[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PROPOSAL] Cluster RECENT-30 - 17 candidates

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000803 02:59]:
> The following cluster contains 17 candidates that were announced
> between 7/21/2000 and 7/27/2000.
> 
> The candidates are listed in order of priority.  Priority 1 and
> Priority 2 candidates both deal with varying levels of vendor
> confirmation, so they should be easy to review and it can be trusted
> that the problems are real.
> 
> If you discover that any RECENT-XX cluster is incomplete with respect
> to the problems discovered during the associated time frame, please
> send that information to me so that candidates can be assigned.
> 
> - Steve
> 
> 
> 
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
> 
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
> 
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
> 
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
> 
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
> 
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
> 
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
> 
> =================================
> Candidate: CAN-2000-0621
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000726
> Category: SF
> Reference: MS:MS00-046
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
> Reference: CERT:CA-2000-14
> Reference: URL:http://www.cert.org/advisories/CA-2000-14.html
> Reference: BID:1501
> Reference: URL:http://www.securityfocus.com/bid/1501
> 
> Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x,
> allow remote attackers to read files on the client's system via a
> malformed HTML message that stores files outside of the cache, aka the
> "Cache Bypass" vulnerability.
> 
> 
> ED_PRI CAN-2000-0621 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0655
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000724 JPEG COM Marker Processing Vulnerability in Netscape Browsers
> Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007242356.DAA01274%40false.com
> Reference: REDHAT:RHSA-2000:046-02
> Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-046-02.html
> Reference: BID:1503
> Reference: URL:http://www.securityfocus.com/bid/1503
> 
> Netscape Communicator 4.73 and earlier allows remote attackers to
> cause a denial of service or execute arbitrary commands via a JPEG
> image containing a comment with an illegal field length of 1.
> 
> 
> ED_PRI CAN-2000-0655 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0663
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: MS:MS00-052
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
> Reference: MSKB:Q269049
> Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=269049
> Reference: BID:1507
> Reference: URL:http://www.securityfocus.com/bid/1507
> 
> The registry entry for the Windows Shell executable (Explorer.exe) in
> Windows NT and Windows 2000 uses a relative path name, which allows
> local users to execute arbitrary commands by inserting a Trojan Horse
> named Explorer.exe into the %Systemdrive% directory, aka the "Relative
> Shell Path" vulnerability.
> 
> 
> ED_PRI CAN-2000-0663 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0668
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: REDHAT:RHSA-2000:044-02
> Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-044-02.html
> Reference: BID:1513
> Reference: URL:http://www.securityfocus.com/bid/1513
> 
> pam_console PAM module in Linux systems allows a user to access the
> system console and reboot the system when a display manager such as
> gdm or kdm has XDMCP enabled.
> 
> 
> ED_PRI CAN-2000-0668 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0673
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: NAI:20000727 Windows NetBIOS Name Conflicts
> Reference: MS:MS00-047
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
> Reference: BID:1514
> Reference: URL:http://www.securityfocus.com/bid/1514
> Reference: BID:1515
> Reference: URL:http://www.securityfocus.com/bid/1515
> 
> The NetBIOS Name Server (NBNS) protocol does not perform
> authentication, which allows remote attackers to cause a denial of
> service by sending a spoofed Name Conflict or Name Release datagram,
> aka the "NetBIOS Name Server Protocol Spoofing" vulnerability.
> 
> 
> ED_PRI CAN-2000-0673 1
> 
> 
> VOTE: MODIFY

It seems you are conbining these two problems because they have the
same root problem: that NetBIOS trusts everyone and its not authenticated.
But if that is your reasoning then you can classify this as a software
fault (SF), it should be a design flaw.

> =================================
> Candidate: CAN-2000-0664
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000726 AnalogX "SimpleServer:WWW" dot dot bug
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0374.html
> Reference: CONFIRM:http://www.analogx.com/contents/download/network/sswww.htm
> Reference: BID:1508
> Reference: URL:http://www.securityfocus.com/bid/1508
> 
> AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read
> arbitrary files via a modified .. (dot dot) attack that uses the %2E
> URL encoding for the dots.
> 
> 
> ED_PRI CAN-2000-0664 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0671
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 Roxen security alert: Problems with URLs containing null characters.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0321.html
> Reference: BUGTRAQ:20000721 Roxen Web Server Vulnerability
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.html
> Reference: BID:1510
> Reference: URL:http://www.securityfocus.com/bid/1510
> 
> Roxen web server earlier than 2.0.69 allows allows remote attackers to
> list directory contents and read source code by appending a null
> character (%00) to the URL.
> 
> 
> ED_PRI CAN-2000-0671 2
> 
> 
> VOTE: MODIFY

