RE: First candidate cluster for validation: CERT
All:

Here's the first review that came in from Steve Northcutt. I've forwarded it along to the list. I'll comment on his non-ACCEPTs later.

Bill Hill of MITRE has given me an implicit "ACCEPT" of all the candidates in the CERT cluster.

Later today or tomorrow, I expect to present my own review of the cluster (there are a couple descriptions that I think could be improved.)

I hope to see comments from more of you soon!

- Steve

------------------------------------------
Candidate: CAN-1999-0003
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)

ACCEPT

------------------------------------------
Candidate: CAN-1999-0004
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175

MIME buffer overflows in mail/news clients, e.g. Solaris mailtool.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0005
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in CERT:CA-98.09.imapd.

REVIEWING, there are multiple similar exploits which may imply multiple vulnerabilities

------------------------------------------
Candidate: CAN-1999-0006
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0007
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.07.PKCS
Reference: XF:nt-ssl-fix

Information from SSL-encrypted sessions via PKCS #1

ACCEPT

------------------------------------------
Candidate: CAN-1999-0008
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Buffer overflow in NIS+, in Sun's rpc.nisd program

ACCEPT

------------------------------------------
Candidate: CAN-1999-0013
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0014
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185

Unauthorized privileged access or denial of service via dtappgather program in CDE.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0017
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP bounce attack to connect to arbitrary ports on machines other than the FTP client.

MODIFY - the primary vulnerability is in some FTP server implementations that allow this as opposed to the actual connecting to the ports

------------------------------------------
Candidate: CAN-1999-0018
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Root privileges via statd, as in CERT:CA-97.26.statd, due to buffer overflow.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0019
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135

Delete or create a file via rpc.statd, due to invalid information.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0021
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0022
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.23.rdist
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0023
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0024
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

DNS cache poisoning via BIND, by predictable query IDs.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0032
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX

Command execution in BSD-based lpr package (lp) due to buffer overflow.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0033
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

ACCEPT

------------------------------------------
Candidate: CAN-1999-0034
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x

ACCEPT

------------------------------------------
Candidate: CAN-1999-0035
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write arbitrary files

ACCEPT

------------------------------------------
Candidate: CAN-1999-0036
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: SGI:19970508-02-PX
Reference: XF:sgi-lockout

IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0038
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Buffer overflow in xlock program allows local users to execute commands as root.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0039
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.12.webdist
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: XF:http-sgi-webdist

Arbitrary command execution using webdist CGI program in IRIX.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0040
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0041
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Buffer overflow in NLS (Natural Language Service)

NO OPINION

------------------------------------------
Candidate: CAN-1999-0043
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0045
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

List of arbitrary files on Web host via nph-test-cgi script

ACCEPT

------------------------------------------
Candidate: CAN-1999-0046
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:bsdi-rlogind

Buffer overflow of rlogin program using TERM environmental variable

ACCEPT

------------------------------------------
Candidate: CAN-1999-0049
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.03.csetup

Csetup under IRIX allows arbitrary file creation or overwriting.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0050
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Buffer overflow in HP-UX newgrp program

ACCEPT

------------------------------------------
Candidate: CAN-1999-0051
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0067
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution

MODIFY, this is not about phf it is about escape_shell_cmd(), you had the same thing with php and so forth.

------------------------------------------
Candidate: CAN-1999-0073
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0078
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Reference: XF:nfs-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0080
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

wu-ftp FTP server allows root access via "site exec" command.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0099
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution through Sendmail.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0117
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

AIX passwd allows local users to gain root access.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0128
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service, e.g. from the Ping o' Death exploit.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0129
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0130
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.24.sendmail.daemon.mode

Local users can start Sendmail in daemon mode and gain root privileges.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0131
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.20.sendmail_vul

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0132
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.19.expreserve
Reference: XF:expreserve

Expreserve, used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0133
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0134
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04

vold in Solaris 2.x allows local users to gain root access

ACCEPT

------------------------------------------
Candidate: CAN-1999-0135
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0136
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0137
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0141
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134

Java Bytecode Verifier allowed malicious applets to execute arbitrary commands as the user of the applet.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0142
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary hosts.

RECAST - Please note I am not a Java expert, but I think jdk 2.0 and so forth do not have a sandbox notion and applets (perhaps trusted applets) can connect to arbitrary hosts as a matter of course. You might want to contact Li Gong (li.gong@sun.com) or a similar expert before issuing this one. NOTE: another reason to consider the original date!!!

------------------------------------------
Candidate: CAN-1999-0143
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0155
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.10.ghostscript

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0164
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0207
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0208
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.

ACCEPT with a warning, this is from the so called slammer exploit true? If I recall, the exploit was posted, but some library needed to be purchased to compile the thing. It was never clear to me if this was true, or a marketing gimmick.

------------------------------------------
Candidate: CAN-1999-0209
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-90.05.sunselection.vulnerability

The SunView (SunTools) selection_svc facility allows remote users to read files.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0267
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Buffer overflow in NCSA HTTP daemon v1.3 allowed remote command execution.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0277
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.23.workman_vul

The WorkMan program can be used to overwrite any file to get root access.

NO OPINION

------------------------------------------
Candidate: CAN-1999-0334
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0337
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0338
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools

AIX Licensed Program Product performance tools allow local users to gain root access.

ACCEPT

------------------------------------------
Candidate: CAN-1999-0513
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

MODIFY - If you put it this way then ping mapping becomes part of smurf. I would consider calling the vulnerability ICMP to broadcast addresses and in the text state allowing for a Smurf denial of service or ICMP ping mapping to acquire intelligence data about a network.