
20 CVE Entries for Interoperability Demo



Below is a re-send of the list of 20 CVE entries for the upcoming
Interoperability Demo.  As you do the mappings to your tool/database,
if you can map to a candidate and you haven't voted for it yet, please
do so.  That will ensure that all 20 of these entries will have gone
through the voting process.

Thanks,
- Steve

************************************************************************

As mentioned previously, we would like to have a list of 10 Unix and
10 NT problems to support the Interoperability Demo.  We'd like to
focus on two primary entries (one Unix and one NT) which will be
listed on the poster boards at the SANS booth; they can highlight the
problem and what we're doing about it.

For the primary entries, please send Dave (damann@mitre.org) and me
your "name" for these entries (advisory title, short name, tool
check/decode number, database ID, etc.)

The Unix and NT lists are provided afterward.  Please review them and
verify with me and Dave Mann which ones your tool/database includes.
We want to make sure that all Interoperability Demo participants can
map to most or all of either the Unix or NT entries.

Note that some of these entries are candidates, and will require
additional votes to be accepted into the CVE.

Details of each entry/candidate are provided at the bottom.
Candidates include the voting summaries, and you are strongly
encouraged to vote on these so that we can convert them to real CVE
entries within a week or two.



********************
PRIMARY ENTRIES
********************

We want to have two examples of the different "names" that each
organization has for various CVE entries, one for Unix and one for NT.
A sample slide is included in the previous package that I sent.


UNIX
----

ToolTalk - CVE-1999-0003
  - on CERT current activity list
  - unknown if all/most tools check

phf - CVE-1999-0067
  - all tools
  - Is it still active?  The Internet Auditing Project thinks so.


Windows NT
----------

There are no CVE entries available that are used by most/all
tools/databases.  But there are some good candidates that can be
accepted with another vote or two.

land - CAN-1999-0016
   - needs votes
   - Same Codebase, so will need to be modified to use dot notation
     and record all the different codebases
   - all tools check for this
   - current activity?

winnuke (out-of-band) - CAN-1999-0153
   - one more voter would be good, but could be accepted based on 2
     non-MITRE voters and tool usage
   - current activity?



********************
OTHER ENTRIES
********************

Below are some *likely* entries that all or most tools/databases
include.  These can round out the lists of 10 problems in combination
with the primary entries.

These lists could change based on (a) whether they are included in the
CVE (some are candidates), and (b) whether CERT can confirm that there
is activity related to these problems.


UNIX
********

1) wu-ftp site exec - CVE-1999-0080

2) POP3 buffer overflow based on qpopper - CVE-1999-0006

3) Ping o' Death - CVE-1999-0128

4) Bind problems - CAN-1999-0009, CAN-1999-0010, CAN-1999-0011
     - NEED VOTES

5) U-Washington IMAP - CAN-1999-0005
     - can be accepted

6) campas - CAN-1999-0146
  - could be accepted with current votes

7) aglimpse - CAN-1999-0147
  - could be accepted with current votes

8) IRIX wrap - CAN-1999-0149
  - could be accepted with current votes

9) rlogin -froot - CAN-1999-0113
  - could be accepted with current votes

10) NFS mountd logging buffer overflow - CAN-1999-0002
  - needs votes



NT
********

1) RPC Locator DoS - CVE-1999-0228

2) NetMeeting buffer overflow - CVE-1999-0332

3) Sechole - CVE-1999-0344

4) Microsoft Scriptlet Component read files - CVE-1999-0468

5) GetAdmin - CAN-1999-0496
  - could use one more vote

6) KnownDLLs -  CAN-1999-0376
  - can be ACCEPTed

7) Screen Saver privileges - CAN-1999-0382
  - needs one more vote

8) BackOffice passwords in setup file - CAN-1999-0372
  - needs one more vote

9) IIS FTP ls buffer overflow - CAN-1999-0349
  - needs one more vote

10) NT 4.0 SP4 null hash/password - CAN-1999-0366
  - needs one more vote



************ CVE ENTRIES ************



CVE version: 199908272309

----------------------
Name: CVE-1999-0003
Category: SF
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX
Created: 19990720

Execute commands as root via buffer overflow in Tooltalk database
server (rpc.ttdbserverd)

----------------------
Name: CVE-1999-0006
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Created: 19990720

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows
remote attackers to gain root access using a long PASS command.

----------------------
Name: CVE-1999-0067
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf
Created: 19990827

CGI phf program allows remote command execution through shell
metacharacters.

----------------------
Name: CVE-1999-0080
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot
Created: 19990720

wu-ftp FTP server allows root access via "site exec" command.

----------------------
Name: CVE-1999-0128
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping
Created: 19990827

Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.

----------------------
Name: CVE-1999-0228
Category: SF
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Created: 19990827

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

----------------------
Name: CVE-1999-0332
Category: SF
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346
Created: 19990827

Buffer overflow in NetMeeting allows denial of service and remote
command execution.

----------------------
Name: CVE-1999-0344
Category: SF
Reference: MS:MS98-009
Reference: MSKB:Q190288
Reference: XF:nt-priv-fix
Created: 19990827

NT users can gain debug-level access on a system process using the
Sechole exploit.

