Common Vulnerabilities and Exposures

CVE (version 20061101) and Candidates as of 20130619

Description:
ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

Status: Candidate
Phase: Modified (20051217)
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707

Votes:

   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

 Christey> A Bugtraq posting indicates that the bug has to do with
   "short packets with certain options set," so the description
   should be modified accordingly.
   
   But is this the same as CVE-1999-0052?  That one is related
   to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CVE-1999-0001 are in lines 388&446.  So, 
   CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.
 Christey> The description for BID:190, which links to CVE-1999-0052 (a
   FreeBSD advisory), notes that the patches provided by FreeBSD in
   CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and
   CVE-1999-0052.  CERT:CA-1998-13 is too vague to be sure without
   further analysis.

Description:
Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

Status: Entry
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: XF:linux-mountd-bo

Description:
Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd).

Status: Entry
Reference: NAI:NAI-29
Reference: CERT:CA-98.11.tooltalk
Reference: SGI:19981101-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-A
Reference: SGI:19981101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981101-01-PX
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: BID:122
Reference: URL:http://www.securityfocus.com/bid/122

Description:
MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

Votes:

   ACCEPT(8) Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
   this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> 
   CVE-2000-0415 may be a later rediscovery of this problem
   for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

Description:
Arbitrary command execution via IMAP buffer overflow in authenticate command.

Status: Entry
Reference: CERT:CA-98.09.imapd
Reference: SUN:00177
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
Reference: BID:130
Reference: URL:http://www.securityfocus.com/bid/130
Reference: XF:imap-authenticate-bo

Description:
Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

Status: Entry
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Reference: BID:133
Reference: URL:http://www.securityfocus.com/bid/133

Description:
Information from SSL-encrypted sessions via PKCS #1.

Status: Entry
Reference: CERT:CA-98.07.PKCS
Reference: MS:MS98-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-002.mspx
Reference: XF:nt-ssl-fix

Description:
Buffer overflow in NIS+, in Sun's rpc.nisd program.

Status: Entry
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Description:
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

Status: Entry
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: CERT:CA-98.05.bind_problems
Reference: XF:bind-bo
Reference: BID:134
Reference: URL:http://www.securityfocus.com/bid/134

Description:
Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.

Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: XF:bind-dos

Description:
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

Status: Entry
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
Reference: SUN:00180
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180
Reference: XF:bind-axfr-dos

Description:
Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.

Status: Entry
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Description:
Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

Status: Entry
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Description:
Unauthorized privileged access or denial of service via dtappgather program in CDE.

Status: Entry
Reference: HP:HPSBUX9801-075
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
Reference: SUN:00185
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185
Reference: CERT:CA-98.02.CDE

Description:
Teardrop IP denial of service.

Status: Candidate
Phase: Modified (20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5579
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5579
Reference: XF:teardrop

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104)
   indicate that CVE-1999-0015 was fixed in NT SP3, but
   CVE-1999-0104 was not.  Thus CD:SF-LOC suggests that the
   problems keep separate candidates because one problem appears
   in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

Description:
Land IP denial of service.

Status: Entry
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FREEBSD:FreeBSD-SA-98:01
Reference: HP:HPSBUX9801-076
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-patch
Reference: XF:ver-tcpip-sys

Description:
FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Status: Entry
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

Description:
Buffer overflow in statd allows root privileges.

Status: Entry
Reference: CERT:CA-97.26.statd
Reference: AUSCERT:AA-97.29
Reference: XF:statd
Reference: BID:127
Reference: URL:http://www.securityfocus.com/bid/127

Description:
Delete or create a file via rpc.statd, due to invalid information.

Status: Entry
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/135

Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0032. Reason: This candidate is a duplicate of CVE-1999-0032. Notes: All CVE users should reference CVE-1999-0032 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status: Candidate
Phase: Modified (20050204)

Votes:

   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(2) Baker, Christey

 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

Description:
Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

Status: Entry
Reference: BUGTRAQ:19971010 Security flaw in Count.cgi (wwwcount)
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count
Reference: BID:128
Reference: URL:http://www.securityfocus.com/bid/128

Description:
Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Status: Entry
Reference: CERT:CA-97.23.rdist
Reference: SUN:00179
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/179
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Description:
Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Status: Entry
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Description:
DNS cache poisoning via BIND, by predictable query IDs.

Status: Entry
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

Description:
root privileges via buffer overflow in df command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-1997-21
Reference: URL:http://www.cert.org/advisories/CA-1997-21.html
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: SGI:SGI:19970505-01-A
Reference: SGI:SGI:19970505-02-PX
Reference: CERT-VN:VU#20851
Reference: URL:http://www.kb.cert.org/vuls/id/20851
Reference: BID:346
Reference: URL:http://www.securityfocus.com/bid/346
Reference: XF:df-bo(440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/440

Description:
root privileges via buffer overflow in pset command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo

Description:
root privileges via buffer overflow in eject command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo

Description:
root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
Reference: XF:sgi-schemebo

Description:
root privileges via buffer overflow in ordist command on SGI IRIX systems.

Status: Entry
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo

Description:
root privileges via buffer overflow in xlock command on SGI IRIX systems.

Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

Votes:

   ACCEPT(3) Levy, Ozancin, Prosser
   NOOP(1) Baker
   RECAST(1) Frech
   REJECT(1) Christey

 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
   several Linii.
   Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
   login/scheme.
 Levy> Notice that this xlock overflow is the same as in
   CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more
   information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038.
   This may also be a duplicate with CVE-1999-0306.
   
   See exploits at:
   
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

Description:
JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

Status: Entry
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

Description:
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Status: Entry
Reference: BUGTRAQ:19960813 Possible bufferoverflow condition in lpr, xterm and xload
Reference: BUGTRAQ:19961025 Linux & BSD's lpr exploit
Reference: MLIST:[freebsd-security] 19961025 Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Reference: MLIST:[linux-security] 19961122 LSF Update#14: Vulnerability of the lpr program.
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:H-08
Reference: CIAC:I-042
Reference: URL:http://www.ciac.org/ciac/bulletins/i-042.shtml
Reference: SGI:19980402-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX
Reference: BID:707
Reference: URL:http://www.securityfocus.com/bid/707
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo

Description:
Command execution in Sun systems via buffer overflow in the at program.

Status: Candidate
Phase: Modified (20040811)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Votes:

   ACCEPT(8) Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
   NOOP(1) Christey
   RECAST(1) Frech

 Frech> This vulnerability also manifests itself for the following 
   platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
   please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

Description:
Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

Status: Entry
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Description:
Race condition in signal handling routine in ftpd, allowing read/write arbitrary files.

Status: Entry
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Description:
IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

Status: Entry
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: CIAC:H-106
Reference: URL:http://www.ciac.org/ciac/bulletins/h-106.shtml
Reference: SGI:19970508-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970508-02-PX
Reference: OSVDB:990
Reference: URL:http://www.osvdb.org/990
Reference: XF:sgi-lockout(557)
Reference: URL:http://xforce.iss.net/xforce/xfdb/557

Description:
Arbitrary command execution via metamail package using message headers, when user processes attacker's message using metamail.

Status: Entry
Reference: CERT:CA-97.14.metamail
Reference: XF:metamail-header-commands

Description:
Buffer overflow in xlock program allows local users to execute commands as root.

Status: Entry
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Description:
webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

Status: Entry
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in
Reference: BUGTRAQ:19970507 Re: SGI Advisory: webdist.cgi
Reference: CERT:CA-1997-12
Reference: URL:http://www.cert.org/advisories/CA-1997-12.html
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:374
Reference: URL:http://www.securityfocus.com/bid/374
Reference: OSVDB:235
Reference: URL:http://www.osvdb.org/235
Reference: XF:http-sgi-webdist(333)
Reference: URL:http://xforce.iss.net/xforce/xfdb/333

Description:
Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

Status: Entry
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Description:
Buffer overflow in NLS (Natural Language Service).

Status: Entry
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Description:
Buffer overflow in University of Washington's implementation of IMAP and POP servers.

Status: Entry
Reference: NAI:NAI-21
Reference: CERT:CA-97.09.imap_pop
Reference: XF:popimap-bo

Description:
Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

Status: Entry
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Description:
fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

Status: Entry
Reference: SGI:19970301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P
Reference: XF:sgi-fsdump

Description:
List of arbitrary files on Web host via nph-test-cgi script.

Status: Entry
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

Description:
Buffer overflow of rlogin program using TERM environmental variable.

Status: Entry
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Description:
MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4.

Status: Entry
Reference: CERT:CA-97.05.sendmail
Reference: BID:685
Reference: URL:http://www.securityfocus.com/bid/685
Reference: XF:sendmail-mime-bo2

Description:
Talkd, when given corrupt DNS information, can be used to execute arbitrary commands with root privileges.

Status: Entry
Reference: CERT:CA-97.04.talkd
Reference: FREEBSD:FreeBSD-SA-96:21
Reference: AUSCERT:AA-97.01
Reference: SUN:00147
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/147
Reference: XF:talkd-bo
Reference: XF:netkit-talkd

Description:
Csetup under IRIX allows arbitrary file creation or overwriting.

Status: Entry
Reference: XF:sgi-csetup
Reference: CERT:CA-97.03.csetup

Description:
Buffer overflow in HP-UX newgrp program.

Status: Entry
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Description:
Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Status: Entry
Reference: XF:sgi-licensemanager
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Description:
IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:08
Reference: OSVDB:908
Reference: URL:http://www.osvdb.org/908
Reference: XF:freebsd-ip-frag-dos(1389)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1389

Description:
TCP RST denial of service in FreeBSD.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:07
Reference: OSVDB:6094
Reference: URL:http://www.osvdb.org/6094

Description:
Sun's ftpd daemon can be subjected to a denial of service.

Status: Entry
Reference: SUN:00171
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/171
Reference: XF:sun-ftpd

Description:
Buffer overflows in Sun libnsl allow root access.

Status: Entry
Reference: SUN:00172
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172
Reference: AIXAPAR:IX80543
Reference: URL:http://www-1.ibm.com/support/search.wss?rs=0&q=IX80543&apar=only
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Description:
Buffer overflow in Sun's ping program can give root access to local users.

Status: Entry
Reference: SUN:00174
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/174
Reference: XF:sun-ping

Description:
Vacation program allows command execution by remote users through a sendmail command.

Status: Entry
Reference: NAI:NAI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9811-087

Description:
Buffer overflow in PHP cgi program, php.cgi allows shell access.

Status: Entry
Reference: NAI:NAI-12
Reference: BID:712
Reference: URL:http://www.securityfocus.com/bid/712
Reference: XF:http-cgi-phpbo

Description:
IRIX fam service allows an attacker to obtain a list of all files on the server.

Status: Entry
Reference: NAI:NAI-16
Reference: BID:353
Reference: URL:http://www.securityfocus.com/bid/353
Reference: OSVDB:164
Reference: URL:http://www.osvdb.org/164
Reference: XF:irix-fam(325)
Reference: URL:http://xforce.iss.net/xforce/xfdb/325

Description:
Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.

Status: Entry
Reference: NAI:NAI-26
Reference: XF:ascend-config-kill
Reference: ASCEND:http://www.ascend.com/2695.html

Description:
File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Status: Candidate
Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

Votes:

   ACCEPT(3) Frech, Hill, Northcutt
   RECAST(1) Baker
   REVIEWING(1) Christey

 Christey> This should be split into three separate problems based on
   the SNI advisory.  But there's newer information to further
   complicate things.
   
   What do we do about this one?  in 1997 or so, SNI did an
   advisory on this problem.  In early 2000, it was still
   discovered to be present in some Linux systems.  So an 
   SF-DISCOVERY content decision might say that this is a
   long enough time between the two, so this should be recorded
   separately.  But they're the same codebase... so if we keep
   them in the same entry, how do we make sure that this entry
   reflects that some new information has been discovered?
   
   The use of dot notation may help in this regard, to use one
   dot for the original problem as discovered in 1997, and
   another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.
 Christey> Perhaps this should be NAI-19 instead of NAI-20?
   The original Bugtraq post for the SNI advisory suggests SNI-19:
   BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
   URL:SNI-19:BSD lpd vulnerability
   
   Also add:
   BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
   
   However, archives of "NAI-0020" point to the lpd vuln.
   
   If I recall correctly, some of the NAI advisory numbers got
   switched when NAI acquired SNI.

Description:
The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

Status: Entry
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28
Reference: OSVDB:7559
Reference: URL:http://www.osvdb.org/7559

Description:
Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.

Status: Entry
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Reference: XF:cisco-syslog-crash

Description:
Buffer overflow in AIX lquerylv program gives root access to local users.

Status: Entry
Reference: BUGTRAQ:May28,1997
Reference: XF:lquerylv-bo

Description:
Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.

Status: Entry
Reference: SUN:00181
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/181
Reference: XF:hp-dtmail

Description:
AnyForm CGI remote execution.

