.diff.gz Size/MD5 checksum: 83173 97d5ce1eeec763cc67d56b0758891a0f http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz Size/MD5 checksum: 5443051 663add9b5942be74a86fa860a3fa4167 Architecture independent components: http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody8_all.deb Size/MD5 checksum: 512968 88dea0dcf727a6fe03457485e6c98ea4 Alpha architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 253798 4124ad89c3d6698ae5ce09cc0a810e77 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 217536 02bdd8e928ce65cfc415de890106cde7 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 63072 9aa2b092cc3d4729f6d309160b27117c http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 252162 0f2b0638347b34b07ab919c05b7a404a http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 76452 4eab68ade26bdd00dc733183f673cf7e http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 59106 4c00e1ad73ba0be9631ed3b20846cf31 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 207478 f94b1e493f4a35a9244ab0a71f714f61 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 83948 b4870cfb49811f9e9bfc182004d6e72a http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 633440 f794455df495082bd8c40b2f0a6e0f22 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_alpha.deb Size/MD5 checksum: 367446 248fced4d354d47649deaa0c5d349354 ARM architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_arm.deb Size/MD5 checksum: 197342 11591d7d943ee2d38f0117b53ec59026 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_arm.deb Size/MD5 checksum: 160678 f4118cf6266830f7db9553329dcc1532 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_arm.deb Size/MD5 checksum: 48830 dc4986db69fc9fa3aacd9487a1a57004 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_arm.deb Size/MD5 checksum: 198672 6e11c792134a4d9bd602a7461895c42c http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_arm.deb Size/MD5 checksum: 63738 01cee2e685f3bc973f7cce7e5ec08f56 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_arm.deb Size/MD5 checksum: 49406 03755be7fa950f05c099aff6dc847e7d http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_arm.deb Size/MD5 checksum: 166018 b8000d9c82076d7134aacf28a3ae7a98 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_arm.deb Size/MD5 checksum: 73626 3070b54d29b8174b78886e37bc25c112 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_arm.deb Size/MD5 checksum: 493632 b74a2e03c250019f25ff58387792d666 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_arm.deb Size/MD5 checksum: 295230 bd4ccc64814aeebd0071b68dc964080d Intel IA-32 architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_i386.deb Size/MD5 checksum: 179362 e38dffa6b1e44da9c05ab5569283141b http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_i386.deb Size/MD5 checksum: 152348 eb2d37aca6f5aeb2ecd3dc7a66b351fc http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_i386.deb Size/MD5 checksum: 46370 dda52cc0f381955716025f4f3f210630 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_i386.deb Size/MD5 checksum: 178578 3d9e28bc8bbd83161cd8c9781db99e76 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_i386.deb Size/MD5 checksum: 61358 846936ed49d43dddf11c8239e7ecb74f http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_i386.deb Size/MD5 checksum: 46652 4b12ff1ef17b81aadec2cf27c249b263 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_i386.deb Size/MD5 checksum: 156624 2a626d8694742a825242085d83efb40f http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_i386.deb Size/MD5 checksum: 72022 678e924f12886c54cb3ca9bdee6a8da4 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_i386.deb Size/MD5 checksum: 433960 9a90e0a4c79b81f2d00945fb7bdf84da http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_i386.deb Size/MD5 checksum: 293706 be17bc6de25438a34466e7a47c5e4a0f Intel IA-64 architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 322390 bd8deae9fe5e2fd0d0e304d93c676c95 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 266614 fa5fedbcc5ce19cf0fd6e0f019988aaa http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 73742 3b21c0fd054d80e979808c47bef49b15 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 322348 b893958f43de292d927b49cd9dda434b http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 92050 2c1a3cf4ae7311dc95a696bf919148e9 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 70700 38b66040685eb5421abcb92cdcb682df http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 256278 5440c691dcc69e168105b60a4433332d http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 107650 0b12f0212a2e8ee31654a605e7b74219 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 705942 9dc21d18876a435f5ecbae3c1fa90fac http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_ia64.deb Size/MD5 checksum: 475034 072e1682115dd9c556d2eca5c65780af HP