----------------------
Name: CVE-1999-0468
Category: SF
Reference: MS:MS99-012
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999
Created: 19990827

Internet Explorer 5.0 allows a remote server to read arbitrary files
on the client's file system using the Microsoft Scriptlet Component.



*********** CANDIDATE ENTRIES ***********


=================================
Candidate: CAN-1999-0002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.12.mountd
Reference: XF:linux-mountd-bo

Buffer overflow in NFS mountd gives root access to remote attackers,
mostly in Linux systems.

VOTES:
   ACCEPT(1) Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(1) Christey
   REVIEWING(1) Northcutt

COMMENTS:
 Northcutt> there are multiple similar exploits which may imply
 Northcutt> multiple vulnerabilities
 Christey> It's difficult to distinguish between this vulnerability and another
 Christey> IMAP vulnerability via just the textual description.  (The other
 Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
 Christey> odd reason).  I had to reference the different CERT advisories to
 Christey> distinguish between this candidate and CVE-00042.  The X-Force
 Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP LOGIN
 Christey> command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
 Christey> command."  I propose modifying the description to say something to
 Christey> this effect, though the typical analyst may still need to rely on the
 Christey> references.


=================================
Candidate: CAN-1999-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

VOTES:
   ACCEPT(1) Frech


=================================
Candidate: CAN-1999-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos

Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.

VOTES:
   ACCEPT(1) Frech


=================================
Candidate: CAN-1999-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Reference: SUN:00180

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases
via CNAME record and zone transfer.

VOTES:
   MODIFY(1) Frech

COMMENTS:
 Frech> Change XF reference to:
 Frech> XF:bind-axfr-dos


=================================
Candidate: CAN-1999-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-exploit
Reference: XF:land-patch
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml

Land IP denial of service

VOTES:
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
 Frech> listed on website)
 Frech> XF:land-exploit (obsolete, replaced by land)


=================================
Candidate: CAN-1999-0113
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.09.bin.login.vulnerability

Some implementations of rlogin would allow root access if given a
-froot parameter.

VOTES:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:rlogin-froot


=================================
Candidate: CAN-1999-0146
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-campas

The campas CGI program provided with some NCSA web servers allows an
attacker to read arbitrary files.

VOTES:
   ACCEPT(3) Northcutt, Prosser, Frech

COMMENTS:
 Prosser> additional source,
 Prosser> Bugtraq
 Prosser> "Francisco Torres"
 Prosser> http://www.securityfocus.com


=================================
Candidate: CAN-1999-0147
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-glimpse

The aglimpse CGI program of the Glimpse package allows remote
execution of arbitrary commands

VOTES:
   ACCEPT(3) Northcutt, Prosser, Frech

COMMENTS:
 Prosser> additional source
 Prosser> AUSCERT Alert AA-97.28
 Prosser> http://www.auscert.org.au


=================================
Candidate: CAN-1999-0149
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-sgi-wrap

The wrap CGI program in IRIX allows arbitrary command execution from
remote users.

VOTES:
   ACCEPT(3) Northcutt, Prosser, Frech

COMMENTS:
 Prosser> additional source
 Prosser> SGI Security Advisory 19970501-02-PX
 Prosser> http://www.sgi.com/Support/security/advisories.html


=================================
Candidate: CAN-1999-0153
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Windows 95/NT out of band (OOB) data denial of service through NETBIOS
port, aka WinNuke.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:win-oob


=================================
Candidate: CAN-1999-0349
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-003
Reference: MSKB:Q188348
Reference: BUGTRAQ:Jan27,1999
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack

A buffer overflow in the FTP list (ls) command in IIS allows remote
attackers to conduct a denial of service and, in some cases, execute
arbitrary commands.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:iis-remote-ftp
 Frech> It is extremely hard to find articles by their dates, especially
 Frech> for heavily trafficked groups like *Bugtraq. Is it possible to convert them
 Frech> to titles instead?


=================================
Candidate: CAN-1999-0366
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-004
Reference: MSKB:Q214840

In some cases, Service Pack 4 for Windows NT 4.0 can allow access to
network shares using a blank password, through a problem with a null
NT hash value.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-sp4-auth-error


=================================
Candidate: CAN-1999-0372
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-005

The installer for BackOffice Server includes account names and
passwords in a setup file which is not deleted.

VOTES:
   ACCEPT(1) Hill
   MODIFY(2) Wall, Frech

COMMENTS:
 Wall> "The installer for BackOffice Server 4.0 includes account names
 Wall> and passwords in a setup file (reboot.ini) which is not deleted."
 Wall> Also reference Q217004
 Frech> XF:nt-backoffice-setup


=================================
Candidate: CAN-1999-0376
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-006
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999

Local users in Windows NT can obtain administrator privileges by
changing the KnownDLLs list to reference malicious programs.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-knowndlls-list


=================================
Candidate: CAN-1999-0382
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-008

The screen saver in Windows NT does not verify that its security
context has been changed properly, allowing attackers to run programs
with elevated privileges.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-screen-saver

Page Last Updated or Reviewed: May 22, 2007