Status: Entry
Reference: BUGTRAQ:19950731 SECURITY HOLE: "AnyForm" CGI
Reference: BID:719
Reference: URL:http://www.securityfocus.com/bid/719
Reference: XF:http-cgi-anyform

Description:
phf CGI program allows remote command execution through shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19960923 PHF Attacks - Fun and games for the whole family
Reference: CERT:CA-1996-06
Reference: URL:http://www.cert.org/advisories/CA-1996-06.html
Reference: AUSCERT:AA-96.01
Reference: BID:629
Reference: URL:http://www.securityfocus.com/bid/629
Reference: OSVDB:136
Reference: URL:http://www.osvdb.org/136
Reference: XF:http-cgi-phf

Description:
CGI PHP mylog script allows an attacker to read any file on the target server.

Status: Entry
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: XF:http-cgi-php-mylog
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: OSVDB:3396
Reference: URL:http://www.osvdb.org/3396

Description:
Solaris ufsrestore buffer overflow.

Status: Entry
Reference: SUN:00169
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/169
Reference: XF:sun-ufsrestore
Reference: OSVDB:8158
Reference: URL:http://www.osvdb.org/8158

Description:
test-cgi program allows an attacker to list files on the server.

Status: Entry
Reference: XF:http-cgi-test

Description:
Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

Status: Entry
Reference: XF:http-apache-cookie
Reference: NAI:NAI-2

Description:
Buffer overflow in AIX xdat gives root access to local users.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:004.1
Reference: XF:ibm-xdat

Description:
Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

Status: Entry
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Description:
Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Status: Entry
Reference: XF:seqport

Description:
PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV command after specifying a username and password.

Status: Entry
Reference: BUGTRAQ:19961016 Re: ftpd bug? Was: bin/1805: Bug in ftpd
Reference: XF:ftp-pasvcore
Reference: OSVDB:5742
Reference: URL:http://www.osvdb.org/5742

Description:
Buffer overflow in wu-ftp from PASV command causes a core dump.

Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:ftp-args

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Balinsky
   REVIEWING(1) Christey

 Balinsky> Don't know what this is.  Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

Description:
Predictable TCP sequence numbers allow spoofing.

Status: Entry
Reference: XF:tcp-seq-predict(139)
Reference: URL:http://xforce.iss.net/static/139.php

Description:
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

Votes:

   ACCEPT(5) Collins, Frech, Landfield, Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Christey

 Christey> This candidate should be SPLIT, since there are two separate
   software flaws.  One is a symlink race and the other is a
   shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to
   overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I

Description:
Remote attackers can cause a denial of service in FTP by issuing multiple PASV commands, causing the server to run out of available ports.

Status: Entry
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Description:
Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH setting to a directory with dangerous commands, such as /bin, which allows remote authenticated users to gain root access via the "site exec" command.

Status: Entry
Reference: BUGTRAQ:19950531 SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

Description:
wu-ftp allows files to be overwritten via the rnfr command.

Status: Entry
Reference: XF:ftp-rnfr

Description:
CWD ~root command in ftpd allows root access.

Status: Entry
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

Description:
getcwd() file descriptor leak in FTP.

Status: Entry
Reference: XF:cwdleak

Description:
Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.

Status: Entry
Reference: XF:nfs-mknod(78)
Reference: URL:http://xforce.iss.net/xforce/xfdb/78

Description:
Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.

Status: Entry
Reference: BUGTRAQ:19960821 rwhod buffer overflow
Reference: XF:rwhod(119)
Reference: URL:http://xforce.iss.net/xforce/xfdb/119
Reference: XF:rwhod-vuln(118)
Reference: URL:http://xforce.iss.net/xforce/xfdb/118

Description:
AIX routed allows remote users to modify sensitive files.

Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

Votes:

   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REJECT(1) Christey

 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
   the problem.  Should this be more specific in the description? This
   one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
   is in the SGI cluster, shouldn't these be cross-referenced as the same
   vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

Description:
Denial of service in AIX telnet can freeze a system and prevent users from accessing the server.

Status: Entry
Reference: XF:ibm-telnetdos
Reference: ERS:ERS-SVA-E01-1998:003.1
Reference: OSVDB:7992
Reference: URL:http://www.osvdb.org/7992

Description:
IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Status: Candidate
Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

Votes:

   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
   remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
   description.
   SGI Security Advisory 19981005-01-PX
 Christey> DUPE CVE-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210.  Perhaps they should be a single entry

Description:
Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Votes:

   ACCEPT(2) Northcutt, Shostack
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects
   dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
   specific.
 Christey> Same Codebase as CVE-1999-0121, so the two entries should be
   merged.

Description:
Buffer overflow in AIX rcp command allows local users to obtain root access.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-rcp

Description:
Buffer overflow in AIX writesrv command allows local users to obtain root access.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-writesrv

Description:
Various vulnerabilities in the AIX portmir command allows local users to obtain root access.

Status: Candidate
Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1

Votes:

   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

 Frech> XF:ibm-portmir

Description:
AIX nslookup command allows local users to obtain root access by not dropping privileges correctly.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:008.1
Reference: XF:ibm-nslookup

Description:
AIX piodmgrsu command allows local users to gain additional group privileges.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:007.1
Reference: XF:ibm-piodmgrsu

Description:
The debug command in Sendmail is enabled, allowing attackers to execute commands as root.

Status: Entry
Reference: CERT:CA-88.01
Reference: CERT:CA-93.14
Reference: BID:1
Reference: URL:http://www.securityfocus.com/bid/1
Reference: OSVDB:195
Reference: URL:http://www.osvdb.org/195
Reference: XF:smtp-debug

Description:
Sendmail decode alias can be used to overwrite sensitive files.

Status: Entry
Reference: CERT:CA-93.16
Reference: CERT:CA-95.05
Reference: CIAC:A-13
Reference: CIAC:A-14
Reference: SUN:00122
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba
Reference: XF:smtp-dcod

Description:
The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

Description:
Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Status: Candidate
Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo

Votes:

   MODIFY(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Frech> (Accept XF reference.)
   Our references do not mention hiding activities. This issue can crash the
   SMTP server or execute arbitrary byte-code. Is there another reference
   available?
 Christey> Should this be merged with CVE-1999-0284, which is Sendmail
   with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
 Baker> Apparently this XF reference is not for this issue, but for the other issue.  This should be modified to have the Bugtraq references, and remove the XF reference.

Description:
Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

Status: Entry
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Description:
Remote access in AIX innd 1.5.1, using control messages.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:002.1
Reference: XF:inn-controlmsg

Description:
Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.

Status: Entry
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
Reference: NAI:NAI-1
Reference: XF:ghbn-bo

Description:
Buffer overflow in SLmail 3.x allows attackers to execute commands using a large FROM line.

Status: Entry
Reference: XF:slmail-fromheader-overflow

Description:
Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

Status: Entry
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:echo
Reference: XF:chargen
Reference: XF:chargen-patch

Description:
A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

Status: Candidate
Phase: Modified (20090302)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: OVAL:oval:org.mitre.oval:def:5743
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5743
Reference: XF:teardrop-mod

Votes:

   ACCEPT(2) Frech, Wall
   REVIEWING(1) Christey

 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords
   included in the KB article specifically name bonk
   (CVE-1999-0258) and boink.
   Since teardrop2 was fixed in a slightly different version
   (at least in a separate patch) than Teardrop, CD:SF-LOC
   suggests keeping them separate.
 Christey> Add period to the end of the description.

Description:
finger allows recursive searches by using a long string of @ symbols.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   MODIFY(3) Baker, Frech, Shostack
   NOOP(1) Christey
   REJECT(1) Northcutt

 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might
   overlap CVE-1999-0106)
 Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.

Description:
Finger redirection allows finger bombs.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Baker
   REVIEWING(1) Christey

 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of the 
   vulnerability, one that I can finger anonymously, and the other that I 
   can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs
 Baker> This should be merged with 1999-0105

Description:
Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Status: Candidate
Phase: Modified (19991223-01)
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy
   REVOTE(1) Christey

 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

Description:
The printers program in IRIX has a buffer overflow that gives root access to local users.

Status: Entry
Reference: BUGTRAQ:another day, another buffer overflow...
Reference: XF:printers-bo

Description:
Buffer overflow in ffbconfig in Solaris 2.5.1.

Status: Entry
Reference: SUN:00140
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/140
Reference: AUSCERT:AA-97.06
Reference: XF:ffbconfig-bo

Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0315. Reason: This candidate's original description had a typo that delayed it from being detected as a duplicate of CVE-1999-0315. Notes: All CVE users should reference CVE-1999-0315 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status: Candidate
Phase: Interim (19990810)

Votes:

   MODIFY(1) Frech
   NOOP(4) Levy, Northcutt, Shostack, Wall
   REJECT(3) Baker, Christey, Dik

 Frech> XF:fdformat-bo
 Christey> Duplicate of CVE-1999-0315
 Dik> dup

Description:
RIP v1 is susceptible to spoofing.

Status: Entry
Reference: XF:rip

Description:
Buffer overflow in AIX dtterm program for the CDE.

Status: Entry
Reference: BUGTRAQ:19970520 AIX 4.2 dtterm exploit
Reference: XF:dtterm-bo(878)
Reference: URL:http://xforce.iss.net/xforce/xfdb/878

Description:
Some implementations of rlogin allow root access if given a -froot parameter.

Status: Entry
Reference: BUGTRAQ:19940729 -froot??? (AIX rlogin bug)
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: CIAC:E-26
Reference: BID:458
Reference: URL:http://www.securityfocus.com/bid/458
Reference: XF:rlogin-froot

Description:
Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.

Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Votes:

   ACCEPT(7) Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall
   MODIFY(2) Baker, Frech
   NOOP(3) Christey, Northcutt, Ozancin
   REVIEWING(1) Levy

 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm	Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right
   problem, especially since the CERT advisory is dated December
   18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security
   Focus think that the 1999 post describes a different
   vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site.  How about XF:elm-filter(402) ?
   Its references point to the December 26, 1995 BUgtraq post.
   
   Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711)
   ADDREF:XF:elm-filter(402)

Description:
AIX bugfiler program allows local users to gain root access.

Status: Entry
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800

Description:
Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.

Status: Entry
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
Reference: SUN:00136
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136

Description:
AIX passwd allows local users to gain root access.

Status: Entry
Reference: XF:ibm-passwd
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

Description:
AIX infod allows local users to gain root access through an X display.

Status: Entry
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

Description:
Windows NT 4.0 beta allows users to read and delete shares.

Status: Candidate
Phase: Proposed (19990728)

Votes:

   MODIFY(1) Frech
   NOOP(2) Baker, Northcutt
   REJECT(1) Wall

 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11)
   Reconsider reject, because this beta was in widespread use.

Description:
Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

Status: Entry
Reference: SUN:00126
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/126
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Description:
Buffer overflow in dtaction command gives root access.

Status: Candidate
Phase: Proposed (19990617)
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Votes:

   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Baker, Frech, Prosser
   REVIEWING(1) Christey

 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
   library in AIX 4.x, but reference for this Sun vulnerability should
   only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
   Bulletin
 Christey> This is the Same Codebase as CVE-1999-0089, so the two entries
   should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

Description:
Buffer overflow in AIX lchangelv gives root access.

Status: Entry
Reference: BUGTRAQ:Jul21,1999
Reference: XF:lchangelv-bo

Description:
Race condition in Linux mailx command allows local users to read user files.

Status: Candidate
Phase: Modified (20000105-01)
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Wall

Description:
Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

Status: Entry
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Description:
Buffer overflow in SGI IRIX mailx program.

Status: Entry
Reference: XF:sgi-mailx-bo
Reference: SGI:19980605-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980605-01-PX

Description:
SGI IRIX buffer overflow in xterm and Xaw allows root access.

Status: Entry
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
Reference: URL:http://www.ciac.org/ciac/bulletins/j-010.shtml
Reference: XF:xfree86-xterm-xaw
Reference: XF:xfree86-xaw

Description:
swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

Votes:

   ACCEPT(2) Baker, Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> (keep current XF: reference, and add)
   XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064  references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   
   The original AUSCERT advisory says that the programs "create
   files in an insecure manner" and "Exploit details involving
   this vulnerability have been made publicly available." which
   leads one to assume that the following original Bugtraq post
   provides the details for a standard symlink problem:
   
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

Description:
Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

Status: Entry
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Description:
Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Status: Entry
Reference: CERT:CA-96.25.sendmail_groups

Description:
Local users can start Sendmail in daemon mode and gain root privileges.

