[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

INTERIM DECISION: ACCEPT 50 various candidates (Final 9/28)



I have made an Interim Decision to ACCEPT the following 50 candidates.
These candidates did not have sufficient votes a week ago, so the
Board's response on their tailored ballots allowed these candidates to
be ACCEPTed.

I will make a Final Decision on Tuesday, September 28, which will
bring the total number of candidates to around 320.

- Steve


=================================
Candidate: CAN-1999-0009
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

VOTES:
   ACCEPT(6) Frech, Northcutt, Blake, Prosser, Balinsky, Levy


=================================
Candidate: CAN-1999-0010
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos

Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.

VOTES:
   ACCEPT(4) Frech, Blake, Northcutt, Prosser


=================================
Candidate: CAN-1999-0011
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: SUN:00180
Reference: XF:bind-axfr-dos

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases
via CNAME record and zone transfer.

Modifications:
  CHANGEREF XF:bind-dos XF:bind-axfr-dos

VOTES:
   ACCEPT(2) Blake, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> Change XF reference to:
 Frech> XF:bind-axfr-dos


=================================
Candidate: CAN-1999-0016
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Land IP denial of service

Modifications:
  ADDREF HP:HPSBUX9801-076
  ADDREF XF:ver-tcpip-sys
  DELREF XF:land-exploit

VOTES:
   ACCEPT(4) Northcutt, Blake, Balinsky, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
 Frech> listed on website)
 Frech> XF:land-exploit (obsolete, replaced by land)


=================================
Candidate: CAN-1999-0025
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: XF:df-bo

root privileges via buffer overflow in df command on SGI IRIX
systems.

VOTES:
   ACCEPT(2) Frech, Ozancin


=================================
Candidate: CAN-1999-0026
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo

root privileges via buffer overflow in pset command on SGI IRIX
systems.

VOTES:
   ACCEPT(3) Frech, Prosser, Ozancin


=================================
Candidate: CAN-1999-0027
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo

root privileges via buffer overflow in eject command on SGI IRIX
systems.

VOTES:
   ACCEPT(2) Frech, Ozancin


=================================
Candidate: CAN-1999-0028
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: XF:sgi-schemebo

root privileges via buffer overflow in login/scheme command on SGI
IRIX systems.

Modifications:
  ADDREF XF:sgi-schemebo

VOTES:
   ACCEPT(1) Prosser
   MODIFY(2) Frech, Ozancin

COMMENTS:
 Frech> XF:sgi-schemebo
 Ozancin> => login/scheme


=================================
Candidate: CAN-1999-0029
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo

root privileges via buffer overflow in ordist command on SGI IRIX
systems.

VOTES:
   ACCEPT(2) Frech, Ozancin


=================================
Candidate: CAN-1999-0037
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands

Arbitrary command execution via metamail package using message
headers, when user processes attacker's message using metamail.

Modifications:
  ADDREF XF:metamail-header-commands

VOTES:
   ACCEPT(4) Hill, Prosser, Landfield, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:metamail-header-commands


=================================
Candidate: CAN-1999-0059
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-16
Reference: XF:irix-fam

IRIX fam service allows an attacker to obtain a list of all files
on the server.

VOTES:
   ACCEPT(3) Hill, Northcutt, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:irix-fam


=================================
Candidate: CAN-1999-0068
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-php-mylog
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts

CGI PHP mylog script allows an attacker to read any file on the
target server.

Modifications:
  ADDREF BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts

VOTES:
   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser

COMMENTS:
 Prosser> add source
 Prosser> Bugtraq
 Prosser> "Vulnerability in PHP Example Logging Scripts"
 Prosser> http://www.securityfocus.com/bugtraq/1997_3/0560.html


=================================
Candidate: CAN-1999-0075
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: XF:pasvcore

PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV
command after specifying a username and password.