Precision architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 214666 50a69b51ec610a919c00e13dad97c237 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 189950 ed974a7360091fe4ea8a5dee5f310a93 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 54064 87d03aa246e3a8bed874ea20aab5c90c http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 214092 fdb3544036609131e218f1293d59ab62 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 68802 6476e62e8872de28da85a6d7ff6a91a8 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 55892 ae903fa8671838a64061748b150503ae http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 183066 bde3354927006d85aed74b4ce67f379b http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 85122 160ea9c72f59ee814853092ba414f37e http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 558094 4b5f91e312a31a075cf0ee5f5abb28f4 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_hppa.deb Size/MD5 checksum: 362152 bf33b679c8e3023f1baa81dedc1c9e32 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 164376 695f5090f6f02ef5ffcdb94994923d1d http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 144904 f03b67ac31422c20cd2024a7f530f077 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 44522 7bb04f7623ecb06934e615790364744e http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 164106 460978cf8ba185277681491f91269bd3 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 57054 8bcee8e9061c204cc1d53f310603f647 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 44838 c57524e8c13e8f007451617b6c99374f http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 146184 ef14d19fd5d0d4bb4a4ee88287e556cd http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 70032 1bccace886d6c662ab3b10b0cfaa29d9 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 409054 be8e8f2a4573bb15ec6024f00a1c4087 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_m68k.deb Size/MD5 checksum: 277330 c78d56b08e2e4c37bc7d9d1aae9272f6 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mips.deb Size/MD5 checksum: 206742 9881404c18f586f88b60322f6ac46e11 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mips.deb Size/MD5 checksum: 191334 637743e42bdcbd990a8a8eaec03f04e6 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mips.deb Size/MD5 checksum: 53510 c194be0f6dedfbaa82f3f7f51bbafe48 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mips.deb Size/MD5 checksum: 209794 7ad1a3ae1a623910446a89d44f4d7c0a http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mips.deb Size/MD5 checksum: 66606 0921f3d4930ad9501eba05cb48c86093 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mips.deb Size/MD5 checksum: 55072 22603859834a0c66169b9c6b3438296b http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mips.deb Size/MD5 checksum: 175416 edcbd96200fec2b725a64df310856287 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mips.deb Size/MD5 checksum: 72292 afa180a53f462b42ada57f4183e481b2 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mips.deb Size/MD5 checksum: 541350 be00fa435c03a2474310c03b3aadb3d0 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mips.deb Size/MD5 checksum: 308518 db69345f0ad3df1e0b3b70310ffa6ed6 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 210850 d7831efe581155af02fbf4cd4b298577 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 190990 facf8459bd0684335304e2a9af7b8ec1 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 53694 cbae172d0491dd9f259b31f502d3f0ef http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 213350 9b2e3742c660d42556e790503cfa73c2 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 66918 cf9b408405283ea6cda2dc7d79dc5187 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 54936 13d0e562fea89e39cecffe02caa5184f http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 177270 6e92b594956acc65452e8c351222fb53 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 72106 54a3fbae7e86134d48ee49befcb00c99 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 540884 a93fd74e3cfce1d61e81dc15adeede7d http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mipsel.deb Size/MD5 checksum: 307184 e725f0ab101cf33b1eb127eb3d18df81 PowerPC architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 188456 1605cd80b08025be71477d33bae41d53 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 164152 0e3d09352a72b78dce03519b297a87c3 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 49372 9289fc6a3d9a4a1e35e55a8f536b2762 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 189546 cee053d38c1f38de08966f6957ed914a http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 62728 e6f98290ed591d955d5c80eb58d9f6dd http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 49338 bf451f9b226dd16dac16ee9c59d97783 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 162762 2edc9dee6e7672c838626cd391820de9 