Status: Entry
Reference: CERT:CA-96.24.sendmail.daemon.mode
Reference: BID:716
Reference: URL:http://www.securityfocus.com/bid/716
Reference: XF:sendmail-daemon-mode

Description:
Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Status: Entry
Reference: CERT:CA-96.20.sendmail_vul
Reference: XF:smtp-875bo
Reference: BID:717
Reference: URL:http://www.securityfocus.com/bid/717

Description:
Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Status: Entry
Reference: CERT:CA-1996-19
Reference: URL:http://www.cert.org/advisories/CA-1996-19.html
Reference: OSVDB:11723
Reference: URL:http://www.osvdb.org/11723
Reference: XF:expreserve(401)
Reference: URL:http://xforce.iss.net/xforce/xfdb/401

Description:
fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

Status: Entry
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

Description:
vold in Solaris 2.x allows local users to gain root access.

Status: Entry
Reference: XF:sol-voldtmp
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04
Reference: OSVDB:8159
Reference: URL:http://www.osvdb.org/8159

Description:
admintool in Solaris allows a local user to write to arbitrary files and gain root access.

Status: Entry
Reference: XF:sun-admintool
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

Description:
Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

Status: Entry
Reference: XF:sol-KCMSvuln
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Description:
The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

Status: Entry
Reference: XF:linux-dipbo
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

Description:
The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.

Status: Entry
Reference: CERT:CA-96.12.suidperl_vul
Reference: XF:sperl-suid

Description:
Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

Status: Entry
Reference: XF:sol-mkcookie
Reference: RSI:RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Reference: OSVDB:8205
Reference: URL:http://www.osvdb.org/8205

Description:
Denial of service in RAS/PPTP on NT systems.

Status: Candidate
Phase: Proposed (19990630)

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

 Meunier> Add "pptp invalid packet length in header" to distinguish from other
   vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
   discovered in the future.
 Frech> XF:nt-ras-bo
   ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem
   referred to by Andre.  However, I have yet to dig up a
   source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed.
   More precise candidates should be created.
 Christey> Consider adding BID:2111

Description:
Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.

Status: Entry
Reference: XF:http-java-applet
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/134

Description:
The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

Status: Entry
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

Description:
Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

Status: Entry
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Description:
Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Status: Candidate
Phase: Modified (20010301-02)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Votes:

   ACCEPT(4) Baker, Frech, Hill, Meunier
   REVIEWING(1) Christey

 Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
   His page states this is not a qmail problem, rather it is a UNIX problem
   that many apps can consume all available memory, and that the administrator
   is responsible to set limits in the OS, rather than expect applications to
   individually prevent memory exhaustion.  CAN 1999-0250 does appear to
   be a duplicate of this entry, based on the research I have done so far.
   There were two different bugtraq postings, but the second one references
   the first, stating that the new exploit uses perl instead of shell scripting
   to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   
   Should probably reject CVE-1999-0250, and add these references to this
   Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   NOTE: the ufo.org domain was purchased by another party in
   2003, so the current owner is not associated with any
   statements by "super@ufo.org" that were made before 2003.
   
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."

Description:
Sendmail WIZ command enabled, allowing root access.

Status: Entry
Reference: CERT:CA-1990-11
Reference: URL:http://www.cert.org/advisories/CA-1990-11.html
Reference: CERT:CA-1993-14
Reference: URL:http://www.cert.org/advisories/CA-1993-14.html
Reference: BUGTRAQ:19950206 sendmail wizard thing...
Reference: URL:http://www2.dataguard.no/bugtraq/1995_1/0332.html
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
Reference: URL:http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

Description:
The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.

Status: Entry
Reference: BUGTRAQ:19970715 Bug CGI campas
Reference: BID:1975
Reference: URL:http://www.securityfocus.com/bid/1975
Reference: XF:http-cgi-campas(298)
Reference: URL:http://xforce.iss.net/xforce/xfdb/298

Description:
The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.

Status: Entry
Reference: XF:http-cgi-glimpse
Reference: AUSCERT:AA-97.28

Description:
The handler CGI program in IRIX allows arbitrary command execution.

Status: Entry
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:380
Reference: URL:http://www.securityfocus.com/bid/380
Reference: XF:http-sgi-handler

Description:
The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19970420 IRIX 6.x /cgi-bin/wrap bug
Reference: SGI:19970501-02-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX
Reference: BID:373
Reference: URL:http://www.securityfocus.com/bid/373
Reference: OSVDB:247
Reference: URL:http://www.osvdb.org/247
Reference: XF:http-sgi-wrap(290)
Reference: URL:http://xforce.iss.net/xforce/xfdb/290

Description:
The Perl fingerd program allows arbitrary command execution from remote users.

Status: Entry
Reference: XF:perl-fingerd

Description:
The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

Status: Entry
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

Description:
The DG/UX finger daemon allows remote command execution through shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19970811 dgux in.fingerd vulnerability
Reference: XF:dgux-fingerd

Description:
Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

Status: Entry
Reference: XF:win-oob
Reference: OSVDB:1666
Reference: URL:http://www.osvdb.org/1666

Description:
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Status: Candidate
Phase: Proposed (20010912)
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

Votes:

   ACCEPT(4) Foat, Frech, Stracener, Wall
   NOOP(3) Baker, Christey, Cole

 Christey> This is the precursor to the problem that is identified in
   CVE-1999-0253.  
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

Description:
The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

Status: Entry
Reference: XF:gscript-dsafer
Reference: CERT:CA-95.10.ghostscript

Description:
wu-ftpd FTP daemon allows any user and password combination.

Status: Candidate
Phase: Proposed (19990714)
Reference: XF:ftp-pwless

Votes:

   ACCEPT(2) Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser

 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie,
   also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough,
   e.g. in terms of version numbers.  Perhaps this candidate
   should be rejected due to insufficient information.

Description:
Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml
Reference: XF:cisco-fragmented-attacks
Reference: OSVDB:1097
Reference: URL:http://www.osvdb.org/1097

Description:
Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

Status: Entry
Reference: CISCO:20010913 Cisco PIX Firewall Manager File Exposure
Reference: URL:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml
Reference: XF:cisco-pix-file-exposure
Reference: OSVDB:685
Reference: URL:http://www.osvdb.org/685

Description:
Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
Reference: XF:cisco-ios-crash

Description:
Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

Status: Entry
Reference: CISCO:19971001 Vulnerabilities in Cisco CHAP Authentication
Reference: CIAC:I-002A
Reference: OSVDB:1099
Reference: URL:http://www.osvdb.org/1099
Reference: XF:cisco-chap

Description:
In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/707/1.html
Reference: XF:cisco-acl-tacacs
Reference: OSVDB:797
Reference: URL:http://www.osvdb.org/797

Description:
The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

Status: Entry
Reference: CISCO:19950601 "Established" Keyword May Allow Packets to Bypass Filter
Reference: XF:cisco-acl-established

Description:
In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Status: Candidate
Phase: Proposed (19990714)
Reference: XF:smtp-pipe

Votes:

   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Baker, Christey
   RECAST(1) Shostack

 Shostack> there was a 'To: |' and a 'From: |' attack, which I
   think are seperate.
 Prosser> older vulnerability, but one additional reference is-
   The Ultimate Sendmail Hole List by Markus Hübner @
   bau2.uibk.ac.at/matic/buglist.htm
   '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between
   this and CVE-1999-0203, as alluded to by Adam Shostack

Description:
A race condition in the Solaris ps command allows an attacker to overwrite critical files.

Status: Entry
Reference: XF:sol-pstmprace
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
Reference: OSVDB:8346
Reference: URL:http://www.osvdb.org/8346

Description:
NFS cache poisoning.

Status: Candidate
Phase: Modified (20040811)
Reference: XF:nfs-cache

Votes:

   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

Description:
NFS allows users to use a "cd .." command to access other directories besides the exported file system.

Status: Entry
Reference: XF:nfs-cd

Description:
In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

Status: Entry
Reference: XF:nfs-guess
Reference: CERT:CA-91.21.SunOS.NFS.Jumbo.and.fsirand

Description:
The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

Status: Entry
Reference: XF:nfs-portmap

Description:
NFS allows attackers to read and write any file on the system by specifying a false UID.

Status: Candidate
Phase: Proposed (19990714)
Reference: XF:nfs-uid

Votes:

   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Baker
   REJECT(1) Shostack

 Shostack> this is not a vulnerability but a design feature.
 Baker> Maybe we should reword it so that it is clear that this was a problem to something like:
   
   "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

Description:
Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list.

Status: Entry
Reference: XF:nfs-ultrix

Description:
Denial of service in syslog by sending it a large number of superfluous messages.

Status: Candidate
Phase: Proposed (19990714)
Reference: XF:syslog-flood

Votes:

   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Christey, Shostack

 Shostack> design issue, not a vulnerability.  Alternately, add:
   DOS on server by opening a large number of telnet sessions..
 Christey> Duplicate of CVE-1999-0566

Description:
FormMail CGI program allows remote execution of commands.

Status: Entry
Reference: XF:http-cgi-formmail-exe
Reference: BUGTRAQ:Aug02,1995

Description:
FormMail CGI program can be used by web servers other than the host server that the program resides on.

Status: Entry
Reference: XF:http-cgi-formmail-use

Description:
The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

Status: Entry
Reference: BUGTRAQ:19970208 view-source
Reference: XF:http-cgi-viewsrc

Description:
The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.

Status: Entry
Reference: XF:http-nov-convert

Description:
The Webgais program allows a remote user to execute arbitrary commands.

Status: Entry
Reference: BUGTRAQ:Jul10,1997
Reference: XF:http-webgais-query

Description:
The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.

Status: Entry
Reference: NTBUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: NTBUGTRAQ:19970905 Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
Reference: BUGTRAQ:19970904 [Alert] Website's uploader.exe (from demo) vulnerable
Reference: XF:http-website-uploader

Description:
Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

Status: Entry
Reference: BUGTRAQ:19970106 Re: signal handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html
Reference: BID:2078
Reference: URL:http://www.securityfocus.com/bid/2078
Reference: OSVDB:8
Reference: URL:http://www.osvdb.org/8
Reference: XF:http-website-winsample(295)
Reference: URL:http://xforce.iss.net/xforce/xfdb/295

Description:
Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

Status: Entry
Reference: MSKB:Q140818
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q140818
Reference: XF:nt-samba-dotdot
Reference: XF:nt-351
Reference: XF:nt-35

Description:
in.rshd allows users to login with a NULL username and execute commands.

Status: Entry
Reference: XF:rsh-null

Description:
The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

Status: Entry
Reference: XF:walld

Description:
Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.

Status: Entry
Reference: CIAC:H-110
Reference: URL:http://www.ciac.org/ciac/bulletins/h-110.shtml
Reference: CERT:VB-97.10.samba
Reference: XF:nt-samba-bo

Description:
Linux implementations of TFTP would allow access to files outside the restricted directory.

Status: Entry
Reference: XF:linux-tftp

Description:
When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

Status: Entry
Reference: XF:dns-updates

Description:
In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

Status: Entry
Reference: SUN:00156
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/156
Reference: XF:sun-ftpd/logind

Description:
In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Status: Candidate
Phase: Modified (20071119)
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

Votes:

   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-0022. Reason: This candidate is a duplicate of CVE-1999-0022. Notes: All CVE users should reference CVE-1999-0022 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status: Candidate
Phase: Modified (20050204)

Votes:

   ACCEPT(2) Hill, Northcutt
   RECAST(3) Baker, Frech, Prosser
   REJECT(1) Dik
   REVIEWING(1) Christey

 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
   rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr()
   (ref CERT 97-23) and various vendor bulletins.  However both of these rdist
   BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
   FreeBSD, SCO, SGI, etc.  Believe this falls into the SF-codebase content
   decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in
   CERT:CA-97.23.rdist), but as Mike and Andre noted, there
   are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrasedm thissa duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.

Description:
The passwd command in Solaris can be subjected to a denial of service.

Status: Entry
Reference: SUN:00182
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/182
Reference: XF:sun-passwd-dos

Description:
Solaris rpcbind listens on a high numbered UDP port, which may not be filtered since the standard port number is 111.

Status: Entry
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/142
Reference: XF:rpc-32771

Description:
Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Status: Entry
Reference: SUN:00167
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/167
Reference: XF:sun-rpcbind

Description:
IIS newdsn.exe CGI script allows remote users to overwrite files.

Status: Entry
Reference: XF:http-cgi-newdsn
Reference: OSVDB:275
Reference: URL:http://www.osvdb.org/275

Description:
Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.

Status: Entry
Reference: SNI:SNI-20
Reference: XF:bsd-tel-tgetent

Description:
Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   ACCEPT(5) Bishop, Cole, Northcutt, Ozancin, Shostack
   MODIFY(2) Baker, Blake
   NOOP(4) Armstrong, Frech, Landfield, Wall
   REVIEWING(2) Christey, Levy

 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment:  There is a reference about the zero length TCP option in BugTraq on
   Feb 5, 1999
   and it mentions Cisco, but not directly Ascend or 3Com.  CIAC Advisory I-038
   mentions
   vulnerabilities in Ascend, but does not mention TCP.  CIAC Advisory I-052
   mentions
   3Com vulnerabilities, but not TCP.  Too confusing withour better references.
 Landfield> What are the references for this ? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre.  I only remember and can find reference to the Ascend
   issue.  Do we have a refernce to the 3Coms?  If not, that should be
   removed from the description.
 Baker> http://xforce.iss.net/static/614.php	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682	Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640	Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Description:
Denial of service in in.comsat allows attackers to generate messages.