Modifications:
  ADDREF BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
  DESC make more explicit to distinguish from CAN-1999-0076

VOTES:
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> There is no pasvcore record; delete and add
 Frech> XF:ftp-pasvcore
 Prosser> additional sources
 Prosser> Various BUGTRAQ messages
 Prosser> http://www.securityfocus.com/
 Prosser> http://oliver.efri.hr/~crv/security/bugs/SunOS/wuftpd7.html
 Prosser> http://www.insecure.org/sploits


=================================
Candidate: CAN-1999-0084
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-mknod

NFS mknod bug

VOTES:
   ACCEPT(5) Hill, Frech, Northcutt, Proctor, Balinsky


=================================
Candidate: CAN-1999-0087
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ibm-telnetdos
Reference: ERS:ERS-SVA-E01-1998:003.1

Denial of service in AIX telnet can freeze a system and prevent
users from accessing the server.

Modifications:
  ADDREF XF:ibm-telnetdos

VOTES:
   ACCEPT(1) Hill
   MODIFY(3) Meunier, Frech, Landfield
   NOOP(2) Northcutt, Christey

COMMENTS:
 Meunier> Add "STD0011:  Incorrect or incomplete address field found and ignored" to
 Meunier> distinguish from other vulnerabilities resulting in DOS on AIX telnet that
 Meunier> might be discovered in the future.
 Frech> XF:ibm-telnetdos
 Christey> To keep the description as short and simple as possible, we
 Christey> should avoid this specific detail until there is a second AIX
 Christey> telnet DoS


=================================
Candidate: CAN-1999-0095
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: XF:smtp-debug

The debug command in Sendmail is enabled, allowing attackers to
execute commands as root.

Modifications:
  ADDREF CERT:CA-88.01
  ADDREF CERT:CA-93.14
  DESC change to reflect that it's a config problem

VOTES:
   ACCEPT(7) Hill, Frech, Blake, Northcutt, Proctor, Balinsky, Ozancin
   NOOP(1) Christey
   RECAST(1) Prosser

COMMENTS:
 Northcutt> (I swear I have voted for this before, this is how I got into
 Northcutt> computer security, someone broke into my SUN WS doing this)
 Prosser> There is an sendmail 8.6.7 debug vulnerability :source
 Prosser> CERT Advisory CA-94.12
 Prosser> http://www.cert.org
 Prosser> as well as an older BSD sendmail 5.59 debug vulnerability
 Prosser> CERT Advisory CA-88.01,96.20, 24 and 25
 Prosser> which one are we talking about here
 Christey> Some of Steve's votes got lost somehow.  I found them and
 Christey> re-entered them, using his latest votes where conflicts
 Christey> occurred.
 Christey>
 Christey> With respect to CERT advisories, some of the advisories
 Christey> mentioned by Mike are superseded by others, and not available
 Christey> on the CERT web site.  However, this entry is referencing
 Christey> when Sendmail is configured with the Debug option enabled,
 Christey> as referred to in CA-88.01 and CA-93.14.


=================================
Candidate: CAN-1999-0096
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: XF:smtp-dcod

Sendmail decode alias can be used to overwrite sensitive files

Modifications:
  ADDREF CERT:CA-93.16
  ADDREF CERT:CA-95.05
  ADDREF CIAC:A-13
  ADDREF CIAC:A-14
  ADDREF SUN:00122

VOTES:
   ACCEPT(7) Hill, Frech, Blake, Northcutt, Proctor, Balinsky, Ozancin
   MODIFY(1) Prosser

COMMENTS:
 Prosser> additional sources
 Prosser> CERT Advisory CA-93:16, CA-95.05
 Prosser> http://www.cert.org
 Prosser> Sun Security Bulletin 00122
 Prosser> http://www.sunsolve.sun.com


=================================
Candidate: CAN-1999-0126
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: XF:xfree86-xterm-xaw
Reference: XF:xfree86-xaw

SGI IRIX buffer overflow in xterm and Xaw allows root access.

