First candidate cluster for validation: CERT

Below is the first candidate cluster, named CERT. It is a Low
controversy cluster with 60 vulnerabilities. It includes many of the
vulnerabilities reported in CERT advisories in the past few years.
(Other CERT-reported vulnerabilities appear in later clusters).

Since these vulnerabilities are well-known and well-verified, I don't
expect there to be much debate. So let's try and get them reviewed by
next Monday, June 14th. As a reminder, the review process was
discussed in a previous email.

Validate away! I will propose another cluster this Wednesday or
Thursday.

- Steve
------------------------------------------
Candidate: CAN-1999-0003
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX
Execute commands as root via buffer overflow in Tooltalk database
server (rpc.ttdbserverd)
------------------------------------------
Candidate: CAN-1999-0004
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
MIME buffer overflows in mail/news clients, e.g. Solaris mailtool.
------------------------------------------
Candidate: CAN-1999-0005
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177
Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.
------------------------------------------
Candidate: CAN-1999-0006
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows
remote attackers to gain root access using a long PASS command.
------------------------------------------
Candidate: CAN-1999-0007
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.07.PKCS
Reference: XF:nt-ssl-fix
Information from SSL-encrypted sessions via PKCS #1
------------------------------------------
Candidate: CAN-1999-0008
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check
Buffer overflow in NIS+, in Sun's rpc.nisd program
------------------------------------------
Candidate: CAN-1999-0013
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent
Stolen credentials from SSH clients via ssh-agent program, allowing
other local users to access remote accounts belonging to the
ssh-agent user.
------------------------------------------
Candidate: CAN-1999-0014
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185
Unauthorized privileged access or denial of service via dtappgather
program in CDE.
------------------------------------------
Candidate: CAN-1999-0017
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port
FTP bounce attack to connect to arbitrary ports on machines other than
the FTP client.
------------------------------------------
Candidate: CAN-1999-0018
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29
Root privileges via statd, as in CERT:CA-97.26.statd, due to
buffer overflow.
------------------------------------------
Candidate: CAN-1999-0019
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135
Delete or create a file via rpc.statd, due to invalid information.
------------------------------------------
Candidate: CAN-1999-0021
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count
Arbitrary command execution via buffer overflow in Count.cgi
(wwwcount) cgi-bin program.
------------------------------------------
Candidate: CAN-1999-0022
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.23.rdist
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97
Local user gains root privileges via buffer overflow in rdist, via
expstr() function.
------------------------------------------
Candidate: CAN-1999-0023
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2
Local user gains root privileges via buffer overflow in rdist, via
lookup() function.
------------------------------------------
Candidate: CAN-1999-0024
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11
DNS cache poisoning via BIND, by predictable query IDs.
------------------------------------------
Candidate: CAN-1999-0032
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX
Command execution in BSD-based lpr package (lp) due to buffer
overflow.
------------------------------------------
Candidate: CAN-1999-0033
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo
Command execution in Sun systems via buffer overflow in the at program
------------------------------------------
Candidate: CAN-1999-0034
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid
Buffer overflow in suidperl (sperl), Perl 4.x and 5.x
------------------------------------------
Candidate: CAN-1999-0035
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03
Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files
------------------------------------------
Candidate: CAN-1999-0036
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: SGI:19970508-02-PX
Reference: XF:sgi-lockout
IRIX login program with a nonzero LOCKOUT parameter allows creation or
damage to files.
------------------------------------------
Candidate: CAN-1999-0038
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo
Buffer overflow in xlock program allows local users to execute
commands as root.
------------------------------------------
Candidate: CAN-1999-0039
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.12.webdist
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: XF:http-sgi-webdist
Arbitrary command execution using webdist CGI program in IRIX.
------------------------------------------
Candidate: CAN-1999-0040
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo
Buffer overflow in Xt library of X Windowing System allows local
users to execute commands with root privileges.
------------------------------------------
Candidate: CAN-1999-0041
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo
Buffer overflow in NLS (Natural Language Service)
------------------------------------------
Candidate: CAN-1999-0043
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg
Command execution via shell metachars in INN daemon (innd) 1.5
using "newgroup" and "rmgroup" control messages, and others.
------------------------------------------
Candidate: CAN-1999-0045
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph
List of arbitrary files on Web host via nph-test-cgi script
------------------------------------------
Candidate: CAN-1999-0046
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:bsdi-rlogind
Buffer overflow of rlogin program using TERM environmental variable
------------------------------------------
Candidate: CAN-1999-0049
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.03.csetup
Csetup under IRIX allows arbitrary file creation or overwriting.
------------------------------------------
Candidate: CAN-1999-0050
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo
Buffer overflow in HP-UX newgrp program
------------------------------------------
Candidate: CAN-1999-0051
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03