Status: Entry
Reference: XF:comsat

Description:
Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Status: Candidate
Phase: Modified (19991130-01)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Votes:

   ACCEPT(2) Balinsky, Shostack
   MODIFY(1) Frech
   NOOP(3) Baker, Northcutt, Wall
   REVIEWING(2) Christey, Levy

 Frech> XF:rpcbind-spoof
 Christey> CVE-1999-0195 = CVE-1999-0461 ?
   If this is approved over CVE-1999-0461, make sure it gets
   XF:pmap-sset

Description:
websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).

Status: Entry
Reference: BUGTRAQ:19970704 Vulnerability in websendmail
Reference: BID:2077
Reference: URL:http://www.securityfocus.com/bid/2077
Reference: OSVDB:237
Reference: URL:http://www.osvdb.org/237
Reference: XF:http-webgais-smail

Description:
finger 0@host on some systems may print information on some user accounts.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002
   Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host
   feature)

Description:
finger .@host on some systems may print information on some user accounts.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004
   Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host
   check )
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host
   feature)

Description:
Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Status: Candidate
Phase: Modified (19991130-01)
Reference: MSKB:Q137853

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Northcutt, Wall
   REJECT(1) Christey
   REVIEWING(1) Levy

 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Other have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
   access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
   non-anon FTP account and gain root privs.
 Christey> added MSKB reference
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more.  There
   were reports of problems in a Windows-based FTP server called
   WFTP (http://www.wftpd.com/) that is not a Microsft FTP
   server.  It's best to just kill this candidate where it
   stands and start fresh.

Description:
A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.

Status: Entry
Reference: XF:ftp-home

Description:
The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.

Status: Entry
Reference: XF:ftp-exectar

Description:
In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.

Status: Entry
Reference: CERT:CA-95.08
Reference: CIAC:E-03
Reference: XF:smtp-sendmail-version5

Description:
Sendmail 8.6.9 allows remote attackers to execute root commands, using ident.

Status: Entry
Reference: XF:ident-bo
Reference: CIAC:F-13

Description:
Denial of service in Sendmail 8.6.11 and 8.6.12.

Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19990708 SM 8.6.12

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Christey, Ozancin

 Frech> XF:sendmail-alias-dos
 Prosser> additional source
   Bugtraq
   "Re:  SM 8.6.12"
   http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a
   comment by Eric Allman that he hadn't been provided any
   details either.
   
   See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
   for the thread.
 Christey> Change Bugtraq reference date to 19950708.

Description:
MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.

Status: Entry
Reference: XF:sendmail-mime-bo
Reference: AUSCERT:AA-96.06a

Description:
Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

Status: Entry
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Description:
rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Status: Entry
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

Description:
The SunView (SunTools) selection_svc facility allows remote users to read files.

Status: Entry
Reference: CERT:CA-90.05.sunselection.vulnerability
Reference: BID:8
Reference: URL:http://www.securityfocus.com/bid/8
Reference: XF:selsvc

Description:
Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: BID:235
Reference: URL:http://www.securityfocus.com/bid/235

Description:
Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.

Status: Entry
Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability
Reference: BID:24
Reference: URL:http://www.securityfocus.com/bid/24

Description:
Solaris rpc.mountd generates error messages that allow a remote attacker to determine what files are on the server.

Status: Entry
Reference: SUN:00168
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/168
Reference: CIAC:I-048
Reference: URL:http://www.ciac.org/ciac/bulletins/i-048.shtml
Reference: XF:sun-mountd

Description:
libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Status: Candidate
Phase: Modified (20001009-01)
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

Votes:

   ACCEPT(6) Blake, Cole, Dik, Hill, Landfield, Ozancin
   MODIFY(3) Baker, Frech, Levy
   NOOP(4) Armstrong, Bishop, Meunier, Wall
   REVIEWING(1) Christey

 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php	Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba	Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt	Vendor Info
   http://www.securityfocus.com/archive/1/9749	Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is.
   This candidate came from CyberCop Scanner 2.4/2.5, which
   only reports this as a DoS problem.  If SUN:00172 is an
   advisory for this, then it may be a duplicate of
   CVE-1999-0055.  There appears to be overlap with other
   references as well.  HOWEVER, this particular one deals with a
   DoS in rpcbind - which isn't mentioned in the sources for
   CVE-1999-0055.
 Levy> BID 148

Description:
Denial of service by sending forged ICMP unreachable packets.

Status: Entry
Reference: XF:icmp-unreachable

Description:
Routed allows attackers to append data to files.

Status: Entry
Reference: SGI:19981004-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX
Reference: CIAC:J-012
Reference: URL:http://www.ciac.org/ciac/bulletins/j-012.shtml
Reference: XF:ripapp

Description:
Denial of service of inetd on Linux through SYN and RST packets.

Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Baker, Frech
   RECAST(1) Meunier

 Meunier> The location of the vulnerability, whether in the Linux kernel or the
   application, is debatable.  Any program making the same (reasonnable)
   assumption is vulnerable, i.e., implements the same vulnerability:
   "Assumption that TCP-three-way handshake is complete after calling Linux
   kernel function accept(), which returns socket after getting SYN.   Result
   is process death by SIGPIPE"
   Moreover, whether it results in DOS (to third parties) depends on the
   process that made the assumption.
   I think that the present entry should be split, one entry for every
   application that implements the vulnerability (really describing threat
   instances, which is what other people think about when we talk about
   vulnerabilities), and one entry for the Linux kernel that allows the
   vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it?  It applies to mulitple OS and should be likely either modified, or in extreme case, recast

Description:
Malicious option settings in UDP packets could force a reboot in SunOS 4.1.3 systems.

Status: Entry
Reference: XF:udp-bomb

Description:
Livingston portmaster machines could be rebooted via a series of commands.

Status: Entry
Reference: XF:portmaster-reboot

Description:
Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to cause a denial of service (crash) via a long (1) CWD or (2) LS (list) command.

Status: Entry
Reference: NTBUGTRAQ:19990503 Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92574916930144&w=2
Reference: NTBUGTRAQ:19990504 Re: Buffer overflows in FTP Serv-U 2.5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92582581330282&w=2
Reference: BUGTRAQ:19990909 Exploit: Serv-U Ver2.5 FTPd Win9x/NT
Reference: BID:269
Reference: URL:http://www.securityfocus.com/bid/269
Reference: XF:ftp-servu(205)
Reference: URL:http://xforce.iss.net/xforce/xfdb/205

Description:
Attackers can do a denial of service of IRC by crashing the server.

Status: Candidate
Phase: Proposed (19990728)

Votes:

   NOOP(2) Baker, Northcutt
   REJECT(2) Christey, Frech

 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague
   description, equals REJECT.

Description:
Denial of service of Ascend routers through port 150 (remote administration).

Status: Entry
Reference: XF:ascend-150-kill

Description:
Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   ACCEPT(1) Baker
   MODIFY(3) Frech, Levy, Shostack
   NOOP(3) Balinsky, Northcutt, Wall
   RECAST(1) Ziese
   REJECT(1) Christey

 Shostack> I follow cisco announcements and problems pretty closely, and haven't
   seen this.  Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references.  I can't find
   any references in Bugtraq or Cisco either.  This bug is
   supposedly tested by at least one security product, but that
   product's database doesn't have any references either.  So
   a question becomes, how did it make it into at least two
   security companies' databases?
 Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement.  This one, if
   recast to reflect that "...after using a long url..." should be replaced
   with
   "...A defect in multiple releases of Cisco IOS software will cause a Cisco
   router or switch to halt and reload if the IOS HTTP service is enabled,
   browsing to "http://router-ip/anytext?/" is attempted, and the enable
   password is supplied when requested. This defect can be exploited to produce
   a denial of service (DoS) attack."
   Then I can accept this and mark it as "Verfied by my Company".  If it can't
   be recast because this (long uri) is diffferent then our release (special
   url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380.
   I don't think that Kevin's description is really addressing
   this either.  The lack of references and a specific
   description make this candidate unusable, so it should be
   rejected.

Description:
Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry.

Status: Entry
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878
Reference: URL:http://www.securityfocus.com/bid/1878

Description:
Denial of service in Windows NT messenger service through a long username.

Status: Entry
Reference: XF:nt-messenger

Description:
Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.

Status: Entry
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos

Description:
Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Status: Candidate
Phase: Proposed (19990728)

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms
   g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net

Description:
Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allows a denial of service.

Status: Entry
Reference: MSKB:Q154087
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154087
Reference: XF:nt-lsass-crash

Description:
Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

Status: Entry
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q162567

Description:
Denial of service in Windows NT IIS server using ..\..

Status: Candidate
Phase: Modified (19991228-02)
Reference: MSKB:Q115052

Votes:

   ACCEPT(2) Baker, Shostack
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
   Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
   problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638)
   http://xforce.iss.net/static/1638.php
   If so, include the version number (2.0)
   
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected
   IIS version there is 1.0; the effect is to read files,
   so this sounds like a directory traversal problem,
   instead of an inability to process certain strings.
   
   As a result, this candidate is too general, since it could
   apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218

Description:
Buffer overflow in Cisco 7xx routers through the telnet service.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/pwbuf-pub.shtml
Reference: OSVDB:1102
Reference: URL:http://www.osvdb.org/1102

Description:
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Votes:

   ACCEPT(2) Baker, Levy
   NOOP(3) Christey, Landfield, Northcutt
   RECAST(1) Frech
   REVIEWING(1) Ozancin

 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.

Description:
Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Status: Candidate
Phase: Modified (19991220-01)

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey

 Frech> Unable to provide a match due to vague/insufficient description/references.
   Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
   More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a
   CAN for the most likely issue, we should kill this one

Description:
IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

Status: Entry
Reference: MSKB:Q148188
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q148188
Reference: MSKB:Q155056
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q155056
Reference: XF:http-iis-cmd

Description:
Bash treats any character with a value of 255 as a command separator.

Status: Entry
Reference: XF:bash-cmd
Reference: CERT:CA-96.22.bash_vuls

Description:
Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Status: Candidate
Phase: Modified (19991220-01)
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Votes:

   ACCEPT(3) Hill, Northcutt, Prosser
   MODIFY(1) Frech
   REJECT(2) Baker, Christey

 Frech> XF:http-ncsa-longurl
 Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
   refer to the same problem.  This should be rejected as 1999-0267 is the same problem.

Description:
ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

Status: Entry
Reference: XF:http-scriptalias

Description:
Remote execution of arbitrary commands through Guestbook CGI program.

Status: Entry
Reference: XF:http-cgi-guestbook
Reference: CERT:VB-97.02

Description:
php.cgi allows attackers to read any file on the system.

Status: Candidate
Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread

Votes:

   ACCEPT(5) Baker, Collins, Frech, Northcutt, Prosser
   NOOP(1) Christey

 Prosser> additional source
   AUSCERT External Security Bulletin ESB-97.047
   http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the
   program.
   Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250

Description:
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.

Status: Entry
Reference: XF:fastrack-get-directory-list
Reference: OSVDB:122
Reference: URL:http://www.osvdb.org/122

Description:
Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Status: Candidate
Phase: Proposed (19990728)

Votes:

   ACCEPT(1) Northcutt
   NOOP(1) Baker
   REJECT(1) Frech

 Frech> Would reconsider if any references were available.

Description:
Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:http-xguess-cookie

Votes:

   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

 Frech> Also add to references:
   XF:sol-mkcookie
 Prosser> additional source
   Bugtraq
   "X11 cookie hijacker"
   http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies
   through a file with bad permissions.  I'm not sure the
   X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08

Description:
Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

 Frech> Ambiguous description: need more detail. Possibly:
   XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CVE-1999-0123 or
   CVE-1999-0125, however this particular candidate arises out
   of a brief mention of the problem in a larger posting which
   discusses CVE-1999-0123 (which may be the same bug as
   CVE-1999-0125).  See the following phrase in the Bugtraq
   post: "one such example of this is in.pop3d"
   
   However, the original source of this candidate's description
   explicitly mentions shadowed passwords, though it has no
   references to help out here.

Description:
Linux cfingerd could be exploited to gain root access.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   ACCEPT(1) Shostack
   NOOP(4) Baker, Levy, Northcutt, Wall
   REJECT(2) Christey, Frech

 Christey> This has no sources; neither does the original database that
   this entry came from.  It's a likely duplicate of 
   CVE-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
   to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then
   it appears as if the poster modified the source using authorized 
   access to make it vulnerable. Modifying the source in this manner 
   does not qualify as being listed a vulnerability.
   I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
   to 1.4.x and below and shows up two years later.