Modifications:
  ADDREF XF:xfree86-xterm-xaw
  ADDREF XF:xfree86-xaw

VOTES:
   ACCEPT(3) Northcutt, Prosser, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:xfree86-xterm-xaw
 Frech> XF:xfree86-xaw


=================================
Candidate: CAN-1999-0138
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid

The suidperl and sperl program do not give up root privileges when
changing UIDs back to the original users, allowing root access.

Modifications:
  ADDREF XF:sperl-suid

VOTES:
   ACCEPT(1) Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:sperl-suid


=================================
Candidate: CAN-1999-0150
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:perl-fingerd

The Perl fingerd program allows arbitrary command execution from
remote users.

Modifications:
  ADDREF XF:perl-fingerd

VOTES:
   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:perl-fingerd


=================================
Candidate: CAN-1999-0152
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd

The DG/UX finger daemon allows remote command execution through shell
metacharacters.

Modifications:
  ADDREF BUGTRAQ:19970811 dgux in.fingerd vulnerability

VOTES:
   ACCEPT(5) Hill, Frech, Northcutt, Proctor, Balinsky
   MODIFY(1) Prosser

COMMENTS:
 Prosser> additional resource
 Prosser> Bugtraq
 Prosser> "dgux in.fingerd vulnerability"
 Prosser> http://www.securityfocus.com/


=================================
Candidate: CAN-1999-0167
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-guess
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand

In SunOS, NFS file handles could be guessed, giving unauthorized
access to the exported file system.

Modifications:
  ADDREF CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand

VOTES:
   ACCEPT(6) Hill, Frech, Blake, Northcutt, Proctor, Balinsky
   MODIFY(1) Prosser

COMMENTS:
 Prosser> sort of an oldie source
 Prosser> CERT Security Alert CA-91:21
 Prosser> http://www.cert.org


=================================
Candidate: CAN-1999-0175
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-nov-convert

The convert.bas program in the Novell web server allows a remote
attackers to read any file on the system that is internally accessible
by the web server.

VOTES:
   ACCEPT(4) Hill, Frech, Blake, Northcutt


=================================
Candidate: CAN-1999-0183
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:linux-tftp

Linux implementations of TFTP would allow access to files outside the
restricted directory.

VOTES:
   ACCEPT(3) Hill, Frech, Landfield
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0202
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ftp-exectar

The GNU tar command, when used in FTP sessions, may allow an attacker
to execute arbitrary commands.

VOTES:
   ACCEPT(4) Hill, Frech, Northcutt, Proctor


=================================
Candidate: CAN-1999-0204
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ident-bo

Sendmail 8.6.9 allows remote attackers to execute root commands, using
ident.

Modifications:
  ADDREF XF:ident-bo

VOTES:
   ACCEPT(3) Hill, Balinsky, Landfield
   NOOP(1) Northcutt
   REVIEWING(1) Frech

COMMENTS:
 Frech> probably XF:ident-bo


=================================
Candidate: CAN-1999-0245
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus

Some configurations of NIS+ in Linux allowed attackers
to log in as the user "+"

Modifications:
  REFERENCE
  ADDREF BUGTRAQ:19950907 Linux NIS security problem hole and fix

VOTES:
   ACCEPT(3) Hill, Frech, Northcutt
   MODIFY(1) Prosser

COMMENTS:
 Prosser> source
 Prosser> BUGTRAQ
 Prosser> "Linux NIS security problem hole and fix"
 Prosser> http://www.securityfocus.com/


=================================
Candidate: CAN-1999-0260
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961224 jj cgi
Reference: XF:http-cgi-jj

The jj CGI program allows command execution via shell metacharacters.

Modifications:
  ADDREF XF:http-cgi-jj
  ADDREF BUGTRAQ:19961224 jj cgi

VOTES:
   ACCEPT(2) Hill, Ozancin
   MODIFY(1) Frech
   NOOP(2) Northcutt, Landfield

COMMENTS:
 Frech> XF:http-cgi-jj


=================================
Candidate: CAN-1999-0273
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:sun-telnet-kill

Denial of service through Solaris 2.5.1 telnet by sending ^D characters.