Arbitrary file creation and program execution using FLEXlm
LicenseManager, from versions 4.0 to 5.0, in IRIX.
------------------------------------------
Candidate: CAN-1999-0067
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf
CGI phf program allows remote command execution
------------------------------------------
Candidate: CAN-1999-0073
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug
Telnet allows a remote client to specify environment variables including
LD_LIBRARY_PATH, allowing an attacker to bypass the normal system
libraries and gain root access.
------------------------------------------
Candidate: CAN-1999-0078
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Reference: XF:nfs-pcnfsd
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.
------------------------------------------
Candidate: CAN-1999-0080
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot
wu-ftp FTP server allows root access via "site exec" command.
------------------------------------------
Candidate: CAN-1999-0099
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog
A buffer overflow in the syslog utility allows remote execution
through Sendmail.
------------------------------------------
Candidate: CAN-1999-0117
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-92:07.AIX.passwd.vulnerability
AIX passwd allows local users to gain root access.
------------------------------------------
Candidate: CAN-1999-0128
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.26.ping
Oversized ICMP ping packets can result in a denial of service,
e.g. from the Ping o' Death exploit.
------------------------------------------
Candidate: CAN-1999-0129
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups
Sendmail allows local users to write to a file and gain group
permissions via a .forward or :include: file.
------------------------------------------
Candidate: CAN-1999-0130
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.24.sendmail.daemon.mode
Local users can start Sendmail in daemon mode and gain root privileges.
------------------------------------------
Candidate: CAN-1999-0131
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.20.sendmail_vul
Buffer overflow and denial of service in Sendmail 8.7.5 and
earlier through GECOS field gives root access to local users.
------------------------------------------
Candidate: CAN-1999-0132
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.19.expreserve
Reference: XF:expreserve
Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.
------------------------------------------
Candidate: CAN-1999-0133
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile
fm_fls license server for Adobe Framemaker allows local users to
overwrite arbitrary files and gain root access.
------------------------------------------
Candidate: CAN-1999-0134
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04
vold in Solaris 2.x allows local users to gain root access
------------------------------------------
Candidate: CAN-1999-0135
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03
admintool in Solaris allows a local user to write to arbitrary files
and gain root access.
------------------------------------------
Candidate: CAN-1999-0136
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul
Kodak Color Management System (KCMS) on Solaris allows a local user to
write to arbitrary files and gain root access.
------------------------------------------
Candidate: CAN-1999-0137
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo
The dip program on many Linux systems allows local users to gain root
access via a buffer overflow.
------------------------------------------
Candidate: CAN-1999-0141
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134
Java Bytecode Verifier allowed malicious applets to execute
arbitrary commands as the user of the applet.
------------------------------------------
Candidate: CAN-1999-0142
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr
Java Applet Security Manager allows an applet to connect to arbitrary
hosts.
------------------------------------------
Candidate: CAN-1999-0143
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf
Kerberos 4 key servers allow a user to masquerade as another by
breaking and generating session keys.
------------------------------------------
Candidate: CAN-1999-0155
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.10.ghostscript
The ghostscript command with the -dSAFER option allows remote
attackers to execute commands.
------------------------------------------
Candidate: CAN-1999-0164
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul
A race condition in the Solaris ps command allows an attacker to
overwrite critical files.
------------------------------------------
Candidate: CAN-1999-0207
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities
Remote attacker can execute commands through Majordomo using the
Reply-To field and a "lists" command.
------------------------------------------
Candidate: CAN-1999-0208
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.17.rpc.ypupdated.vul
rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.
------------------------------------------
Candidate: CAN-1999-0209
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-90.05.sunselection.vulnerability
The SunView (SunTools) selection_svc facility allows remote users to
read files.
------------------------------------------
Candidate: CAN-1999-0267
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability
Buffer overflow in NCSA HTTP daemon v1.3 allowed remote command execution.
------------------------------------------
Candidate: CAN-1999-0277
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.23.workman_vul
The WorkMan program can be used to overwrite any file to get root access.
------------------------------------------
Candidate: CAN-1999-0334
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability
In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local
user with physical access to obtain root access.
------------------------------------------
Candidate: CAN-1999-0337
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh
AIX batch queue (bsh) allows local and remote users to gain additional
privileges when network printing is enabled.
------------------------------------------
Candidate: CAN-1999-0338
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools
AIX Licensed Program Product performance tools allow local users to
gain root access.
------------------------------------------
Candidate: CAN-1999-0513
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf
ICMP messages to broadcast addresses are allowed, allowing for a
Smurf attack that can cause a denial of service.