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 74060 5c6ce5c10f005fa31786354fd60c4616 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 490920 1a5ee5de494c46f5c00598b2ef5dff3d http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_powerpc.deb Size/MD5 checksum: 303574 0972361a36370e77050b37e46aeaed66 IBM S/390 architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_s390.deb Size/MD5 checksum: 189308 1b5d39163a97cb6ea829810afb1a648c http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_s390.deb Size/MD5 checksum: 166440 0709eaf98f958d5190afbe956a277995 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_s390.deb Size/MD5 checksum: 50302 f8721e09d7b159a5e16b293a8999d43c http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_s390.deb Size/MD5 checksum: 190628 cd1c66f7eaa63239aee8fbb4a26bed76 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_s390.deb Size/MD5 checksum: 67096 a191f8826271cfe94a8aef0d8e6aece1 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_s390.deb Size/MD5 checksum: 50278 b0fccd0d25256f8357e8f32e815bf6f6 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_s390.deb Size/MD5 checksum: 164334 ce022c07d1815b0df8b5f9a46e8c2ed8 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_s390.deb Size/MD5 checksum: 76638 4aa46656e9c0293fb5e28e56391e77bc http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_s390.deb Size/MD5 checksum: 453482 b52bf2d4a664c52c350f80c1593ea5c2 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_s390.deb Size/MD5 checksum: 319656 7b7d0c4b136d99b9dfaf798d4f94d0c9 Sun Sparc architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 183454 aa907094cbdaac57da2f0eca9b8eb5bd http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 173036 7f173f3267bcab3e66922ea6d40b9108 http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 49792 ce46cc950c54a24025647cec765c6e6b http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 184358 1ae257a74f7e385a2e4e186a26e86da6 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 64400 6429cb02f6d8c3948ef94176ee077c9e http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 49780 dc7690038fd1b4125179157411f96396 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 159528 4c9938799737182f5fd4455f7ba08508 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 73406 83f33192e1d069af16c155136117b331 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 463024 94916989bafb9975e1d973cc0210b1d0 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_sparc.deb Size/MD5 checksum: 301464 ebf61bee3343e02ea2d64066a6713424 These files will probably be moved into the stable distribution on its next update

Buffer overflow in QuickTime PictureViewer 6.5.1 allows remote attackers to cause a denial of service (application crash) via a JPEG file with crafted Huffman Table (marker DHT) data. Apple QuickTime is reportedly prone to a buffer overflow when viewing malformed image files. This issue was reported to exist in QuickTime 6.5.1 for Windows. Other versions may also be affected. This issue may be related to BID 11553. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more

Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. Dnsmasq is reported prone to multiple remote vulnerabilities. These issues can allow an attacker to exploit an off-by-one overflow condition and carry out DNS cache poisoning attacks. An attacker may leverage these issues to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks. A denial of service condition may occur due to the off-by-one overflow vulnerability. Although unconfirmed, there is a circumstantial possibility of remote code execution in the context of the server. Reportedly, exploitation of the cache-poisoning issue is not trivial as improvements were made to the application to mitigate cache-poisoning attacks. The off-by-one overflow issue affects Dnsmasq 2.14, 2.15, 2.16, 2.17, 2.18, 2.19 and 2.20. The cache-poisoning issue affects Dnsmasq 2.20 and prior. Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Dnsmasq DHCP Lease File Denial of Service and DNS Cache Poisoning SECUNIA ADVISORY ID: SA14691 VERIFY ADVISORY: http://secunia.com/advisories/14691/ CRITICAL: Moderately critical IMPACT: Spoofing, Manipulation of data, DoS WHERE: >From remote SOFTWARE: Dnsmasq 2.x http://secunia.com/product/4837/ DESCRIPTION: Two vulnerabilities have been reported in Dnsmasq, which can be exploited by malicious people to cause a DoS (Denial of Service) or poison the DNS cache. 1) An off-by-one boundary error when reading the DHCP lease file can be exploited by a malicious DHCP client to cause a buffer overflow by supplying an overly long hostname and client-id. Successful exploitation crashes Dnsmasq the next time it is started. 