Description:
Livingston RADIUS code has a buffer overflow which can allow remote execution of commands as root.

Status: Entry
Reference: NAI:NAI-23
Reference: XF:radius-accounting-overflow

Description:
Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".

Status: Entry
Reference: BUGTRAQ:19950907 Linux NIS security problem hole and fix
Reference: XF:linux-plus

Description:
HP Remote Watch allows a remote user to gain root access.

Status: Candidate
Phase: Proposed (19990630)
Reference: XF:hp-remote

Votes:

   ACCEPT(4) Frech, Hill, Northcutt, Prosser
   NOOP(1) Baker
   RECAST(1) Christey

 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
   Remote Watch (the advisory uses two words, not one, for the
   "Remote Watch" name)
   
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote
   Watch, one being a socket connection and other with the showdisk utility
   which seems to be a suid vulnerability.  Never get much details on this
   anywhere since the recommendation is to remove the program since it is
   obsolete and superceded by later tools. Believe the biggest concern here is
   to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.

Description:
Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.

Status: Entry
Reference: NAI:19970721 INN news server vulnerabilities
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/17_inn_avd.asp
Reference: BID:1443
Reference: URL:http://www.securityfocus.com/bid/1443
Reference: XF:inn-bo

Description:
A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.

Status: Entry
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
Reference: CONFIRM:http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1

Description:
Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Northcutt, Shostack
   RECAST(1) Christey
   REVIEWING(1) Levy

 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
   remote
   users to execute arbitrary commands.
   Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
   where remote users coming from authorized machines are
   allowed access regardless of what .rhosts says.  XF:rsh-svc
   refers to a bug circa 1997 where any remote entity could
   execute commands as system.

Description:
Denial of service in Qmail through long SMTP commands.

Status: Candidate
Phase: Modified (20010301-01)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Votes:

   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

 Frech> XF:qmail-rcpt
 Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144.  In reading
   through both bugtraq postings, the one that is referenced by 0144 is
   based on a shell code exploit to cause memory exhaustion. The bugtraq
   posting referenced by this entry refers explicitly to the prior
   posting for 0144, and states that the same effect could be
   accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969    CVE-1999-0144
   http://www.securityfocus.com/archive/1/6970    CVE-1999-0250
   
   Both references should be added to CVE-1999-0144, and CVE-1999-0250
   should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they
   regarded it as a duplicate as well.
   
   qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."

Description:
Denial of service in talk program allows remote attackers to disrupt a user's display.

Status: Entry
Reference: XF:talkd-flash

Description:
Buffer overflow in listserv allows arbitrary command execution.

Status: Entry
Reference: XF:smtp-listserv

Description:
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Status: Candidate
Phase: Modified (20000106-01)
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

Votes:

   ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Prosser, Wall
   REVIEWING(1) Christey

 Christey> This is a problem that was introduced after patching a
   previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
   Since the hotfix introduced the problem, this should be
   treated as a seaprate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or
   deny the issue. If you can find some documentation that says we fixed it (KB
   article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814

Description:
A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Status: Candidate
Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.

Description:
Buffer overflow in ircd allows arbitrary command execution.

Status: Candidate
Phase: Proposed (19990623)

Votes:

   ACCEPT(3) Baker, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references.  The
   XF reference doesn't appear toe xist any more.
   
   Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.

Description:
Buffer overflow in War FTP allows remote execution of commands.

Status: Entry
Reference: XF:war-ftpd
Reference: OSVDB:875
Reference: URL:http://www.osvdb.org/875

Description:
Nestea variation of teardrop IP fragmentation denial of service.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop
   and its ilk.  Also see comments on CVE-1999-0001.
   
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
   
   Is CVE-1999-0001 the same as CVE-1999-0052?  That one is related
   to nestea (CVE-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CVE-1999-0001 are in lines 388&446.  So, 
   CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
   
   Also see BUGTRAQ:19990909 CISCO and nestea.
   
   Finally, note that there is no fundamental difference between
   nestea and nestea2/nestea-v2; they are different ports that
   exploit the same problem.
   
   The original nestea advisory is at
   http://www.technotronic.com/rhino9/advisories/06.htm
   but notice that the suggested fix is in line 375 of
   ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   
   Nestea source code is in
   MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

Description:
Bonk variation of teardrop IP fragmentation denial of service.

Status: Candidate
Phase: Proposed (19990726)

Votes:

   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey

 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   
   CERT summary CS-98.02 implies that bonk, boink, and newtear
   all exploit the same vulnerability.

Description:
cfingerd lists all users on a system via search.**@target.

Status: Entry
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

Description:
The jj CGI program allows command execution via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19961224 jj cgi
Reference: XF:http-cgi-jj

Description:
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Status: Candidate
Phase: Modified (20000827-01)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Christey, Northcutt, Ozancin

 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ?  (but it's not on the web site)
 Christey> Consider adding BID:2387

Description:
Hylafax faxsurvey CGI script on Linux allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.

Status: Entry
Reference: BUGTRAQ:19980804 remote exploit in faxsurvey cgi-script
Reference: BUGTRAQ:19980804 PATCH: faxsurvey
Reference: BID:2056
Reference: URL:http://www.securityfocus.com/bid/2056
Reference: XF:http-cgi-faxsurvey(1532)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1532

Description:
Solaris SUNWadmap can be exploited to obtain root access.

Status: Entry
Reference: SUN:00173
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/173
Reference: XF:sun-sunwadmap

Description:
htmlscript CGI program allows remote read access to files.

Status: Entry
Reference: XF:http-htmlscript-file-access
Reference: BUGTRAQ:Jan27,1998

Description:
ICMP redirect messages may crash or lock up a host.

Status: Entry
Reference: MSKB:Q154174
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q154174
Reference: ISS:ICMP Redirects Against Embedded Controllers
Reference: XF:icmp-redirect

Description:
The info2www CGI script allows remote file access or remote command execution.

Status: Entry
Reference: BUGTRAQ:19980303 Vulnerabilites in some versions of info2www CGI
Reference: BID:1995
Reference: URL:http://www.securityfocus.com/bid/1995
Reference: XF:http-cgi-info2www

Description:
Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.

Status: Entry
Reference: XF:http-port
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Description:
MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.

Status: Entry
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: BUGTRAQ:19980703 Followup to MetaInfo vulnerabilities
Reference: OSVDB:110
Reference: URL:http://www.osvdb.org/110
Reference: OSVDB:3969
Reference: URL:http://www.osvdb.org/3969
Reference: XF:metaweb-server-dot-attack

Description:
Netscape Enterprise servers may list files through the PageServices query.

Status: Entry
Reference: XF:netscape-server-pageservices

Description:
Directory traversal vulnerability in pfdispaly.cgi program (sometimes referred to as "pfdisplay") for SGI's Performer API Search Tool (performer_tools) allows remote attackers to read arbitrary files.

Status: Entry
Reference: BUGTRAQ:19980317 IRIX performer_tools bug
Reference: SGI:19980401-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980401-01-P
Reference: CIAC:I-041
Reference: URL:http://www.ciac.org/ciac/bulletins/i-041.shtml
Reference: BID:64
Reference: URL:http://www.securityfocus.com/bid/64
Reference: OSVDB:134
Reference: URL:http://www.osvdb.org/134
Reference: XF:sgi-pfdispaly(810)
Reference: URL:http://xforce.iss.net/xforce/xfdb/810

Description:
Progressive Networks Real Video server (pnserver) can be crashed remotely.

Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Votes:

   ACCEPT(3) Baker, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
   posting), but may be multiple codebases since several
   Real Audio servers are affected.
   
   Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
   See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos

Description:
Denial of service in Slmail v2.5 through the POP3 port.

Status: Entry
Reference: XF:slmail-username-bo

Description:
Denial of service through Solaris 2.5.1 telnet by sending ^D characters.

Status: Entry
Reference: XF:sun-telnet-kill

Description:
Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

Status: Entry
Reference: NAI:NAI-5
Reference: XF:nt-dns-dos

Description:
Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Status: Entry
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver
Reference: MS:Q169461

Description:
mSQL v2.0.1 and below allows remote execution through a buffer overflow.

Status: Entry
Reference: XF:msql-debug-bo
Reference: SEKURE:sekure.01-99.msql

Description:
The WorkMan program can be used to overwrite any file to get root access.

Status: Entry
Reference: XF:workman
Reference: CERT:CA-96.23.workman_vul

Description:
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

Status: Entry
Reference: MS:MS98-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
Reference: XF:iis-asp-data-check
Reference: OVAL:oval:org.mitre.oval:def:913
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:913

Description:
Excite for Web Servers (EWS) allows remote command execution via shell metacharacters.

Status: Entry
Reference: BUGTRAQ:19971217 CGI security hole in EWS (Excite for Web Servers)
Reference: BUGTRAQ:19980115 Excite announcement
Reference: CERT:VB-98.01.excite
Reference: XF:excite-cgi-search-vuln

Description:
Remote command execution in Microsoft Internet Explorer using .lnk and .url files.

Status: Entry
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl

Description:
Denial of service in IIS using long URLs.

Status: Entry
Reference: XF:http-iis-longurl

Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.

Status: Candidate
Phase: Modified (20050830)

Votes:

   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey

 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12,  is referencing a later
   loadmodule(8) setuid problem in the X11/NeWS windowing system.  There is an
   earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
   for the SunOS 4.1.x/Solbourne and OpenWindow 3.0.  In fact, there may be the
   same as the HP patches are 100448-02 for the 93 loadmodule/modload
   vulnerability and 100448-03 for the 95 loadmodule vulnerability which
   normally indicated a patch update.  Looks like the original patch either
   didn't completely fix the problem or it resurfaced in X11 NeWS.  Can't tell
   much beyond that and this is my opinion only as have no way to check it.  
   Which one is this CVE referencing?  I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491
   Ancient stuff.
 Christey> Add period to the end of the description.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for
   CA-93.18.
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This candidate combines two separate issues.  It uses the CERT
   alert reference from 1995, from one issue, but a description that
   is associated with a separate issue.

Description:
The Java Web Server would allow remote users to obtain the source code for CGI programs.

Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2

Votes:

   ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall
   MODIFY(1) Frech
   NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser
   REVIEWING(1) Ozancin

 Wall> Acknowledged by vendor at
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/7260	Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending
   a . or a \)
   
   The Sun URL referenced by Dave Baker no longer exists, so I
   wasn't able to verify that it addressed the problem described
   in the Bugtraq post.  This might not even be Sun's
   "Java Web Server," as CVE-2001-0186 describes some product
   called "Free Java Web Server"
 Dik> There appears to be some confusion.
   
   The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed
   in 1.1.2 (get foo.jthml source by appending "." of "\" to URL)
   
   There are other bugs that give access and that require a configuration
   change.
   
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs,
   as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for
   CVE-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

Description:
Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Status: Candidate
Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo

Votes:

   ACCEPT(2) Blake, Northcutt
   MODIFY(3) Frech, Levy, Ozancin
   NOOP(1) Baker
   REVIEWING(1) Christey

 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own
   vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use
   dot notation.  Also need to see if this should be merged
   with CVE-1999-0098 (Sendmail SMTP HELO).

Description:
Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Status: Candidate
Phase: Proposed (19990630)

Votes:

   ACCEPT(1) Hill
   NOOP(2) Baker, Wall
   REJECT(2) Christey, Frech

 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with
   CVE-2001-0346, but that's for Windows 2000.

Description:
In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   ACCEPT(3) Armstrong, Cole, Shostack
   MODIFY(3) Blake, Levy, Wall
   NOOP(5) Baker, Bishop, Landfield, Northcutt, Ozancin
   REJECT(1) Frech
   REVIEWING(1) Christey

 Wall> In some NT web servers, appending a dot at the end of a URL may
   allows attackers to read source code for active pages.
   Source:  MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
   in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot.
   However, I don't have other references.
   
   Reading source code with a dot appended is in CVE-1999-0154,
   which will be proposed.  A subsequent bug similar to the
   dot bug is CVE-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference:  http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)

Description:
Vulnerability in the Wguest CGI program.

Status: Candidate
Phase: Proposed (19990714)

Votes:

   MODIFY(2) Frech, Shostack
   NOOP(4) Blake, Levy, Northcutt, Wall
   REJECT(2) Baker, Christey

 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467.  In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar
   problem.  Let's refer to the NTBugtraq posting as
   CVE-1999-0467.  We will refer to the "previous report" as
   CVE-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   
   0287 describes an exploit via the "template" hidden variable.
   The exploit describes manually editing the HTML form to
   change the filename to read from the template variable.
   
   The exploit as described in 0467 encodes the template variable
   directly into the URL.  However, hidden variables are also
   encoded into the URL, which would have looked the same to
   the web server regardless of the exploit.  Therefore 0287
   and 0467 are the same.
 Christey> BID:2024

Description:
The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.