There really is more to this problem than simply being able to
list the contents of a directory. Roxen uses Pike. Pike can handle
strings with nulls in them, but the underlying OS truncates the
string at the first null. Thus Roxen and the OS do not agree on 
what file the string really points to. On symptom is being able
to list a directory. More dangerous is being able to bypass
access restrictions by sending a query that passes the web server's
ACLs but is valid to the underlying OS. You could also use it
to download the source code to scripts by sending a request that
the web server will not think is a file type that should be parsed
or executed but that will make the underlying OS open the script for
reading.

> 
> =================================
> Candidate: CAN-2000-0644
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
> Reference: BID:1506
> Reference: URL:http://www.securityfocus.com/bid/1506
> 
> WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of
> service by executing a STAT command while the LIST command is still
> executing.
> 
> 
> ED_PRI CAN-2000-0644 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0645
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
> Reference: BID:1506
> Reference: URL:http://www.securityfocus.com/bid/1506
> 
> WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of
> service by using the RESTART (REST) command and writing beyond the end
> of a file, or writing to a file that does not exist, via commands such
> as STORE UNIQUE (STOU), STORE (STOR), or APPEND (APPE).
> 
> 
> ED_PRI CAN-2000-0645 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0646
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
> Reference: BID:1506
> Reference: URL:http://www.securityfocus.com/bid/1506
> 
> WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real
> pathname for a file by executing a STATUS (STAT) command while the
> file is being transferred.
> 
> 
> ED_PRI CAN-2000-0646 3
> 
> 
> VOTE: ACCEPT
>  
> =================================
> Candidate: CAN-2000-0647
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
> Reference: BID:1506
> Reference: URL:http://www.securityfocus.com/bid/1506
> 
> WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of
> service by executing an MLST command before logging into the server.
> 
> 
> ED_PRI CAN-2000-0647 3 
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0652
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000723 IBM WebSphere default servlet handler showcode vulnerability
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0342.html
> Reference: BID:1500
> Reference: URL:http://www.securityfocus.com/bid/1500
> 
> IBM WebSphere allows remote attackers to read source code for
> executable web files by directly calling the default InvokerServlet
> using a URL which contains the "/servlet/file" string.
> 
> 
> ED_PRI CAN-2000-0652 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0656
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
> Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
> Reference: BID:1504
> Reference: URL:http://www.securityfocus.com/bid/1504
> 
> Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
> attackers to cause a denial of service via a long USER command in the
> FTP protocol.
> 
> 
> ED_PRI CAN-2000-0656 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0657
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
> Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
> Reference: BID:1504
> Reference: URL:http://www.securityfocus.com/bid/1504
> 
> Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
> attackers to cause a denial of service via a long HELO command in the
> SMTP protocol.
> 
> 
> ED_PRI CAN-2000-0657 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0658
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
> Reference: CONFIRM:http://www.analogx.com/contents/download/network/proxy.htm
> Reference: BID:1504
> Reference: URL:http://www.securityfocus.com/bid/1504
> 
> Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
> attackers to cause a denial of service via a long USER command in the
> POP3 protocol.
> 
> 
> ED_PRI CAN-2000-0658 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0659
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000724 AnalogX Proxy DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
> Reference: BID:1504
> Reference: URL:http://www.securityfocus.com/bid/1504
> 
> Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote
> attackers to cause a denial of service via a long user ID in a SOCKS4
> CONNECT request.
> 
> 
> ED_PRI CAN-2000-0659 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0672
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000803
> Assigned: 20000802
> Category: SF
> Reference: BUGTRAQ:20000721 Jakarta-tomcat.../admin
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html
> 
> The default configuration of Jakarta Tomcat does not restrict access
> to the /admin context, which allows remote attackers to read arbitrary
> files by directly calling the administrative servlets to add a context
> for the root directory.
> 
> 
> ED_PRI CAN-2000-0672 3
> 
> 
> VOTE: REVIEWING

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Page Last Updated or Reviewed: May 22, 2007