2) When receiving DNS replies, only the 16-bit ID is checked against the current query. This can be exploited to poison the DNS cache if a valid ID (randomly generated) is guessed by e.g. sending a flood of DNS replies. SOLUTION: Update to version 2.21. http://www.thekelleys.org.uk/dnsmasq/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Rob Holland. 2) Reported by vendor. ORIGINAL ADVISORY: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file. Dnsmasq is reported prone to multiple remote vulnerabilities. An attacker may leverage these issues to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks. A denial of service condition may occur due to the off-by-one overflow vulnerability. Although unconfirmed, there is a circumstantial possibility of remote code execution in the context of the server. Reportedly, exploitation of the cache-poisoning issue is not trivial as improvements were made to the application to mitigate cache-poisoning attacks. The off-by-one overflow issue affects Dnsmasq 2.14, 2.15, 2.16, 2.17, 2.18, 2.19 and 2.20. The cache-poisoning issue affects Dnsmasq 2.20 and prior. Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Dnsmasq DHCP Lease File Denial of Service and DNS Cache Poisoning SECUNIA ADVISORY ID: SA14691 VERIFY ADVISORY: http://secunia.com/advisories/14691/ CRITICAL: Moderately critical IMPACT: Spoofing, Manipulation of data, DoS WHERE: >From remote SOFTWARE: Dnsmasq 2.x http://secunia.com/product/4837/ DESCRIPTION: Two vulnerabilities have been reported in Dnsmasq, which can be exploited by malicious people to cause a DoS (Denial of Service) or poison the DNS cache. Successful exploitation crashes Dnsmasq the next time it is started. 2) When receiving DNS replies, only the 16-bit ID is checked against the current query. This can be exploited to poison the DNS cache if a valid ID (randomly generated) is guessed by e.g. sending a flood of DNS replies. SOLUTION: Update to version 2.21. http://www.thekelleys.org.uk/dnsmasq/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Rob Holland. 2) Reported by vendor. ORIGINAL ADVISORY: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Nortel VPN client 5.01 stores the cleartext password in the memory of the Extranet.exe process, which could allow local users to obtain sensitive information. Credentials that are harvested through the exploitation of this weakness may then be used to aid in further attacks. This weakness is reported to affect Nortel Contivity VPN Client version 5.01 for Microsoft Windows, versions for the Linux platform are not reported to be vulnerable. Other versions might also be affected

The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and possibly other products, allows remote attackers to read arbitrary files via a full pathname in the HTTP request. Multiple vulnerabilities are reported to exist in Samsung DSL modems. The first issue is an information disclosure issue due to a failure of the device to block access to potentially sensitive files. The second issue is a default backdoor account vulnerability. It is reported that multiple accounts exist on the modem by default, allowing remote attackers to gain administrative privileges on the modem. These vulnerabilities may allow remote attackers to gain access to potentially sensitive information, or to gain administrative access to the affected device. Samsung DSL modems running software version SMDK8947v1.2 are reported to be affected. Other devices and software versions are also likely affected. Samsung's DSL modem is a communication device used in broadband networks

Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) root, (2) admin, or (3) user users, which allows remote attackers to gain privileges via Telnet or an HTTP request to adsl.cgi. Multiple vulnerabilities are reported to exist in Samsung DSL modems. The first issue is an information disclosure issue due to a failure of the device to block access to potentially sensitive files. The second issue is a default backdoor account vulnerability. These vulnerabilities may allow remote attackers to gain access to potentially sensitive information, or to gain administrative access to the affected device. Samsung DSL modems running software version SMDK8947v1.2 are reported to be affected. Other devices and software versions are also likely affected. Samsung's DSL modem is a communication device used in broadband networks

Mac OS X before 10.3.8 users world-writable permissions for certain directories, which may allow local users to gain privileges, possibly via the receipt cache or ColorSync profiles. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. This BID will be updated and split into unique BIDs as soon as further information is available. The insecure permissions are on folders that contain the installer 'receipt cache' and 'system-level ColorSync profiles'. Mac OS X bundled by default in Core Foundation A buffer overflow vulnerability exists in the library that could allow an attacker to obtain root User rights

AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Drop Boxes," which allows local users to read the contents of a Drop Box. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. This BID will be updated and split into unique BIDs as soon as further information is available. The issue arises because file permissions are not properly validated. A buffer overflow vulnerability exists in the Core Foundation libraries bundled with Mac OS X by default, which could allow an attacker to gain root user privileges. The vulnerability is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string larger than 1024 characters is passed through this variable, it may cause a stack overflow, allowing the attacker to control the program flow by overwriting the return address of the function on the stack. Some vulnerable setuid root binaries include su, pppd, and login

The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. This BID will be updated and split into unique BIDs as soon as further information is available. Exploitation could allow an attacker to bypass local security settings. The vulnerability is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string larger than 1024 characters is passed through this variable, it may cause a stack overflow, allowing the attacker to control the program flow by overwriting the return address of the function on the stack. Some vulnerable setuid root binaries include su, pppd, and login

Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue. This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected. This BID will be updated and split into unique BIDs as soon as further information is available. More information is available at the following link: http://www.apple.com/macosx/ II. The vulnerability specifically exists due to improper handling of the CF_CHARSET_PATH environment variable. When a string greater than 1,024 characters is passed via this variable, a stack-based overflow occurs, allowing the attacker to control program flow by overwriting the function's return address on the stack. Some of the setuid root binaries that are vulnerable include su, pppd and login. III. ANALYSIS Successful exploitation of this vulnerability allows for root access. This vulnerability is difficult to workaround due to the fact that a large number of system binaries are linked against the vulnerable code. IV. V. WORKAROUND Restrict local access to trusted users only, as it is impossible to remove the setuid bit from the affected binaries without severely limiting the function of the system. VI. VENDOR RESPONSE This vulnerability is addressed in Apple Security Update 2005-003 available at: http://docs.info.apple.com/article.html?artnum=301061 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0716 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/04/2005 Initial vendor notification 02/04/2005 Initial vendor response 03/21/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Belkin 54G (F5D7130) wireless router allows remote attackers to access restricted resources by sniffing URIs from UPNP datagrams, then accessing those URIs, which do not require authentication. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported: It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. It is reported that SNMP support is enabled on the affected appliance under a default configuration. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users

Belkin 54G (F5D7130) wireless router enables SNMP by default in a manner that allows remote attackers to obtain sensitive information. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported: It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. It is reported that SNMP support is enabled on the affected appliance under a default configuration. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users

The SNMP service in the Belkin 54G (F5D7130) wireless router allows remote attackers to cause a denial of service via unknown vectors. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported: It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, this URI may be accessed by local network users without requiring authentication. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. It is reported that SNMP support is enabled on the affected appliance under a default configuration. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information. Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users. A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users

Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files. A local insecure file creation vulnerability affects Webroot My Firewall. This issue is due to an access validation issue that allows an unprivileged user to create files with escalated privileges. This issue may be exploited by a local attacker to corrupt arbitrary files on an affected computer with SYSTEM privileges. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: My Firewall Plus Arbitrary File Corruption Vulnerability SECUNIA ADVISORY ID: SA13577 VERIFY ADVISORY: http://secunia.com/advisories/13577/ CRITICAL: Not critical IMPACT: Manipulation of data, DoS WHERE: Local system SOFTWARE: My Firewall Plus 5.x http://secunia.com/product/4276/ DESCRIPTION: Secunia Research has discovered a vulnerability in My Firewall Plus, which can be exploited by malicious, local users to manipulate the content of arbitrary files on a vulnerable system. Successful exploitation requires that the user has access to the Log Viewer (all users by default). The vulnerability has been confirmed in version 5.0 (build 1117). Other versions may also be affected. NOTE: This vulnerability has been rated "Not critical" as only trusted users should have access to the configuration and logging functionality. SOLUTION: Update to version 5.0 (build 1119) or apply patch. Patch: http://www.webroot.com/services/mfp_patch.exe Use the "Password Protection" feature to restrict access to the configuration and logging functionality. PROVIDED AND/OR DISCOVERED BY: Carsten Eiram, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2004-20/ Webroot: http://www.webroot.com/services/mfp_advisory.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway Security 5400 2.x and 5300 1.x, Enterprise Firewall 7.0.x and 8.x, and VelociRaptor 1100/1200/1300 1.5, allows remote attackers to poison the DNS cache and redirect users to malicious sites. The underlying issue causing this vulnerability is currently unknown. An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks. The vulnerability is caused due to an unspecified error in the DNS proxy (DNSd) when functioning as a DNS caching server or primary DNS server and can be exploited to poison the DNS cache. SOLUTION: The vendor has issued hotfixes. http://www.symantec.com/techsupp ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html http://service1.symantec.com/support/ent-gate.nsf/docid/2005030417285454 OTHER REFERENCES: SA11888: http://secunia.com/advisories/11888/ Internet Storm Center: http://www.isc.sans.org/diary.php?date=2005-03-04 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collaboration Suite (ICS) before 8.15 Hotfix 1 allows remote authenticated users to execute arbitrary code via a long EXAMINE command. The Ipswitch Collaboration Suite IMail IMAP service is reported prone to a buffer overflow vulnerability. The issue exists due to a lack of sufficient boundary checks performed on arguments that are passed to the EXAMINE command. It is conjectured that a remote authenticated attacker may exploit this vulnerability to execute arbitrary code in the context of the affected service. Immediate consequences of a failed exploit attempt would be a denial of service due to the application crashing on an access violation. IMail Server version 8.13 an earlier are reported prone to this vulnerability. ---------------------------------------------------------------------- Monitor, Filter, and Manage Security Information - Filtering and Management of Secunia advisories - Overview, documentation, and detailed reports - Alerting via email and SMS Request Trial: https://ca.secunia.com/?f=l ---------------------------------------------------------------------- TITLE: Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow SECUNIA ADVISORY ID: SA14546 VERIFY ADVISORY: http://secunia.com/advisories/14546/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Ipswitch Collaboration Suite (ICS) 1.x http://secunia.com/product/4773/ IMail Server 8.x http://secunia.com/product/3048/ DESCRIPTION: Nico Steinhardt has reported a vulnerability in Ipswitch Collaboration Suite, which can be exploited by malicious users to compromise a vulnerable system. SOLUTION: Apply IMail Server 8.15 Hotfix 1: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe PROVIDED AND/OR DISCOVERED BY: Nico Steinhardt ORIGINAL ADVISORY: iDEFENSE: http://www.idefense.com/application/poi/display?id=216&type=vulnerabilities ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . BACKGROUND Ipswitch Collaboration Suite (ICS) is a comprehensive communication and collaboration solution for Microsoft Windows with a customer base of over 53 million users. More information is available on the vendor's website: http://www.ipswitch.com/products/IMail_Server/index.html II. The EXAMINE command selects a mailbox so that messages within the mailbox may be accessed with read-only privileges. EXAMINE requests with malformed mailbox names of 259 bytes will overwrite the saved stack frame pointer, resulting in potential