Status: Entry
Reference: NTBUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970801 WINS flooding
Reference: BUGTRAQ:19970815 Re: WINS flooding
Reference: MISC:http://safenetworks.com/Windows/wins.html
Reference: MSKB:155701
Reference: XF:nt-winsupd-fix(1233)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1233

Description:
The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.

Status: Entry

Description:
The WinGate telnet proxy allows remote attackers to cause a denial of service via a large number of connections to localhost.

Status: Entry
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos

Description:
The WinGate proxy is installed without a password, which allows remote attackers to redirect connections without authentication.

Status: Entry
Reference: XF:wingate-unpassworded

Description:
Denial of service through Winpopup using large user names.

Status: Entry
Reference: XF:nt-winpopup

Description:
AAA authentication on Cisco systems allows attackers to execute commands without authorization.

Status: Entry
Reference: CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml
Reference: XF:cisco-ios-aaa-auth

Description:
All records in a WINS database can be deleted through SNMP for a denial of service.

Status: Entry
Reference: XF:nt-wins-snmp2

Description:
Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.

Status: Entry
Reference: XF:sun-sysdef
Reference: SUN:00157
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/157

Description:
Solaris volrmmount program allows attackers to read any file.

Status: Entry
Reference: SUN:00162
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/162
Reference: XF:sun-volrmmount

Description:
Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.

Status: Entry
Reference: NAI:NAI-3
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: XF:vixie-cron

Description:
ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Status: Candidate
Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

Votes:

   ACCEPT(4) Cole, Dik, Levy, Northcutt
   MODIFY(1) Frech
   NOOP(3) Baker, Christey, Shostack

 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure.
   With ypsetme, only root on the local host
   can run ypset in Solaris 2.x+.
   Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
   In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
   and not all files ending in .2
   Both releases are not vulnerable in the default configuration (both
   disabllow ypset by default which prevents this problem from occurring)

Description:
Buffer overflow in FreeBSD lpd through long DNS hostnames.

Status: Entry
Reference: NAI:NAI-9
Reference: OSVDB:6093
Reference: URL:http://www.osvdb.org/6093

Description:
nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ servers.

Status: Entry
Reference: SUN:00155
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/155
Reference: XF:sun-niscache

Description:
Buffer overflow in SunOS/Solaris ps command.

Status: Entry
Reference: SUN:00149
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/149
Reference: AUSCERT:AUSCERT-97.17
Reference: XF:sun-ps2bo

Description:
SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

Status: Entry
Reference: SUN:00176
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/176
Reference: XF:sun-ftp-server

Description:
Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Status: Entry
Reference: XF:bnu-uucpd-bo
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD

Description:
mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

Status: Entry
Reference: XF:bsd-mmap
Reference: FREEBSD:FreeBSD-SA-98:02

Description:
The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.

Status: Entry
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"
Reference: MISC:http://www.openbsd.org/advisories/sourceroute.txt
Reference: OSVDB:11502
Reference: URL:http://www.osvdb.org/11502
Reference: XF:bsd-sourceroute(736)
Reference: URL:http://xforce.iss.net/xforce/xfdb/736

Description:
buffer overflow in HP xlock program.

Status: Candidate
Phase: Proposed (19990714)
Reference: XF:hp-xlock

Votes:

   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

 Prosser> This is another of those with multiple affected OSs.
   Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
   HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
   the same problem as in CERT:CA-97.13, which is CVE-1999-0038.

Description:
Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Votes:

   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

 Prosser> only ref I can find is an old SOD exploit on
   www.outpost9.com
 Christey> MERGE CVE-1999-0336 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.
   
   See the original post:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

Description:
HP-UX gwind program allows users to modify arbitrary files.

Status: Entry
Reference: HP:HPSBUX9410-018
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities

Description:
HP-UX vgdisplay program gives root access to local users.

Status: Entry
Reference: HP:HPSBUX9702-056
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-056
Reference: XF:hpux-vgdisplay
Reference: CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability

Description:
SSH 1.2.25 on HP-UX allows access to new user accounts.

Status: Entry
Reference: XF:ssh-1225

Description:
fpkg2swpk in HP-UX allows local users to gain root access.

Status: Entry
Reference: XF:hpux-fpkg2swpk
Reference: HP:HPSBUX9612-042
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9612-042

Description:
HP ypbind allows attackers with root privileges to modify NIS data.

Status: Entry
Reference: XF:nis-ypbind
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

Description:
disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status: Entry
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: BID:214
Reference: URL:http://www.securityfocus.com/bid/214
Reference: OSVDB:936
Reference: URL:http://www.osvdb.org/936
Reference: XF:sgi-disk-bandwidth(1441)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1441

Description:
ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to gain root access using relative pathnames.

Status: Entry
Reference: MISC:http://www.securityfocus.com/bid/213/exploit
Reference: SGI:19980701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P
Reference: BID:213
Reference: URL:http://www.securityfocus.com/bid/213
Reference: OSVDB:6788
Reference: URL:http://www.osvdb.org/6788
Reference: XF:sgi-ioconfig(1199)
Reference: URL:http://xforce.iss.net/xforce/xfdb/1199

Description:
Buffer overflow in Solaris fdformat command gives root access to local users.

Status: Entry
Reference: XF:fdformat-bo
Reference: SUN:00138
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/138

Description:
Buffer overflow in Linux splitvt command gives root access to local users.

Status: Entry
Reference: XF:linux-splitvt
Reference: CIAC:G-08

Description:
Buffer overflow in Linux su command gives root access to local users.

Status: Candidate
Phase: Modified (19991216-01)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Votes:

   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Christey> DUPE CVE-1999-0845?
   Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to
   confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, the n it is a dupe of 1999-0845.  There is about a two and half month difference in the bugtraq reporting of these.
   Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist.
   How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   
   BID:475 also seems to describe the same problem
   (http://www.securityfocus.com/bid/475) in which case,
   vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274

Description:
Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.

Status: Entry
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo

Description:
Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Status: Candidate
Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr

Votes:

   ACCEPT(3) Frech, Hill, Northcutt
   NOOP(2) Baker, Prosser
   REVIEWING(1) Christey

 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.

Description:
SunOS rpc.cmsd allows attackers to obtain root access by overwriting arbitrary files.

Status: Entry
Reference: SUN:00166
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/166
Reference: XF:sun-rpc.cmsd

Description:
Buffer overflow in Solaris kcms_configure command allows local users to gain root access.

Status: Entry
Reference: XF:sun-kcms-configure-bo

Description:
The open() function in FreeBSD allows local attackers to write to arbitrary files.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open
Reference: OSVDB:6092
Reference: URL:http://www.osvdb.org/6092

Description:
FreeBSD mmap function allows users to modify append-only or immutable files.

Status: Entry
Reference: FREEBSD:FreeBSD-SA-98:04
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

Description:
ppl program in HP-UX allows local users to create root files through symlinks.

Status: Entry
Reference: HP:HPSBUX9702-053
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9702-053
Reference: CIAC:H-31
Reference: XF:hp-ppllog

Description:
vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

Status: Entry
Reference: XF:hp-vhe
Reference: HP:HPSBUX9406-013
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9406-013

Description:
Vulnerability in HP-UX mediainit program.

Status: Entry
Reference: HP:HPSBUX9710-071
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9710-071
Reference: XF:hp-mediainit

Description:
SGI syserr program allows local users to corrupt files.

Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-syserr

Description:
SGI permissions program allows local users to gain root privileges.

Status: Entry
Reference: SGI:19971103-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19971103-01-PX
Reference: XF:sgi-permtool

Description:
SGI mediad program allows local users to gain root access.

Status: Entry
Reference: SGI:19980602-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980602-01-PX
Reference: XF:sgi-mediad

Description:
Linux bdash game has a buffer overflow that allows local users to gain root access.

Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy

 Frech> XF:bdash-bo

Description:
Buffer overflow in Internet Explorer 4.0(1).

Status: Candidate
Phase: Modified (20040811)
Reference: XF:msie-bo

Votes:

   ACCEPT(2) Baker, Northcutt
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) Christey, LeBlanc

 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
   duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows
   contain a vulnerability that may crash the broswer when a malicious web site
   contains a certain kind of URL (that begins with "mk://") with more
   characters than the browser supports. 
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.

Description:
Buffer overflow in NetMeeting allows denial of service and remote command execution.

Status: Entry
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q184346

Description:
HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.

Status: Candidate
Phase: Modified (19990925-01)
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

Votes:

   ACCEPT(2) Baker, Frech
   MODIFY(1) Prosser
   RECAST(1) Christey

 Prosser> additional source
   HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be
   split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml

Description:
In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

Status: Entry
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability

Description:
DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.

Status: Entry

Description:
Buffer overflow in mstm in HP-UX allows local users to gain root access.

Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Votes:

   ACCEPT(2) Frech, Northcutt
   NOOP(3) Baker, Prosser, Shostack
   RECAST(1) Christey

 Prosser> same as CVE-1999-0307, only ref I can find is an old SOD
   exploit on www.outpost9.com
 Christey> MERGE CVE-1999-0307 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.

Description:
AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

Status: Entry
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

Description:
AIX Licensed Program Product performance tools allow local users to gain root access.

Status: Entry
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools

Description:
Buffer overflow in the libauth library in Solaris allows local users to gain additional privileges, possibly root access.

Status: Entry
Reference: XF:sol-sun-libauth
Reference: RSI:RSI.0007.05-26-98

Description:
Buffer overflow in Linux Slackware crond program allows local users to gain root access.

Status: Entry
Reference: KSRT:005
Reference: XF:linux-crond

Description:
Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.

Status: Entry
Reference: KSRT:006
Reference: XF:linux-deliver

Description:
Linux PAM modules allow local users to gain root access using temporary files.

Status: Entry
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Description:
A malicious Palace server can force a client to execute arbitrary programs.

Status: Entry
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln

Description:
NT users can gain debug-level access on a system process using the Sechole exploit.

Status: Entry
Reference: MS:MS98-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-009.mspx
Reference: MSKB:Q190288
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q190288
Reference: XF:nt-priv-fix

Description:
Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Status: Candidate
Phase: Proposed (19990728)

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(2) Frech, Wall
   NOOP(4) Bishop, Landfield, Northcutt, Ozancin
   RECAST(1) Meunier
   REJECT(4) Armstrong, Baker, LeBlanc, Levy
   REVIEWING(1) Christey

 Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and
   Windows NT systems.
   Reference: Q154174.
   Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
   It is a modified teardrop 2 attack.  
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that
   kills Win boxes ala Ping of Death.
   Teardrop is altering the offset in fragmented tcp packets so that the
   end of subsequent fragments is inside first packet...
   Teardrop 2 is UDP packets, if I remember right.
   Seems like Jolt (original, not jolt 2) is just exploit code that
   creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap.  It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
   thing as ping of death - POD was an oversized ICMP packet, Jolt froze
   Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
   Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
   but each of these is a distinct vulnerability, affected a discrete group
   of systems, and should have distinct CVE numbers. CVE entries should be
   precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted.  Jolt has
   characteristics of Ping of Death AND teardrop, but it doesn't do
   either exactly.  Moreover, it sends a truncated IP fragment.  I
   disagree with Armstrong; jolt uses overlapping fragments.  It's not a
   simple ping of death either.  It may be that the author's intent was
   to construct a "super attack" somehow combining elements of other
   vulnerabilities to try to make it more potent.  In any case it
   succeeded in confusing the CVE board :-).
   
   I notice that Jolt uses echo replies (type 0) instead of echo
   requests (to get past firewalls?).  Jolt is peculiar in that it also
   sends numerous overlapping fragments.  The "Pascal Simulator" :-) says
   it sends:
   
   - 172 fragments of length 400 with offset starting at 5120 and
   increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
   which eventually results in sending fragments inside an already
   covered area once ((n* 380) >> 3) is greater than 5120, which occurs
   when n is reaches 108.  This would look a bit like TearDrop if
   fragments were reassembled on-the-fly.
   
   - 1 fragment such that the total length of all the fragments
   is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
   comment about 65538 must be wrong).  The last packet is size 418
   according to the IP header but the buffer is of size 400.  The sendto
   takes as argument the size of the buffer so a truncated packet is
   sent.
   
   So, I am not sure if the problem is because the last packet
   doesn't extend to the payload it says it has or because the total size
   of all fragments is greater than 65535.  The author says it may take
   more than one sending, so perhaps this has to do with an incorrect
   error handling and recovery.  One would need to experiment and isolate
   each of those characteristics and test them independently.  Inasmuch
   as each of those things is likely a different vulnerability, then I
   agree with Leblanc that this entry should be split.  I'll try that if
   I ever get bored.  Jolt 2 should also have a different entry (see
   below).
   