Modifications:
  ADDREF XF:sun-telnet-kill

VOTES:
   ACCEPT(3) Hill, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Meunier

COMMENTS:
 Frech> XF:sun-telnet-kill


=================================
Candidate: CAN-1999-0281
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-iis-longurl

Denial of service in IIS using long URLs.

Modifications:
  ADDREF XF:http-iis-longurl

VOTES:
   ACCEPT(6) Hill, Blake, Wall, Balinsky, Ozancin, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-iis-longurl


=================================
Candidate: CAN-1999-0289
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

The Apache web server for Win32 may provide access to restricted
files when a . (dot) is appended to a requested URL.

VOTES:
   ACCEPT(4) Hill, Blake, Landfield, Ozancin
   NOOP(1) Northcutt
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0346
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-php-mlog

CGI PHP mlog script allows an attacker to read any file on the target
server.

Modifications:
  ADDREF XF:http-cgi-php-mlog

VOTES:
   ACCEPT(2) Northcutt, Proctor
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-cgi-php-mlog


=================================
Candidate: CAN-1999-0348
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MSKB:Q197003

IIS ASP caching problem releases sensitive information when two
virtual servers share the same physical directory.

Modifications:
  ADDREF MSKB:Q197003

VOTES:
   ACCEPT(4) Northcutt, Prosser, Wall, Levy
   REVIEWING(1) Frech

COMMENTS:
 Prosser> additional source
 Prosser> MS KnowledgeBase Article Q197003
 Prosser> http://support.microsoft.com/support/kb/articles/q197/0/03.asp


=================================
Candidate: CAN-1999-0350
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Feb8,1999
Reference: XF:clearcase-temp-race

Race condition in the db_loader program in ClearCase gives local
users root access by setting SUID bits.

Modifications:
  ADDREF XF:clearcase-temp-race

VOTES:
   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:clearcase-temp-race


=================================
Candidate: CAN-1999-0362
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: EEYE:AD02021999
Reference: XF:wsftp-remote-dos
Reference: SF:217

WS_FTP server remote denial of service through cwd command.

VOTES:
   ACCEPT(4) Ozancin, Frech, Northcutt, Levy
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0368
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NETECT:palmetto.ftpd
Reference: CERT:CA-99.03
Reference: XF:palmetto-ftpd-bo

Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to
remote root access, a.k.a. palmetto.

Modifications:
  ADDREF XF:palmetto-ftpd-bo

VOTES:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:palmetto-ftpd-bo


=================================
Candidate: CAN-1999-0383
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb02,1999
Reference: XF:acc-tigris-login

ACC Tigris allows public access without a login.

Modifications:
  DESC change allowed to allows for consistency

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   NOOP(3) Wall, Northcutt, Landfield

COMMENTS:
 Frech> Change allowed to allows.


=================================
Candidate: CAN-1999-0388
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:datalynx-suguard-relative-paths
Reference: L0PHT:Jan3,1999

DataLynx suGuard trusts the PATH environment variable to execute the
ps command, allowing local users to execute commands as root.

VOTES:
   ACCEPT(4) Hill, Frech, Prosser, Northcutt


=================================
Candidate: CAN-1999-0391
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan. 5, 1999

The cryptographic challenge of SMB authentication in Windows 95 and
Windows 98 is reused, allowing an attacker to replay the response and
inpersonate a user.

VOTES:
   ACCEPT(4) Hill, Northcutt, Landfield, Levy
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0412
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute
Reference: SF:501

In IIS and other web servers, an attacker can attack commands as
SYSTEM if the server is running as SYSTEM and loading an ISAPI
extension.

VOTES:
   ACCEPT(2) Frech, Wall
   NOOP(1) Ozancin


=================================
Candidate: CAN-1999-0424
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite

talkback in Netscape 4.5 allows a local user to overwrite
arbitrary files of another user whose Netscape crashes.

VOTES:
   ACCEPT(3) Ozancin, Frech, Prosser
   REVIEWING(1) Wall

COMMENTS:
 Prosser> source should be
 Prosser> SuSE Security Announcements
 Prosser> "Security hole in Netscape Communicator's 4.5 'talkback' function"
 Prosser> http://www.suse.de/security


=================================
Candidate: CAN-1999-0425
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill

talkback in Netscape 4.5 allows a local user to kill an arbitrary
process of another user whose Netscape crashes.

VOTES:
   ACCEPT(3) Ozancin, Frech, Prosser
   REVIEWING(1) Wall

COMMENTS:
 Prosser> again source should be
 Prosser> SuSE Security Announcements
 Prosser> "Security hole in Netscape Communicator's 4.5 'talkback' function"
 Prosser> http://www.suse.de/security


=================================
Candidate: CAN-1999-0437
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-device-crash

Remote attackers can perform a denial of service in WebRamp systems by
sending a malicious string to the HTTP port.

Modifications:
  ADDREF XF:webramp-device-crash

VOTES:
   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   NOOP(2) Northcutt, Landfield

COMMENTS:
 Frech> XF:webramp-device-crash
 Landfield> - really should specify versions


=================================
Candidate: CAN-1999-0438
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-ipchange

Remote attackers can perform a denial of service in WebRamp systems by
sending a malicious UDP packet to port 5353, changing its IP address.

Modifications:
  ADDREF XF:webramp-ipchange

VOTES:
   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   NOOP(2) Northcutt, Landfield

COMMENTS:
 Frech> XF:webramp-ipchange
 Landfield> - really should specify versions


=================================
Candidate: CAN-1999-0448
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:iis-http-request-logging

IIS 4.0 and Apache log HTTP request methods, regardless of how long
they are, allowing a remote attacker to hide the URL they really
request.

VOTES:
   ACCEPT(3) Frech, Wall, Levy
   NOOP(2) Ozancin, Landfield


=================================
Candidate: CAN-1999-0449
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: XF:iis-exair-dos
Reference: SF:193

Denial of service in IIS 4 with scripts from the ExAir sample site.

VOTES:
   ACCEPT(4) Wall, Frech, Northcutt, Levy


=================================
Candidate: CAN-1999-0458
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan6,1999
Reference: XF:l0phtcrack-temp-files

L0phtcrack 2.5 used temporary files in the system TEMP directory which
could contain password information.

Modifications:
  ADDREF XF:l0phtcrack-temp-files

VOTES:
   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech
   NOOP(2) Landfield, Levy

COMMENTS:
 Frech> XF:l0phtcrack-temp-files


=================================
Candidate: CAN-1999-0494
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:wingate-pop3-user-bo

Denial of service in WinGate proxy through a buffer overflow in
POP3.

VOTES:
   ACCEPT(5) Hill, Frech, Northcutt, Landfield, Ozancin


=================================
Candidate: CAN-1999-0514
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: XF:fraggle

UDP messages to broadcast addresses are allowed, allowing for a
Fraggle attack that can cause a denial of service by flooding the
target.

Modifications:
  ADDREF XF:fraggle
  DESC clarified at Landfield's prompting

VOTES:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   REVIEWING(1) Landfield

COMMENTS:
 Frech> XF:fraggle
 Landfield> System ? General Stack issue ?  This is not clear.


=================================
Candidate: CAN-1999-0526
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: XF:xcheck-keystroke

An X server's access control is disabled (e.g. through an "xhost +"
command) and allows anyone to connect to the server.

Modifications:
  ADDREF XF:xcheck-keystroke
  DESC Rephrase per Northcutt's suggestion

VOTES:
   ACCEPT(4) Hill, Blake, Proctor, Balinsky
   MODIFY(2) Frech, Northcutt

COMMENTS:
 Frech> XF:xcheck-keystroke
 Northcutt> X does have some access control as long as a user (insider) doesn't type
 Northcutt> "xhost +". I don't think an outsider can disable the access.
 Northcutt> Suggested phrasing "An X server's access control can be disabled e.g.
 Northcutt> through an "xhost +" command and allows anyone to connect to the server."

Page Last Updated or Reviewed: May 22, 2007