process execution control. It should be noted that IMAP will append a '/' character to your supplied mailbox name so the most significant byte of the frame pointer will be 0x2e. The output below shows successful control of the frame pointer. (668.f8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000006 ebx=008943b0 ecx=42424242 edx=00c8fad4 esi=008943b0 edi=00000013 eip=0078626d esp=00c9fd20 ebp=2e434343 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 0078626d ?? ??? Frame pointer overwrites may allow attackers to redirect program flow when the current function returns. It should be noted that the IMAP EXAMINE command is only available after successful authentication. III. The EXAMINE IMAP command is only valid after authentication has occurred, however due to the nature of IMAP servers serving a large user base, this requirement only slightly reduces exposure to the vulnerability. IV. DETECTION iDEFENSE has confirmed that the IMAP4 daemon (IMAP4d32.exe ver. IMail Server is now packaged as part of Ipswitch Collaboration Suite. V. WORKAROUND Use application level content filtering on overly long IMAP commands. VI. VENDOR RESPONSE This vulnerability is addressed in IMail Server 8.15 Hotfix 1 (February 3, 2005), which is available for download at: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0707 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 03/02/2005 Initial vendor notification 03/08/2005 Initial vendor response 03/10/2005 Public disclosure IX. CREDIT Nico Steinhardt is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R firmware after 1.5Z and before 1.68, Gateway Security 360/360R and 460/460R firmware before vuild 858, and Nexland Pro800turbo, when configured for load balancing between two WANs, might send SMTP traffic to a trusted network through an untrusted network. Symantec Gateway Security is reported prone to a vulnerability that may result in the leakage of potentially sensitive SMTP data. It is reported that this issue manifests when an affected appliance is configured to load-balance two WAN network connections and SMTP binding is configured for a single WAN interface. This may result in SMTP data leakage in deployments where one WAN interface is trusted and the other is not. SMTP traffic bound to the trusted WAN interface is load-balanced onto the untrusted WAN. ---------------------------------------------------------------------- Monitor, Filter, and Manage Security Information - Filtering and Management of Secunia advisories - Overview, documentation, and detailed reports - Alerting via email and SMS Request Trial: https://ca.secunia.com/?f=l ---------------------------------------------------------------------- TITLE: Symantec Firewall Devices SMTP Binding Configuration Bypass SECUNIA ADVISORY ID: SA14428 VERIFY ADVISORY: http://secunia.com/advisories/14428/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From remote OPERATING SYSTEM: Symantec Firewall/VPN Appliance 100/200/200R http://secunia.com/product/552/ Symantec Gateway Security 2.x http://secunia.com/product/3104/ Symantec Nexland Firewall Appliances 1.x http://secunia.com/product/4466/ DESCRIPTION: Arthur Hagen has reported a security issue in various Symantec firewall devices, which may disclose sensitive information to malicious people. The problem is caused due to an error in the SMTP binding functionality of certain devices with ISP load-balancing capabilities. The security issue has been reported in the following versions: * Symantec Firewall/VPN Appliance 200/200R (firmware builds prior to build 1.68 and later than 1.5Z) * Symantec Gateway Security 360/360R (firmware builds prior to build 858) * Symantec Gateway Security 460/460R (firmware builds prior to build 858) * Nexland Pro800turbo (firmware builds prior to build 1.6X and later than 1.5Z) SOLUTION: The vendor has issued updated firmware releases. http://www.symantec.com/techsupp Symantec Firewall/VPN Appliance models 200 and 200R: Update to build 1.68. Symantec Gateway Security Appliance 300 and 400 series: Update to build 858. Nexland Pro800turbo: Update to build 1.6X. PROVIDED AND/OR DISCOVERED BY: Arthur Hagen ORIGINAL ADVISORY: http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, or 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (CPU consumption) via malformed IP packets. This issue is due to a failure of the affected software to properly handle malformed network data. Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device

Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection.". This issue is due to a failure of the affected software to properly handle malformed network data. Specifically, multiple denial of service vulnerabilities and a single default administrator password issues were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device