   Jolt 2 runs in an infinite loop, sending the same fragmented
   IP packet, which can pretend to be "ICMP" or "UDP" data; however this
   is meaningless, as it's just a late fragment of an IP packet.  The
   attack works only as long as packets are sent.  According to
   http://www.securityfocus.com/archive/1/62170 the packets are
   truncated, and would overflow over the 65535 byte limit, which is
   similar to Jolt.  Note that Jolt does send that much data whereas
   jolt2 doesn't.  Since jolt2 is simpler and narrower than jolt, and it
   has weaker consequences, I believe that it's a different
   vulnerability.
   
   "Jolt 2 vulnerability causes a temporary denial-of-service in
   Windows-type OSes" would be a title for it.

Description:
CGI PHP mlog script allows an attacker to read any file on the target server.

Status: Entry
Reference: BUGTRAQ:19971019 Vulnerability in PHP Example Logging Scripts
Reference: BID:713
Reference: URL:http://www.securityfocus.com/bid/713
Reference: XF:http-cgi-php-mlog
Reference: OSVDB:3397
Reference: URL:http://www.osvdb.org/3397

Description:
Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.

Status: Candidate
Phase: Modified (20051028)
Reference: BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2

Votes:

   ACCEPT(4) Baker, LeBlanc, Levy, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

 Prosser> this is a modified Cross-Frame vulnerability that circumvents
   the original Cross-Frame Patch.  Addressed in MS Bulletin MS99.012
   http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CVE-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)

Description:
IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.

Status: Entry
Reference: NTBUGTRAQ:Jan27,1999
Reference: MSKB:Q197003
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q197003
Reference: OSVDB:930
Reference: URL:http://www.osvdb.org/930

Description:
A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.

Status: Entry
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
Reference: URL:http://www.eeye.com/html/Research/Advisories/IIS Remote FTP Exploit/DoS Attack.html
Reference: MS:MS99-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-003.mspx
Reference: MSKB:Q188348
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q188348
Reference: BUGTRAQ:Jan27,1999
Reference: XF:iis-remote-ftp

Description:
Race condition in the db_loader program in ClearCase gives local users root access by setting SUID bits.

Status: Entry
Reference: L0PHT:Feb8,1999
Reference: XF:clearcase-temp-race

Description:
FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

Status: Entry
Reference: INFOWAR:01
Reference: MISC:http://attrition.org/security/advisory/misc/infowar/iw_sec_01.txt
Reference: XF:pasv-pizza-thief-dos(3389)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3389

Description:
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

 Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses
   weak encryption.

Description:
rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory.

Status: Entry
Reference: HP:HPSBUX9902-091
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9902-091
Reference: CIAC:J-026
Reference: URL:http://www.ciac.org/ciac/bulletins/j-026.shtml
Reference: XF:pcnfsd-world-write

Description:
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.

Status: Candidate
Phase: Proposed (19990623)
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp

Votes:

   ACCEPT(3) Baker, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp

Description:
Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.

Status: Entry
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-reboot

Description:
ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

Description:
Windows 98 and other operating systems allows remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid fragmentation offsets.

Status: Entry
Reference: BUGTRAQ:19990125 Win98 crash?
Reference: XF:win98-oshare-dos

Description:
Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

Status: Entry
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: URL:http://www.securityfocus.com/archive/1/12121
Reference: COMPAQ:SSRT0583U
Reference: XF:du-inc
Reference: CIAC:J-027
Reference: URL:http://www.ciac.org/ciac/bulletins/j-027.shtml

Description:
ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Status: Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

Votes:

   ACCEPT(2) Cole, Frech
   MODIFY(1) Baker

 Frech> XF:ptylogin-dos 
 Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."

Description:
MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Status: Candidate
Phase: Modified (20000530-01)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

Votes:

   ACCEPT(6) Blake, Cole, Collins, Landfield, Northcutt, Wall
   MODIFY(3) Baker, Frech, LeBlanc
   NOOP(4) Armstrong, Christey, Ozancin, Prosser

 Christey> I can't find the original Bugtraq posting (it appears that
   mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
   BUGTRAQ posting we can't find could be anything. 
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/12218	Misc Defensive InfoVulnerability Reference (HTML)	Reference Type
   THis is the URL for the Bugtraq posting.  It was cross posted to
   NT Bugtraq as well, but identical text.  It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
   Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)

Description:
NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 Frech> XF:compulink-pw-laserfiche(1679)
   Normalize BUGTRAQ reference to:
   BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords

Description:
WS_FTP server remote denial of service through cwd command.

Status: Entry
Reference: EEYE:AD02021999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02021999.html
Reference: XF:wsftp-remote-dos
Reference: BID:217
Reference: URL:http://www.securityfocus.com/bid/217

Description:
SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.

Status: Entry
Reference: BUGTRAQ:Feb02,1999
Reference: XF:plp-lpc-bo
Reference: BID:328
Reference: URL:http://www.securityfocus.com/bid/328

Description:
Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Status: Candidate
Phase: Modified (20000426-01)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2

Votes:

   ACCEPT(2) Baker, LeBlanc
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:access-weak-passwords(1774)
   An older published reference (from our own Adam) would be
   better:
   ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
   http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192
   07028.1462108427&hitnum=1

Description:
The metamail package allows remote command execution using shell metacharacters that are not quoted in a mailcap entry.

Status: Entry
Reference: BUGTRAQ:Feb04,1999
Reference: XF:metamail-header-commands

Description:
In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.

Status: Entry
Reference: MS:MS99-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-004.mspx
Reference: MSKB:Q214840
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q214840
Reference: XF:nt-sp4-auth-error

Description:
NetBSD netstat command allows local users to access kernel memory.

Status: Entry
Reference: NETBSD:1999-002
Reference: OSVDB:7571
Reference: URL:http://www.osvdb.org/7571

Description:
Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.

Status: Entry
Reference: NETECT:palmetto.ftpd
Reference: CERT:CA-99.03
Reference: XF:palmetto-ftpd-bo

Description:
The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Status: Entry
Reference: SUN:00183
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183
Reference: XF:sun-sdtcm-convert-bo

Description:
In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Status: Candidate
Phase: Modified (19991210-01)
Reference: SUN:00184
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165

Votes:

   ACCEPT(4) Baker, Dik, Northcutt, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> Reference: XF:sun-man
 Christey> ADDREF CIAC:J-028
   
   Is the Linux man symlink problem the same as the one for Sun?
   See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
   Also see BID:305
 Dik> sun bug 4154565

Description:
Lynx allows a local user to overwrite sensitive files through /tmp symlinks.

Status: Entry
Reference: BUGTRAQ:19990211 Lynx /tmp problem
Reference: CERT:VB-97.05.lynx
Reference: XF:lynx-temp-files-race

Description:
The installer for BackOffice Server includes account names and passwords in a setup file (reboot.ini) which is not deleted.

Status: Entry
Reference: MS:MS99-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-005.mspx
Reference: XF:nt-backoffice-setup
Reference: MSKB:Q217004
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q217004

Description:
Buffer overflow in the "Super" utility in Debian GNU/Linux, and other operating systems, allows local users to execute commands as root.

Status: Entry
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Description:
Debian GNU/Linux cfengine package is susceptible to a symlink attack.

Status: Entry
Reference: DEBIAN:19990215
Reference: BUGTRAQ:Feb16,1999
Reference: XF:linux-cfengine-symlinks

Description:
Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Research allows remote attackers to execute commands.

Status: Entry
Reference: NAI:February 16, 1999
Reference: BUGTRAQ:Feb16,1999
Reference: XF:nfr-webd-overflow

Description:
Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs.

Status: Entry
Reference: MS:MS99-006
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-006.mspx
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Reference: XF:nt-knowndlls-list

Description:
Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

Status: Entry
Reference: BUGTRAQ:Feb22,1999

Description:
InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.

Status: Entry
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: XF:viruswall-http-request
Reference: OSVDB:6167
Reference: URL:http://www.osvdb.org/6167

Description:
Microsoft Taskpads allows remote web sites to execute commands on the visiting user's machine via certain methods that are marked as Safe for Scripting.

Status: Entry
Reference: MS:MS99-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-007.mspx
Reference: BUGTRAQ:19990223 Microsoft Security Bulletin (MS99-007)
Reference: BID:498
Reference: URL:http://www.securityfocus.com/bid/498
Reference: OSVDB:1019
Reference: URL:http://www.osvdb.org/1019
Reference: XF:win-resourcekit-taskpads

Description:
SLMail 3.1 and 3.2 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled by setting a user's Finger File to point to the target file, then running finger on the user.

Status: Entry
Reference: NTBUGTRAQ:199902225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91999015212415&w=2
Reference: BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91996412724720&w=2
Reference: NTBUGTRAQ:SLmail 3.2 Build 3113 (Web Administration Security Fix)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92110501504997&w=2
Reference: BID:497
Reference: URL:http://www.securityfocus.com/bid/497
Reference: XF:slmail-ras-ntfs-bypass(5392)
Reference: URL:http://xforce.iss.net/static/5392.php

Description:
super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342

Votes:

   ACCEPT(7) Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin
   MODIFY(1) Bishop
   NOOP(2) Armstrong, Wall
   REVIEWING(1) Christey

 Christey> Is this the same as CVE-1999-0373?  They both have the same
   X-Force reference.
   
   BID:342 suggests that there are two.
   
   http://www.debian.org/security/1999/19990215a suggests
   that there are two.  However, CVE-1999-0373 is written up in
   a fashion that is too general; and both XF:linux-super-bo and
   XF:linux-super-logging-bo refer to CVE-1999-0373.
   CVE-1999-0373 may need to be split.
   
 Frech> From what I can surmise, ISS released the original advisory (attached to
   linux-super-bo), and Sekure SDI expanded on it by releasing another related
   overflow in syslog (which is linux-super-logging-bo).
   
   When I was originally assigning these issues, I placed both XF references
   and the ISS advisory on the -0373 candidate, since there was nothing else
   available. Based on the information above, I'd request that
   XF:linux-super-logging-bo be removed from CVE-1999-0373.
 Christey> Given Andre's feedback, these are different issues.
   CVE-1999-0373 does not need to be split because the ISS
   reference is sufficient to distinguish that CVE from this
   candidate; however, the CVE-1999-0373 description should
   probably be modified slightly.
 Bishop> (as indicated by Christey)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are 2 bugs, as confirmed by the super author at:
   BUGTRAQ:19990226 Buffer Overflow in Super (new)
   http://www.securityfocus.com/archive/1/12713
   BID:397 also seems to cover this one, and it may cover
   CVE-1999-0373 as well.

Description:
The screen saver in Windows NT does not verify that its security context has been changed properly, allowing attackers to run programs with elevated privileges.

Status: Entry
Reference: MS:MS99-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-008.mspx
Reference: XF:nt-screen-saver

Description:
ACC Tigris allows public access without a login.

Status: Entry
Reference: BUGTRAQ:19990103 Tigris vulnerability
Reference: BID:183
Reference: URL:http://www.securityfocus.com/bid/183
Reference: OSVDB:267
Reference: URL:http://www.osvdb.org/267
Reference: XF:acc-tigris-login

Description:
The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesses documents with ActiveX content.

Status: Entry
Reference: XF:forms-vuln-patch
Reference: MS:MS99-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-001.mspx

Description:
The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.

Status: Entry
Reference: MS:MS99-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Reference: ISS:LDAP Buffer overflow against Microsoft Directory Services
Reference: XF:ldap-exchange-overflow
Reference: XF:ldap-mds-dos

Description:
Microsoft Personal Web Server and FrontPage Personal Web Server in some Windows systems allows a remote attacker to read files on the server by using a nonstandard URL.

Status: Entry
Reference: MS:MS99-010
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx
Reference: XF:pws-file-access
Reference: OSVDB:111
Reference: URL:http://www.osvdb.org/111

Description:
A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allows attackers to read plaintext network passwords.

Status: Entry
Reference: MS:MS99-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-052.asp
Reference: MSKB:Q168115
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q168115
Reference: BID:829
Reference: URL:http://www.securityfocus.com/bid/829
Reference: XF:9x-plaintext-pwd

Description:
DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.

Status: Entry
Reference: XF:datalynx-suguard-relative-paths
Reference: L0PHT:Jan3,1999
Reference: OSVDB:3186
Reference: URL:http://www.osvdb.org/3186

Description:
Buffer overflow in the bootp server in the Debian Linux netstd package.

Status: Candidate
Phase: Modified (19991207-01)
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324

Votes:

   ACCEPT(3) Baker, Ozancin, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798?  CVE-1999-0389
   has January 1999 dates associated with it, while CVE-1999-0798
   was reported in late December.
   
   Also, is this the same line of code as CVE-1999-0914?  Both are in
   the netstd package, it could look like a library problem.
   
   However, deep in the changelog in the
   netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
   the following entry:
   
   +netstd (3.07-7slink.1) frozen; urgency=high
   +
   +  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
   +                report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +                bugs.
   +
   + -- Herbert Xu <herbert@debian.org>  Sat, 19 Dec 1998 14:36:48 +1100
   
   This tells me that two separate bugs are involved.
   
   Note that Red Hat posted *some* fix for *some* bootp problem
   in June 1998.  See:
   http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two
   overflows, one of which is in handle_request (bootpd.c) and is
   likely related to a file name; but there is another issue in
   report (report.c) which also looks like a straightforward
   overflow, which would suggest that this is not a duplicate of
   CVE-1999-0798 or CVE-1999-0799.
   
   Note: see comments for CVE-1999-0798 which explain how that
   candidate is not related to CVE-1999-0799.

Description:
Buffer overflow in Dosemu Slang library in Linux.

Status: Entry
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: CALDERA:CSSA-1999-006.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999-006.1.txt
Reference: BID:187
Reference: URL:http://www.securityfocus.com/bid/187

Description:
The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

Status: Entry
Reference: L0PHT:Jan. 5, 1999

Description:
Buffer overflow in Thomas Boutell's cgic library version up to 1.05.

Status: Entry
Reference: BUGTRAQ:Jan10,1999
Reference: XF:http-cgic-library-bo

Description:
Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.

Status: Entry
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91694391227372&w=2
Reference: XF:sendmail-parsing-redirection

Description:
DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware

Votes:

   ACCEPT(1) Baker
   NOOP(1) Christey
   REJECT(1) Frech

 Frech> If I understand the issue, this HIGHCARD involves insecure web programming. 
   If I don't understand, mark this as my first NOOP.
 Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
   ADDREF BID:565
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

Description:
A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.

Status: Entry
Reference: ISS:19990118 Vulnerability in the BackWeb Polite Agent Protocol
Reference: URL:http://xforce.iss.net/alerts/advise17.php
Reference: XF:backweb-polite-agent-protocol

Description:
A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

Status: Entry
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

Description:
The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Status: Candidate
Phase: Proposed (19990728)
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Wall

 Wall> Reject based on beta copy.
 Frech> XF:quakenbush-pw-appraiser(1652)

Description:
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
   released. v1.2.26 should be substituted in the description for '27.
   XF:ssh-exp-account-access

Description:
The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> XF:mirc-dcc-metachar-filename

Description:
Denial of service in Linux 2.2.0 running the ldd command on a core file.

Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> BUGTRAQ:Jan27,1999
   (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&
   msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
   XF:linux-kernel-ldd-dos

Description:
A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> XF:linux-race-condition-proc

Description:
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

Status: Entry
Reference: BUGTRAQ:Feb2,1999
Reference: XF:wget-permissions
Reference: DEBIAN:19990220

Description:
A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.

Status: Entry
Reference: BUGTRAQ:19990204 Cyrix bug: freeze in hell, badboy
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91821080015725&w=2
Reference: XF:cyrix-hang

Description:
Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.

Status: Entry
Reference: BUGTRAQ:Feb14,1999
Reference: XF:mailmax-bo

Description:
A buffer overflow in lsof allows local users to obtain root privilege.

Status: Entry
Reference: HERT:002
Reference: BUGTRAQ:Feb18,1999
Reference: DEBIAN:19990220a
Reference: XF:lsof-bo
Reference: OSVDB:3163
Reference: URL:http://www.osvdb.org/3163

Description:
Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> In description, change 'which' to 'that'.

Description:
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

Status: Entry
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

Description:
Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

Status: Entry
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure
Reference: BID:337
Reference: URL:http://www.securityfocus.com/bid/337

Description:
Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.

Status: Entry
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow
Reference: BID:319
Reference: URL:http://www.securityfocus.com/bid/319

Description:
The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

Status: Entry
Reference: BUGTRAQ:Mar5,1999
Reference: XF:sol-cancel
Reference: BID:293
Reference: URL:http://www.securityfocus.com/bid/293

Description:
Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Votes:

   MODIFY(2) Baker, Frech
   NOOP(2) Christey, Wall

 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
   19 February) does not mention gaining root access... it says a local user
   could
   "delete or overwrite arbitrary files on the system."
 Baker> By overwriting arbitrary files, one could then gain root access.  I agree with a minor description change to reflect this.
 Christey> Normalize Bugtraq reference to:
   BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
   http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
   Also, SCO:SB-99.17
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

Description:
In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

Status: Entry
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute
Reference: BID:501
Reference: URL:http://www.securityfocus.com/bid/501

Description:
A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

Status: Entry
Reference: SGI:19990301-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19990301-01-PX
Reference: XF:irix-font-path-overflow

Description:
In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

Status: Entry
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

Description:
The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

Status: Entry
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: XF:cisco-router-commands
Reference: XF:cisco-web-config

Description:
Vulnerability in Cisco 7xx series routers allows a remote attacker to cause a system reload via a TCP connection to the router's TELNET port.

Status: Entry
Reference: ISS:19990311 Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
Reference: CISCO:19990311 Cisco 7xx TCP and HTTP Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Reference: CIAC:J-034
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-034.shtml
Reference: XF:cisco-web-crash

Description:
64 bit Solaris 7 procfs allows local users to perform a denial of service.

Status: Entry
Reference: BUGTRAQ:Mar9,1999
Reference: XF:solaris-psinfo-crash
Reference: BID:448
Reference: URL:http://www.securityfocus.com/bid/448
Reference: OSVDB:1001
Reference: URL:http://www.osvdb.org/1001

Description:
Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Baker, Foat, Wall
   REVIEWING(1) Christey

 Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
 Frech> XF:smtp-rctpto-dos(7499)

Description:
When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, LeBlanc
   REVIEWING(1) Christey

 Frech> XF:smtp-4xx-error-dos
 LeBlanc> - if we can find a KB or something that shows that this wasn't just
   user error, I'd vote ACCEPT.
 Christey> David Lemson, Microsoft SMTP Service Program Manager,
   posted a followup that said "We have confirmed this as a
   problem..."
   http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

Description:
umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

Status: Entry
Reference: NETBSD:1999-006

Description:
During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

Status: Entry
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: XF:linux-slackware-install
Reference: BID:338
Reference: URL:http://www.securityfocus.com/bid/338
Reference: OSVDB:981
Reference: URL:http://www.osvdb.org/981

Description:
In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.

Status: Entry
Reference: NETBSD:1999-007

Description:
Vulnerability in hpterm on HP-UX 10.20 allows local users to gain additional privileges.

Status: Entry
Reference: HP:HPSBUX9903-093
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-093
Reference: XF:hp-hpterm-files

Description:
talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.

Status: Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite

Description:
talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.

Status: Entry
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill

Description:
The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

Votes:

   MODIFY(1) Frech
   NOOP(1) Baker
   REJECT(1) Christey

 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414
   XF:linux-dev-kmem-spoof does not exist.
 Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...

Description:
Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
   reference states: "Both the Win 95 and Win NT versions, along with the 4.2
   beta of Eudora are affected."
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
   
   Is this a duplicate/subsumed by CVE-1999-0004?

Description:
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Status: Entry
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: XF:ssl-session-reuse
Reference: OSVDB:3936
Reference: URL:http://www.osvdb.org/3936

Description:
The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

Status: Entry
Reference: BUGTRAQ:19990323
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92221437025743&w=2
Reference: BUGTRAQ:19990324 Re: LNotes encryption
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92241547418689&w=2
Reference: BUGTRAQ:19990326 Lotus Notes Encryption Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92246997917866&w=2
Reference: BUGTRAQ:19990326 Re: Lotus Notes security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92249282302994&w=2
Reference: XF:lotus-client-encryption

Description:
Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.

Status: Entry
Reference: ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
Reference: CISCO:Cisco Catalyst Supervisor Remote Reload
Reference: XF:cisco-catalyst-crash
Reference: OSVDB:1103
Reference: URL:http://www.osvdb.org/1103

Description:
Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:linux-zerolength-fragment  
 Christey> Consider adding BID:2247

Description:
ftp on HP-UX 11.00 allows local users to gain privileges.

Status: Entry
Reference: HP:HPSBUX9903-094
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-094
Reference: XF:hp-ftp

Description:
XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Status: Entry
Reference: SUSE:Mar28,1999
Reference: BUGTRAQ:19990321 X11R6 NetBSD Security Problem
Reference: XF:xfree86-temp-directories

Description:
XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433?  CVE-1999-0433
   deals with a symlink attack on one file (/tmp/.X11-unix),
   while xfs (this candidate) deals with /tmp/.font-unix
   XF:xfree86-xfs-symlink-dos doesn't exist.
 Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
   Note: Debian's advisory says that this is not a problem for Debian.

Description:
MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

Status: Candidate
Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:hp-servicegaurd
 Christey> ADDREF CIAC:J-039
 Christey> Note the typo in Andre's suggested reference.
   Normalize to XF:hp-serviceguard(2046)

Description:
Domain Enterprise Server Management System (DESMS) in HP-UX allows local users to gain privileges.

Status: Entry
Reference: HP:HPSBUX9903-095
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9903-095
Reference: XF:hp-desms-servers

Description:
Remote attackers can perform a denial of service in WebRamp systems by sending a malicious string to the HTTP port.

Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-device-crash

Description:
Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.

Status: Entry
Reference: ISS:WebRamp Denial of Service Attacks
Reference: XF:webramp-ipchange

Description:
Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.

Status: Entry
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: DEBIAN:19990422
Reference: CALDERA:CSSA-1999:007
Reference: XF:procmail-overflow

Description:
The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

Status: Entry
Reference: BUGTRAQ:19990405 Security Hole in Java 2 (and JDK 1.1.x)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92333596624452&w=2
Reference: CONFIRM:http://java.sun.com/pr/1999/03/pr990329-01.html
Reference: BID:1939
Reference: URL:http://www.securityfocus.com/bid/1939
Reference: XF:java-unverified-code

Description:
Remote attackers can perform a denial of service in WinGate machines using a buffer overflow in the Winsock Redirector Service.

Status: Entry
Reference: EEYE:AD02221999
Reference: URL:http://www.eeye.com/html/Research/Advisories/AD02221999.html
Reference: XF:wingate-redirector-dos
Reference: BID:509
Reference: URL:http://www.securityfocus.com/bid/509

Description:
Solaris ff.core allows local users to modify files.

Status: Entry
Reference: BUGTRAQ:19990107 really silly ff.core exploit for Solaris
Reference: BUGTRAQ:19990108 ff.core exploit on Solaris (2.)7
Reference: BUGTRAQ:19990408 Solaris7 and ff.core
Reference: BID:327
Reference: URL:http://www.securityfocus.com/bid/327

Description:
Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> Change "Patrol management software" to "The PATROL management product from
   BMC Software".

Description:
Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> ADDREF: XF:windows-arp-dos  

Description:
In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters.

Status: Entry
Reference: CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT
Reference: XF:cisco-natacl-leakage
Reference: OSVDB:1104
Reference: URL:http://www.osvdb.org/1104

Description:
Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.

Status: Entry
Reference: NETBSD:1999-008
Reference: XF:netbsd-vfslocking-panic
Reference: OSVDB:7051
Reference: URL:http://www.osvdb.org/7051

Description:
Local users can gain privileges using the debug utility in the MPE/iX operating system.

Status: Entry
Reference: HP:HPSBMP9904-006
Reference: URL:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMP9904-006
Reference: XF:mpeix-debug

Description:
IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

Status: Entry
Reference: BUGTRAQ:19990121 IIS 4 Request Logging Security Advisory
Reference: XF:iis-http-request-logging

Description:
The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

Status: Entry
Reference: BUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: NTBUGTRAQ:19990126 IIS 4 Advisory - ExAir sample site DoS
Reference: BUGTRAQ:19990125 Re: [NTSEC] IIS 4 Advisory - ExAir sample site DoS
Reference: BID:193
Reference: URL:http://www.securityfocus.com/bid/193
Reference: OSVDB:2
Reference: URL:http://www.osvdb.org/2
Reference: OSVDB:3
Reference: URL:http://www.osvdb.org/3
Reference: OSVDB:4
Reference: URL:http://www.osvdb.org/4
Reference: XF:iis-exair-dos

Description:
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

Status: Candidate
Phase: Modified (20090622)
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194

Votes:

   ACCEPT(2) Ozancin, Wall
   NOOP(2) Baker, Christey
   REJECT(2) Frech, LeBlanc

 Frech> Can't find in database.
 Christey> This looks like another discovery of CVE-2000-0071 
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
   and it does not repro - 
   GET /bogus.pl HTTP/1.0
   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html
   No path is returned whatsoever. This may have been a problem on some version
   of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
   Let's try and figure out what version had the problem, whether it is
   intrinsic to IIS or the result of adding a 3rd party implementation of perl,
   and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
   search (it's used by CGI scanners and in the original example)

Description:
Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-ports-dos(8364)

Description:
A service or application has a backdoor password that was placed there by the developer.

Status: Candidate
Phase: Proposed (19990726)

Votes: